sync code from 24.03-LTS-SP1

0006-tini.c-a-function-declaration-without-a-prototype-is.patch

@@ -0,0 +1,72 @@
+From a49fdd374d6d9c047e35de8b82935cc4d837e678 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Fri, 23 Sep 2022 16:31:33 +0000
+Subject: [PATCH 1/2] tini.c: a function declaration without a prototype is
+ deprecated in all versions of C
+
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:150:18: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| int isolate_child() {
+|                  ^
+|                   void
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:395:14: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| int parse_env() {
+|              ^
+|               void
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:416:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| int register_subreaper () {
+|                        ^
+|                         void
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:434:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| void reaper_check () {
+|                   ^
+|                    void
+| 4 errors generated.
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ src/tini.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tini.c b/src/tini.c
+index 2c873f9..7914d3a 100644
+--- a/src/tini.c
++++ b/src/tini.c
+@@ -147,7 +147,7 @@ int restore_signals(const signal_configuration_t* const sigconf_ptr) {
+ 	return 0;
+ }
+ 
+-int isolate_child() {
++int isolate_child(void) {
+ 	// Put the child into a new process group.
+ 	if (setpgid(0, 0) < 0) {
+ 		PRINT_FATAL("setpgid failed: %s", strerror(errno));
+@@ -392,7 +392,7 @@ int parse_args(const int argc, char* const argv[], char* (**child_args_ptr_ptr)[
+ 	return 0;
+ }
+ 
+-int parse_env() {
++int parse_env(void) {
+ #if HAS_SUBREAPER
+ 	if (getenv(SUBREAPER_ENV_VAR) != NULL) {
+ 		subreaper++;
+@@ -413,7 +413,7 @@ int parse_env() {
+ 
+ 
+ #if HAS_SUBREAPER
+-int register_subreaper () {
++int register_subreaper (void) {
+ 	if (subreaper > 0) {
+ 		if (prctl(PR_SET_CHILD_SUBREAPER, 1)) {
+ 			if (errno == EINVAL) {
+@@ -431,7 +431,7 @@ int register_subreaper () {
+ #endif
+ 
+ 
+-void reaper_check () {
++void reaper_check (void) {
+ 	/* Check that we can properly reap zombies */
+ #if HAS_SUBREAPER
+ 	int bit = 0;
+-- 
+2.25.1
+

0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch

@@ -0,0 +1,76 @@
+From c72e458a7273bf7e542082ef2bbe3d50ca1a62dd Mon Sep 17 00:00:00 2001
+From: Rob Murray <rob.murray@docker.com>
+Date: Thu, 18 Jan 2024 21:01:41 +0000
+Subject: [PATCH] Fix libnetwork/osl test TestAddRemoveInterface
+
+For some time, when adding an interface with no IPv6 address (an
+interface to a network that does not have IPv6 enabled), we've been
+disabling IPv6 on that interface.
+
+As part of a separate change, I'm removing that logic - there's nothing
+wrong with having IPv6 enabled on an interface with no routable address.
+The difference is that the kernel will assign a link-local address.
+
+TestAddRemoveInterface does this...
+- Assign an IPv6 link-local address to one end of a veth interface, and
+  add it to a namespace.
+- Add a bridge with no assigned IPv6 address to the namespace.
+- Remove the veth interface from the namespace.
+- Put the veth interface back into the namespace, still with an
+  explicitly assigned IPv6 link local address.
+
+When IPv6 is disabled on the bridge interface, the test passes.
+
+But, when IPv6 is enabled, the bridge gets a kernel assigned link-local
+address.
+
+Then, when re-adding the veth interface, the test generates an error in
+'osl/interface_linux.go:checkRouteConflict()'. The conflict is between
+the explicitly assigned fe80::2 on the veth, and a route for fe80::/64
+belonging to the bridge.
+
+So, in preparation for not-disabling IPv6 on these interfaces, use a
+unique-local address in the test instead of link-local.
+
+I don't think that changes the intent of the test.
+
+With the change to not-always disable IPv6, it is possible to repro the
+problem with a real container, disconnect and re-connect a user-defined
+network with '--subnet fe80::/64' while the container's connected to an
+IPv4 network. So, strictly speaking, that will be a regression.
+
+But, it's also possible to repro the problem in master, by disconnecting
+and re-connecting the fe80::/64 network while another IPv6 network is
+connected. So, I don't think it's a problem we need to address, perhaps
+other than by prohibiting '--subnet fe80::/64'.
+
+Signed-off-by: Rob Murray <rob.murray@docker.com>
+---
+ libnetwork/osl/sandbox_linux_test.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libnetwork/osl/sandbox_linux_test.go b/libnetwork/osl/sandbox_linux_test.go
+index dd1ac18275..c1c54b0627 100644
+--- a/libnetwork/osl/sandbox_linux_test.go
++++ b/libnetwork/osl/sandbox_linux_test.go
+@@ -72,7 +72,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) {
+ 	}
+ 	addr.IP = ip4
+ 
+-	ip6, addrv6, err := net.ParseCIDR("fe80::2/64")
++	ip6, addrv6, err := net.ParseCIDR("fdac:97b4:dbcc::2/64")
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -116,7 +116,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) {
+ 	return &Namespace{
+ 		iFaces: []*Interface{intf1, intf2, intf3},
+ 		gw:     net.ParseIP("192.168.1.1"),
+-		gwv6:   net.ParseIP("fe80::1"),
++		gwv6:   net.ParseIP("fdac:97b4:dbcc::1/64"),
+ 	}, nil
+ }
+ 
+-- 
+2.42.0.windows.2
+

