!117 backport cli v26.1.0 patch to fix riscv64 build error

Merge pull request !117 from laokz/openEuler-24.03-LTS

0001-Set-CGO_ENABLED-1-on-riscv64.patch

@@ -0,0 +1,29 @@
+From 800a51d6cd22ac7b7465d2d408362f9683a11800 Mon Sep 17 00:00:00 2001
+From: Zhuo Zhi <h.dwwwwww@gmail.com>
+Date: Mon, 11 Mar 2024 13:57:35 +0800
+Subject: [PATCH] Set CGO_ENABLED=1 on riscv64
+
+CGO works fine on riscv64 thus should be enabled.
+Avoid build error https://github.com/golang/go/issues/64875
+
+Signed-off-by: Zhuo Zhi <h.dwwwwww@gmail.com>
+---
+ scripts/build/.variables | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/build/.variables b/scripts/build/.variables
+index a9371ebec2b6..de7945d0a7b3 100755
+--- a/scripts/build/.variables
++++ b/scripts/build/.variables
+@@ -48,7 +48,7 @@ if [ -z "$CGO_ENABLED" ]; then
+     case "$(go env GOOS)" in
+         linux)
+             case "$(go env GOARCH)" in
+-                amd64|arm64|arm|s390x)
++                amd64|arm64|arm|s390x|riscv64)
+                     CGO_ENABLED=1
+                 ;;
+                 *)
+-- 
+2.43.0
+

1004-fix-docker-swarm-run-failed-for-loongarch64.patch

@@ -0,0 +1,30 @@
+From d982ada96908ceef19f30d88ffda5e7956c2809e Mon Sep 17 00:00:00 2001
+From: Super User <root@localhost.localdomain>
+Date: Wed, 10 Jul 2024 17:27:20 +0800
+Subject: [PATCH] fix docker swarm run failed for loongarch64
+
+---
+ .../moby/swarmkit/v2/manager/scheduler/filter.go          | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go b/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go
+index 4e0bb9f..97847e1 100644
+--- a/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go
++++ b/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go
+@@ -305,6 +305,14 @@ func (f *PlatformFilter) platformEqual(imgPlatform, nodePlatform api.Platform) b
+ 		nodePlatform.Architecture = "arm64"
+ 	}
+ 
++	// normalize "loongarch64" architectures to "loong64"
++        if imgPlatform.Architecture == "loongarch64" {
++                imgPlatform.Architecture = "loong64"
++        }
++        if nodePlatform.Architecture == "loongarch64" {
++                nodePlatform.Architecture = "loong64"
++        }
++
+ 	if (imgPlatform.Architecture == "" || imgPlatform.Architecture == nodePlatform.Architecture) && (imgPlatform.OS == "" || imgPlatform.OS == nodePlatform.OS) {
+ 		return true
+ 	}
+-- 
+2.43.0

