From df6e6c3b0edf272ecbc9125a1fb2905f16fc37b9 Mon Sep 17 00:00:00 2001 From: lvxiangcong Date: Wed, 17 Apr 2024 20:55:59 +0800 Subject: [PATCH 01/16] fix CVE-2024-29018 (cherry picked from commit 3e8a821b9db8089e7333f29a5d0ba8ea1a8f51cb) --- 0001-fix-cve-2024-29018.patch | 212 ++++++++++++++++++++++++++++++++++ moby.spec | 9 +- 2 files changed, 220 insertions(+), 1 deletion(-) create mode 100644 0001-fix-cve-2024-29018.patch diff --git a/0001-fix-cve-2024-29018.patch b/0001-fix-cve-2024-29018.patch new file mode 100644 index 0000000..709be1f --- /dev/null +++ b/0001-fix-cve-2024-29018.patch 
@@ -0,0 +1,212 @@ +From a9b119d4858a40936583262cb8d878036a0171dd Mon Sep 17 00:00:00 2001 +From: root +Date: Sun, 14 Apr 2024 19:46:56 +0800 +Subject: [PATCH] fix cve-2024-29018 + +--- + integration/networking/bridge_test.go | 20 +++++++++++++++----- + libnetwork/endpoint.go | 8 +++++++- + libnetwork/resolver.go | 21 +++++++++++++++++---- + libnetwork/sandbox_dns_unix.go | 5 +---- + 4 files changed, 40 insertions(+), 14 deletions(-) + +diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go +index e3d1fe2..4be3e55 100644 +--- a/integration/networking/bridge_test.go ++++ b/integration/networking/bridge_test.go +@@ -36,7 +36,8 @@ func TestBridgeICC(t *testing.T) { + name string + bridgeOpts []func(*types.NetworkCreate) + ctr1MacAddress string +- linkLocal bool ++ isIPv6 bool ++ isLinkLocal bool + pingHost string + }{ + { +@@ -55,6 +56,7 @@ func TestBridgeICC(t *testing.T) { + network.WithIPv6(), + network.WithIPAM("fdf1:a844:380c:b200::/64", "fdf1:a844:380c:b200::1"), + }, ++ isIPv6: true, + }, + { + name: "IPv6 ULA on internal network", +@@ -74,7 +76,8 @@ func TestBridgeICC(t *testing.T) { + // 2. the one dynamically assigned by the IPAM driver. + network.WithIPAM("fe80::/64", "fe80::1"), + }, +- linkLocal: true, ++ isLinkLocal: true, ++ isIPv6: true, + }, + { + name: "IPv6 link-local address on internal network", +@@ -84,7 +87,8 @@ func TestBridgeICC(t *testing.T) { + // See the note above about link-local addresses. + network.WithIPAM("fe80::/64", "fe80::1"), + }, +- linkLocal: true, ++ isLinkLocal: true, ++ isIPv6: true, + }, + { + // As for 'LL non-internal', but ping the container by name instead of by address +@@ -122,6 +126,7 @@ func TestBridgeICC(t *testing.T) { + // specify one here to hardcode the SLAAC LL address below. 
+ ctr1MacAddress: "02:42:ac:11:00:02", + pingHost: "fe80::42:acff:fe11:2%eth0", ++ isIPv6: true, + }, + { + name: "IPv6 internal network with SLAAC LL address", +@@ -133,6 +138,7 @@ func TestBridgeICC(t *testing.T) { + // specify one here to hardcode the SLAAC LL address below. + ctr1MacAddress: "02:42:ac:11:00:02", + pingHost: "fe80::42:acff:fe11:2%eth0", ++ isIPv6: true, + }, + } + +@@ -162,7 +168,7 @@ func TestBridgeICC(t *testing.T) { + + pingHost := tc.pingHost + if pingHost == "" { +- if tc.linkLocal { ++ if tc.isLinkLocal { + inspect := container.Inspect(ctx, t, c, id1) + pingHost = inspect.NetworkSettings.Networks[bridgeName].GlobalIPv6Address + "%eth0" + } else { +@@ -170,7 +176,11 @@ func TestBridgeICC(t *testing.T) { + } + } + +- pingCmd := []string{"ping", "-c1", "-W3", pingHost} ++ pingCmd := []string{"ping", "-c1", "-W3"} ++ if tc.isIPv6 { ++ pingCmd = append(pingCmd, "-6") ++ } ++ pingCmd = append(pingCmd, pingHost) + + ctr2Name := fmt.Sprintf("ctr-icc-%d-2", tcID) + attachCtx, cancel := context.WithTimeout(ctx, 5*time.Second) +diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go +index d9c257d..93ddbc9 100644 +--- a/libnetwork/endpoint.go ++++ b/libnetwork/endpoint.go +@@ -538,8 +538,11 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) { + return sb.setupDefaultGW() + } + +- moveExtConn := sb.getGatewayEndpoint() != extEp ++ currentExtEp := sb.getGatewayEndpoint() ++ // Enable upstream forwarding if the sandbox gained external connectivity. 
++ sb.resolver.SetForwardingPolicy(currentExtEp != nil) + ++ moveExtConn := currentExtEp != extEp + if moveExtConn { + if extEp != nil { + log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) +@@ -735,6 +738,9 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption) + + // New endpoint providing external connectivity for the sandbox + extEp = sb.getGatewayEndpoint() ++ // Disable upstream forwarding if the sandbox lost external connectivity. ++ sb.resolver.SetForwardingPolicy(extEp != nil) ++ + if moveExtConn && extEp != nil { + log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID()) + extN, err := extEp.getNetworkFromStore() +diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go +index 9df2154..6da595c 100644 +--- a/libnetwork/resolver.go ++++ b/libnetwork/resolver.go +@@ -9,6 +9,7 @@ import ( + "strconv" + "strings" + "sync" ++ "sync/atomic" + "time" + + "github.com/containerd/log" +@@ -75,7 +76,7 @@ type Resolver struct { + tcpListen *net.TCPListener + err error + listenAddress string +- proxyDNS bool ++ proxyDNS atomic.Bool + startCh chan struct{} + logger *log.Entry + +@@ -85,15 +86,17 @@ type Resolver struct { + + // NewResolver creates a new instance of the Resolver + func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver { +- return &Resolver{ ++ r := &Resolver{ + backend: backend, +- proxyDNS: proxyDNS, + listenAddress: address, + err: fmt.Errorf("setup not done yet"), + startCh: make(chan struct{}, 1), + fwdSem: semaphore.NewWeighted(maxConcurrent), + logInverval: rate.Sometimes{Interval: logInterval}, + } ++ r.proxyDNS.Store(proxyDNS) ++ ++ return r + } + + func (r *Resolver) log(ctx context.Context) *log.Entry { +@@ -103,6 +106,8 @@ func (r *Resolver) log(ctx context.Context) *log.Entry { + return r.logger + } + ++ ++ + // SetupFunc returns the setup function that should be run in the 
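Review bot: The new `sb.resolver.SetForwardingPolicy(currentExtEp != nil)` in sbJoin is the whole of the CVE-2024-29018 mitigation on the join path, yet nothing in this backport exercises it: the only test change in the patch (bridge_test.go) adds `-6` to the ping command, so a regression that re-enables upstream forwarding for a sandbox attached only to an internal network would still pass the suite. An integration test that runs a container on an `--internal` network, resolves a name the embedded resolver does not own and asserts the lookup fails rather than being proxied to the host's servers would pin the behaviour. The fix also relies on `getGatewayEndpoint()` returning nil when every connected network is internal; that helper is outside the hunk, so please confirm it does. sbJoin begins before the hunk and continues after it.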
container's + // network namespace. + func (r *Resolver) SetupFunc(port int) func() { +@@ -194,6 +199,14 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) { + } + } + ++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to ++// external servers. ++func (r *Resolver) SetForwardingPolicy(policy bool) { ++ if r != nil { ++ r.proxyDNS.Store(policy) ++ } ++} ++ + // NameServer returns the IP of the DNS resolver for the containers. + func (r *Resolver) NameServer() string { + return r.listenAddress +@@ -421,7 +434,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) { + return + } + +- if r.proxyDNS { ++ if r.proxyDNS.Load(){ + // If the user sets ndots > 0 explicitly and the query is + // in the root domain don't forward it out. We will return + // failure and let the client retry with the search domain +diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go +index e30f394..505c5f5 100644 +--- a/libnetwork/sandbox_dns_unix.go ++++ b/libnetwork/sandbox_dns_unix.go +@@ -30,10 +30,7 @@ const ( + func (sb *Sandbox) startResolver(restore bool) { + sb.resolverOnce.Do(func() { + var err error +- // The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to +- // an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when +- // no external connectivity is available (eg. by not setting a default gateway). +- sb.resolver = NewResolver(resolverIPSandbox, true, sb) ++ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb) + defer func() { + if err != nil { + sb.resolver = nil +-- +2.27.0 + diff --git a/moby.spec b/moby.spec index 003227e..f7e0e33 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 1 +Release: 2 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com 
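Review bot: `if r.proxyDNS.Load(){` in serveDNS is not gofmt-clean (no space before the brace), and the `@@ -103,6 +106,8 @@` hunk of the same file inserts two consecutive blank lines before SetupFunc, which gofmt collapses to one; both will be rewritten by the next `gofmt -w` and show up as unrelated noise in a later backport. Please run gofmt on the patched file so the line reads `if r.proxyDNS.Load() {` and the stray blank lines are dropped. serveDNS continues outside the hunk.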
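Review bot: The hunk deletes the three-line comment explaining why the resolver used to be started with forwarding enabled and puts nothing in its place, so a reader of `sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)` now has to find sbJoin/sbLeave to learn that this is only the initial policy. I would add a comment such as `// Forward to external servers only while the sandbox has external connectivity (a gateway endpoint). This is the initial value; sbJoin/sbLeave update it through SetForwardingPolicy as endpoints come and go.` Since this runs under `resolverOnce`, the value is computed once per sandbox, which is exactly why the later updates matter and is worth stating. Separately, the patch header reads `From: root` and cites no upstream commit; recording the moby commit it was derived from would let the next reviewer diff it against upstream.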
@@ -20,6 +20,8 @@ Source2: tini-0.19.0.tar.gz Source3: docker.service Source4: docker.socket Source5: docker.sysconfig +Patch0000: 0001-fix-cve-2024-29018.patch + Requires: %{name}-engine = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} @@ -89,6 +91,8 @@ Docker client binary and related utilities %prep %setup -q -n %{_source_client} %setup -q -T -n %{_source_engine} -b 1 +%patch0000 -p1 + %setup -q -T -n %{_source_docker_init} -b 2 %build @@ -190,6 +194,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Wed Apr 17 2024 lvxiangcong - 25.0.3-2 +- DESC:fix cve-2024-29018 + * Tue Feb 06 2024 shechenglong - 25.0.3-1 - DESC:update to 25.0.3 -- Gitee From 7a18e272be4c5107a8e122b2a725afed7f356d0a Mon Sep 17 00:00:00 2001 From: lvxiangcong Date: Mon, 22 Apr 2024 14:55:45 +0800 Subject: [PATCH 02/16] fix CVE-2024-32473 (cherry picked from commit 8b5f202b7d73b9cfbf374e171fc33f47c4c6eae0) --- 0002-fix-cve-2024-32473.patch | 185 ++++++++++++++++++++++++++++++++++ moby.spec | 8 +- 2 files changed, 191 insertions(+), 2 deletions(-) create mode 100644 0002-fix-cve-2024-32473.patch diff --git a/0002-fix-cve-2024-32473.patch b/0002-fix-cve-2024-32473.patch new file mode 100644 index 0000000..0499aba --- /dev/null +++ b/0002-fix-cve-2024-32473.patch 
@@ -0,0 +1,185 @@ +From ed2e2bd1cb6491cc76e6681db122844400762a2e Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Mon, 22 Apr 2024 10:59:42 +0800 +Subject: [PATCH] fix cve-2024-32473 + +--- + integration/network/ipvlan/ipvlan_test.go | 25 +++++++++++++++ + integration/network/macvlan/macvlan_test.go | 29 +++++++++++++++++ + integration/networking/bridge_test.go | 35 +++++++++++++++++++++ + libnetwork/osl/interface_linux.go | 21 ++++++++----- + 4 files changed, 103 insertions(+), 7 deletions(-) + +diff --git a/integration/network/ipvlan/ipvlan_test.go b/integration/network/ipvlan/ipvlan_test.go +index 130b60d..adb42cd 100644 +--- a/integration/network/ipvlan/ipvlan_test.go ++++ b/integration/network/ipvlan/ipvlan_test.go +@@ -87,6 +87,9 @@ func TestDockerNetworkIpvlan(t *testing.T) { + }, { + name: "Addressing", + test: testIpvlanAddressing, ++ }, { ++ name: "NoIPv6", ++ test: testIpvlanNoIPv6, + }, + } { + +@@ -438,3 +441,25 @@ func ipvlanKernelSupport(t *testing.T) bool { + + return ipvlanSupported + } ++ ++// Check that an ipvlan interface with '--ipv6=false' doesn't get kernel-assigned ++// IPv6 addresses, but the loopback interface does still have an IPv6 address ('::1'). 
++func testIpvlanNoIPv6(t *testing.T, ctx context.Context, client dclient.APIClient) { ++ const netName = "ipvlannet" ++ net.CreateNoError(ctx, t, client, netName, net.WithIPvlan("", "l3")) ++ assert.Check(t, n.IsNetworkAvailable(ctx, client, netName)) ++ ++ id := container.Run(ctx, t, client, container.WithNetworkMode(netName)) ++ ++ loRes := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "lo"}) ++ assert.Check(t, is.Contains(loRes.Combined(), " inet ")) ++ assert.Check(t, is.Contains(loRes.Combined(), " inet6 ")) ++ ++ eth0Res := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "eth0"}) ++ assert.Check(t, is.Contains(eth0Res.Combined(), " inet ")) ++ assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "), ++ "result.Combined(): %s", eth0Res.Combined()) ++ ++ sysctlRes := container.ExecT(ctx, t, client, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"}) ++ assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) ++} +diff --git a/integration/network/macvlan/macvlan_test.go b/integration/network/macvlan/macvlan_test.go +index c41373c..c907ffb 100644 +--- a/integration/network/macvlan/macvlan_test.go ++++ b/integration/network/macvlan/macvlan_test.go +@@ -71,6 +71,9 @@ func TestDockerNetworkMacvlan(t *testing.T) { + }, { + name: "Addressing", + test: testMacvlanAddressing, ++ }, { ++ name: "NoIPv6", ++ test: testMacvlanNoIPv6, + }, + } { + tc := tc +@@ -275,3 +278,29 @@ func testMacvlanAddressing(ctx context.Context, client client.APIClient) func(*t + assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abca::254 dev eth0")) + } + } ++ ++// Check that a macvlan interface with '--ipv6=false' doesn't get kernel-assigned ++// IPv6 addresses, but the loopback interface does still have an IPv6 address ('::1'). 
++func testMacvlanNoIPv6(t *testing.T, ctx context.Context, client client.APIClient) { ++ const netName = "macvlannet" ++ ++ net.CreateNoError(ctx, t, client, netName, ++ net.WithMacvlan(""), ++ net.WithOption("macvlan_mode", "bridge"), ++ ) ++ assert.Check(t, n.IsNetworkAvailable(ctx, client, netName)) ++ ++ id := container.Run(ctx, t, client, container.WithNetworkMode(netName)) ++ ++ loRes := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "lo"}) ++ assert.Check(t, is.Contains(loRes.Combined(), " inet ")) ++ assert.Check(t, is.Contains(loRes.Combined(), " inet6 ")) ++ ++ eth0Res := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "eth0"}) ++ assert.Check(t, is.Contains(eth0Res.Combined(), " inet ")) ++ assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "), ++ "result.Combined(): %s", eth0Res.Combined()) ++ ++ sysctlRes := container.ExecT(ctx, t, client, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"}) ++ assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) ++} +diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go +index e3d1fe2..7dfcd28 100644 +--- a/integration/networking/bridge_test.go ++++ b/integration/networking/bridge_test.go +@@ -3,6 +3,7 @@ package networking + import ( + "context" + "fmt" ++ "strings" + "testing" + "time" + +@@ -477,3 +478,37 @@ func TestDefaultBridgeAddresses(t *testing.T) { + }) + } + } ++ ++// Check that an interface to an '--ipv6=false' network has no IPv6 ++// address - either IPAM assigned, or kernel-assigned LL, but the loopback ++// interface does still have an IPv6 address ('::1'). 
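Review bot: `func testMacvlanNoIPv6(t *testing.T, ctx context.Context, client client.APIClient)` has a different shape from its sibling shown in the hunk header, `func testMacvlanAddressing(ctx context.Context, client client.APIClient) func(*testing.T)`, yet the `@@ -71,6 +71,9 @@` hunk registers it in the same table via `test: testMacvlanNoIPv6`. If that table's `test` field has the closure-returning type the sibling uses (the declaration is outside the hunk), this file will not compile, and because the integration tests are not built by the RPM the breakage would only surface when someone runs them. The function looks like the master-branch version of the test; the 25.0 line needs the closure form, i.e. `func testMacvlanNoIPv6(ctx context.Context, client client.APIClient) func(*testing.T) {` followed by `return func(t *testing.T) {` around the existing body. The ipvlan hunk on the previous line adds `testIpvlanNoIPv6` with the same signature and presumably needs the same check.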
++func TestNonIPv6Network(t *testing.T) { ++ skip.If(t, testEnv.DaemonInfo.OSType == "windows") ++ ++ ctx := setupTest(t) ++ d := daemon.New(t) ++ d.StartWithBusybox(ctx, t) ++ defer d.Stop(t) ++ ++ c := d.NewClientT(t) ++ defer c.Close() ++ ++ const netName = "testnet" ++ network.CreateNoError(ctx, t, c, netName) ++ defer network.RemoveNoError(ctx, t, c, netName) ++ ++ id := container.Run(ctx, t, c, container.WithNetworkMode(netName)) ++ defer c.ContainerRemove(ctx, id, containertypes.RemoveOptions{Force: true}) ++ ++ loRes := container.ExecT(ctx, t, c, id, []string{"ip", "a", "show", "dev", "lo"}) ++ assert.Check(t, is.Contains(loRes.Combined(), " inet ")) ++ assert.Check(t, is.Contains(loRes.Combined(), " inet6 ")) ++ ++ eth0Res := container.ExecT(ctx, t, c, id, []string{"ip", "a", "show", "dev", "eth0"}) ++ assert.Check(t, is.Contains(eth0Res.Combined(), " inet ")) ++ assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "), ++ "result.Combined(): %s", eth0Res.Combined()) ++ ++ sysctlRes := container.ExecT(ctx, t, c, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"}) ++ assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1")) ++} +diff --git a/libnetwork/osl/interface_linux.go b/libnetwork/osl/interface_linux.go +index 27e079d..e559ab9 100644 +--- a/libnetwork/osl/interface_linux.go ++++ b/libnetwork/osl/interface_linux.go +@@ -367,17 +367,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *Interface) error + } + + func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *Interface) error { +- if i.AddressIPv6() == nil { ++ addr := i.AddressIPv6() ++ // IPv6 must be enabled on the interface if and only if the network is ++ // IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't ++ // disabled, the interface will be put into IPv6 multicast groups making ++ // it unexpectedly susceptible to NDP cache poisoning, route injection, etc. 
++ // (At present, there will always be a pre-configured IPv6 address if the ++ // network is IPv6-enabled.) ++ if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil { ++ return fmt.Errorf("failed to configure ipv6: %v", err) ++ } ++ if addr == nil { + return nil + } +- if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil { ++ if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil { + return err + } +- if err := setIPv6(i.ns.path, i.DstName(), true); err != nil { +- return fmt.Errorf("failed to enable ipv6: %v", err) +- } +- ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD} +- return nlh.AddrAdd(iface, ipAddr) ++ nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD} ++ return nlh.AddrAdd(iface, nlAddr) + } + + func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *Interface) error { +-- +2.25.1 + diff --git a/moby.spec b/moby.spec index f7e0e33..ea0399d 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 2 +Release: 3 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -21,6 +21,7 @@ Source3: docker.service Source4: docker.socket Source5: docker.sysconfig Patch0000: 0001-fix-cve-2024-29018.patch +Patch0001: 0002-fix-cve-2024-32473.patch Requires: %{name}-engine = %{version}-%{release} @@ -92,7 +93,7 @@ Docker client binary and related utilities %setup -q -n %{_source_client} %setup -q -T -n %{_source_engine} -b 1 %patch0000 -p1 - +%patch0001 -p1 %setup -q -T -n %{_source_docker_init} -b 2 %build @@ -194,6 +195,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Mon Apr 22 2024 lvxiangcong - 25.0.3-3 +- DESC:fix cve-2024-32473 + * Wed Apr 17 2024 lvxiangcong - 25.0.3-2 - DESC:fix cve-2024-29018 -- Gitee From 5539b60518c0504a797e891f0fcaa743f375e2e1 Mon Sep 17 00:00:00 2001 
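Review bot: `setIPv6(i.ns.path, i.DstName(), addr != nil)` now runs for every interface, including those on IPv4-only networks that the old code never touched, so on hosts where the kernel has IPv6 disabled (`ipv6.disable=1`, no `/proc/sys/net/ipv6/conf/<iface>/disable_ipv6`) the outcome depends on setIPv6 treating a missing sysctl as a no-op when `enable` is false; setIPv6 is outside the hunk, so please confirm it does, otherwise every IPv4-only container on such hosts fails with `failed to configure ipv6`. The wrapped error also loses the interface name and uses `%v`; `return fmt.Errorf("failed to configure ipv6 on %s: %w", i.DstName(), err)` makes the failure actionable and keeps the cause inspectable with errors.Is/As. The comment's "(At present, there will always be a pre-configured IPv6 address if the network is IPv6-enabled.)" caveat means the decision is inferred from address presence rather than from the network's IPv6 setting, which deserves a TODO so the two cannot drift apart.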
From: lvxiangcong Date: Sat, 11 May 2024 11:28:40 +0800 Subject: [PATCH 03/16] fix install error failed to docker.service does not exist (cherry picked from commit a366861d17b865c41a00a0bafa6ae5b4b35ff580) --- moby.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/moby.spec b/moby.spec index ea0399d..5346b70 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 3 +Release: 4 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -182,19 +182,22 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA %{_datadir}/fish/vendor_completions.d/docker.fish %doc %{_pkgdocdir} -%post +%post engine %systemd_post docker.service if ! getent group docker > /dev/null; then groupadd --system docker fi -%preun +%preun engine %systemd_preun docker.service docker.socket -%postun +%postun engine %systemd_postun_with_restart docker.service %changelog +* Sat May 11 2024 lvxiangcong - 25.0.3-4 +- DESC:fix install error failed to docker.service does not exit + * Mon Apr 22 2024 lvxiangcong - 25.0.3-3 - DESC:fix cve-2024-32473 -- Gitee From 88f3c32b05394bd3840ac33c90af7201d6ab55f9 Mon Sep 17 00:00:00 2001 From: wanglmb Date: Tue, 14 May 2024 09:26:27 +0000 Subject: [PATCH 04/16] clean dependency between engine and cli Signed-off-by: wanglmb (cherry picked from commit 4769668e2b15b428f18d30ff34403eb60bbe8c85) --- moby.spec | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/moby.spec b/moby.spec index 5346b70..4ff63b8 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 4 +Release: 5 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com 
@@ -42,8 +42,6 @@ lightweight container. Summary: Docker daemon binary and related utilities Requires: /usr/sbin/groupadd -Requires: %{name} = %{version}-%{release} -Requires: %{name}-client = %{version}-%{release} Requires: runc Requires: container-selinux >= 2:2.74 Requires: libseccomp >= 2.3 @@ -83,7 +81,6 @@ Docker daemon binary and related utilities Summary: Docker client binary and related utilities Requires: /bin/sh -Requires: %{name}-engine = %{version}-%{release} BuildRequires: libtool-ltdl-devel %description client @@ -182,19 +179,22 @@ install -p -m 644 %{_builddir}/%{_source_client}/{LICENSE,MAINTAINERS,NOTICE,REA %{_datadir}/fish/vendor_completions.d/docker.fish %doc %{_pkgdocdir} -%post engine +%post %systemd_post docker.service if ! getent group docker > /dev/null; then groupadd --system docker fi -%preun engine +%preun %systemd_preun docker.service docker.socket -%postun engine +%postun %systemd_postun_with_restart docker.service %changelog +* Tue May 14 2024 wanglimin - 25.0.3-5 +- DESC:clean dependency between engine and cli + * Sat May 11 2024 lvxiangcong - 25.0.3-4 - DESC:fix install error failed to docker.service does not exit -- Gitee From 8f793b0dcf0f1b9f8fd652f924423164db12f28f Mon Sep 17 00:00:00 2001 From: zhaixiaojuan Date: Sat, 15 Jun 2024 10:30:35 +0800 Subject: [PATCH 05/16] Add loongarch64 seccomp support (cherry picked from commit 1cc08b4ce3ff13624e1282c216306ac54967cea4) --- 0003-add-loongarch64-seccomp-support.patch | 91 ++++++++++++++++++++++ moby.spec | 7 +- 2 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 0003-add-loongarch64-seccomp-support.patch diff --git a/0003-add-loongarch64-seccomp-support.patch b/0003-add-loongarch64-seccomp-support.patch new file mode 100644 index 0000000..e2b320f --- /dev/null +++ b/0003-add-loongarch64-seccomp-support.patch 
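Review bot: Reverting `%post engine` to a plain `%post` while the `@@ -42,8 +42,6 @@` hunk drops `Requires: %{name} = %{version}-%{release}` from the engine subpackage means that installing `docker-engine` on its own runs neither `%systemd_post docker.service` nor `groupadd --system docker`. The engine subpackage still declares `Requires: /usr/sbin/groupadd`, which only makes sense if the groupadd scriptlet runs with it, and the `docker` group is the daemon's privilege boundary (socket access is equivalent to root), so a daemon installed without it is misconfigured from the start. If docker.service/docker.socket are shipped by the engine subpackage (the `%files` sections are outside the hunk), keep the scriptlets on `engine` as 25.0.3-4 had them, or re-add a `Requires: %{name}` on engine if the metapackage is meant to be mandatory.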
@@ -0,0 +1,91 @@ +diff --git a/oci/fixtures/default.json b/oci/fixtures/default.json +index 8d4d211..b63bfc9 100644 +--- a/oci/fixtures/default.json ++++ b/oci/fixtures/default.json +@@ -47,6 +47,10 @@ + "subArchitectures": [ + "SCMP_ARCH_S390" + ] ++ }, ++ { ++ "architecture": "SCMP_ARCH_LOONGARCH64", ++ "subArchitectures": null + } + ], + "syscalls": [ +@@ -810,4 +814,4 @@ + "excludes": {} + } + ] +-} +\ No newline at end of file ++} +diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json +index c4d9110..3501693 100644 +--- a/profiles/seccomp/default.json ++++ b/profiles/seccomp/default.json +@@ -52,6 +52,10 @@ + { + "architecture": "SCMP_ARCH_RISCV64", + "subArchitectures": null ++ }, ++ { ++ "architecture": "SCMP_ARCH_LOONGARCH64", ++ "subArchitectures": null + } + ], + "syscalls": [ +@@ -830,4 +834,4 @@ + } + } + ] +-} +\ No newline at end of file ++} +diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go +index 09fb337..3834bab 100644 +--- a/profiles/seccomp/default_linux.go ++++ b/profiles/seccomp/default_linux.go +@@ -38,6 +38,10 @@ func arches() []Architecture { + { + Arch: specs.ArchRISCV64, + SubArches: nil, ++ }, ++ { ++ Arch: specs.ArchLOONGARCH64, ++ SubArches: nil, + }, + } + } +diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go +index 4d8fed6..9eb0741 100644 +--- a/profiles/seccomp/seccomp_linux.go ++++ b/profiles/seccomp/seccomp_linux.go +@@ -41,6 +41,7 @@ var nativeToSeccomp = map[string]specs.Arch{ + "ppc64le": specs.ArchPPC64LE, + "s390": specs.ArchS390, + "s390x": specs.ArchS390X, ++ "loong64": specs.ArchLOONGARCH64, + } + + // GOARCH => libseccomp string +@@ -59,6 +60,7 @@ var goToNative = map[string]string{ + "ppc64le": "ppc64le", + "s390": "s390", + "s390x": "s390x", ++ "loong64": "loong64", + } + + // inSlice tests whether a string is contained in a slice of strings or not. 
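Review bot: Adding `"loong64": specs.ArchLOONGARCH64` to nativeToSeccomp makes dockerd emit `SCMP_ARCH_LOONGARCH64` in the profile handed to runc on loong64 hosts, but the spec's `Requires: libseccomp >= 2.3` (untouched in this series) does not guarantee a libseccomp, or a runc built against one, that knows the constant, and as far as I can tell the likely result on an older library is a failure to load the profile. Please confirm the minimum libseccomp and runc versions with LoongArch support and bump the `Requires` accordingly. The allow-list is unchanged, so it is also worth verifying that the syscalls glibc uses on loong64 (the ABI has no legacy `fstat`/`newfstatat` and relies on `statx`, plus `clone3`) are in the default profile. The edit to `vendor/github.com/opencontainers/runtime-spec/specs-go/config.go` in the same patch will be lost on the next re-vendor; bumping the vendored runtime-spec version is the durable fix.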
+diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +index 4e7717d..96e04af 100644 +--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go ++++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go +@@ -741,6 +741,7 @@ const ( + ArchPARISC Arch = "SCMP_ARCH_PARISC" + ArchPARISC64 Arch = "SCMP_ARCH_PARISC64" + ArchRISCV64 Arch = "SCMP_ARCH_RISCV64" ++ ArchLOONGARCH64 Arch = "SCMP_ARCH_LOONGARCH64" + ) + + // LinuxSeccompAction taken upon Seccomp rule match diff --git a/moby.spec b/moby.spec index 4ff63b8..73c58f3 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 5 +Release: 6 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -22,6 +22,7 @@ Source4: docker.socket Source5: docker.sysconfig Patch0000: 0001-fix-cve-2024-29018.patch Patch0001: 0002-fix-cve-2024-32473.patch +Patch0002: 0003-add-loongarch64-seccomp-support.patch Requires: %{name}-engine = %{version}-%{release} @@ -91,6 +92,7 @@ Docker client binary and related utilities %setup -q -T -n %{_source_engine} -b 1 %patch0000 -p1 %patch0001 -p1 +%patch0002 -p1 %setup -q -T -n %{_source_docker_init} -b 2 %build @@ -192,6 +194,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Fri Jun 14 2024 zhaixiaojuan - 25.0.3-6 +- DESC:add loongarch64 seccomp support + * Tue May 14 2024 wanglimin - 25.0.3-5 - DESC:clean dependency between engine and cli -- Gitee From 68aca625079ec304dbbc9cf9186cc34236395e04 Mon Sep 17 00:00:00 2001 From: shechenglong Date: Fri, 28 Jun 2024 06:46:33 +0000 Subject: [PATCH 06/16] software package name moby is changed to docker Signed-off-by: shechenglong (cherry picked from commit 57a9eb74ce4e8dadb3fe0b31c1d4d52d845352c7) --- moby.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/moby.spec b/moby.spec index 73c58f3..69cdd0b 100644 
--- a/moby.spec +++ b/moby.spec @@ -5,9 +5,9 @@ %global _source_docker_init tini-0.19.0 %define _debugsource_template %{nil} -Name: moby +Name: docker Version: 25.0.3 -Release: 6 +Release: 7 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -194,6 +194,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Fri Jun 24 2024 shechenglong - 25.0.3-7 +- DESC:software package name moby is changed to docker + * Fri Jun 14 2024 zhaixiaojuan - 25.0.3-6 - DESC:add loongarch64 seccomp support -- Gitee From 4d65aa09096e8c4e498ad72b7f39ded8df2305c1 Mon Sep 17 00:00:00 2001 From: shechenglong Date: Fri, 28 Jun 2024 07:05:32 +0000 Subject: [PATCH 07/16] software package name moby is changed to docker Signed-off-by: shechenglong (cherry picked from commit b945727b5d6ca8929d91177284511b76df2b7dc2) --- moby.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/moby.spec b/moby.spec index 69cdd0b..26d7ef3 100644 --- a/moby.spec +++ b/moby.spec @@ -194,7 +194,7 @@ fi %systemd_postun_with_restart docker.service %changelog -* Fri Jun 24 2024 shechenglong - 25.0.3-7 +* Fri Jun 28 2024 shechenglong - 25.0.3-7 - DESC:software package name moby is changed to docker * Fri Jun 14 2024 zhaixiaojuan - 25.0.3-6 -- Gitee From aceb0715f63e4a9acaef36e617b1ae469f50eb59 Mon Sep 17 00:00:00 2001 From: shechenglong Date: Fri, 28 Jun 2024 07:37:26 +0000 Subject: [PATCH 08/16] software package name moby is changed to docker Signed-off-by: shechenglong (cherry picked from commit f287400f7f2c88dbb00279cff1491d2062fbf424) --- moby.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/moby.spec b/moby.spec index 26d7ef3..6ec8481 100644 --- a/moby.spec +++ b/moby.spec @@ -31,7 +31,6 @@ Requires: %{name}-client = %{version}-%{release} # conflicting packages Conflicts: docker-ce Conflicts: docker-io -Conflicts: docker-engine Conflicts: docker-engine-cs Conflicts: docker-ee -- Gitee 
From d4078871de9750081e5ca53d9c5eab46461d5c98 Mon Sep 17 00:00:00 2001 From: bwzhang Date: Tue, 2 Jul 2024 17:25:43 +0800 Subject: [PATCH 09/16] fix bug by using docker-proxy in the source file to get better compatibility (cherry picked from commit a786aaffbbd19963c3db674d0a457f5648e41a32) --- moby.spec | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/moby.spec b/moby.spec index 6ec8481..ea4931a 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 7 +Release: 8 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -72,7 +72,6 @@ BuildRequires: systemd-devel BuildRequires: tar BuildRequires: which BuildRequires: golang >= 1.18.0 -BuildRequires: docker-proxy %description engine Docker daemon binary and related utilities @@ -135,7 +134,7 @@ ver="$(%{_builddir}/%{_source_client}/build/docker --version)"; \ install -D -p -m 0755 $(readlink -f %{_builddir}/%{_source_engine}/bundles/dynbinary-daemon/dockerd) %{buildroot}%{_bindir}/dockerd # install proxy -install -D -p -m 0755 /usr/bin/docker-proxy %{buildroot}%{_bindir}/docker-proxy +install -D -p -m 0755 %{_builddir}/%{_source_engine}/bundles/dynbinary-daemon/docker-proxy %{buildroot}%{_bindir}/docker-proxy # install tini install -D -p -m 755 %{_builddir}/%{_source_docker_init}/tini-static %{buildroot}%{_bindir}/docker-init @@ -193,6 +192,12 @@ fi %systemd_postun_with_restart docker.service %changelog +* Tue Jul 02 2024 zhangbowei - 25.0.3-8 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix bug by using docker-proxy in the source file to get better compatibility + * Fri Jun 28 2024 shechenglong - 25.0.3-7 - DESC:software package name moby is changed to docker -- Gitee From 9986014272e53e2b9c244570dec1cb11d54dc9c5 Mon Sep 17 00:00:00 2001 
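Review bot: The new `install -D -p -m 0755 %{_builddir}/%{_source_engine}/bundles/dynbinary-daemon/docker-proxy %{buildroot}%{_bindir}/docker-proxy` assumes `%build` (outside the hunk) produces docker-proxy next to dockerd; moby's dynbinary-daemon target does build `cmd/docker-proxy` in this release line as far as I know, but nothing here checks it, so please confirm the build step covers it rather than relying on install failing late. For consistency with the dockerd line directly above, which goes through `$(readlink -f ...)`, either wrap docker-proxy the same way or drop it on both — `install` dereferences symlinks itself, so the wrapper is cosmetic. Taking the binary from the source tree instead of the builder's `/usr/bin/docker-proxy` also removes a dependency on whatever happened to be installed in the build environment, which is worth saying in the changelog entry.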
From: lvxiangcong Date: Fri, 12 Jul 2024 16:56:06 +0800 Subject: [PATCH 10/16] fix-docker-swarm-run-failed-for-loongarch64 (cherry picked from commit 6a629c5cc2eed73fdf1703c5ca010d4260e2acab) --- ...ker-swarm-run-failed-for-loongarch64.patch | 30 +++++++++++++++++++ moby.spec | 10 ++++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0004-fix-docker-swarm-run-failed-for-loongarch64.patch diff --git a/0004-fix-docker-swarm-run-failed-for-loongarch64.patch b/0004-fix-docker-swarm-run-failed-for-loongarch64.patch new file mode 100644 index 0000000..97f621c --- /dev/null +++ b/0004-fix-docker-swarm-run-failed-for-loongarch64.patch @@ -0,0 +1,30 @@ +From d982ada96908ceef19f30d88ffda5e7956c2809e Mon Sep 17 00:00:00 2001 +From: Super User +Date: Wed, 10 Jul 2024 17:27:20 +0800 +Subject: [PATCH] fix docker swarm run failed for loongarch64 + +--- + .../moby/swarmkit/v2/manager/scheduler/filter.go | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go b/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go +index 4e0bb9f..97847e1 100644 +--- a/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go ++++ b/vendor/github.com/moby/swarmkit/v2/manager/scheduler/filter.go +@@ -305,6 +305,14 @@ func (f *PlatformFilter) platformEqual(imgPlatform, nodePlatform api.Platform) b + nodePlatform.Architecture = "arm64" + } + ++ // normalize "loongarch64" architectures to "loong64" ++ if imgPlatform.Architecture == "loongarch64" { ++ imgPlatform.Architecture = "loong64" ++ } ++ if nodePlatform.Architecture == "loongarch64" { ++ nodePlatform.Architecture = "loong64" ++ } ++ + if (imgPlatform.Architecture == "" || imgPlatform.Architecture == nodePlatform.Architecture) && (imgPlatform.OS == "" || imgPlatform.OS == nodePlatform.OS) { + return true + } +-- +2.43.0 diff --git a/moby.spec b/moby.spec index ea4931a..b2dc9b5 100644 --- a/moby.spec +++ b/moby.spec 
@@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 8 +Release: 9 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -23,6 +23,7 @@ Source5: docker.sysconfig Patch0000: 0001-fix-cve-2024-29018.patch Patch0001: 0002-fix-cve-2024-32473.patch Patch0002: 0003-add-loongarch64-seccomp-support.patch +Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch Requires: %{name}-engine = %{version}-%{release} @@ -91,6 +92,7 @@ Docker client binary and related utilities %patch0000 -p1 %patch0001 -p1 %patch0002 -p1 +%patch0003 -p1 %setup -q -T -n %{_source_docker_init} -b 2 %build @@ -192,6 +194,12 @@ fi %systemd_postun_with_restart docker.service %changelog +* Fri Jul 12 2024 lvxiangcong - 25.0.3-9 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix docker swarm run failed for loongarch64 + * Tue Jul 02 2024 zhangbowei - 25.0.3-8 - Type:bugfix - ID:NA -- Gitee From 3c88542e9e01644f2300a2b37f586f75547d534f Mon Sep 17 00:00:00 2001 From: zhangxianting Date: Fri, 26 Jul 2024 10:06:11 +0800 Subject: [PATCH 11/16] fix CVE-2024-41110 (cherry picked from commit 7de97fd428cf9a6a81d91683083a8b22b3dfde4e) --- backport-CVE-2024-41110.patch | 206 ++++++++++++++++++++++++++++++++++ moby.spec | 10 +- 2 files changed, 215 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-41110.patch diff --git a/backport-CVE-2024-41110.patch b/backport-CVE-2024-41110.patch new file mode 100644 index 0000000..1af6d1e --- /dev/null +++ b/backport-CVE-2024-41110.patch 
@@ -0,0 +1,206 @@ +From 9659c3a52bac57e615b5fb49b0652baca448643e Mon Dec 1 00:00:00 2001 +From: Jameson Hyde +Date: Mon, 1 Dec 2018 09:57:10 +0800 +Subject: [PATCH] Authz plugin security fixes for 0-length content and path validation +https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919 +https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76 + +If url includes scheme, urlPath will drop hostname, which would not m… +…atch the auth check + +Signed-off-by: Sebastiaan van Stijn +Signed-off-by: Eli Uriegas + +--- + pkg/authorization/authz.go | 38 +++++++++++-- + pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++- + 2 files changed, 115 insertions(+), 7 deletions(-) + +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go +index 1eb4431..d568a2b 100644 +--- a/pkg/authorization/authz.go ++++ b/pkg/authorization/authz.go +@@ -8,6 +8,8 @@ import ( + "io" + "mime" + "net/http" ++ "net/url" ++ "regexp" + "strings" + + "github.com/containerd/log" +@@ -53,10 +55,23 @@ type Ctx struct { + authReq *Request + } + ++func isChunked(r *http.Request) bool { ++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked ++ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") { ++ return true ++ } ++ for _, v := range r.TransferEncoding { ++ if strings.EqualFold(v, "chunked") { ++ return true ++ } ++ } ++ return false ++} ++ + // AuthZRequest authorized the request to the docker daemon using authZ plugins + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { + var body []byte +- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { ++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize { + var err error + body, r.Body, err = drainBody(r.Body) + if err != nil { +@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r 
*http.Request) error { + if sendBody(ctx.requestURI, rm.Header()) { + ctx.authReq.ResponseBody = rm.RawBody() + } +- + for _, plugin := range ctx.plugins { + log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name()) + +@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { + return nil, newBody, err + } + ++func isAuthEndpoint(urlPath string) (bool, error) { ++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional) ++ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath) ++ if err != nil { ++ return false, err ++ } ++ return matched, nil ++} ++ + // sendBody returns true when request/response body should be sent to AuthZPlugin +-func sendBody(url string, header http.Header) bool { ++func sendBody(inURL string, header http.Header) bool { ++ u, err := url.Parse(inURL) ++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected ++ if err != nil { ++ return false ++ } ++ + // Skip body for auth endpoint +- if strings.HasSuffix(url, "/auth") { ++ isAuth, err := isAuthEndpoint(u.Path) ++ if isAuth || err != nil { + return false + } + +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go +index c9b18d9..66b4d20 100644 +--- a/pkg/authorization/authz_unix_test.go ++++ b/pkg/authorization/authz_unix_test.go +@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) { + + func TestSendBody(t *testing.T) { + var ( +- url = "nothing.com" + testcases = []struct { ++ url string + contentType string + expected bool + }{ +@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) { + contentType: "", + expected: false, + }, ++ { ++ url: "nothing.com/auth", ++ contentType: "", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth?p1=test", ++ contentType: 
"application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "www.nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "https://www.nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "http://nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "www.nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "http://www.nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "www.nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "https://www.nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, + } + ) + + for _, testcase := range testcases { + header := http.Header{} + header.Set("Content-Type", testcase.contentType) ++ if testcase.url == "" { ++ testcase.url = "nothing.com" ++ } + +- if b := sendBody(url, header); b != testcase.expected { +- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) ++ if b := sendBody(testcase.url, header); b != testcase.expected { ++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, 
Actual: %t", testcase.url, testcase.contentType, testcase.expected, b) + } + } + } +-- +2.33.0 + diff --git a/moby.spec b/moby.spec index b2dc9b5..2ee9bf1 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 9 +Release: 10 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -25,6 +25,7 @@ Patch0001: 0002-fix-cve-2024-32473.patch Patch0002: 0003-add-loongarch64-seccomp-support.patch Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch +Patch9000: backport-CVE-2024-41110.patch Requires: %{name}-engine = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} @@ -93,6 +94,7 @@ Docker client binary and related utilities %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 +%patch9000 -p1 %setup -q -T -n %{_source_docker_init} -b 2 %build @@ -194,6 +196,12 @@ fi %systemd_postun_with_restart docker.service %changelog +* Fri Jul 26 2024 zhangxianting - 25.0.3-10 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2024-41110 + * Fri Jul 12 2024 lvxiangcong - 25.0.3-9 - Type:bugfix - ID:NA -- Gitee From d7e1a30c68af2cbe1a4cb9b616fe5f69179f7b0d Mon Sep 17 00:00:00 2001 From: tiberium Date: Mon, 9 Sep 2024 17:21:44 +0800 Subject: [PATCH 12/16] backport upstream patch to fix function declaration without a prototype(-Wstrict-prototypes) error (cherry picked from commit 706f29a8b38a56229340cf43835efde46691f4fe) --- ...n-declaration-without-a-prototype-is.patch | 72 +++++++++++++++++++ moby.spec | 10 ++- 2 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 backport-tini.c-a-function-declaration-without-a-prototype-is.patch diff --git a/backport-tini.c-a-function-declaration-without-a-prototype-is.patch b/backport-tini.c-a-function-declaration-without-a-prototype-is.patch new file mode 100644 index 0000000..f3a59ea --- /dev/null +++ b/backport-tini.c-a-function-declaration-without-a-prototype-is.patch 
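Review bot: `isAuthEndpoint` calls `regexp.MatchString`, which recompiles the pattern on every call, and `sendBody` invokes it on each authorized request; compile it once at package scope with `regexp.MustCompile` into a `var authEndpointRe` and reduce the function body to `return authEndpointRe.MatchString(urlPath), nil` (the error return then exists only to keep the signature). Separately, in `AuthZRequest` a chunked request carries `r.ContentLength == -1`, so the new `(r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize` condition no longer bounds what `drainBody` reads for chunked bodies; if `drainBody` reads to EOF (its body is mostly outside this hunk), reading through `io.LimitReader(r.Body, maxBodySize)` or failing once the read exceeds `maxBodySize` would keep chunked requests under the same cap as fixed-length ones. The bodies of `AuthZRequest`, `drainBody` and `sendBody` all continue outside the hunk.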
@@ -0,0 +1,72 @@ +From a49fdd374d6d9c047e35de8b82935cc4d837e678 Mon Sep 17 00:00:00 2001 +From: Jose Quaresma +Date: Fri, 23 Sep 2022 16:31:33 +0000 +Subject: [PATCH 1/2] tini.c: a function declaration without a prototype is + deprecated in all versions of C + +| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:150:18: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| int isolate_child() { +| ^ +| void +| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:395:14: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| int parse_env() { +| ^ +| void +| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:416:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| int register_subreaper () { +| ^ +| void +| /srv/oe/build/tmp-lmp/work/corei7-64-lmp-linux/tini/0.19.0-r0/git/src/tini.c:434:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| void reaper_check () { +| ^ +| void +| 4 errors generated. + +Signed-off-by: Jose Quaresma +--- + src/tini.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/tini.c b/src/tini.c +index 2c873f9..7914d3a 100644 +--- a/src/tini.c ++++ b/src/tini.c +@@ -147,7 +147,7 @@ int restore_signals(const signal_configuration_t* const sigconf_ptr) { + return 0; + } + +-int isolate_child() { ++int isolate_child(void) { + // Put the child into a new process group. 
+ if (setpgid(0, 0) < 0) { + PRINT_FATAL("setpgid failed: %s", strerror(errno)); +@@ -392,7 +392,7 @@ int parse_args(const int argc, char* const argv[], char* (**child_args_ptr_ptr)[ + return 0; + } + +-int parse_env() { ++int parse_env(void) { + #if HAS_SUBREAPER + if (getenv(SUBREAPER_ENV_VAR) != NULL) { + subreaper++; +@@ -413,7 +413,7 @@ int parse_env() { + + + #if HAS_SUBREAPER +-int register_subreaper () { ++int register_subreaper (void) { + if (subreaper > 0) { + if (prctl(PR_SET_CHILD_SUBREAPER, 1)) { + if (errno == EINVAL) { +@@ -431,7 +431,7 @@ int register_subreaper () { + #endif + + +-void reaper_check () { ++void reaper_check (void) { + /* Check that we can properly reap zombies */ + #if HAS_SUBREAPER + int bit = 0; +-- +2.25.1 + diff --git a/moby.spec b/moby.spec index 2ee9bf1..268e0f5 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 10 +Release: 11 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -26,6 +26,7 @@ Patch0002: 0003-add-loongarch64-seccomp-support.patch Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch Patch9000: backport-CVE-2024-41110.patch +Patch9001: backport-tini.c-a-function-declaration-without-a-prototype-is.patch Requires: %{name}-engine = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} @@ -96,6 +97,7 @@ Docker client binary and related utilities %patch0003 -p1 %patch9000 -p1 %setup -q -T -n %{_source_docker_init} -b 2 +%patch9001 -p1 %build export GO111MODULE=off @@ -196,6 +198,12 @@ fi %systemd_postun_with_restart docker.service %changelog +* Mon Sep 9 2024 tiberium - 25.0.3-11 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport upstream patch to solve -Wstrict-prototypes error + * Fri Jul 26 2024 zhangxianting - 25.0.3-10 - Type:CVE - ID:NA -- Gitee From e8023148f50a4e9c93efc08984b1aa9f761ebe25 Mon Sep 17 00:00:00 2001 
From: yaoguangzhong Date: Tue, 29 Oct 2024 20:44:32 +0800 Subject: [PATCH 13/16] fix build warnings for moby.spec Signed-off-by: Guangzhong Yao --- moby.spec | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/moby.spec b/moby.spec index 268e0f5..5edc000 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 11 +Release: 12 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -91,13 +91,13 @@ Docker client binary and related utilities %prep %setup -q -n %{_source_client} %setup -q -T -n %{_source_engine} -b 1 -%patch0000 -p1 -%patch0001 -p1 -%patch0002 -p1 -%patch0003 -p1 -%patch9000 -p1 +%patch 0000 -p1 +%patch 0001 -p1 +%patch 0002 -p1 +%patch 0003 -p1 +%patch 9000 -p1 %setup -q -T -n %{_source_docker_init} -b 2 -%patch9001 -p1 +%patch 9001 -p1 %build export GO111MODULE=off @@ -198,6 +198,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Tue Oct 29 2024 yaoguangzhong - 25.0.3-12 +- DESC:fix build warnings for moby.spec + * Mon Sep 9 2024 tiberium - 25.0.3-11 - Type:bugfix - ID:NA @@ -291,5 +294,5 @@ fi - DESC: revert any to interface{} temporarily to allow builtable with golang-1.17.x - it will be withdrawed if golang upgrade to 1.18.x in the branch -* Thu Dec 14 2022 wanglimin - 20.10.21-1 +* Wed Dec 14 2022 wanglimin - 20.10.21-1 - DESC: initial docker-20.10.21-1 -- Gitee From 83abe347acb875d182e5bfd72716e078a21bb277 Mon Sep 17 00:00:00 2001 From: yaoguangzhong Date: Tue, 29 Oct 2024 21:24:50 +0800 Subject: [PATCH 14/16] modify patch number for moby package 
Signed-off-by: Guangzhong Yao --- ...4-41110.patch => 0005-CVE-2024-41110.patch | 0 ...n-declaration-without-a-prototype-is.patch | 0 moby.spec | 24 ++++++++++--------- 3 files changed, 13 insertions(+), 11 deletions(-) rename backport-CVE-2024-41110.patch => 0005-CVE-2024-41110.patch (100%) rename backport-tini.c-a-function-declaration-without-a-prototype-is.patch => 0006-tini.c-a-function-declaration-without-a-prototype-is.patch (100%) diff --git a/backport-CVE-2024-41110.patch b/0005-CVE-2024-41110.patch similarity index 100% rename from backport-CVE-2024-41110.patch rename to 0005-CVE-2024-41110.patch diff --git a/backport-tini.c-a-function-declaration-without-a-prototype-is.patch b/0006-tini.c-a-function-declaration-without-a-prototype-is.patch similarity index 100% rename from backport-tini.c-a-function-declaration-without-a-prototype-is.patch rename to 0006-tini.c-a-function-declaration-without-a-prototype-is.patch diff --git a/moby.spec b/moby.spec index 5edc000..71c5899 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 12 +Release: 13 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com 
@@ -20,13 +20,12 @@ Source2: tini-0.19.0.tar.gz Source3: docker.service Source4: docker.socket Source5: docker.sysconfig -Patch0000: 0001-fix-cve-2024-29018.patch -Patch0001: 0002-fix-cve-2024-32473.patch -Patch0002: 0003-add-loongarch64-seccomp-support.patch -Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch - -Patch9000: backport-CVE-2024-41110.patch -Patch9001: backport-tini.c-a-function-declaration-without-a-prototype-is.patch +Patch0001: 0001-fix-cve-2024-29018.patch +Patch0002: 0002-fix-cve-2024-32473.patch +Patch0003: 0003-add-loongarch64-seccomp-support.patch +Patch0004: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch +Patch0005: 0005-CVE-2024-41110.patch +Patch0006: 0006-tini.c-a-function-declaration-without-a-prototype-is.patch Requires: %{name}-engine = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} @@ -91,13 +90,13 @@ Docker client binary and related utilities %prep %setup -q -n %{_source_client} %setup -q -T -n %{_source_engine} -b 1 -%patch 0000 -p1 %patch 0001 -p1 %patch 0002 -p1 %patch 0003 -p1 -%patch 9000 -p1 +%patch 0004 -p1 +%patch 0005 -p1 %setup -q -T -n %{_source_docker_init} -b 2 -%patch 9001 -p1 +%patch 0006 -p1 %build export GO111MODULE=off @@ -198,6 +197,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Tue Oct 29 2024 yaoguangzhong - 25.0.3-13 +- DESC:modify patch number + * Tue Oct 29 2024 yaoguangzhong - 25.0.3-12 - DESC:fix build warnings for moby.spec -- Gitee From aef69ee6a15ae89c1a6151e9ad2f8e2607e17420 Mon Sep 17 00:00:00 2001 From: yaoguangzhong Date: Thu, 31 Oct 2024 10:37:50 +0800 Subject: [PATCH 15/16] backport upstream patch to fix libnetwork/osl test TestAddRemoveInterface Signed-off-by: Guangzhong Yao --- ...work-osl-test-TestAddRemoveInterface.patch | 76 +++++++++++++++++++ moby.spec | 7 +- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch 
diff --git a/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch b/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch new file mode 100644 index 0000000..d7e75ba --- /dev/null +++ b/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch 
@@ -0,0 +1,76 @@ +From c72e458a7273bf7e542082ef2bbe3d50ca1a62dd Mon Sep 17 00:00:00 2001 +From: Rob Murray +Date: Thu, 18 Jan 2024 21:01:41 +0000 +Subject: [PATCH] Fix libnetwork/osl test TestAddRemoveInterface + +For some time, when adding an interface with no IPv6 address (an +interface to a network that does not have IPv6 enabled), we've been +disabling IPv6 on that interface. + +As part of a separate change, I'm removing that logic - there's nothing +wrong with having IPv6 enabled on an interface with no routable address. +The difference is that the kernel will assign a link-local address. + +TestAddRemoveInterface does this... +- Assign an IPv6 link-local address to one end of a veth interface, and + add it to a namespace. +- Add a bridge with no assigned IPv6 address to the namespace. +- Remove the veth interface from the namespace. +- Put the veth interface back into the namespace, still with an + explicitly assigned IPv6 link local address. + +When IPv6 is disabled on the bridge interface, the test passes. + +But, when IPv6 is enabled, the bridge gets a kernel assigned link-local +address. + +Then, when re-adding the veth interface, the test generates an error in +'osl/interface_linux.go:checkRouteConflict()'. The conflict is between +the explicitly assigned fe80::2 on the veth, and a route for fe80::/64 +belonging to the bridge. + +So, in preparation for not-disabling IPv6 on these interfaces, use a +unique-local address in the test instead of link-local. + +I don't think that changes the intent of the test. + +With the change to not-always disable IPv6, it is possible to repro the +problem with a real container, disconnect and re-connect a user-defined +network with '--subnet fe80::/64' while the container's connected to an +IPv4 network. So, strictly speaking, that will be a regression. + +But, it's also possible to repro the problem in master, by disconnecting +and re-connecting the fe80::/64 network while another IPv6 network is +connected. 
So, I don't think it's a problem we need to address, perhaps +other than by prohibiting '--subnet fe80::/64'. + +Signed-off-by: Rob Murray +--- + libnetwork/osl/sandbox_linux_test.go | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libnetwork/osl/sandbox_linux_test.go b/libnetwork/osl/sandbox_linux_test.go +index dd1ac18275..c1c54b0627 100644 +--- a/libnetwork/osl/sandbox_linux_test.go ++++ b/libnetwork/osl/sandbox_linux_test.go +@@ -72,7 +72,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) { + } + addr.IP = ip4 + +- ip6, addrv6, err := net.ParseCIDR("fe80::2/64") ++ ip6, addrv6, err := net.ParseCIDR("fdac:97b4:dbcc::2/64") + if err != nil { + return nil, err + } +@@ -116,7 +116,7 @@ func newInfo(t *testing.T, hnd *netlink.Handle) (*Namespace, error) { + return &Namespace{ + iFaces: []*Interface{intf1, intf2, intf3}, + gw: net.ParseIP("192.168.1.1"), +- gwv6: net.ParseIP("fe80::1"), ++ gwv6: net.ParseIP("fdac:97b4:dbcc::1/64"), + }, nil + } + +-- +2.42.0.windows.2 + diff --git a/moby.spec b/moby.spec index 71c5899..7e8231c 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 13 +Release: 14 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com @@ -26,6 +26,7 @@ Patch0003: 0003-add-loongarch64-seccomp-support.patch Patch0004: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch Patch0005: 0005-CVE-2024-41110.patch Patch0006: 0006-tini.c-a-function-declaration-without-a-prototype-is.patch +Patch0007: 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch Requires: %{name}-engine = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} @@ -95,6 +96,7 @@ Docker client binary and related utilities %patch 0003 -p1 %patch 0004 -p1 %patch 0005 -p1 +%patch 0007 -p1 %setup -q -T -n %{_source_docker_init} -b 2 %patch 0006 -p1 
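Review bot: `net.ParseIP("fdac:97b4:dbcc::1/64")` returns nil because `ParseIP` does not accept a prefix length, so `gwv6` silently becomes a nil gateway where the previous `fe80::1` was a valid address. The first hunk uses `net.ParseCIDR` for the address that needs a prefix; the gateway line should drop the suffix, `gwv6: net.ParseIP("fdac:97b4:dbcc::1"),`. If the test still passes with the nil value, that presumably means nothing currently asserts on `gwv6`, which is worth confirming rather than relying on. `newInfo` starts outside the hunk.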
@@ -197,6 +199,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Thu Oct 31 2024 yaoguangzhong - 25.0.3-14 +- DESC:backport upstream patch to fix libnetwork/osl test TestAddRemoveInterface + * Tue Oct 29 2024 yaoguangzhong - 25.0.3-13 - DESC:modify patch number -- Gitee From 669dbe11e1f408453dc574145feb8e86da3dfa06 Mon Sep 17 00:00:00 2001 From: ChendongSun Date: Fri, 1 Nov 2024 06:55:33 +0000 Subject: [PATCH 16/16] omit missing Created field from ImageInspect response Signed-off-by: ChendongSun --- ...-Created-field-from-ImageInspect-res.patch | 87 +++++++++++++++++++ moby.spec | 7 +- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 0008-api-omit-missing-Created-field-from-ImageInspect-res.patch diff --git a/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch b/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch new file mode 100644 index 0000000..05551c2 --- /dev/null +++ b/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch 
@@ -0,0 +1,87 @@ +From 5d9e13bc8453c856f055769008dac9311f43c265 Mon Sep 17 00:00:00 2001 +From: Bjorn Neergaard +Date: Mon, 26 Feb 2024 10:25:08 -0700 +Subject: [PATCH] api: omit missing Created field from ImageInspect response + +Signed-off-by: Bjorn Neergaard +--- + api/swagger.yaml | 8 ++++++-- + api/types/types.go | 5 ++++- + docs/api/v1.44.yaml | 8 ++++++-- + docs/api/version-history.md | 5 ++--- + 4 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/api/swagger.yaml b/api/swagger.yaml +index 5e448edad6..350d37a96c 100644 +--- a/api/swagger.yaml ++++ b/api/swagger.yaml +@@ -1742,9 +1742,13 @@ definitions: + Created: + description: | + Date and time at which the image was created, formatted in +- [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds, or empty if the field was not set in the image config. ++ [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds. ++ ++ This information is only available if present in the image, ++ and omitted otherwise. + type: "string" +- x-nullable: false ++ format: "dateTime" ++ x-nullable: true + example: "2022-02-04T21:20:12.497794809Z" + Container: + description: | +diff --git a/api/types/types.go b/api/types/types.go +index 5c56a0cafe..56a8b77d45 100644 +--- a/api/types/types.go ++++ b/api/types/types.go +@@ -72,7 +72,10 @@ type ImageInspect struct { + + // Created is the date and time at which the image was created, formatted in + // RFC 3339 nano-seconds (time.RFC3339Nano). +- Created string ++ // ++ // This information is only available if present in the image, ++ // and omitted otherwise. ++ Created string `json:",omitempty"` + + // Container is the ID of the container that was used to create the image. 
+ // +diff --git a/docs/api/v1.44.yaml b/docs/api/v1.44.yaml +index 5e448edad6..350d37a96c 100644 +--- a/docs/api/v1.44.yaml ++++ b/docs/api/v1.44.yaml +@@ -1742,9 +1742,13 @@ definitions: + Created: + description: | + Date and time at which the image was created, formatted in +- [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds, or empty if the field was not set in the image config. ++ [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds. ++ ++ This information is only available if present in the image, ++ and omitted otherwise. + type: "string" +- x-nullable: false ++ format: "dateTime" ++ x-nullable: true + example: "2022-02-04T21:20:12.497794809Z" + Container: + description: | +diff --git a/docs/api/version-history.md b/docs/api/version-history.md +index fe04753249..b2d086e61e 100644 +--- a/docs/api/version-history.md ++++ b/docs/api/version-history.md +@@ -79,9 +79,8 @@ keywords: "API, Docker, rcli, REST, documentation" + `SecondaryIPv6Addresses` available in `NetworkSettings` when calling `GET /containers/{id}/json` are + deprecated and will be removed in a future release. You should instead look for the default network in + `NetworkSettings.Networks`. +-* `GET /images/{id}/json` now responds with an empty `Created` field +- (previously it was `0001-01-01T00:00:00Z`) if the `Created` field is missing +- from the image config. ++* `GET /images/{id}/json` omits the `Created` field (previously it was `0001-01-01T00:00:00Z`) ++ if the `Created` field is missing from the image config. + + ## v1.43 API changes + +-- +2.33.0 \ No newline at end of file diff --git a/moby.spec b/moby.spec index 7e8231c..f8767c9 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: docker Version: 25.0.3 -Release: 14 +Release: 15 Summary: The open-source application container engine License: ASL 2.0 URL: https://www.docker.com 
@@ -27,6 +27,7 @@ Patch0004: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch Patch0005: 0005-CVE-2024-41110.patch Patch0006: 0006-tini.c-a-function-declaration-without-a-prototype-is.patch Patch0007: 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch +Patch0008: 0008-api-omit-missing-Created-field-from-ImageInspect-res.patch Requires: %{name}-engine = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} @@ -97,6 +98,7 @@ Docker client binary and related utilities %patch 0004 -p1 %patch 0005 -p1 %patch 0007 -p1 +%patch 0008 -p1 %setup -q -T -n %{_source_docker_init} -b 2 %patch 0006 -p1 @@ -199,6 +201,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Fri Nov 1 2024 sunchendong - 25.0.3-15 +- DESC:omit missing Created field from ImageInspect response + * Thu Oct 31 2024 yaoguangzhong - 25.0.3-14 - DESC:backport upstream patch to fix libnetwork/osl test TestAddRemoveInterface -- Gitee