0008-api-omit-missing-Created-field-from-ImageInspect-res.patch

@@ -0,0 +1,69 @@
+From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001
+From: Bjorn Neergaard <bjorn.neergaard@docker.com>
+Date: Mon, 26 Feb 2024 10:25:08 -0700
+Subject: [PATCH] api: omit missing Created field from ImageInspect response
+
+Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
+---
+ api/swagger.yaml    | 6 +++++-
+ api/types/types.go  | 6 +++++-
+ docs/api/v1.44.yaml | 6 +++++-
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/api/swagger.yaml b/api/swagger.yaml
+index e55a76f..350d37a 100644
+--- a/api/swagger.yaml
++++ b/api/swagger.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+         description: |
+           Date and time at which the image was created, formatted in
+           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++          This information is only available if present in the image,
++          and omitted otherwise.
+         type: "string"
+-        x-nullable: false
++        format: "dateTime"
++        x-nullable: true
+         example: "2022-02-04T21:20:12.497794809Z"
+       Container:
+         description: |
+diff --git a/api/types/types.go b/api/types/types.go
+index 5c56a0c..3c1f69a 100644
+--- a/api/types/types.go
++++ b/api/types/types.go
+@@ -72,8 +72,12 @@ type ImageInspect struct {
+ 
+ 	// Created is the date and time at which the image was created, formatted in
+ 	// RFC 3339 nano-seconds (time.RFC3339Nano).
+-	Created string
+ 
++	//
++	// This information is only available if present in the image,
++	// and omitted otherwise.
++	Created string `json:",omitempty"`
++ 
+ 	// Container is the ID of the container that was used to create the image.
+ 	//
+ 	// Depending on how the image was created, this field may be empty.
+diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml
+index e55a76f..350d37a 100644
+--- a/docs/api/v1.44.yaml
++++ b/docs/api/v1.44.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+         description: |
+           Date and time at which the image was created, formatted in
+           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++          This information is only available if present in the image,
++          and omitted otherwise.
+         type: "string"
+-        x-nullable: false
++        format: "dateTime"
++        x-nullable: true
+         example: "2022-02-04T21:20:12.497794809Z"
+       Container:
+         description: |
+-- 
+2.41.0
+

0009-integration-Add-container-output-utility.patch

@@ -0,0 +1,51 @@
+From 9ee331235a3affa082d5cb0028351182b89fd123 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 11:14:27 +0100
+Subject: [PATCH] integration: Add container.Output utility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Extracted from https://github.com/moby/moby/commit/bfb810445c3c111478f5e0e6268ef334c38f38cf
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ integration/internal/container/container.go | 25 +++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go
+index 0974ce6bf1..dac52999ae 100644
+--- a/integration/internal/container/container.go
++++ b/integration/internal/container/container.go
+@@ -170,3 +170,28 @@ func Inspect(ctx context.Context, t *testing.T, apiClient client.APIClient, cont
+ 
+ 	return c
+ }
++
++type ContainerOutput struct {
++	Stdout, Stderr string
++}
++
++// Output waits for the container to end running and returns its output.
++func Output(ctx context.Context, client client.APIClient, id string) (ContainerOutput, error) {
++	logs, err := client.ContainerLogs(ctx, id, container.LogsOptions{Follow: true, ShowStdout: true, ShowStderr: true})
++	if err != nil {
++		return ContainerOutput{}, err
++	}
++
++	defer logs.Close()
++
++	var stdoutBuf, stderrBuf bytes.Buffer
++	_, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logs)
++	if err != nil {
++		return ContainerOutput{}, err
++	}
++
++	return ContainerOutput{
++		Stdout: stdoutBuf.String(),
++		Stderr: stderrBuf.String(),
++	}, nil
++}
+-- 
+2.33.0
+