1005-CVE-2024-41110.patch

@@ -0,0 +1,206 @@
+From 9659c3a52bac57e615b5fb49b0652baca448643e Mon Dec 1 00:00:00 2001
+From: Jameson Hyde <jameson.hyde@docker.com>
+Date: Mon, 1 Dec 2018 09:57:10 +0800
+Subject: [PATCH] Authz plugin security fixes for 0-length content and path validation
+https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
+https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
+
+If url includes scheme, urlPath will drop hostname, which would not m…
+…atch the auth check
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
+
+---
+ pkg/authorization/authz.go           | 38 +++++++++++--
+ pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++-
+ 2 files changed, 115 insertions(+), 7 deletions(-)
+
+diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
+index 1eb4431..d568a2b 100644
+--- a/pkg/authorization/authz.go
++++ b/pkg/authorization/authz.go
+@@ -8,6 +8,8 @@ import (
+ 	"io"
+ 	"mime"
+ 	"net/http"
++	"net/url"
++	"regexp"
+ 	"strings"
+ 
+ 	"github.com/containerd/log"
+@@ -53,10 +55,23 @@ type Ctx struct {
+ 	authReq *Request
+ }
+ 
++func isChunked(r *http.Request) bool {
++	// RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
++	if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
++		return true
++	}
++	for _, v := range r.TransferEncoding {
++		if strings.EqualFold(v, "chunked") {
++			return true
++		}
++	}
++	return false
++}
++
+ // AuthZRequest authorized the request to the docker daemon using authZ plugins
+ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
+ 	var body []byte
+-	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
++	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
+ 		var err error
+ 		body, r.Body, err = drainBody(r.Body)
+ 		if err != nil {
+@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
+ 	if sendBody(ctx.requestURI, rm.Header()) {
+ 		ctx.authReq.ResponseBody = rm.RawBody()
+ 	}
+-
+ 	for _, plugin := range ctx.plugins {
+ 		log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
+ 
+@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
+ 	return nil, newBody, err
+ }
+ 
++func isAuthEndpoint(urlPath string) (bool, error) {
++	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
++	matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
++	if err != nil {
++		return false, err
++	}
++	return matched, nil
++}
++
+ // sendBody returns true when request/response body should be sent to AuthZPlugin
+-func sendBody(url string, header http.Header) bool {
++func sendBody(inURL string, header http.Header) bool {
++	u, err := url.Parse(inURL)
++	// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
++	if err != nil {
++		return false
++	}
++
+ 	// Skip body for auth endpoint
+-	if strings.HasSuffix(url, "/auth") {
++	isAuth, err := isAuthEndpoint(u.Path)
++	if isAuth || err != nil {
+ 		return false
+ 	}
+ 
+diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
+index c9b18d9..66b4d20 100644
+--- a/pkg/authorization/authz_unix_test.go
++++ b/pkg/authorization/authz_unix_test.go
+@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
+ 
+ func TestSendBody(t *testing.T) {
+ 	var (
+-		url       = "nothing.com"
+ 		testcases = []struct {
++			url         string
+ 			contentType string
+ 			expected    bool
+ 		}{
+@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) {
+ 				contentType: "",
+ 				expected:    false,
+ 			},
++			{
++				url:         "nothing.com/auth",
++				contentType: "",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/auth?p1=test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/test?p1=/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "nothing.com/something/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "nothing.com/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/v1.24/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/v1/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "www.nothing.com/v1.24/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "https://www.nothing.com/v1.24/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "http://nothing.com/v1.24/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "www.nothing.com/test?p1=/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "http://www.nothing.com/test?p1=/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "www.nothing.com/something/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "https://www.nothing.com/something/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
+ 		}
+ 	)
+ 
+ 	for _, testcase := range testcases {
+ 		header := http.Header{}
+ 		header.Set("Content-Type", testcase.contentType)
++		if testcase.url == "" {
++			testcase.url = "nothing.com"
++		}
+ 
+-		if b := sendBody(url, header); b != testcase.expected {
+-			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
++		if b := sendBody(testcase.url, header); b != testcase.expected {
++			t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
+ 		}
+ 	}
+ }
+-- 
+2.33.0
+

