Merge docker.io (19.03.4+dfsg2-2) import into refs/heads/workingbranch

test--skip-TestStateRunStop

~~~~
 state_test.go:102: ExitCode -1, expected 2, err "context deadline exceeded"
~~~~

Gbp-Pq: Name test--skip-TestStateRunStop.patch

Skip TestSignCommandLocalFlag

No idea why this test used to pass before and fails now...

~~~~
  === RUN   TestSignCommandLocalFlag
  --- FAIL: TestSignCommandLocalFlag (35.01s)
    sign_test.go:307: assertion failed: expected error to contain "error contacting notary server: dial tcp: lookup reg-name.io",
    got "Error: error contacting notary server: dial tcp 125.235.4.59:443: i/o timeout"
  ...
  FAIL github.com/docker/cli/cli/command/trust 49.235s
~~~~

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name test--skip-TestSignCommandLocalFlag.patch

test--skip-TestGetRootUIDGID

~~~~
 FAIL: TestGetRootUIDGID (0.00s)
 idtools_unix_test.go:287:
    Error Trace: idtools_unix_test.go:287
    Error:       Not equal:
                 expected: 1009
                 actual  : 2952
    Test:        TestGetRootUIDGID
~~~~

Gbp-Pq: Name test--skip-TestGetRootUIDGID.patch

test--skip-TestClientWithRequestTimeout

~~~~
 FAIL: TestClientWithRequestTimeout (0.00s)
    client_test.go:254: assertion failed: expected an error, got nil: expected error
~~~~

Gbp-Pq: Name test--skip-TestClientWithRequestTimeout.patch

test--skip-TestAdapterReadLogs

~~~~
 FAIL: TestAdapterReadLogs (0.00s)
 panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
 [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x83273c5]

 goroutine 7 [running]:
 testing.tRunner.func1(0x1a686ab0)
    /usr/lib/go-1.10/src/testing/testing.go:742 +0x24a
 panic(0x8393cc0, 0x85d1e78)
    /usr/lib/go-1.10/src/runtime/panic.go:502 +0x1dc
 github.com/docker/docker/daemon/logger.testMessageEqual(0x1a686ab0, 0x1a65cc7c, 0x0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:178 +0x35
 github.com/docker/docker/daemon/logger.TestAdapterReadLogs(0x1a686ab0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:131 +0x710
 testing.tRunner(0x1a686ab0, 0x83fa01c)
    /usr/lib/go-1.10/src/testing/testing.go:777 +0xaa
 created by testing.(*T).Run
    /usr/lib/go-1.10/src/testing/testing.go:824 +0x243
 FAIL  github.com/docker/docker/daemon/logger  0.012s
~~~~

Gbp-Pq: Name test--skip-TestAdapterReadLogs.patch

test--skip-privileged-unit-tests

Gbp-Pq: Name test--skip-privileged-unit-tests.patch

test--skip-network-tests

Gbp-Pq: Name test--skip-network-tests.patch

test--fix-test-errors

Gbp-Pq: Name test--fix-test-errors.patch

Disable containerizedengine/update_test.go

This test FTBFS, see <https://github.com/docker/cli/pull/1561>.
Please re-enable this test when this MR is accepted.

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name test--disable-containerizedengine-update-test.patch

mips-fix-devnumber

~~~~
github.com/docker/docker/pkg/system/stat_linux.go:13:7: cannot use s.Rdev (type uint32) as type uint64 in field value
~~~~

Gbp-Pq: Name mips-fix-devnumber.patch

libnetwork_proto_no_unrecognized_all

 Fix this by setting goproto_unrecognized_all=false which suppresses this field.

 Upstream doesn't have the problem because they have pinned an older version
 of gogo/protobuf: https://github.com/docker/libnetwork/pull/2242
Author: Felix Geyer <fgeyer@debian.org>

Gbp-Pq: Name libnetwork_proto_no_unrecognized_all.patch

libnetwork_proto

Gbp-Pq: Name libnetwork_proto.patch

Update github.com/dgrijalva/jwt-go to 3.2.0 (#27)

Gbp-Pq: Name jwt-go-v3.patch

Update cni and go-cni to the v0.7.1 release (Closes #1236)

Gbp-Pq: Name containerd-cri_cni.patch

cli-fix-manpages-build-script

Gbp-Pq: Name cli-fix-manpages-build-script.patch

cli-dont-duplicate-authconfig

~~~~ gitlab-runner
src/gitlab.com/gitlab-org/gitlab-runner/helpers/docker/auth_config.go:102:22: cannot use config.AuthConfigs (type map[string]"github.com/docker/cli/cli/config/types".AuthConfig] as type map[string]"github.com/docker/docker/api/types".AuthConfig] in argument to addAll
src/gitlab.com/gitlab-org/gitlab-runner/helpers/docker/auth_config.go:130:2: cannot use newAuths (type map[string]"github.com/docker/cli/cli/config/types".AuthConfig] as type map[string]"github.com/docker/docker/api/types".AuthConfig] in return argument
src/gitlab.com/gitlab-org/gitlab-runner/helpers/docker/auth_config.go:144:26: cannot use newAuths (type "github.com/docker/cli/cli/config/types".AuthConfig)
~~~~

~~~~ nomad
src/github.com/hashicorp/nomad/drivers/docker/utils.go:118:57: cannot use cfile.AuthConfigs (type map[string]"github.com/docker/cli/cli/config/types".AuthConfig] as type map[string]"github.com/docker/docker/api/types".AuthConfig] in argument to "github.com/docker/docker/registry".ResolveAuthConfig
~~~~

Please update this patch when upstream provides a fix.

Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name cli-dont-duplicate-authconfig.patch

Build against google-grpc 1.11, where md.Get() does not exist.

This patch is based on the commit that introduced md.Get() in google-grpc:
<https://github.com/grpc/grpc-go/commit/291de7f0>.

Please drop this patch as soon as we build docker against google-grpc >= 1.12.

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name buildkit-build-against-google-grpc-1.11.patch

Disable Microsoft/hcsshim

As far as I understand, this is only needed for Docker running on a
Windows host. Grepping the code shows that only Windows specific files
import Microsoft/hcsshim. The only exception is the file
`libcontainerd/remote/client.go`.

Forwarded: https://github.com/moby/moby/issues/40067
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name engine-disable-microsoft-hcsshim.patch

Dont use gotestsum in hack/test/unit

gotestsum is not yet in Debian, let's just stick to 'go test' for now.

As soon as gotestsum is packaged for Debian (see #940225), we can drop
this patch, and add gotestsum as a build dependency.

This is a partial revert of the commit:
https://github.com/docker/docker-ce/commit/bef34d1

Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Origin: vendor, Debian
Forwarded: not-needed, Debian-specific

Gbp-Pq: Name debian-dont-use-gotestsum-in-hack-test-unit.patch

Dont use gotestsum in hack/test/unit

gotestsum is not yet in Debian, let's just stick to 'go test' for now.

As soon as gotestsum is packaged for Debian (see #940225), we can drop
this patch, and add gotestsum as a build dependency.

This is a partial revert of the docker/cli commits:
- 3bd3996f72ca281cec288dd6e7f4fdaa0e1eeb00
- 277f61415ec99d5fbae75c15013f2fdfb0017af4

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name debian-dont-use-gotestsum-in-cli.patch

debian-nuke-no-prompt

Gbp-Pq: Name debian-nuke-no-prompt.patch

debian-cgroupfs-mount-convenience-copy

Gbp-Pq: Name debian-cgroupfs-mount-convenience-copy.patch

debian-dockerd-binary-location

Gbp-Pq: Name debian-dockerd-binary-location.patch

debian-containerd-name

Gbp-Pq: Name debian-containerd-name.patch

debian-systemd-unit-environment-file

Gbp-Pq: Name debian-systemd-unit-environment-file.patch

docker.service: don't limit tasks

Signed-off-by: Pierre Carrier <pierre@meteor.com>
Gbp-Pq: Name debian-systemd-unit-tasksmax.patch

docker.io (19.03.4+dfsg2-2) unstable; urgency=medium

  * Removed unused package from Build-Depends.
  * Standards-Version: 4.4.1.

[dgit import unpatched docker.io 19.03.4+dfsg2-2]

Import docker.io_19.03.4+dfsg2-2.debian.tar.xz

[dgit import tarball docker.io 19.03.4+dfsg2-2 docker.io_19.03.4+dfsg2-2.debian.tar.xz]

Import docker.io_19.03.4+dfsg2.orig.tar.xz

[dgit import orig docker.io_19.03.4+dfsg2.orig.tar.xz]

Import docker.io_19.03.4+dfsg2.orig-containerd.tar.xz

[dgit import orig docker.io_19.03.4+dfsg2.orig-containerd.tar.xz]

Import docker.io_19.03.4+dfsg2.orig-distribution.tar.xz

[dgit import orig docker.io_19.03.4+dfsg2.orig-distribution.tar.xz]

Import docker.io_19.03.4+dfsg2.orig-go-events.tar.xz

[dgit import orig docker.io_19.03.4+dfsg2.orig-go-events.tar.xz]

Import docker.io_19.03.4+dfsg2.orig-libnetwork.tar.xz

[dgit import orig docker.io_19.03.4+dfsg2.orig-libnetwork.tar.xz]

Import docker.io_19.03.4+dfsg2.orig-swarmkit.tar.xz

[dgit import orig docker.io_19.03.4+dfsg2.orig-swarmkit.tar.xz]

Merge docker.io (18.09.9+dfsg1-5) import into refs/heads/workingbranch

test--skip-privileged-unit-tests

Gbp-Pq: Name test--skip-privileged-unit-tests.patch

test--skip-network-tests

Gbp-Pq: Name test--skip-network-tests.patch

test--skip-TestStateRunStop

~~~~
 state_test.go:102: ExitCode -1, expected 2, err "context deadline exceeded"
~~~~