0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch

@@ -0,0 +1,37 @@
+From a72294a6688d747dcfec8751c3e2616cad703a31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Mon, 19 Feb 2024 15:16:07 +0100
+Subject: [PATCH] mounts/validate: Don't check source exists with
+ CreateMountpoint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't error out when mount source doesn't exist and mounts has
+`CreateMountpoint` option enabled.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+(cherry picked from commit 05b883bdc836a2fd621452f58a2a2c02d253718c)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ volume/mounts/linux_parser.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/volume/mounts/linux_parser.go b/volume/mounts/linux_parser.go
+index 1b64c23935..e7e8ad80f3 100644
+--- a/volume/mounts/linux_parser.go
++++ b/volume/mounts/linux_parser.go
+@@ -85,7 +85,9 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
+ 			if err != nil {
+ 				return &errMountConfig{mnt, err}
+ 			}
+-			if !exists {
++
++			createMountpoint := mnt.BindOptions != nil && mnt.BindOptions.CreateMountpoint
++			if !exists && !createMountpoint {
+ 				return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+ 			}
+ 		}
+-- 
+2.33.0
+

moby.spec

@@ -5,11 +5,11 @@
 %global _source_docker_init tini-0.19.0
 %define _debugsource_template %{nil}
 
-Name: 	  docker
+Name: 	  moby
 Version:  25.0.3
-Release:  10
+Release:  21
 Summary:  The open-source application container engine
-License:  ASL 2.0
+License:  Apache-2.0
 URL:	  https://www.docker.com
 # https://github.com/docker/cli/archive/refs/tags/v25.0.3.tar.gz
 Source0:  cli-%{version}.tar.gz
@@ -20,21 +20,26 @@ Source2:  tini-0.19.0.tar.gz
 Source3:  docker.service
 Source4:  docker.socket
 Source5:  docker.sysconfig
-Patch0000:  0001-fix-cve-2024-29018.patch
-Patch0001:  0002-fix-cve-2024-32473.patch
-Patch0002:  0003-add-loongarch64-seccomp-support.patch
-Patch0003:  0004-fix-docker-swarm-run-failed-for-loongarch64.patch
-
-Patch9000:  backport-CVE-2024-41110.patch
-
-Requires: %{name}-engine = %{version}-%{release}
-Requires: %{name}-client = %{version}-%{release}
+Patch0001:  0001-fix-cve-2024-29018.patch
+Patch0002:  0002-fix-cve-2024-32473.patch
+Patch0003:  0003-add-loongarch64-seccomp-support.patch
+Patch0004:  0004-fix-docker-swarm-run-failed-for-loongarch64.patch
+Patch0005:  0005-CVE-2024-41110.patch
+Patch0006:  0006-tini.c-a-function-declaration-without-a-prototype-is.patch
+Patch0007:  0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
+Patch0008:  0008-api-omit-missing-Created-field-from-ImageInspect-res.patch
+Patch0009:  0009-integration-Add-container-output-utility.patch
+Patch0010:  0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch
+Requires(meta): %{name}-engine = %{version}-%{release}
+Requires(meta): %{name}-client = %{version}-%{release}
 
 # conflicting packages
 Conflicts: docker-ce
 Conflicts: docker-io
 Conflicts: docker-engine-cs
 Conflicts: docker-ee
+Obsoletes: docker < %{version}-%{release}
+Provides: docker = %{version}-%{release}
 
 %description
 Docker is a product for you to build, ship and run any application as a
@@ -43,7 +48,7 @@ lightweight container.
 %package engine
 Summary: Docker daemon binary and related utilities
 
-Requires: /usr/sbin/groupadd
+Requires(pre): /usr/sbin/groupadd
 Requires: runc
 Requires: container-selinux >= 2:2.74
 Requires: libseccomp >= 2.3
@@ -53,6 +58,7 @@ Requires: libcgroup
 Requires: containerd
 Requires: tar
 Requires: xz
+%{?systemd_requires}
 