1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch

@@ -0,0 +1,76 @@
+From c72e458a7273bf7e542082ef2bbe3d50ca1a62dd Mon Sep 17 00:00:00 2001
+From: Rob Murray <rob.murray@docker.com>
+Date: Thu, 18 Jan 2024 21:01:41 +0000
+Subject: [PATCH] Fix libnetwork/osl test TestAddRemoveInterface
+
+For some time, when adding an interface with no IPv6 address (an
+interface to a network that does not have IPv6 enabled), we've been
+disabling IPv6 on that interface.
+
+As part of a separate change, I'm removing that logic - there's nothing
+wrong with having IPv6 enabled on an interface with no routable address.
+The difference is that the kernel will assign a link-local address.
+
+TestAddRemoveInterface does this...
+- Assign an IPv6 link-local address to one end of a veth interface, and
+  add it to a namespace.
+- Add a bridge with no assigned IPv6 address to the namespace.
+- Remove the veth interface from the namespace.
+- Put the veth interface back into the namespace, still with an
+  explicitly assigned IPv6 link local address.
+
+When IPv6 is disabled on the bridge interface, the test passes.
+
+But, when IPv6 is enabled, the bridge gets a kernel assigned link-local
+address.
+
+Then, when re-adding the veth interface, the test generates an error in
+'osl/interface_linux.go:checkRouteConflict()'. The conflict is between
+the explicitly assigned fe80::2 on the veth, and a route for fe80::/64
+belonging to the bridge.
+
+So, in preparation for not-disabling IPv6 on these interfaces, use a
+unique-local address in the test instead of link-local.
+
+I don't think that changes the intent of the test.
+
+With the change to not-always disable IPv6, it is possible to repro the
+problem with a real container, disconnect and re-connect a user-defined
+network with '--subnet fe80::/64' while the container's connected to an
+IPv4 network. So, strictly speaking, that will be a regression.
+
+But, it's also possible to repro the problem in master, by disconnecting
+and re-connecting the fe80::/64 network while another IPv6 network is
+connected. So, I don't think it's a problem we need to address, perhaps
+other than by prohibiting '--subnet fe80::/64'.
+
+Signed-off-by: Rob Murray <rob.murray@docker.com>
+---
+ libnetwork/osl/sandbox_linux_test.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libnetwork/osl/sandbox_linux_test.go b/libnetwork/osl/sandbox_linux_test.go
+index dd1ac18275..c1c54b0627 100644
+--- a/libnetwork/osl/sandbox_linux_test.go
++++ b/libnetwork/osl/sandbox_linux_test.go
+@@ -72,7 +72,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) {
+ 	}
+ 	addr.IP = ip4
+ 
+-	ip6, addrv6, err := net.ParseCIDR("fe80::2/64")
++	ip6, addrv6, err := net.ParseCIDR("fdac:97b4:dbcc::2/64")
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -116,7 +116,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) {
+ 	return &Namespace{
+ 		iFaces: []*Interface{intf1, intf2, intf3},
+ 		gw:     net.ParseIP("192.168.1.1"),
+-		gwv6:   net.ParseIP("fe80::1"),
++		gwv6:   net.ParseIP("fdac:97b4:dbcc::1/64"),
+ 	}, nil
+ }
+ 
+-- 
+2.42.0.windows.2
+

1007-api-omit-missing-Created-field-from-ImageInspect-res.patch

@@ -0,0 +1,69 @@
+From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001
+From: Bjorn Neergaard <bjorn.neergaard@docker.com>
+Date: Mon, 26 Feb 2024 10:25:08 -0700
+Subject: [PATCH] api: omit missing Created field from ImageInspect response
+
+Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
+---
+ api/swagger.yaml    | 6 +++++-
+ api/types/types.go  | 6 +++++-
+ docs/api/v1.44.yaml | 6 +++++-
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/api/swagger.yaml b/api/swagger.yaml
+index e55a76f..350d37a 100644
+--- a/api/swagger.yaml
++++ b/api/swagger.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+         description: |
+           Date and time at which the image was created, formatted in
+           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++          This information is only available if present in the image,
++          and omitted otherwise.
+         type: "string"
+-        x-nullable: false
++        format: "dateTime"
++        x-nullable: true
+         example: "2022-02-04T21:20:12.497794809Z"
+       Container:
+         description: |
+diff --git a/api/types/types.go b/api/types/types.go
+index 5c56a0c..3c1f69a 100644
+--- a/api/types/types.go
++++ b/api/types/types.go
+@@ -72,8 +72,12 @@ type ImageInspect struct {
+ 
+ 	// Created is the date and time at which the image was created, formatted in
+ 	// RFC 3339 nano-seconds (time.RFC3339Nano).
+-	Created string
+ 
++	//
++	// This information is only available if present in the image,
++	// and omitted otherwise.
++	Created string `json:",omitempty"`
++ 
+ 	// Container is the ID of the container that was used to create the image.
+ 	//
+ 	// Depending on how the image was created, this field may be empty.
+diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml
+index e55a76f..350d37a 100644
+--- a/docs/api/v1.44.yaml
++++ b/docs/api/v1.44.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+         description: |
+           Date and time at which the image was created, formatted in
+           [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++          This information is only available if present in the image,
++          and omitted otherwise.
+         type: "string"
+-        x-nullable: false
++        format: "dateTime"
++        x-nullable: true
+         example: "2022-02-04T21:20:12.497794809Z"
+       Container:
+         description: |
+-- 
+2.41.0
+

