diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..0a80fdce31f59c062e2abba28776e9521eddff30
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.gz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..7c096aac47a876d9ff56b470c5c5f5ce191802e0
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/moby
diff --git a/1001-fix-cve-2024-29018.patch b/1001-fix-cve-2024-29018.patch
deleted file mode 100644
index 709be1f8a1a326ba0eaad69605157294c5b631c8..0000000000000000000000000000000000000000
--- a/1001-fix-cve-2024-29018.patch
+++ /dev/null
@@ -1,212 +0,0 @@ -From a9b119d4858a40936583262cb8d878036a0171dd Mon Sep 17 00:00:00 2001 -From: root -Date: Sun, 14 Apr 2024 19:46:56 +0800 -Subject: [PATCH] fix cve-2024-29018 - ---- - integration/networking/bridge_test.go | 20 +++++++++++++++----- - libnetwork/endpoint.go | 8 +++++++- - libnetwork/resolver.go | 21 +++++++++++++++++---- - libnetwork/sandbox_dns_unix.go | 5 +---- - 4 files changed, 40 insertions(+), 14 deletions(-) - -diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go -index e3d1fe2..4be3e55 100644 ---- a/integration/networking/bridge_test.go -+++ b/integration/networking/bridge_test.go -@@ -36,7 +36,8 @@ func TestBridgeICC(t *testing.T) { - name string - bridgeOpts []func(*types.NetworkCreate) - ctr1MacAddress string -- linkLocal bool -+ isIPv6 bool -+ isLinkLocal bool - pingHost string - }{ - { -@@ -55,6 +56,7 @@ func TestBridgeICC(t *testing.T) { - network.WithIPv6(), - network.WithIPAM("fdf1:a844:380c:b200::/64", "fdf1:a844:380c:b200::1"), - }, -+ isIPv6: true, - }, - { - name: "IPv6 ULA on internal network", -@@ -74,7 +76,8 @@ func TestBridgeICC(t *testing.T) { - // 2. the one dynamically assigned by the IPAM driver. - network.WithIPAM("fe80::/64", "fe80::1"), - }, -- linkLocal: true, -+ isLinkLocal: true, -+ isIPv6: true, - }, - { - name: "IPv6 link-local address on internal network", -@@ -84,7 +87,8 @@ func TestBridgeICC(t *testing.T) { - // See the note above about link-local addresses. - network.WithIPAM("fe80::/64", "fe80::1"), - }, -- linkLocal: true, -+ isLinkLocal: true, -+ isIPv6: true, - }, - { - // As for 'LL non-internal', but ping the container by name instead of by address -@@ -122,6 +126,7 @@ func TestBridgeICC(t *testing.T) { - // specify one here to hardcode the SLAAC LL address below. 
- ctr1MacAddress: "02:42:ac:11:00:02", - pingHost: "fe80::42:acff:fe11:2%eth0", -+ isIPv6: true, - }, - { - name: "IPv6 internal network with SLAAC LL address", -@@ -133,6 +138,7 @@ func TestBridgeICC(t *testing.T) { - // specify one here to hardcode the SLAAC LL address below. - ctr1MacAddress: "02:42:ac:11:00:02", - pingHost: "fe80::42:acff:fe11:2%eth0", -+ isIPv6: true, - }, - } - -@@ -162,7 +168,7 @@ func TestBridgeICC(t *testing.T) { - - pingHost := tc.pingHost - if pingHost == "" { -- if tc.linkLocal { -+ if tc.isLinkLocal { - inspect := container.Inspect(ctx, t, c, id1) - pingHost = inspect.NetworkSettings.Networks[bridgeName].GlobalIPv6Address + "%eth0" - } else { -@@ -170,7 +176,11 @@ func TestBridgeICC(t *testing.T) { - } - } - -- pingCmd := []string{"ping", "-c1", "-W3", pingHost} -+ pingCmd := []string{"ping", "-c1", "-W3"} -+ if tc.isIPv6 { -+ pingCmd = append(pingCmd, "-6") -+ } -+ pingCmd = append(pingCmd, pingHost) - - ctr2Name := fmt.Sprintf("ctr-icc-%d-2", tcID) - attachCtx, cancel := context.WithTimeout(ctx, 5*time.Second) -diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go -index d9c257d..93ddbc9 100644 ---- a/libnetwork/endpoint.go -+++ b/libnetwork/endpoint.go -@@ -538,8 +538,11 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) { - return sb.setupDefaultGW() - } - -- moveExtConn := sb.getGatewayEndpoint() != extEp -+ currentExtEp := sb.getGatewayEndpoint() -+ // Enable upstream forwarding if the sandbox gained external connectivity. 
-+ sb.resolver.SetForwardingPolicy(currentExtEp != nil) - -+ moveExtConn := currentExtEp != extEp - if moveExtConn { - if extEp != nil { - log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) -@@ -735,6 +738,9 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption) - - // New endpoint providing external connectivity for the sandbox - extEp = sb.getGatewayEndpoint() -+ // Disable upstream forwarding if the sandbox lost external connectivity. -+ sb.resolver.SetForwardingPolicy(extEp != nil) -+ - if moveExtConn && extEp != nil { - log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) - extN, err := extEp.getNetworkFromStore() -diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go -index 9df2154..6da595c 100644 ---- a/libnetwork/resolver.go -+++ b/libnetwork/resolver.go -@@ -9,6 +9,7 @@ import ( - "strconv" - "strings" - "sync" -+ "sync/atomic" - "time" - - "github.com/containerd/log" -@@ -75,7 +76,7 @@ type Resolver struct { - tcpListen *net.TCPListener - err error - listenAddress string -- proxyDNS bool -+ proxyDNS atomic.Bool - startCh chan struct{} - logger *log.Entry - -@@ -85,15 +86,17 @@ type Resolver struct { - - // NewResolver creates a new instance of the Resolver - func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver { -- return &Resolver{ -+ r := &Resolver{ - backend: backend, -- proxyDNS: proxyDNS, - listenAddress: address, - err: fmt.Errorf("setup not done yet"), - startCh: make(chan struct{}, 1), - fwdSem: semaphore.NewWeighted(maxConcurrent), - logInverval: rate.Sometimes{Interval: logInterval}, - } -+ r.proxyDNS.Store(proxyDNS) -+ -+ return r - } - - func (r *Resolver) log(ctx context.Context) *log.Entry { -@@ -103,6 +106,8 @@ func (r *Resolver) log(ctx context.Context) *log.Entry { - return r.logger - } - -+ -+ - // SetupFunc returns the setup function that should be run in the 
container's - // network namespace. - func (r *Resolver) SetupFunc(port int) func() { -@@ -194,6 +199,14 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) { - } - } - -+// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to -+// external servers. -+func (r *Resolver) SetForwardingPolicy(policy bool) { -+ if r != nil { -+ r.proxyDNS.Store(policy) -+ } -+} -+ - // NameServer returns the IP of the DNS resolver for the containers. - func (r *Resolver) NameServer() string { - return r.listenAddress -@@ -421,7 +434,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) { - return - } - -- if r.proxyDNS { -+ if r.proxyDNS.Load(){ - // If the user sets ndots > 0 explicitly and the query is - // in the root domain don't forward it out. We will return - // failure and let the client retry with the search domain -diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go -index e30f394..505c5f5 100644 ---- a/libnetwork/sandbox_dns_unix.go -+++ b/libnetwork/sandbox_dns_unix.go -@@ -30,10 +30,7 @@ const ( - func (sb *Sandbox) startResolver(restore bool) { - sb.resolverOnce.Do(func() { - var err error -- // The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to -- // an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when -- // no external connectivity is available (eg. by not setting a default gateway). -- sb.resolver = NewResolver(resolverIPSandbox, true, sb) -+ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb) - defer func() { - if err != nil { - sb.resolver = nil --- -2.27.0 - diff --git a/1002-fix-cve-2024-32473.patch b/1002-fix-cve-2024-32473.patch index 0499aba144a07fa44f7f240804acc7701e6e1f93..06edb181cba2603f7df6c83999405e9aade3e2e3 100644 --- a/1002-fix-cve-2024-32473.patch +++ b/1002-fix-cve-2024-32473.patch 
@@ -1,6 +1,6 @@ -From ed2e2bd1cb6491cc76e6681db122844400762a2e Mon Sep 17 00:00:00 2001 +From afed996c45e9cff715f74c275e3fc3096ed62f65 Mon Sep 17 00:00:00 2001 From: lvxiangcong -Date: Mon, 22 Apr 2024 10:59:42 +0800 +Date: Tue, 14 Jan 2025 19:42:39 +0800 Subject: [PATCH] fix cve-2024-32473 --- @@ -11,7 +11,7 @@ Subject: [PATCH] fix cve-2024-32473 4 files changed, 103 insertions(+), 7 deletions(-) diff --git a/integration/network/ipvlan/ipvlan_test.go b/integration/network/ipvlan/ipvlan_test.go -index 130b60d..adb42cd 100644 +index 37e3dd0..fbb225d 100644 --- a/integration/network/ipvlan/ipvlan_test.go +++ b/integration/network/ipvlan/ipvlan_test.go @@ -87,6 +87,9 @@ func TestDockerNetworkIpvlan(t *testing.T) { @@ -24,7 +24,7 @@ index 130b60d..adb42cd 100644 }, } { -@@ -438,3 +441,25 @@ func ipvlanKernelSupport(t *testing.T) bool { +@@ -420,3 +423,25 @@ func ipvlanKernelSupport(t *testing.T) bool { return ipvlanSupported } @@ -51,7 +51,7 @@ index 130b60d..adb42cd 100644 + assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) +} diff --git a/integration/network/macvlan/macvlan_test.go b/integration/network/macvlan/macvlan_test.go -index c41373c..c907ffb 100644 +index 5b0a174..fdf9ef7 100644 --- a/integration/network/macvlan/macvlan_test.go +++ b/integration/network/macvlan/macvlan_test.go @@ -71,6 +71,9 @@ func TestDockerNetworkMacvlan(t *testing.T) { @@ -64,9 +64,9 @@ index c41373c..c907ffb 100644 }, } { tc := tc -@@ -275,3 +278,29 @@ func testMacvlanAddressing(ctx context.Context, client client.APIClient) func(*t - assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abca::254 dev eth0")) - } +@@ -263,3 +266,29 @@ func testMacvlanAddressing(t *testing.T, ctx context.Context, client client.APIC + assert.NilError(t, err) + assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abca::254 dev eth0")) } + +// Check that a macvlan interface with '--ipv6=false' doesn't get kernel-assigned 
@@ -95,7 +95,7 @@ index c41373c..c907ffb 100644 + assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) +} diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go -index e3d1fe2..7dfcd28 100644 +index 6007449..1e55fb6 100644 --- a/integration/networking/bridge_test.go +++ b/integration/networking/bridge_test.go @@ -3,6 +3,7 @@ package networking @@ -106,9 +106,9 @@ index e3d1fe2..7dfcd28 100644 "testing" "time" -@@ -477,3 +478,37 @@ func TestDefaultBridgeAddresses(t *testing.T) { - }) - } +@@ -594,3 +595,37 @@ func TestInternalNwConnectivity(t *testing.T) { + assert.Check(t, is.Equal(res.ExitCode, 1)) + assert.Check(t, is.Contains(res.Stderr(), "Network is unreachable")) } + +// Check that an interface to an '--ipv6=false' network has no IPv6 @@ -181,5 +181,5 @@ index 27e079d..e559ab9 100644 func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *Interface) error { -- -2.25.1 +2.46.0 diff --git a/1003-add-loongarch64-seccomp-support.patch b/1003-add-loongarch64-seccomp-support.patch index e2b320f73ca224e4f1f7620f426abb8755db87ab..94f3027344ba52e66ce2b78b29a5ae9791f66dc2 100644 --- a/1003-add-loongarch64-seccomp-support.patch +++ b/1003-add-loongarch64-seccomp-support.patch @@ -13,13 +13,6 @@ index 8d4d211..b63bfc9 100644 } ], "syscalls": [ -@@ -810,4 +814,4 @@ - "excludes": {} - } - ] --} -\ No newline at end of file -+} diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json index c4d9110..3501693 100644 --- a/profiles/seccomp/default.json @@ -35,13 +28,6 @@ index c4d9110..3501693 100644 } ], "syscalls": [ -@@ -830,4 +834,4 @@ - } - } - ] --} -\ No newline at end of file -+} diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go index 09fb337..3834bab 100644 --- a/profiles/seccomp/default_linux.go @@ -58,19 +44,19 @@ index 09fb337..3834bab 100644 } } 
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go -index 4d8fed6..9eb0741 100644 +index 17ee350..1b08dd8 100644 --- a/profiles/seccomp/seccomp_linux.go +++ b/profiles/seccomp/seccomp_linux.go -@@ -41,6 +41,7 @@ var nativeToSeccomp = map[string]specs.Arch{ - "ppc64le": specs.ArchPPC64LE, +@@ -42,6 +42,7 @@ var nativeToSeccomp = map[string]specs.Arch{ + "riscv64": specs.ArchRISCV64, "s390": specs.ArchS390, "s390x": specs.ArchS390X, + "loong64": specs.ArchLOONGARCH64, } // GOARCH => libseccomp string -@@ -59,6 +60,7 @@ var goToNative = map[string]string{ - "ppc64le": "ppc64le", +@@ -61,6 +62,7 @@ var goToNative = map[string]string{ + "riscv64": "riscv64", "s390": "s390", "s390x": "s390x", + "loong64": "loong64", diff --git a/1005-CVE-2024-41110.patch b/1005-CVE-2024-41110.patch deleted file mode 100644 index 1af6d1e9d77dd2f39ba00c1ba4c6ecf3e861ffc9..0000000000000000000000000000000000000000 --- a/1005-CVE-2024-41110.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From 9659c3a52bac57e615b5fb49b0652baca448643e Mon Dec 1 00:00:00 2001 -From: Jameson Hyde -Date: Mon, 1 Dec 2018 09:57:10 +0800 -Subject: [PATCH] Authz plugin security fixes for 0-length content and path validation -https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919 -https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76 - -If url includes scheme, urlPath will drop hostname, which would not m… -…atch the auth check - -Signed-off-by: Sebastiaan van Stijn -Signed-off-by: Eli Uriegas - ---- - pkg/authorization/authz.go | 38 +++++++++++-- - pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++- - 2 files changed, 115 insertions(+), 7 deletions(-) - -diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go -index 1eb4431..d568a2b 100644 ---- a/pkg/authorization/authz.go -+++ b/pkg/authorization/authz.go -@@ -8,6 +8,8 @@ import ( - "io" - "mime" - "net/http" -+ "net/url" -+ "regexp" - "strings" - - "github.com/containerd/log" -@@ -53,10 +55,23 @@ type Ctx struct { - authReq *Request - } - -+func isChunked(r *http.Request) bool { -+ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked -+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") { -+ return true -+ } -+ for _, v := range r.TransferEncoding { -+ if strings.EqualFold(v, "chunked") { -+ return true -+ } -+ } -+ return false -+} -+ - // AuthZRequest authorized the request to the docker daemon using authZ plugins - func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { - var body []byte -- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { -+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize { - var err error - body, r.Body, err = drainBody(r.Body) - if err != nil { -@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r 
*http.Request) error { - if sendBody(ctx.requestURI, rm.Header()) { - ctx.authReq.ResponseBody = rm.RawBody() - } -- - for _, plugin := range ctx.plugins { - log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name()) - -@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { - return nil, newBody, err - } - -+func isAuthEndpoint(urlPath string) (bool, error) { -+ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional) -+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath) -+ if err != nil { -+ return false, err -+ } -+ return matched, nil -+} -+ - // sendBody returns true when request/response body should be sent to AuthZPlugin --func sendBody(url string, header http.Header) bool { -+func sendBody(inURL string, header http.Header) bool { -+ u, err := url.Parse(inURL) -+ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected -+ if err != nil { -+ return false -+ } -+ - // Skip body for auth endpoint -- if strings.HasSuffix(url, "/auth") { -+ isAuth, err := isAuthEndpoint(u.Path) -+ if isAuth || err != nil { - return false - } - -diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go -index c9b18d9..66b4d20 100644 ---- a/pkg/authorization/authz_unix_test.go -+++ b/pkg/authorization/authz_unix_test.go -@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) { - - func TestSendBody(t *testing.T) { - var ( -- url = "nothing.com" - testcases = []struct { -+ url string - contentType string - expected bool - }{ -@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) { - contentType: "", - expected: false, - }, -+ { -+ url: "nothing.com/auth", -+ contentType: "", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/auth?p1=test", -+ contentType: 
"application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/test?p1=/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "nothing.com/something/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "nothing.com/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "nothing.com/v1/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "www.nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "https://www.nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "http://nothing.com/v1.24/auth/test", -+ contentType: "application/json;charset=UTF8", -+ expected: false, -+ }, -+ { -+ url: "www.nothing.com/test?p1=/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "http://www.nothing.com/test?p1=/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "www.nothing.com/something/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, -+ { -+ url: "https://www.nothing.com/something/auth", -+ contentType: "application/json;charset=UTF8", -+ expected: true, -+ }, - } - ) - - for _, testcase := range testcases { - header := http.Header{} - header.Set("Content-Type", testcase.contentType) -+ if testcase.url == "" { -+ testcase.url = "nothing.com" -+ } - -- if b := sendBody(url, header); b != testcase.expected { -- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) -+ if b := sendBody(testcase.url, header); b != testcase.expected { -+ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, 
Actual: %t", testcase.url, testcase.contentType, testcase.expected, b) - } - } - } --- -2.33.0 - diff --git a/1007-api-omit-missing-Created-field-from-ImageInspect-res.patch b/1007-api-omit-missing-Created-field-from-ImageInspect-res.patch deleted file mode 100644 index 0c22e4346112677c0333c9910e9214c1b44ccb91..0000000000000000000000000000000000000000 --- a/1007-api-omit-missing-Created-field-from-ImageInspect-res.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001 -From: Bjorn Neergaard -Date: Mon, 26 Feb 2024 10:25:08 -0700 -Subject: [PATCH] api: omit missing Created field from ImageInspect response - -Signed-off-by: Bjorn Neergaard ---- - api/swagger.yaml | 6 +++++- - api/types/types.go | 6 +++++- - docs/api/v1.44.yaml | 6 +++++- - 3 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/api/swagger.yaml b/api/swagger.yaml -index e55a76f..350d37a 100644 ---- a/api/swagger.yaml -+++ b/api/swagger.yaml -@@ -1743,8 +1743,12 @@ definitions: - description: | - Date and time at which the image was created, formatted in - [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds. -+ -+ This information is only available if present in the image, -+ and omitted otherwise. - type: "string" -- x-nullable: false -+ format: "dateTime" -+ x-nullable: true - example: "2022-02-04T21:20:12.497794809Z" - Container: - description: | -diff --git a/api/types/types.go b/api/types/types.go -index 5c56a0c..3c1f69a 100644 ---- a/api/types/types.go -+++ b/api/types/types.go -@@ -72,8 +72,12 @@ type ImageInspect struct { - - // Created is the date and time at which the image was created, formatted in - // RFC 3339 nano-seconds (time.RFC3339Nano). -- Created string - -+ // -+ // This information is only available if present in the image, -+ // and omitted otherwise. -+ Created string `json:",omitempty"` -+ - // Container is the ID of the container that was used to create the image. - // - // Depending on how the image was created, this field may be empty. -diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml -index e55a76f..350d37a 100644 ---- a/docs/api/v1.44.yaml -+++ b/docs/api/v1.44.yaml -@@ -1743,8 +1743,12 @@ definitions: - description: | - Date and time at which the image was created, formatted in - [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds. 
-+ -+ This information is only available if present in the image, -+ and omitted otherwise. - type: "string" -- x-nullable: false -+ format: "dateTime" -+ x-nullable: true - example: "2022-02-04T21:20:12.497794809Z" - Container: - description: | --- -2.41.0 - diff --git a/1008-integration-Add-container-output-utility.patch b/1008-integration-Add-container-output-utility.patch deleted file mode 100644 index d41328c04534ea3df2fa4ab535854c3761b83b9d..0000000000000000000000000000000000000000 --- a/1008-integration-Add-container-output-utility.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 9ee331235a3affa082d5cb0028351182b89fd123 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= -Date: Thu, 22 Feb 2024 11:14:27 +0100 -Subject: [PATCH] integration: Add container.Output utility -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Extracted from https://github.com/moby/moby/commit/bfb810445c3c111478f5e0e6268ef334c38f38cf - -Signed-off-by: Paweł Gronowski ---- - integration/internal/container/container.go | 25 +++++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go -index 0974ce6bf1..dac52999ae 100644 ---- a/integration/internal/container/container.go -+++ b/integration/internal/container/container.go -@@ -170,3 +170,28 @@ func Inspect(ctx context.Context, t *testing.T, apiClient client.APIClient, cont - - return c - } -+ -+type ContainerOutput struct { -+ Stdout, Stderr string -+} -+ -+// Output waits for the container to end running and returns its output. -+func Output(ctx context.Context, client client.APIClient, id string) (ContainerOutput, error) { -+ logs, err := client.ContainerLogs(ctx, id, container.LogsOptions{Follow: true, ShowStdout: true, ShowStderr: true}) -+ if err != nil { -+ return ContainerOutput{}, err -+ } -+ -+ defer logs.Close() -+ -+ var stdoutBuf, stderrBuf bytes.Buffer -+ _, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logs) -+ if err != nil { -+ return ContainerOutput{}, err -+ } -+ -+ return ContainerOutput{ -+ Stdout: stdoutBuf.String(), -+ Stderr: stderrBuf.String(), -+ }, nil -+} --- -2.33.0 - diff --git a/1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch b/1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch deleted file mode 100644 index 61966eba469daef94f888da3a5544bd451a36873..0000000000000000000000000000000000000000 --- a/1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From a72294a6688d747dcfec8751c3e2616cad703a31 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= -Date: Mon, 19 Feb 2024 15:16:07 +0100 -Subject: [PATCH] mounts/validate: Don't check source exists with - CreateMountpoint -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Don't error out when mount source doesn't exist and mounts has -`CreateMountpoint` option enabled. - -Signed-off-by: Paweł Gronowski -(cherry picked from commit 05b883bdc836a2fd621452f58a2a2c02d253718c) -Signed-off-by: Paweł Gronowski ---- - volume/mounts/linux_parser.go | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/volume/mounts/linux_parser.go b/volume/mounts/linux_parser.go -index 1b64c23935..e7e8ad80f3 100644 ---- a/volume/mounts/linux_parser.go -+++ b/volume/mounts/linux_parser.go -@@ -85,7 +85,9 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour - if err != nil { - return &errMountConfig{mnt, err} - } -- if !exists { -+ -+ createMountpoint := mnt.BindOptions != nil && mnt.BindOptions.CreateMountpoint -+ if !exists && !createMountpoint { - return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)} - } - } --- -2.33.0 - diff --git a/1010-fix-CVE-2024-36621.patch b/1010-fix-CVE-2024-36621.patch deleted file mode 100644 index 2f9fe886fdc4b1a9749e8a549c423344b5895aa5..0000000000000000000000000000000000000000 --- a/1010-fix-CVE-2024-36621.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001 -From: Tonis Tiigi -Date: Wed, 6 Mar 2024 23:11:32 -0800 -Subject: [PATCH] builder-next: fix missing lock in ensurelayer - -When this was called concurrently from the moby image -exporter there could be a data race where a layer was -written to the refs map when it was already there. - -In that case the reference count got mixed up and on -release only one of these layers was actually released. - -Signed-off-by: Tonis Tiigi ---- - .../builder-next/adapters/snapshot/layer.go | 3 +++ - .../adapters/snapshot/snapshot.go | 19 +++++++++++-------- - 2 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go -index 73120ea70b2ee..fc83058339c7b 100644 ---- a/builder/builder-next/adapters/snapshot/layer.go -+++ b/builder/builder-next/adapters/snapshot/layer.go -@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI - } - - func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) { -+ s.layerCreateLocker.Lock(key) -+ defer s.layerCreateLocker.Unlock(key) -+ - diffIDs, err := s.GetDiffIDs(ctx, key) - if err != nil { - return nil, err -diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go -index a0d28ad984ba4..510ffefb49406 100644 ---- a/builder/builder-next/adapters/snapshot/snapshot.go -+++ b/builder/builder-next/adapters/snapshot/snapshot.go -@@ -17,6 +17,7 @@ import ( - "github.com/moby/buildkit/identity" - "github.com/moby/buildkit/snapshot" - "github.com/moby/buildkit/util/leaseutil" -+ "github.com/moby/locker" - "github.com/opencontainers/go-digest" - "github.com/pkg/errors" - bolt "go.etcd.io/bbolt" -@@ -51,10 +52,11 @@ type checksumCalculator interface { - type snapshotter struct { - opt Opt - -- refs map[string]layer.Layer -- db *bolt.DB 
-- mu sync.Mutex -- reg graphIDRegistrar -+ refs map[string]layer.Layer -+ db *bolt.DB -+ mu sync.Mutex -+ reg graphIDRegistrar -+ layerCreateLocker *locker.Locker - } - - // NewSnapshotter creates a new snapshotter -@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho - } - - s := &snapshotter{ -- opt: opt, -- db: db, -- refs: map[string]layer.Layer{}, -- reg: reg, -+ opt: opt, -+ db: db, -+ refs: map[string]layer.Layer{}, -+ reg: reg, -+ layerCreateLocker: locker.New(), - } - - slm := newLeaseManager(s, prevLM) diff --git a/1011-fix-CVE-2024-36620.patch b/1011-fix-CVE-2024-36620.patch deleted file mode 100644 index 2f2ca221177e82b27457bfb505ef4908f1fd9636..0000000000000000000000000000000000000000 --- a/1011-fix-CVE-2024-36620.patch +++ /dev/null @@ -1,33 +0,0 @@ -From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001 -From: Christopher Petito <47751006+krissetto@users.noreply.github.com> -Date: Fri, 19 Apr 2024 10:44:30 +0000 -Subject: [PATCH] nil dereference fix on image history Created value - -Issue was caused by the changes here https://github.com/moby/moby/pull/45504 -First released in v25.0.0-beta.1 - -Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com> ---- - daemon/images/image_history.go | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go -index 1617f8be62906..f621ceae13bc6 100644 ---- a/daemon/images/image_history.go -+++ b/daemon/images/image_history.go -@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image. - layerCounter++ - } - -+ var created int64 -+ if h.Created != nil { -+ created = h.Created.Unix() -+ } -+ - history = append([]*image.HistoryResponseItem{{ - ID: "", -- Created: h.Created.Unix(), -+ Created: created, - CreatedBy: h.CreatedBy, - Comment: h.Comment, - Size: layerSize, 
diff --git a/1012-fix-CVE-2024-36623.patch b/1012-fix-CVE-2024-36623.patch deleted file mode 100644 index 6018f33abc2b0223d5f43e78a007b5572f803f9c..0000000000000000000000000000000000000000 --- a/1012-fix-CVE-2024-36623.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= -Date: Thu, 22 Feb 2024 18:01:40 +0100 -Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Sync access to the underlying `io.Writer` with a mutex. - -Signed-off-by: Paweł Gronowski ---- - pkg/streamformatter/streamformatter.go | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go -index b0456e580dc9d..098df6b5236b9 100644 ---- a/pkg/streamformatter/streamformatter.go -+++ b/pkg/streamformatter/streamformatter.go -@@ -5,6 +5,7 @@ import ( - "encoding/json" - "fmt" - "io" -+ "sync" - - "github.com/docker/docker/pkg/jsonmessage" - "github.com/docker/docker/pkg/progress" -@@ -109,6 +110,7 @@ type progressOutput struct { - sf formatProgress - out io.Writer - newLines bool -+ mu sync.Mutex - } - - // WriteProgress formats progress information from a ProgressReader. -@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { - jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} - formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) - } -+ -+ out.mu.Lock() -+ defer out.mu.Unlock() - _, err := out.out.Write(formatted) - if err != nil { - return err diff --git a/cli-25.0.3.tar.gz b/cli-25.0.3.tar.gz deleted file mode 100644 index 9c91c25f6e6416225ffba2da9592bcf07fe277e9..0000000000000000000000000000000000000000 Binary files a/cli-25.0.3.tar.gz and /dev/null differ 
diff --git a/cli-25.0.7.tar.gz b/cli-25.0.7.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..5ddd30731d35cbde36e3b8a35243cf8755666b12
--- /dev/null
+++ b/cli-25.0.7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:95b57af62273f9c069141b78360f0e39c5662447d63de2a6a257d59750b8d5ac
+size 6881749
diff --git a/moby-25.0.3.tar.gz b/moby-25.0.3.tar.gz
deleted file mode 100644
index 2cb68b06f96515708dd778d6708a7bd9358c7720..0000000000000000000000000000000000000000
Binary files a/moby-25.0.3.tar.gz and /dev/null differ
diff --git a/moby-25.0.7.tar.gz b/moby-25.0.7.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..19882b1a6fc0b8b388554150b47d70aafe0cbb77
--- /dev/null
+++ b/moby-25.0.7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e67fbb96764fa5cde25a55a379b337a6f37307e00dc484677fcf1cadb8aedbb2
+size 15930979
diff --git a/moby.spec b/moby.spec
index 131dff0307e4e2e6fa120c9a6a62a0bdc5cfd5f7..7d0af1aac0a63b93b08e215331384bb4a050cc80 100644
--- a/moby.spec
+++ b/moby.spec
@@ -7,8 +7,8 @@ %define _debugsource_template %{nil}
 Name: moby
-Version: 25.0.3
-Release: 22
+Version: 25.0.7
+Release: 1
 Summary: The open-source application container engine
 License: Apache-2.0
 URL: https://www.docker.com
@@ -23,18 +23,10 @@ Source4: docker.socket
 Source5: docker.sysconfig
 # Patch 0001-0999 for cli
 # Patch 1001-1999 for moby
-Patch1001: 1001-fix-cve-2024-29018.patch
 Patch1002: 1002-fix-cve-2024-32473.patch
 Patch1003: 1003-add-loongarch64-seccomp-support.patch
 Patch1004: 1004-fix-docker-swarm-run-failed-for-loongarch64.patch
-Patch1005: 1005-CVE-2024-41110.patch
 Patch1006: 1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
-Patch1007: 1007-api-omit-missing-Created-field-from-ImageInspect-res.patch
-Patch1008: 1008-integration-Add-container-output-utility.patch
-Patch1009: 1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
-Patch1010: 1010-fix-CVE-2024-36621.patch
-Patch1011: 1011-fix-CVE-2024-36620.patch
-Patch1012: 1012-fix-CVE-2024-36623.patch
 # Patch 2001-2999 for tini
 Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
@@ -226,6 +218,9 @@ fi
 %systemd_postun_with_restart docker.service
 %changelog
+* Tue Jan 14 2025 Funda Wang - 25.0.7-1
+- update to 25.0.7
+
 * Sat Nov 30 2024 Funda Wang - 25.0.3-22
 - fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623
 - reorganize patches so that they could be applied automatically
diff --git a/tini-0.19.0.tar.gz b/tini-0.19.0.tar.gz
index 2966c7b53c3f8f5d0d2f18986e4955612fb14519..be118d56c90e0801c43eefbe29e114578fb84337 100644
Binary files a/tini-0.19.0.tar.gz and b/tini-0.19.0.tar.gz differ
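Review bot: The new changelog entry at the end of moby.spec records only `- update to 25.0.7`, while the Patch list in the same hunk loses the CVE backports Patch1001 (CVE-2024-29018), Patch1005 (CVE-2024-41110) and Patch1010–1012 (CVE-2024-36621, CVE-2024-36620, CVE-2024-36623) plus the non-CVE backports Patch1007–1009, so the spec no longer says why those fixes disappeared. Presumably 25.0.7 carries them upstream, which is the normal reason to drop a backport, but that should be confirmed against the upstream release before the build is published, because a backport removed without an upstream equivalent silently reopens the issue. Suggest a second bullet such as `- drop patches now included upstream: CVE-2024-29018, CVE-2024-41110, CVE-2024-36620, CVE-2024-36621, CVE-2024-36623` so the package's CVE-to-release mapping stays auditable; the same applies to the patch files deleted elsewhere in this diff. Separately, tini-0.19.0.tar.gz changes content at an unchanged version (index 2966c7b5…→be118d56…) with no changelog mention; if that is only the LFS conversion introduced by .gitattributes it is fine, otherwise the new tarball's checksum should be checked against upstream and the reason noted.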