diff --git a/backport-CVE-2024-41110.patch b/0005-CVE-2024-41110.patch
similarity index 100%
rename from backport-CVE-2024-41110.patch
rename to 0005-CVE-2024-41110.patch
diff --git a/backport-tini.c-a-function-declaration-without-a-prototype-is.patch b/0006-tini.c-a-function-declaration-without-a-prototype-is.patch
similarity index 100%
rename from backport-tini.c-a-function-declaration-without-a-prototype-is.patch
rename to 0006-tini.c-a-function-declaration-without-a-prototype-is.patch
diff --git a/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch b/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d7e75baeacdfb35876e910322b98e0ba35ec3716
--- /dev/null
+++ b/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
@@ -0,0 +1,76 @@
+From c72e458a7273bf7e542082ef2bbe3d50ca1a62dd Mon Sep 17 00:00:00 2001
+From: Rob Murray
+Date: Thu, 18 Jan 2024 21:01:41 +0000
+Subject: [PATCH] Fix libnetwork/osl test TestAddRemoveInterface
+
+For some time, when adding an interface with no IPv6 address (an
+interface to a network that does not have IPv6 enabled), we've been
+disabling IPv6 on that interface.
+
+As part of a separate change, I'm removing that logic - there's nothing
+wrong with having IPv6 enabled on an interface with no routable address.
+The difference is that the kernel will assign a link-local address.
+
+TestAddRemoveInterface does this...
+- Assign an IPv6 link-local address to one end of a veth interface, and
+ add it to a namespace.
+- Add a bridge with no assigned IPv6 address to the namespace.
+- Remove the veth interface from the namespace.
+- Put the veth interface back into the namespace, still with an
+ explicitly assigned IPv6 link local address.
+
+When IPv6 is disabled on the bridge interface, the test passes.
+
+But, when IPv6 is enabled, the bridge gets a kernel assigned link-local
+address.
+
+Then, when re-adding the veth interface, the test generates an error in
+'osl/interface_linux.go:checkRouteConflict()'. The conflict is between
+the explicitly assigned fe80::2 on the veth, and a route for fe80::/64
+belonging to the bridge.
+
+So, in preparation for not-disabling IPv6 on these interfaces, use a
+unique-local address in the test instead of link-local.
+
+I don't think that changes the intent of the test.
+
+With the change to not-always disable IPv6, it is possible to repro the
+problem with a real container, disconnect and re-connect a user-defined
+network with '--subnet fe80::/64' while the container's connected to an
+IPv4 network. So, strictly speaking, that will be a regression.
+
+But, it's also possible to repro the problem in master, by disconnecting
+and re-connecting the fe80::/64 network while another IPv6 network is
+connected. So, I don't think it's a problem we need to address, perhaps
+other than by prohibiting '--subnet fe80::/64'.
+
+Signed-off-by: Rob Murray
+---
+ libnetwork/osl/sandbox_linux_test.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libnetwork/osl/sandbox_linux_test.go b/libnetwork/osl/sandbox_linux_test.go
+index dd1ac18275..c1c54b0627 100644
+--- a/libnetwork/osl/sandbox_linux_test.go
++++ b/libnetwork/osl/sandbox_linux_test.go
+@@ -72,7 +72,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) {
+ }
+ addr.IP = ip4
+
+- ip6, addrv6, err := net.ParseCIDR("fe80::2/64")
++ ip6, addrv6, err := net.ParseCIDR("fdac:97b4:dbcc::2/64")
+ if err != nil {
+ return nil, err
+ }
+@@ -116,7 +116,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) {
+ return &Namespace{
+ iFaces: []*Interface{intf1, intf2, intf3},
+ gw: net.ParseIP("192.168.1.1"),
+- gwv6: net.ParseIP("fe80::1"),
++ gwv6: net.ParseIP("fdac:97b4:dbcc::1/64"),
+ }, nil
+ }
+
+--
+2.42.0.windows.2
+
diff --git a/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch b/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0c22e4346112677c0333c9910e9214c1b44ccb91
--- /dev/null
+++ b/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch
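Review bot: The new `gwv6: net.ParseIP("fdac:97b4:dbcc::1/64")` line in the second nested hunk of sandbox_linux_test.go passes CIDR notation to net.ParseIP, which accepts only a bare address and returns nil for a string carrying a prefix length, so the fixture's IPv6 gateway becomes nil instead of fdac:97b4:dbcc::1. The removed line used a bare `fe80::1` and the sibling `gw: net.ParseIP("192.168.1.1")` is bare as well, so the prefix is almost certainly a slip; the line should read `gwv6: net.ParseIP("fdac:97b4:dbcc::1"),`. Whether TestAddRemoveInterface still exercises the v6 gateway with a nil value cannot be told from this hunk, so the test may be passing without covering it. newInfo starts and ends outside both nested hunks.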
@@ -0,0 +1,69 @@
+From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001
+From: Bjorn Neergaard
+Date: Mon, 26 Feb 2024 10:25:08 -0700
+Subject: [PATCH] api: omit missing Created field from ImageInspect response
+
+Signed-off-by: Bjorn Neergaard
+---
+ api/swagger.yaml | 6 +++++-
+ api/types/types.go | 6 +++++-
+ docs/api/v1.44.yaml | 6 +++++-
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/api/swagger.yaml b/api/swagger.yaml
+index e55a76f..350d37a 100644
+--- a/api/swagger.yaml
++++ b/api/swagger.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+ description: |
+ Date and time at which the image was created, formatted in
+ [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++ This information is only available if present in the image,
++ and omitted otherwise.
+ type: "string"
+- x-nullable: false
++ format: "dateTime"
++ x-nullable: true
+ example: "2022-02-04T21:20:12.497794809Z"
+ Container:
+ description: |
+diff --git a/api/types/types.go b/api/types/types.go
+index 5c56a0c..3c1f69a 100644
+--- a/api/types/types.go
++++ b/api/types/types.go
+@@ -72,8 +72,12 @@ type ImageInspect struct {
+
+ // Created is the date and time at which the image was created, formatted in
+ // RFC 3339 nano-seconds (time.RFC3339Nano).
+- Created string
+
++ //
++ // This information is only available if present in the image,
++ // and omitted otherwise.
++ Created string `json:",omitempty"`
++
+ // Container is the ID of the container that was used to create the image.
+ //
+ // Depending on how the image was created, this field may be empty.
+diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml
+index e55a76f..350d37a 100644
+--- a/docs/api/v1.44.yaml
++++ b/docs/api/v1.44.yaml
+@@ -1743,8 +1743,12 @@ definitions:
+ description: |
+ Date and time at which the image was created, formatted in
+ [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
++
++ This information is only available if present in the image,
++ and omitted otherwise.
+ type: "string"
+- x-nullable: false
++ format: "dateTime"
++ x-nullable: true
+ example: "2022-02-04T21:20:12.497794809Z"
+ Container:
+ description: |
+--
+2.41.0
+
diff --git a/0009-integration-Add-container-output-utility.patch b/0009-integration-Add-container-output-utility.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d41328c04534ea3df2fa4ab535854c3761b83b9d
--- /dev/null
+++ b/0009-integration-Add-container-output-utility.patch
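Review bot: In the nested api/types/types.go hunk the context blank line sits between the removed `Created string` and the added `//` lines, so as the hunk reads the new field is preceded by `//` / `// This information is only available if present in the image,` / `// and omitted otherwise.` while the `// Created is the date and time …` sentences end up as a detached comment above a blank line; Go attaches only the comment group immediately adjacent to a declaration, so the field's doc would lose its first two lines. If that reflects the patch content rather than the rendering, the blank line belongs after the new `Created string` line with its `json:",omitempty"` tag (the hunk already adds a trailing blank there, so the old one is redundant), which also brings the stat back to 4 insertions. The two YAML hunks agree with each other and need no change.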
@@ -0,0 +1,51 @@
+From 9ee331235a3affa082d5cb0028351182b89fd123 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
+Date: Thu, 22 Feb 2024 11:14:27 +0100
+Subject: [PATCH] integration: Add container.Output utility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Extracted from https://github.com/moby/moby/commit/bfb810445c3c111478f5e0e6268ef334c38f38cf
+
+Signed-off-by: Paweł Gronowski
+---
+ integration/internal/container/container.go | 25 +++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go
+index 0974ce6bf1..dac52999ae 100644
+--- a/integration/internal/container/container.go
++++ b/integration/internal/container/container.go
+@@ -170,3 +170,28 @@ func Inspect(ctx context.Context, t *testing.T, apiClient client.APIClient, cont
+
+ return c
+ }
++
++type ContainerOutput struct {
++ Stdout, Stderr string
++}
++
++// Output waits for the container to end running and returns its output.
++func Output(ctx context.Context, client client.APIClient, id string) (ContainerOutput, error) {
++ logs, err := client.ContainerLogs(ctx, id, container.LogsOptions{Follow: true, ShowStdout: true, ShowStderr: true})
++ if err != nil {
++ return ContainerOutput{}, err
++ }
++
++ defer logs.Close()
++
++ var stdoutBuf, stderrBuf bytes.Buffer
++ _, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logs)
++ if err != nil {
++ return ContainerOutput{}, err
++ }
++
++ return ContainerOutput{
++ Stdout: stdoutBuf.String(),
++ Stderr: stderrBuf.String(),
++ }, nil
++}
+--
+2.33.0
+
diff --git a/0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch b/0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..61966eba469daef94f888da3a5544bd451a36873
--- /dev/null
+++ b/0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch
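Review bot: The exported `ContainerOutput` type added at the end of container.go has no doc comment and its name stutters with the package (`container.ContainerOutput`); a line such as `// ContainerOutput holds the stdout and stderr captured from a container's log stream.` should precede it. The `client` parameter of `Output` shadows the imported `client` package inside the body, which compiles because the package is only referenced in the signature, but the neighbouring `Inspect` visible in the hunk's context calls it `apiClient`, and matching that would keep the file consistent. The body also introduces uses of `bytes` and `stdcopy` while the hunk only appends after `Inspect`; whether container.go already imports both cannot be confirmed from here, so the backport should be built before it is applied.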
@@ -0,0 +1,37 @@
+From a72294a6688d747dcfec8751c3e2616cad703a31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
+Date: Mon, 19 Feb 2024 15:16:07 +0100
+Subject: [PATCH] mounts/validate: Don't check source exists with
+ CreateMountpoint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't error out when mount source doesn't exist and mounts has
+`CreateMountpoint` option enabled.
+
+Signed-off-by: Paweł Gronowski
+(cherry picked from commit 05b883bdc836a2fd621452f58a2a2c02d253718c)
+Signed-off-by: Paweł Gronowski
+---
+ volume/mounts/linux_parser.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/volume/mounts/linux_parser.go b/volume/mounts/linux_parser.go
+index 1b64c23935..e7e8ad80f3 100644
+--- a/volume/mounts/linux_parser.go
++++ b/volume/mounts/linux_parser.go
+@@ -85,7 +85,9 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
+ if err != nil {
+ return &errMountConfig{mnt, err}
+ }
+- if !exists {
++
++ createMountpoint := mnt.BindOptions != nil && mnt.BindOptions.CreateMountpoint
++ if !exists && !createMountpoint {
+ return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+ }
+ }
+--
+2.33.0
+
diff --git a/moby.spec b/moby.spec
index 0ec5588b1a576ff86429bcbf8aaa5826cfb5afed..c225f977185bf6cf4161f5ff61f0ac36ae63f8f3 100644
--- a/moby.spec
+++ b/moby.spec
@@ -1,3 +1,4 @@
+%undefine _missing_build_ids_terminate_build
 %global _gitcommit_engine f417435
 %global _gitcommit_cli 4debf41
 %global _source_engine moby-%{version}
@@ -5,11 +6,11 @@ %global _source_docker_init tini-0.19.0 %define _debugsource_template %{nil} -Name: docker +Name: moby Version: 25.0.3 -Release: 14 +Release: 21 Summary: The open-source application container engine -License: ASL 2.0 +License: Apache-2.0 URL: https://www.docker.com # https://github.com/docker/cli/archive/refs/tags/v25.0.3.tar.gz Source0: cli-%{version}.tar.gz
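Review bot: The new `createMountpoint` guard in validateMountConfigImpl carries no comment, so the reason a missing bind source is now accepted lives only in the commit message; a line above it such as `// With CreateMountpoint the daemon creates the missing bind source at mount time, so its absence is not a configuration error.` would keep that rationale with the code. Note that the existence lookup and its `if err != nil { return &errMountConfig{mnt, err} }` still run before the guard, so the option relaxes only the not-found outcome and not a failing lookup, which looks intentional but is worth stating in that comment. validateMountConfigImpl starts and ends outside the hunk.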
@@ -20,14 +21,16 @@ Source2: tini-0.19.0.tar.gz Source3: docker.service Source4: docker.socket Source5: docker.sysconfig -Patch0000: 0001-fix-cve-2024-29018.patch -Patch0001: 0002-fix-cve-2024-32473.patch -Patch0002: 0003-add-loongarch64-seccomp-support.patch -Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch - -Patch9000: backport-CVE-2024-41110.patch -Patch9001: backport-tini.c-a-function-declaration-without-a-prototype-is.patch - +Patch0001: 0001-fix-cve-2024-29018.patch +Patch0002: 0002-fix-cve-2024-32473.patch +Patch0003: 0003-add-loongarch64-seccomp-support.patch +Patch0004: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch +Patch0005: 0005-CVE-2024-41110.patch +Patch0006: 0006-tini.c-a-function-declaration-without-a-prototype-is.patch +Patch0007: 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch +Patch0008: 0008-api-omit-missing-Created-field-from-ImageInspect-res.patch +Patch0009: 0009-integration-Add-container-output-utility.patch +Patch0010: 0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch Requires(meta): %{name}-engine = %{version}-%{release} Requires(meta): %{name}-client = %{version}-%{release} @@ -36,6 +39,8 @@ Conflicts: docker-ce Conflicts: docker-io Conflicts: docker-engine-cs Conflicts: docker-ee +Obsoletes: docker < %{version}-%{release} +Provides: docker = %{version}-%{release} %description Docker is a product for you to build, ship and run any application as a @@ -76,12 +81,16 @@ BuildRequires: systemd-devel BuildRequires: tar BuildRequires: which BuildRequires: golang >= 1.18.0 +Obsoletes: docker-engine < %{version}-%{release} +Conflicts: docker-engine >= 2:18 +Requires: libnetwork = %{version}-%{release} %description engine Docker daemon binary and related utilities %package client Summary: Docker client binary and related utilities +Obsoletes: docker-client < %{version}-%{release} Requires: /bin/sh BuildRequires: libtool-ltdl-devel 
@@ -89,16 +98,29 @@ BuildRequires: libtool-ltdl-devel %description client Docker client binary and related utilities +%package -n libnetwork +Summary: Proxy used for docker port mapping +Provides: docker-proxy +Obsoletes: docker-proxy +Conflicts: docker-engine < 25.0.3-20 + +%description -n libnetwork +Proxy used for docker port mapping. + %prep %setup -q -n %{_source_client} %setup -q -T -n %{_source_engine} -b 1 -%patch 0000 -p1 %patch 0001 -p1 %patch 0002 -p1 %patch 0003 -p1 -%patch 9000 -p1 +%patch 0004 -p1 +%patch 0005 -p1 +%patch 0007 -p1 +%patch 0008 -p1 +%patch 0009 -p1 +%patch 0010 -p1 %setup -q -T -n %{_source_docker_init} -b 2 -%patch 9001 -p1 +%patch 0006 -p1 %build export GO111MODULE=off @@ -174,11 +196,13 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA %files engine %config(noreplace) %{_sysconfdir}/sysconfig/docker %{_bindir}/dockerd -%{_bindir}/docker-proxy %{_bindir}/docker-init %{_unitdir}/docker.service %{_unitdir}/docker.socket +%files -n libnetwork +%{_bindir}/docker-proxy + %files client %{_bindir}/docker %{_datadir}/bash-completion/completions/docker @@ -201,6 +225,12 @@ fi %systemd_postun_with_restart docker.service %changelog +* Fri Nov 29 2024 Funda Wang - 25.0.3-21 +- convert patches into unix format + +* Fri Nov 29 2024 Funda Wang - 25.0.3-20 +- sync code form 24.03-LTS-SP1 + * Wed Nov 06 2024 Funda Wang - 25.0.3-14 - Type:bugfix - ID:NA
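Review bot: The new `%package -n libnetwork` block declares `Provides: docker-proxy` and `Obsoletes: docker-proxy` without versions, so the unversioned Obsoletes will swallow any docker-proxy package of any version that ever appears in the repository, and rpmlint reports both as unversioned-explicit-provides/obsoletes. The rest of this change versions its replacements with `%{version}-%{release}`, and the same form fits here: `Provides: docker-proxy = %{version}-%{release}` and `Obsoletes: docker-proxy < %{version}-%{release}`. The hard-coded `Conflicts: docker-engine < 25.0.3-20` presumably pins the first release in which %{_bindir}/docker-proxy left the engine subpackage (the %files hunk below moves it), but a one-line `#` comment saying so would save the next maintainer from "fixing" it to the macro form.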