1008-integration-Add-container-output-utility.patch

@@ -0,0 +1,51 @@
+From 9ee331235a3affa082d5cb0028351182b89fd123 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 11:14:27 +0100
+Subject: [PATCH] integration: Add container.Output utility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Extracted from https://github.com/moby/moby/commit/bfb810445c3c111478f5e0e6268ef334c38f38cf
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ integration/internal/container/container.go | 25 +++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go
+index 0974ce6bf1..dac52999ae 100644
+--- a/integration/internal/container/container.go
++++ b/integration/internal/container/container.go
+@@ -170,3 +170,28 @@ func Inspect(ctx context.Context, t *testing.T, apiClient client.APIClient, cont
+ 
+ 	return c
+ }
++
++type ContainerOutput struct {
++	Stdout, Stderr string
++}
++
++// Output waits for the container to end running and returns its output.
++func Output(ctx context.Context, client client.APIClient, id string) (ContainerOutput, error) {
++	logs, err := client.ContainerLogs(ctx, id, container.LogsOptions{Follow: true, ShowStdout: true, ShowStderr: true})
++	if err != nil {
++		return ContainerOutput{}, err
++	}
++
++	defer logs.Close()
++
++	var stdoutBuf, stderrBuf bytes.Buffer
++	_, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logs)
++	if err != nil {
++		return ContainerOutput{}, err
++	}
++
++	return ContainerOutput{
++		Stdout: stdoutBuf.String(),
++		Stderr: stderrBuf.String(),
++	}, nil
++}
+-- 
+2.33.0
+

1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch

@@ -0,0 +1,37 @@
+From a72294a6688d747dcfec8751c3e2616cad703a31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Mon, 19 Feb 2024 15:16:07 +0100
+Subject: [PATCH] mounts/validate: Don't check source exists with
+ CreateMountpoint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't error out when mount source doesn't exist and mounts has
+`CreateMountpoint` option enabled.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+(cherry picked from commit 05b883bdc836a2fd621452f58a2a2c02d253718c)
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ volume/mounts/linux_parser.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/volume/mounts/linux_parser.go b/volume/mounts/linux_parser.go
+index 1b64c23935..e7e8ad80f3 100644
+--- a/volume/mounts/linux_parser.go
++++ b/volume/mounts/linux_parser.go
+@@ -85,7 +85,9 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
+ 			if err != nil {
+ 				return &errMountConfig{mnt, err}
+ 			}
+-			if !exists {
++
++			createMountpoint := mnt.BindOptions != nil && mnt.BindOptions.CreateMountpoint
++			if !exists && !createMountpoint {
+ 				return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+ 			}
+ 		}
+-- 
+2.33.0
+

1010-fix-CVE-2024-36621.patch

@@ -0,0 +1,76 @@
+From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
+index 73120ea70b2ee..fc83058339c7b 100644
+--- a/builder/builder-next/adapters/snapshot/layer.go
++++ b/builder/builder-next/adapters/snapshot/layer.go
+@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
+ }
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	diffIDs, err := s.GetDiffIDs(ctx, key)
+ 	if err != nil {
+ 		return nil, err
+diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
+index a0d28ad984ba4..510ffefb49406 100644
+--- a/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -17,6 +17,7 @@ import (
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	"github.com/moby/buildkit/util/leaseutil"
++	"github.com/moby/locker"
+ 	"github.com/opencontainers/go-digest"
+ 	"github.com/pkg/errors"
+ 	bolt "go.etcd.io/bbolt"
+@@ -51,10 +52,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ // NewSnapshotter creates a new snapshotter
+@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 
+ 	slm := newLeaseManager(s, prevLM)

