diff --git a/VERSION-openeuler b/VERSION-openeuler
index 436bd5c788971570bee20be1a1b8288bcf65d545..d7576ffee724d3f5e80ec1930cd0fa736446b45c 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-18.09.0.301
+18.09.0.306
diff --git a/docker.spec b/docker.spec
index 91996f65f977bc5f1741811dfef23dae15e84bce..85f3b87ce90582a1441d59771143674b7df76e92 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
Name: docker-engine
Version: 18.09.0
-Release: 301
+Release: 306
Summary: The open-source application container engine
Group: Tools/Docker
@@ -212,6 +212,36 @@ fi
%endif
%changelog
+* Wed Jun 29 2022 zjw - 18.09.0-306
+- Type:CVE
+- CVE:CVE-2021-41092
+- SUG:NA
+- DESC:fix CVE-2021-41092
+
+* Wed Jun 29 2022 zjw - 18.09.0-305
+- Type:CVE
+- CVE:CVE-2021-41091
+- SUG:NA
+- DESC:fix CVE-2021-41091
+
+* Wed Jun 29 2022 zjw - 18.09.0-304
+- Type:CVE
+- CVE:CVE-2021-41089
+- SUG:NA
+- DESC:fix CVE-2021-41089
+
+* Wed Jun 29 2022 zjw - 18.09.0-303
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:close channel in write side to avoid panic in docker stats
+
+* Tue Jun 28 2022 zjw - 18.09.0-302
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix status inconsistent after restart container
+
* Thu Jun 16 2022 duyiwei - 18.09.0-301
- Type:bugfix
- CVE:CVE-2022-24769
diff --git a/git-commit b/git-commit
index cf37fa1e56437799761c2541f94b62dbb6dc2743..44f0e7cbbe445bfa76be6c2a66265d3896982cec 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-aa1eee89dbf55f1be74beab946d39bd5308554f6
+1d79dce8b3c1b71f07ef5ad31adfe8026080311f
diff --git a/patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch b/patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch
index 4ef7e8b921932ef28dd0496fc576f60ac7f8dde8..11eeabdcf3999cc8a467d6d277e44edfbdbe1cfe 100644
--- a/patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch
+++ b/patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch
@@ -1,33 +1,34 @@ -From a7c1bbed0aed4c9a5c67871f7506646c07c34574 Mon Sep 17 00:00:00 2001 +From ba62de1350b25ec1d85eff67bd3c8c5be98d02a7 Mon Sep 17 00:00:00 2001 From: chenjiankun -Date: Thu, 9 Dec 2021 20:58:32 +0800 +Date: Thu, 17 Mar 2022 20:18:30 +0800 Subject: [PATCH] docker: fix "endpoint with name container_xx already exists in network none" error --- - components/engine/daemon/kill.go | 9 +++++++++ - 1 file changed, 9 insertions(+) + components/engine/daemon/kill.go | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/components/engine/daemon/kill.go b/components/engine/daemon/kill.go -index 2652f7ad2..0388b16c9 100644 +index 2652f7ad2..cb0ec61d1 100644 --- a/components/engine/daemon/kill.go 
+++ b/components/engine/daemon/kill.go
-@@ -163,6 +163,15 @@ func (daemon *Daemon) Kill(container *containerpkg.Container) error {
+@@ -162,7 +162,16 @@ func (daemon *Daemon) Kill(container *containerpkg.Container) error {
+ if isErrNoSuchProcess(err) {
// there is a case where we hit here before the exit event is processed
// So let's wait the container's stop timeout amount of time to see if the event is eventually processed
- container.WaitForState(containerpkg.WaitConditionNotRunning, container.StopTimeout())
-+ // using mock exit event to handle container exit
-+ ei := libcontainerd.EventInfo{
-+ ContainerID: container.ID,
-+ ProcessID: container.ID,
-+ Pid: uint32(container.GetPID()),
-+ ExitCode: 137,
-+ ExitedAt: time.Now(),
+- container.WaitForState(containerpkg.WaitConditionNotRunning, container.StopTimeout())
++ if err := container.WaitForState(containerpkg.WaitConditionNotRunning, container.StopTimeout()); err != nil {
++ ei := libcontainerd.EventInfo{
++ ContainerID: container.ID,
++ ProcessID: container.ID,
++ Pid: uint32(container.GetPID()),
++ ExitCode: 137,
++ ExitedAt: time.Now(),
++ }
++ daemon.ProcessEvent(container.ID, libcontainerd.EventExit, ei)
+ }
return nil
}
return err
--
-2.27.0
-
+2.23.0
diff --git a/patch/0224-fix-rwlayer-umountd-after-container-restart.patch b/patch/0224-fix-rwlayer-umountd-after-container-restart.patch
new file mode 100644
index 0000000000000000000000000000000000000000..17b3e2e20b825126723c26b01c9da73c3f5fcb71
--- /dev/null
+++ b/patch/0224-fix-rwlayer-umountd-after-container-restart.patch
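Review bot: The synthetic exit event in the new `if err := container.WaitForState(...)` branch is injected for any error from WaitForState, including a plain timeout, and the error itself is discarded, so nothing records that a fabricated exit code 137 was fed to ProcessEvent for this container. Suggest logging it before the call, e.g. `logrus.WithError(err).Warnf("container %s: no exit event received, synthesizing exit", container.ID)` (kill.go appears to use logrus elsewhere; confirm the import). The event also carries `container.GetPID()` as Pid, and if the pid has already been reset to 0 by the time the wait fails, ProcessEvent's pid comparison decides the outcome, which deserves a one-line comment at the `Pid:` field. Kill's body starts and ends outside the hunk.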
@@ -0,0 +1,36 @@
+From e37f4e4f738b605fe5ea1030e39da8d723260007 Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Fri, 18 Mar 2022 11:19:28 +0800
+Subject: [PATCH] docker: fix rwlayer umountd after container restart
+
+if exit event be handled to slow, then the exit event maybe handled again.
+we need to add a check after the container lock acquired.
+---
+ components/engine/daemon/monitor.go | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/components/engine/daemon/monitor.go b/components/engine/daemon/monitor.go
+index 0aadf33fd..0bf7f0379 100644
+--- a/components/engine/daemon/monitor.go
++++ b/components/engine/daemon/monitor.go
+@@ -60,6 +60,17 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
+ if int(ei.Pid) == c.Pid {
+ logrus.Infof("handle container %s exit event pid=%d", c.ID, c.Pid)
+ c.Lock()
++
++ // ProcessEvent could be called concurrently, and will execute serial
++ // for c.Lock(), but int(ei.Pid) == c.Pid has already pass. It will cause
++ // daemon.Cleanup be called twice. This will make rwlayer umount in docker
++ // restart, get "fork/exec /proc/self/exe: no such file or directory" err.
++ // Adding this under c.Lock(), could avaid daemon.Cleanup be called again.
++ if c.Pid == 0 || int(ei.Pid) != c.Pid {
++ c.Unlock()
++ return nil
++ }
++
+ _, _, err := daemon.containerd.DeleteTask(context.Background(), c.ID)
+ if err != nil {
+ logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID)
+--
+2.23.0
+
diff --git a/patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch b/patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6376c6712331f3bc66d7a0dc3ff28048f18be6b8
--- /dev/null
+++ b/patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
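Review bot: The duplicate-delivery guard `if c.Pid == 0 || int(ei.Pid) != c.Pid` returns nil silently, so the very race the comment describes leaves no trace when it is hit; a `logrus.Debugf("ignoring stale exit event for container %s (event pid %d, current pid %d)", c.ID, ei.Pid, c.Pid)` before `c.Unlock()` would make it observable, and logrus is already used two lines above. The comment block also has typos worth fixing while here: `avaid` → `avoid`, `has already pass` → `has already passed`, `execute serial` → `execute serially`. Whether anything resets `c.Pid` to 0 after cleanup is not visible in the hunk, so the `c.Pid == 0` half of the check rests on that assumption and should say so. ProcessEvent's body continues outside the hunk.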
@@ -0,0 +1,38 @@
+From 548078b9e76e34c6994830ce35bee1c15e3c091f Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Mon, 21 Mar 2022 11:05:43 +0800
+Subject: [PATCH] docker: close channel in write side to avoid panic in docker
+ stats
+
+there is a situation when write event to chan c, chan c is close,
+and that will cause a panic. Close chan c in write side can avaid
+panic.
+---
+ components/cli/cli/command/container/stats.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/components/cli/cli/command/container/stats.go b/components/cli/cli/command/container/stats.go
+index 8387fc988..daab91627 100644
+--- a/components/cli/cli/command/container/stats.go
++++ b/components/cli/cli/command/container/stats.go
+@@ -60,6 +60,9 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
+ // monitorContainerEvents watches for container creation and removal (only
+ // used when calling `docker stats` without arguments).
+ monitorContainerEvents := func(started chan<- struct{}, c chan events.Message) {
++ // close channel in write side to avoid panic
++ defer close(c)
++
+ f := filters.NewArgs()
+ f.Add("type", "container")
+ options := types.EventsOptions{
+@@ -150,7 +153,6 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
+ eventChan := make(chan events.Message)
+ go eh.Watch(eventChan)
+ go monitorContainerEvents(started, eventChan)
+- defer close(eventChan)
+ <-started
+
+ // Start a short-lived goroutine to retrieve the initial list of
+--
+2.23.0
+
diff --git a/patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch b/patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8987975d2a377c5abb2d81ac9df2669b8de25451
--- /dev/null
+++ b/patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
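Review bot: Moving ownership of `eventChan` to the producer removes the send-on-closed-channel panic, but with `defer close(eventChan)` gone nothing in runStats terminates `monitorContainerEvents` any more, so the channel is closed only when the events stream itself ends; for a CLI command that exits with runStats this is acceptable, but the contract should be stated where the channel is created. Suggest replacing the terse `// close channel in write side to avoid panic` with `// c is closed by this goroutine once the event stream ends; the reader in eh.Watch must never close it.` and a matching one-liner above `eventChan := make(chan events.Message)`. runStats starts and ends outside the hunk, so whether a cancelable context is available to stop the watcher is not visible here.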
@@ -0,0 +1,53 @@
+From 80f1169eca587305759829e626cebd2a434664f6 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Wed, 19 May 2021 16:51:35 -0700
+Subject: [PATCH] chrootarchive: don't create parent dirsoutside of chroot
+
+If chroot is used with a special root directory then create
+destination directory within chroot. This works automatically
+already due to extractor creating parent paths and is only
+used currently with cp where parent paths are actually required
+and error will be shown to user before reaching this point.
+
+Signed-off-by: Tonis Tiigi
+(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
+Signed-off-by: Brian Goff
+
+Conflict:NA
+Reference:https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
+
+---
+ components/engine/pkg/chrootarchive/archive.go | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/chrootarchive/archive.go b/components/engine/pkg/chrootarchive/archive.go
+index 6ff61e6a7..9926b63b8 100644
+--- a/components/engine/pkg/chrootarchive/archive.go
++++ b/components/engine/pkg/chrootarchive/archive.go
+@@ -65,13 +65,17 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions
+ options.ExcludePatterns = []string{}
+ }
+
+- idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+- rootIDs := idMapping.RootPair()
++ // If dest is inside a root then directory is created within chroot by extractor.
++ // This case is only currently used by cp.
++ if dest == root {
++ idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
++ rootIDs := idMapping.RootPair()
+
+- dest = filepath.Clean(dest)
+- if _, err := os.Stat(dest); os.IsNotExist(err) {
+- if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
+- return err
++ dest = filepath.Clean(dest)
++ if _, err := os.Stat(dest); os.IsNotExist(err) {
++ if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
++ return err
++ }
+ }
+ }
+
+--
+2.30.0
+
diff --git a/patch/0227-docker-Lock-down-docker-root-dir-perms.patch b/patch/0227-docker-Lock-down-docker-root-dir-perms.patch
new file mode 100644
index 0000000000000000000000000000000000000000..093b76ca7a86c9045c87e71ab1366d1891c3d12c
--- /dev/null
+++ b/patch/0227-docker-Lock-down-docker-root-dir-perms.patch
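Review bot: The new `if dest == root` comparison runs before `dest = filepath.Clean(dest)`, which now lives inside the branch, so a caller passing root with a trailing slash or a `./` component is treated as "inside root" and the pre-creation via MkdirAllAndChownNew is skipped; whether root is always cleaned by the caller is not visible in the hunk. That miss is functional rather than security-relevant, since the fall-through leaves directory creation to the extractor inside the chroot, which is the more restrictive path, but if callers are not guaranteed to normalize, `if filepath.Clean(dest) == filepath.Clean(root) {` keeps the intent without depending on them. A short comment above the `if` saying that only the exact-root case is created on the host side, and why, would also make the security boundary explicit to the next reader. untarHandler's signature and the rest of its body are outside the hunk.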
@@ -0,0 +1,323 @@
+From 4d3147906307befb5055d668bb4d55c1f3c03286 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 9 Jun 2022 10:48:26 +0800
+Subject: [PATCH] docker: Lock down docker root dir perms.
+
+Do not use 0701 perms.
+0701 dir perms allows anyone to traverse the docker dir.
+It happens to allow any user to execute, as an example, suid binaries
+from image rootfs dirs because it allows traversal AND critically
+container users need to be able to do execute things.
+
+0701 on lower directories also happens to allow any user to modify
+ things in, for instance, the overlay upper dir which neccessarily
+ has 0755 permissions.
+
+This changes to use 0710 which allows users in the group to traverse.
+In userns mode the UID owner is (real) root and the GID is the remapped
+root's GID.
+
+This prevents anyone but the remapped root to traverse our directories
+(which is required for userns with runc).
+
+Conflict:daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
+Reference:https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64
+---
+ .../daemon/container_operations_unix.go | 2 +-
+ components/engine/daemon/create.go | 5 ++--
+ components/engine/daemon/daemon.go | 5 +++-
+ components/engine/daemon/daemon_unix.go | 13 +++++-----
+ .../engine/daemon/graphdriver/aufs/aufs.go | 13 ++++++++--
+ .../engine/daemon/graphdriver/btrfs/btrfs.go | 18 ++++++++++++--
+ .../daemon/graphdriver/overlay/overlay.go | 19 +++++++++++----
+ .../daemon/graphdriver/overlay2/overlay.go | 24 +++++++++++++++----
+ .../engine/daemon/graphdriver/vfs/driver.go | 16 +++++++++++--
+ .../engine/daemon/graphdriver/zfs/zfs.go | 11 ++++++++-
+ 10 files changed, 101 insertions(+), 25 deletions(-)
+
+diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
+index e238366c1..5c6a09ce4 100644
+--- a/components/engine/daemon/container_operations_unix.go
++++ b/components/engine/daemon/container_operations_unix.go
+@@ -425,5 +425,5 @@ func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error {
+ if err != nil {
+ return err
+ }
+- return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity())
++ return idtools.MkdirAllAndChown(p, 0710, idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID})
+ }
+diff --git a/components/engine/daemon/create.go b/components/engine/daemon/create.go
+index 4d083e703..e3dd598d4 100644
+--- a/components/engine/daemon/create.go
++++ b/components/engine/daemon/create.go
+@@ -190,10 +190,11 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
+ return nil, err
+ }
+
+- if err := idtools.MkdirAndChown(container.Root, 0701, idtools.CurrentIdentity()); err != nil {
++ current := idtools.CurrentIdentity()
++ if err := idtools.MkdirAndChown(container.Root, 0710, idtools.Identity{UID: current.UID, GID: daemon.IdentityMapping().RootPair().GID}); err != nil {
+ return nil, err
+ }
+- if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil {
++ if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, current); err != nil {
+ return nil, err
+ }
+
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index b3039abf3..5c6be8e45 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -913,7 +913,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+ }
+
+ daemonRepo := filepath.Join(config.Root, "containers")
+- if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil {
++ if err := idtools.MkdirAllAndChown(daemonRepo, 0710, idtools.Identity{
++ UID: idtools.CurrentIdentity().UID,
++ GID: rootIDs.GID,
++ }); err != nil {
+ return nil, err
+ }
+
+diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
+index 07a0aa0d5..8c21807df 100644
+--- a/components/engine/daemon/daemon_unix.go
++++ b/components/engine/daemon/daemon_unix.go
+@@ -1291,21 +1291,22 @@ func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools
+ }
+ }
+
++ id := idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: remappedRoot.GID}
++ // First make sure the current root dir has the correct perms.
++ if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil {
++ return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
++ }
++
+ // if user namespaces are enabled we will create a subtree underneath the specified root
+ // with any/all specified remapped root uid/gid options on the daemon creating
+ // a new subdirectory with ownership set to the remapped uid/gid (so as to allow
+ // `chdir()` to work for containers namespaced to that uid/gid)
+ if config.RemappedRoot != "" {
+- id := idtools.CurrentIdentity()
+- // First make sure the current root dir has the correct perms.
+- if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
+- return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
+- }
+
+ config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
+ logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
+ // Create the root directory if it doesn't exist
+- if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
++ if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil {
+ return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
+ }
+ // we also need to verify that any pre-existing directories in the path to
+diff --git a/components/engine/daemon/graphdriver/aufs/aufs.go b/components/engine/daemon/graphdriver/aufs/aufs.go
+index 4ee3682cb..f0e8e0b23 100644
+--- a/components/engine/daemon/graphdriver/aufs/aufs.go
++++ b/components/engine/daemon/graphdriver/aufs/aufs.go
+@@ -131,14 +131,23 @@ func Init(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ }
+
+ currentID := idtools.CurrentIdentity()
++ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++ if err != nil {
++ return nil, err
++ }
++ dirID := idtools.Identity{
++ UID: currentID.UID,
++ GID: rootGID,
++ }
++
+ // Create the root aufs driver dir
+- if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil {
++ if err := idtools.MkdirAllAndChown(root, 0710, dirID); err != nil {
+ return nil, err
+ }
+
+ // Populate the dir structure
+ for _, p := range paths {
+- if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil {
++ if err := idtools.MkdirAllAndChown(path.Join(root, p), 0710, dirID); err != nil {
+ return nil, err
+ }
+ }
+diff --git a/components/engine/daemon/graphdriver/btrfs/btrfs.go b/components/engine/daemon/graphdriver/btrfs/btrfs.go
+index d76e14490..35e14db0f 100644
+--- a/components/engine/daemon/graphdriver/btrfs/btrfs.go
++++ b/components/engine/daemon/graphdriver/btrfs/btrfs.go
+@@ -70,7 +70,14 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ return nil, graphdriver.ErrPrerequisites
+ }
+
+- if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
++ remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps)
++ currentID := idtools.CurrentIdentity()
++ dirID := idtools.Identity{
++ UID: currentID.UID,
++ GID: remappedRoot.RootPair().GID,
++ }
++
++ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
+ return nil, err
+ }
+
+@@ -531,7 +538,14 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+ if err != nil {
+ return err
+ }
+- if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil {
++
++ currentID := idtools.CurrentIdentity()
++ dirID := idtools.Identity{
++ UID: currentID.UID,
++ GID: rootGID,
++ }
++
++ if err := idtools.MkdirAllAndChown(subvolumes, 0710, dirID); err != nil {
+ return err
+ }
+ if parent == "" {
+diff --git a/components/engine/daemon/graphdriver/overlay/overlay.go b/components/engine/daemon/graphdriver/overlay/overlay.go
+index a9e65a35c..566c4cc9f 100644
+--- a/components/engine/daemon/graphdriver/overlay/overlay.go
++++ b/components/engine/daemon/graphdriver/overlay/overlay.go
+@@ -163,8 +163,18 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
+ }
+
++ currentID := idtools.CurrentIdentity()
++ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++ if err != nil {
++ return nil, err
++ }
++ dirID := idtools.Identity{
++ UID: currentID.UID,
++ GID: rootGID,
++ }
++
+ // Create the driver home dir
+- if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
++ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
+ return nil, err
+ }
+
+@@ -300,10 +310,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr
+ root := idtools.Identity{UID: rootUID, GID: rootGID}
+
+ currentID := idtools.CurrentIdentity()
+- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil {
+- return err
++ dirID := idtools.Identity{
++ UID: currentID.UID,
++ GID: rootGID,
+ }
+- if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil {
++ if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
+ return err
+ }
+
+diff --git a/components/engine/daemon/graphdriver/overlay2/overlay.go b/components/engine/daemon/graphdriver/overlay2/overlay.go
+index 7576320ad..3a9f5ce6e 100644
+--- a/components/engine/daemon/graphdriver/overlay2/overlay.go
++++ b/components/engine/daemon/graphdriver/overlay2/overlay.go
+@@ -197,7 +197,20 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
+ }
+
+- if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil {
++ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++ if err != nil {
++ return nil, err
++ }
++
++ cur := idtools.CurrentIdentity()
++ dirID := idtools.Identity{
++ UID: cur.UID,
++ GID: rootGID,
++ }
++ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
++ return nil, err
++ }
++ if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, cur); err != nil {
+ return nil, err
+ }
+
+@@ -424,12 +437,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
+ return err
+ }
+ root := idtools.Identity{UID: rootUID, GID: rootGID}
+- current := idtools.CurrentIdentity()
++ dirID := idtools.Identity{
++ UID: idtools.CurrentIdentity().UID,
++ GID: rootGID,
++ }
+
+- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil {
++ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil {
+ return err
+ }
+- if err := idtools.MkdirAndChown(dir, 0701, current); err != nil {
++ if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
+ return err
+ }
+
+diff --git a/components/engine/daemon/graphdriver/vfs/driver.go b/components/engine/daemon/graphdriver/vfs/driver.go
+index 15ac25199..3ced5d7a1 100644
+--- a/components/engine/daemon/graphdriver/vfs/driver.go
++++ b/components/engine/daemon/graphdriver/vfs/driver.go
+@@ -30,7 +30,15 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ home: home,
+ idMapping: idtools.NewIDMappingsFromMaps(uidMaps, gidMaps),
+ }
+- if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
++ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++ if err != nil {
++ return nil, err
++ }
++ dirID := idtools.Identity{
++ UID: idtools.CurrentIdentity().UID,
++ GID: rootGID,
++ }
++ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
+ return nil, err
+ }
+
+@@ -115,7 +123,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+ func (d *Driver) create(id, parent string, size uint64) error {
+ dir := d.dir(id)
+ rootIDs := d.idMapping.RootPair()
+- if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil {
++ dirID := idtools.Identity{
++ UID: idtools.CurrentIdentity().UID,
++ GID: rootIDs.GID,
++ }
++ if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0710, dirID); err != nil {
+ return err
+ }
+ if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
+diff --git a/components/engine/daemon/graphdriver/zfs/zfs.go b/components/engine/daemon/graphdriver/zfs/zfs.go
+index 4484c517a..944f902f6 100644
+--- a/components/engine/daemon/graphdriver/zfs/zfs.go
++++ b/components/engine/daemon/graphdriver/zfs/zfs.go
+@@ -102,7 +102,16 @@ func Init(base string, opt []string, uidMaps, gidMaps []idtools.IDMap) (graphdri
+ return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
+ }
+
+- if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil {
++ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++ if err != nil {
++ return nil, err
++ }
++
++ dirID := idtools.Identity{
++ UID: idtools.CurrentIdentity().UID,
++ GID: rootGID,
++ }
++ if err := idtools.MkdirAllAndChown(base, 0710, dirID); err != nil {
+ return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
+ }
+
+--
+2.30.0
diff --git a/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch b/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bb2da5a0e88b97f1b64ef53b6a2fc380a84cfbea
--- /dev/null
+++ b/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
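Review bot: The same nine-line block — `idtools.GetRootUIDGID(uidMaps, gidMaps)`, its error check, then `idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: rootGID}` — is repeated verbatim in the aufs, overlay, overlay2, vfs and zfs `Init` hunks, while btrfs reaches the same value through `NewIDMappingsFromMaps(...).RootPair().GID`; a single helper in idtools (for example `func CurrentIdentityWithRootGID(uidMaps, gidMaps []IDMap) (Identity, error)`) would keep the 0710 ownership rule in one place so the next driver cannot drift back to 0701. In vfs `Init` the struct literal two lines above already builds `idtools.NewIDMappingsFromMaps(uidMaps, gidMaps)`, and `create` in the same file takes the GID from `d.idMapping.RootPair()`, so the extra GetRootUIDGID call there could reuse the mapping for consistency. In `setupDaemonRoot` the new `id` with `GID: remappedRoot.GID` is now applied to config.Root even when RemappedRoot is empty, which is right only if callers pass the 0/0 pair in that case; a one-line comment at the new `id :=` stating that assumption would help. Every touched function starts and ends outside its hunk.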
@@ -0,0 +1,130 @@
+From 47b9fb37236351afc0c2e58c109a70c1432096ff Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 9 Jun 2022 10:50:43 +0800
+Subject: [PATCH] docker: registry: ensure default auth config has address
+
+Conflict:cli/command/registry.go,cli/command/registry/login.go
+Reference:https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
+---
+ components/cli/cli/command/registry.go | 12 ++++++++----
+ components/cli/cli/command/registry/login.go | 13 ++++++-------
+ components/cli/cli/command/registry_test.go | 16 +++++++++++++++-
+ 3 files changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/components/cli/cli/command/registry.go b/components/cli/cli/command/registry.go
+index c12843693..74abbfc5f 100644
+--- a/components/cli/cli/command/registry.go
++++ b/components/cli/cli/command/registry.go
+@@ -58,11 +58,11 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
+ if err != nil {
+ fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+ }
+- err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
++ err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry)
+ if err != nil {
+ return "", err
+ }
+- return EncodeAuthToBase64(*authConfig)
++ return EncodeAuthToBase64(authConfig)
+ }
+ }
+
+@@ -81,7 +81,7 @@ func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexI
+
+ // GetDefaultAuthConfig gets the default auth config given a serverAddress
+ // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
+-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
++func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {
+ if !isDefaultRegistry {
+ serverAddress = registry.ConvertToHostname(serverAddress)
+ }
+@@ -89,12 +89,16 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
+ var err error
+ if checkCredStore {
+ authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
++ if err != nil {
++ return types.AuthConfig{ServerAddress: serverAddress,}, err
++ }
+ } else {
+ authconfig = types.AuthConfig{}
+ }
+ authconfig.ServerAddress = serverAddress
+ authconfig.IdentityToken = ""
+- return &authconfig, err
++ res := types.AuthConfig(authconfig)
++ return res, err
+ }
+
+ // ConfigureAuth handles prompting of user's username and password if needed
+diff --git a/components/cli/cli/command/registry/login.go b/components/cli/cli/command/registry/login.go
+index f4f57398b..f86076c5e 100644
+--- a/components/cli/cli/command/registry/login.go
++++ b/components/cli/cli/command/registry/login.go
+@@ -111,23 +111,22 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ }
+
+ var err error
+- var authConfig *types.AuthConfig
+ var response registrytypes.AuthenticateOKBody
+ isDefaultRegistry := serverAddress == authServer
+- authConfig, err = command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
++ authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
+ if err == nil && authConfig.Username != "" && authConfig.Password != "" {
+- response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
++ response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
+ }
+ if err != nil || authConfig.Username == "" || authConfig.Password == "" {
+- err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
++ err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
+ if err != nil {
+ return err
+ }
+
+- response, err = clnt.RegistryLogin(ctx, *authConfig)
++ response, err = clnt.RegistryLogin(ctx, authConfig)
+ if err != nil && client.IsErrConnectionFailed(err) {
+ // If the server isn't responding (yet) attempt to login purely client side
+- response, err = loginClientSide(ctx, *authConfig)
++ response, err = loginClientSide(ctx, authConfig)
+ }
+ // If we (still) have an error, give up
+ if err != nil {
+@@ -149,7 +148,7 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ }
+ }
+
+- if err := creds.Store(*authConfig); err != nil {
++ if err := creds.Store(types.AuthConfig(authConfig)); err != nil {
+ return errors.Errorf("Error saving credentials: %v", err)
+ }
+
+diff --git a/components/cli/cli/command/registry_test.go b/components/cli/cli/command/registry_test.go
+index 966db86b9..a4a7fe184 100644
+--- a/components/cli/cli/command/registry_test.go
++++ b/components/cli/cli/command/registry_test.go
+@@ -144,7 +144,21 @@ func TestGetDefaultAuthConfig(t *testing.T) {
+ assert.Check(t, is.Equal(tc.expectedErr, err.Error()))
+ } else {
+ assert.NilError(t, err)
+- assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig))
++ assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig))
+ }
+ }
+ }
++
++func TestGetDefaultAuthConfig_HelperError(t *testing.T) {
++ cli := test.NewFakeCli(&fakeClient{})
++ errBuf := new(bytes.Buffer)
++ cli.SetErr(errBuf)
++ cli.ConfigFile().CredentialsStore = "fake-does-not-exist"
++ serverAddress := "test-server-address"
++ expectedAuthConfig := types.AuthConfig{
++ ServerAddress: serverAddress,
++ }
++ authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/")
++ assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig))
++ assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist"))
++}
+--
+2.30.0
+
diff --git a/series.conf b/series.conf
index 10ac7ebc34b6128d0440cbac01ad8d74d849eb3b..5033fa4c0d110a8ff592644ff152f1b53947cbb6 100644
--- a/series.conf
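Review bot: `return types.AuthConfig{ServerAddress: serverAddress,}, err` in GetDefaultAuthConfig is not gofmt-clean (trailing comma before `}` on a single line); write `return types.AuthConfig{ServerAddress: serverAddress}, err`. The conversions `res := types.AuthConfig(authconfig)` and, in login.go, `creds.Store(types.AuthConfig(authConfig))` convert a value to its own type — upstream needed them because the CLI config and API packages use distinct AuthConfig types, but here `authconfig` is already a `types.AuthConfig` (the else branch assigns `types.AuthConfig{}` to it) and `err` is known to be nil after the new early return, so `return authconfig, nil` is equivalent and clearer; the `creds.Store` conversion is likewise a no-op if login.go's `types` is the same package. In runLogin the `var err error` three lines above `authConfig, err := ...` appears redundant now, since `:=` would declare err itself if the var were dropped. The behaviour the CVE fix targets — a config that still carries ServerAddress when the credential helper fails, so credentials are not sent to the default registry by accident — is pinned by the new TestGetDefaultAuthConfig_HelperError, which is the right place for it.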
+++ b/series.conf
@@ -221,4 +221,9 @@ patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch
patch/0221-docker-fix-Up-292-years-in-status-in-docker-ps-a.patch
patch/0222-docker-Use-original-process-spec-for-execs.patch
patch/0223-docker-fix-CVE-2022-24769.patch
+patch/0224-fix-rwlayer-umountd-after-container-restart.patch
+patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
+patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
+patch/0227-docker-Lock-down-docker-root-dir-perms.patch
+patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
#end