 BuildRequires: bash
 BuildRequires: ca-certificates
@@ -74,12 +80,16 @@ BuildRequires: systemd-devel
 BuildRequires: tar
 BuildRequires: which
 BuildRequires: golang  >= 1.18.0
+Obsoletes: docker-engine < %{version}-%{release}
+Conflicts: docker-engine >= 2:18
+Requires: libnetwork = %{version}-%{release}
 
 %description engine
 Docker daemon binary and related utilities
 
 %package client
 Summary: Docker client binary and related utilities
+Obsoletes: docker-client < %{version}-%{release}
 
 Requires: /bin/sh
 BuildRequires: libtool-ltdl-devel
@@ -87,15 +97,29 @@ BuildRequires: libtool-ltdl-devel
 %description client
 Docker client binary and related utilities
 
+%package -n libnetwork
+Summary: Proxy used for docker port mapping
+Provides: docker-proxy
+Obsoletes: docker-proxy
+Conflicts: docker-engine < 25.0.3-20
+
+%description -n libnetwork
+Proxy used for docker port mapping.
+
 %prep
 %setup -q -n %{_source_client}
 %setup -q -T -n %{_source_engine} -b 1
-%patch0000 -p1
-%patch0001 -p1
-%patch0002 -p1
-%patch0003 -p1
-%patch9000 -p1
+%patch 0001 -p1
+%patch 0002 -p1
+%patch 0003 -p1
+%patch 0004 -p1
+%patch 0005 -p1
+%patch 0007 -p1
+%patch 0008 -p1
+%patch 0009 -p1
+%patch 0010 -p1
 %setup -q -T -n %{_source_docker_init} -b 2
+%patch 0006 -p1
 
 %build
 export GO111MODULE=off
@@ -171,11 +195,13 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA
 %files engine
 %config(noreplace) %{_sysconfdir}/sysconfig/docker
 %{_bindir}/dockerd
-%{_bindir}/docker-proxy
 %{_bindir}/docker-init
 %{_unitdir}/docker.service
 %{_unitdir}/docker.socket
 
+%files -n libnetwork
+%{_bindir}/docker-proxy
+
 %files client
 %{_bindir}/docker
 %{_datadir}/bash-completion/completions/docker
@@ -183,19 +209,59 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA
 %{_datadir}/fish/vendor_completions.d/docker.fish
 %doc %{_pkgdocdir}
 
-%post
-%systemd_post docker.service
+%pre engine
 if ! getent group docker > /dev/null; then
     groupadd --system docker
 fi
 
-%preun
+%post engine
+%systemd_post docker.service
+
+%preun engine
 %systemd_preun docker.service docker.socket
 
-%postun
+%postun engine
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Fri Nov 29 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-21
+- convert patches into unix format
+
+* Fri Nov 22 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-20
+- rename back to moby
+- split docker-proxy for docker 18 to use
+
+* Thu Nov 14 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-19
+- DESC: Resolving installation conflicts between docker-engine and libnetwork
+
+* Fri Nov 08 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-18
+- DESC: Don't check source exists with CreateMountpoint
+
+* Fri Nov 08 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-17
+- DESC: move group creation into pre section rather than post section
+        change requires into meta dependency for its actual use
+
+* Wed Nov 6 2024 sunchendong<sunchendong@xfusion.com> - 25.0.3-16
+- DESC:Add container.Output utility
+
+* Mon Nov 4 2024 sunchendong<sunchendong@xfusion.com> - 25.0.3-15
+- DESC:omit missing Created field from ImageInspect response
+
+* Thu Oct 31 2024 yaoguangzhong<yaoguangzhong@xfusion.com> - 25.0.3-14
+- DESC:backport upstream patch to fix libnetwork/osl test TestAddRemoveInterface
+
+* Tue Oct 29 2024 yaoguangzhong<yaoguangzhong@xfusion.com> - 25.0.3-13
+- DESC:modify patch number
+
+* Tue Oct 29 2024 yaoguangzhong<yaoguangzhong@xfusion.com> - 25.0.3-12
+- DESC:fix build warnings for moby.spec
+
+* Mon Sep 9 2024 tiberium <jinzhe.oerv@isrc.iscas.ac.cn> - 25.0.3-11
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:backport upstream patch to solve -Wstrict-prototypes error
+
 * Fri Jul 26 2024 zhangxianting <zhangxianting@uniontechc.om> - 25.0.3-10
 - Type:CVE
 - ID:NA