1011-fix-CVE-2024-36620.patch

@@ -0,0 +1,33 @@
+From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
+From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+Date: Fri, 19 Apr 2024 10:44:30 +0000
+Subject: [PATCH] nil dereference fix on image history Created value
+
+Issue was caused by the changes here https://github.com/moby/moby/pull/45504
+First released in v25.0.0-beta.1
+
+Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+---
+ daemon/images/image_history.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
+index 1617f8be62906..f621ceae13bc6 100644
+--- a/daemon/images/image_history.go
++++ b/daemon/images/image_history.go
+@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
+ 			layerCounter++
+ 		}
+ 
++		var created int64
++		if h.Created != nil {
++			created = h.Created.Unix()
++		}
++
+ 		history = append([]*image.HistoryResponseItem{{
+ 			ID:        "<missing>",
+-			Created:   h.Created.Unix(),
++			Created:   created,
+ 			CreatedBy: h.CreatedBy,
+ 			Comment:   h.Comment,
+ 			Size:      layerSize,

1012-fix-CVE-2024-36623.patch

@@ -0,0 +1,45 @@
+From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go
+index b0456e580dc9d..098df6b5236b9 100644
+--- a/pkg/streamformatter/streamformatter.go
++++ b/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
++	"sync"
+ 
+ 	"github.com/docker/docker/pkg/jsonmessage"
+ 	"github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ 	sf       formatProgress
+ 	out      io.Writer
+ 	newLines bool
++	mu       sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ 	}
++
++	out.mu.Lock()
++	defer out.mu.Unlock()
+ 	_, err := out.out.Write(formatted)
+ 	if err != nil {
+ 		return err

2001-tini.c-a-function-declaration-without-a-prototype-is.patch

@@ -0,0 +1,72 @@
+From a49fdd374d6d9c047e35de8b82935cc4d837e678 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Fri, 23 Sep 2022 16:31:33 +0000
+Subject: [PATCH 1/2] tini.c: a function declaration without a prototype is
+ deprecated in all versions of C
+
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:150:18: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| int isolate_child() {
+|                  ^
+|                   void
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:395:14: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| int parse_env() {
+|              ^
+|               void
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:416:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| int register_subreaper () {
+|                        ^
+|                         void
+| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:434:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+| void reaper_check () {
+|                   ^
+|                    void
+| 4 errors generated.
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ src/tini.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tini.c b/src/tini.c
+index 2c873f9..7914d3a 100644
+--- a/src/tini.c
++++ b/src/tini.c
+@@ -147,7 +147,7 @@ int restore_signals(const signal_configuration_t* const sigconf_ptr) {
+ 	return 0;
+ }
+ 
+-int isolate_child() {
++int isolate_child(void) {
+ 	// Put the child into a new process group.
+ 	if (setpgid(0, 0) < 0) {
+ 		PRINT_FATAL("setpgid failed: %s", strerror(errno));
+@@ -392,7 +392,7 @@ int parse_args(const int argc, char* const argv[], char* (**child_args_ptr_ptr)[
+ 	return 0;
+ }
+ 
+-int parse_env() {
++int parse_env(void) {
+ #if HAS_SUBREAPER
+ 	if (getenv(SUBREAPER_ENV_VAR) != NULL) {
+ 		subreaper++;
+@@ -413,7 +413,7 @@ int parse_env() {
+ 
+ 
+ #if HAS_SUBREAPER
+-int register_subreaper () {
++int register_subreaper (void) {
+ 	if (subreaper > 0) {
+ 		if (prctl(PR_SET_CHILD_SUBREAPER, 1)) {
+ 			if (errno == EINVAL) {
+@@ -431,7 +431,7 @@ int register_subreaper () {
+ #endif
+ 
+ 
+-void reaper_check () {
++void reaper_check (void) {
+ 	/* Check that we can properly reap zombies */
+ #if HAS_SUBREAPER
+ 	int bit = 0;
+-- 
+2.25.1
+

moby.spec

@@ -5,11 +5,11 @@
 %global _source_docker_init tini-0.19.0
 %define _debugsource_template %{nil}
 
-Name: 	  docker
+Name: 	  moby
 Version:  25.0.3
-Release:  8
+Release:  23
 Summary:  The open-source application container engine
-License:  ASL 2.0
+License:  Apache-2.0
 URL:	  https://www.docker.com
 # https://github.com/docker/cli/archive/refs/tags/v25.0.3.tar.gz
 Source0:  cli-%{version}.tar.gz
@@ -20,19 +20,33 @@ Source2:  tini-0.19.0.tar.gz
 Source3:  docker.service
 Source4:  docker.socket
 Source5:  docker.sysconfig
-Patch0000:  0001-fix-cve-2024-29018.patch
-Patch0001:  0002-fix-cve-2024-32473.patch
-Patch0002:  0003-add-loongarch64-seccomp-support.patch
-
-
-Requires: %{name}-engine = %{version}-%{release}
-Requires: %{name}-client = %{version}-%{release}
+# Patch 0001-0999 for cli
+Patch0001:  0001-Set-CGO_ENABLED-1-on-riscv64.patch
+# Patch 1001-1999 for moby
+Patch1001:  1001-fix-cve-2024-29018.patch
+Patch1002:  1002-fix-cve-2024-32473.patch
+Patch1003:  1003-add-loongarch64-seccomp-support.patch
+Patch1004:  1004-fix-docker-swarm-run-failed-for-loongarch64.patch
+Patch1005:  1005-CVE-2024-41110.patch
+Patch1006:  1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
+Patch1007:  1007-api-omit-missing-Created-field-from-ImageInspect-res.patch
+Patch1008:  1008-integration-Add-container-output-utility.patch
+Patch1009:  1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
+Patch1010:  1010-fix-CVE-2024-36621.patch
+Patch1011:  1011-fix-CVE-2024-36620.patch
+Patch1012:  1012-fix-CVE-2024-36623.patch
+# Patch 2001-2999 for tini
+Patch2001:  2001-tini.c-a-function-declaration-without-a-prototype-is.patch
+Requires(meta): %{name}-engine = %{version}-%{release}
+Requires(meta): %{name}-client = %{version}-%{release}
 
 # conflicting packages
 Conflicts: docker-ce
 Conflicts: docker-io
 Conflicts: docker-engine-cs
 Conflicts: docker-ee
+Obsoletes: docker < %{version}-%{release}
+Provides: docker = %{version}-%{release}
 
 %description
 Docker is a product for you to build, ship and run any application as a
@@ -41,7 +55,7 @@ lightweight container.
 %package engine
 Summary: Docker daemon binary and related utilities
 
-Requires: /usr/sbin/groupadd
+Requires(pre): /usr/sbin/groupadd
 Requires: runc
 Requires: container-selinux >= 2:2.74
 Requires: libseccomp >= 2.3
@@ -51,6 +65,7 @@ Requires: libcgroup
 Requires: containerd
 Requires: tar
 Requires: xz
+%{?systemd_requires}
 
 BuildRequires: bash
 BuildRequires: ca-certificates
@@ -72,12 +87,16 @@ BuildRequires: systemd-devel
 BuildRequires: tar
 BuildRequires: which
 BuildRequires: golang  >= 1.18.0
+Obsoletes: docker-engine < %{version}-%{release}
+Conflicts: docker-engine >= 2:18
+Requires: libnetwork = %{version}-%{release}
 
 %description engine
 Docker daemon binary and related utilities
 
 %package client
 Summary: Docker client binary and related utilities
+Obsoletes: docker-client < %{version}-%{release}
 
 Requires: /bin/sh
 BuildRequires: libtool-ltdl-devel
@@ -85,13 +104,22 @@ BuildRequires: libtool-ltdl-devel
 %description client
 Docker client binary and related utilities
 
+%package -n libnetwork
+Summary: Proxy used for docker port mapping
+Provides: docker-proxy
+Obsoletes: docker-proxy
+Conflicts: docker-engine < 25.0.3-20
+
+%description -n libnetwork
+Proxy used for docker port mapping.
+
 %prep
 %setup -q -n %{_source_client}
+%autopatch -p1 -m 0001 -M 0999
 %setup -q -T -n %{_source_engine} -b 1
-%patch0000 -p1
-%patch0001 -p1
-%patch0002 -p1
+%autopatch -p1 -m 1001 -M 1999
 %setup -q -T -n %{_source_docker_init} -b 2
+%autopatch -p1 -m 2001 -M 2999
 
 %build
 export GO111MODULE=off
@@ -100,6 +128,8 @@ export DOCKER_GITCOMMIT=%{_gitcommit_engine}
 export DOCKER_BUILDTAGS="exclude_graphdriver_btrfs"
 
 pushd %{_builddir}/%{_source_engine}
+CGO_CFLAGS="%{build_cflags}" \
+CGO_LDFLAGS="%{build_ldflags}" \
 AUTO_GOPATH=1 VERSION=%{version} PRODUCT=docker hack/make.sh dynbinary
 popd
 
@@ -167,11 +197,13 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA
 %files engine
 %config(noreplace) %{_sysconfdir}/sysconfig/docker
 %{_bindir}/dockerd
-%{_bindir}/docker-proxy
 %{_bindir}/docker-init
 %{_unitdir}/docker.service
 %{_unitdir}/docker.socket
 
+%files -n libnetwork
+%{_bindir}/docker-proxy
+
 %files client
 %{_bindir}/docker
 %{_datadir}/bash-completion/completions/docker
@@ -179,19 +211,78 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA
 %{_datadir}/fish/vendor_completions.d/docker.fish
 %doc %{_pkgdocdir}
 
-%post
-%systemd_post docker.service
+%pre engine
 if ! getent group docker > /dev/null; then
     groupadd --system docker
 fi
 
-%preun
+%post engine
+%systemd_post docker.service
+
+%preun engine
 %systemd_preun docker.service docker.socket
 
-%postun
+%postun engine
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Fri Jan 17 2025 laokz <zhangkai@iscas.ac.cn> - 25.0.3-23
+- backport cli v26.1.0 patch to fix riscv64 build error
+
+* Sat Nov 30 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-22
+- fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623
+- reorganize patches so that they could be applied automatically
+
+* Fri Nov 29 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-21
+- convert patches into unix format
+
+* Fri Nov 22 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-20
+- rename back to moby
+- split docker-proxy for docker 18 to use
+
+* Thu Nov 14 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-19
+- DESC: Resolving installation conflicts between docker-engine and libnetwork
+
+* Fri Nov 08 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-18
+- DESC: Don't check source exists with CreateMountpoint
+
+* Fri Nov 08 2024 shechenglong <shechenglong@xfusion.com> - 25.0.3-17
+- DESC: move group creation into pre section rather than post section
+        change requires into meta dependency for its actual use
+
+* Wed Nov 6 2024 sunchendong<sunchendong@xfusion.com> - 25.0.3-16
+- DESC:Add container.Output utility
+
+* Mon Nov 4 2024 sunchendong<sunchendong@xfusion.com> - 25.0.3-15
+- DESC:omit missing Created field from ImageInspect response
+
+* Thu Oct 31 2024 yaoguangzhong<yaoguangzhong@xfusion.com> - 25.0.3-14
+- DESC:backport upstream patch to fix libnetwork/osl test TestAddRemoveInterface
+
+* Tue Oct 29 2024 yaoguangzhong<yaoguangzhong@xfusion.com> - 25.0.3-13
+- DESC:modify patch number
+
+* Tue Oct 29 2024 yaoguangzhong<yaoguangzhong@xfusion.com> - 25.0.3-12
+- DESC:fix build warnings for moby.spec
+
+* Mon Sep 9 2024 tiberium <jinzhe.oerv@isrc.iscas.ac.cn> - 25.0.3-11
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:backport upstream patch to solve -Wstrict-prototypes error
+
+* Fri Jul 26 2024 zhangxianting <zhangxianting@uniontechc.om> - 25.0.3-10
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-41110
+
+* Fri Jul 12 2024 lvxiangcong <lvxiangcong@kylinos.cn> - 25.0.3-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix docker swarm run failed for loongarch64
+
 * Tue Jul 02 2024 zhangbowei<zhangbowei@kylinos.cn> - 25.0.3-8
 - Type:bugfix
 - ID:NA