Gbp-Pq: Name test--skip-TestStateRunStop.patch

test--skip-TestGetRootUIDGID

~~~~
 FAIL: TestGetRootUIDGID (0.00s)
 idtools_unix_test.go:287:
    Error Trace: idtools_unix_test.go:287
    Error:       Not equal:
                 expected: 1009
                 actual  : 2952
    Test:        TestGetRootUIDGID
~~~~

Gbp-Pq: Name test--skip-TestGetRootUIDGID.patch

test--skip-TestChangesWithChangesGH13590

Gbp-Pq: Name test--skip-TestChangesWithChangesGH13590.patch

test--skip-TestAdapterReadLogs

~~~~
 FAIL: TestAdapterReadLogs (0.00s)
 panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
 [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x83273c5]

 goroutine 7 [running]:
 testing.tRunner.func1(0x1a686ab0)
    /usr/lib/go-1.10/src/testing/testing.go:742 +0x24a
 panic(0x8393cc0, 0x85d1e78)
    /usr/lib/go-1.10/src/runtime/panic.go:502 +0x1dc
 github.com/docker/docker/daemon/logger.testMessageEqual(0x1a686ab0, 0x1a65cc7c, 0x0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:178 +0x35
 github.com/docker/docker/daemon/logger.TestAdapterReadLogs(0x1a686ab0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:131 +0x710
 testing.tRunner(0x1a686ab0, 0x83fa01c)
    /usr/lib/go-1.10/src/testing/testing.go:777 +0xaa
 created by testing.(*T).Run
    /usr/lib/go-1.10/src/testing/testing.go:824 +0x243
 FAIL  github.com/docker/docker/daemon/logger  0.012s
~~~~

Gbp-Pq: Name test--skip-TestAdapterReadLogs.patch

test--fix-test-errors

Gbp-Pq: Name test--fix-test-errors.patch

Disable containerizedengine/update_test.go

This test FTBFS, see <https://github.com/docker/cli/pull/1561>.
Please re-enable this test when this MR is accepted.

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name test--disable-containerizedengine-update-test.patch

bump opencontainers/selinux to v1.2

Gbp-Pq: Name selinux-docker.patch

bump opencontainers/selinux to v1.2

Gbp-Pq: Name selinux-containerd_cri.patch

netlink_syscall

Gbp-Pq: Name netlink_syscall.patch

mips-fix-devnumber

~~~~
github.com/docker/docker/pkg/system/stat_linux.go:13:7: cannot use s.Rdev (type uint32) as type uint64 in field value
~~~~

Gbp-Pq: Name mips-fix-devnumber.patch

SIGSKTFLT does not exist on MIPS, instead SIGEMT does.

SIGRTMAX is also 127 on MIPS.

This patch is merged upstream on master, please drop it when necessary.

Signed-off-by: Kasper Fabæch Brandt <poizan@poizan.dk>
Origin: upstream, https://github.com/moby/moby/pull/37491

Gbp-Pq: Name mips-add-specific-signal-file.patch

libnetwork_proto_no_unrecognized_all

 Fix this by setting goproto_unrecognized_all=false which suppresses this field.

 Upstream doesn't have the problem because they have pinned an older version
 of gogo/protobuf: https://github.com/docker/libnetwork/pull/2242
Author: Felix Geyer <fgeyer@debian.org>

Gbp-Pq: Name libnetwork_proto_no_unrecognized_all.patch

libnetwork_proto

Gbp-Pq: Name libnetwork_proto.patch

Update sctp package This commit updates the vendored ishidawataru/sctp and adapts its used types.

Gbp-Pq: Name libnetwork-update-sctp.patch

Update github.com/dgrijalva/jwt-go to 3.2.0 (#27)

Gbp-Pq: Name jwt-go-v3.patch

go-metrics_prometheus-fix_Observer

Gbp-Pq: Name go-metrics_prometheus-fix_Observer.patch

export_oci-caps

Gbp-Pq: Name export_oci-caps.patch

mkimage: Fix Debian security presence check

Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable.

Signed-off-by: Mattias Jernberg <nostrad@gmail.com>
Origin: upstream, https://github.com/docker/engine/commit/8db5403

Gbp-Pq: Name engine-contrib-debootstrap-curl-follow-location.patch

cli-fix-manpages-build-script

Gbp-Pq: Name cli-fix-manpages-build-script.patch

Build against google-grpc 1.11, where md.Get() does not exist.

This patch is based on the commit that introduced md.Get() in google-grpc:
<https://github.com/grpc/grpc-go/commit/291de7f0>.

Please drop this patch as soon as we build docker against google-grpc >= 1.12.

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name buildkit-build-against-google-grpc-1.11.patch

Dont use gotestsum in hack/test/unit

gotestsum is not yet in Debian, let's just stick to 'go test' for now.

As soon as gotestsum is packaged for Debian (see #940225), we can drop
this patch, and add gotestsum as a build dependency.

This is a partial revert of the commit:
https://github.com/docker/docker-ce/commit/bef34d1

Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Origin: vendor, Debian
Forwarded: not-needed, Debian-specific

Gbp-Pq: Name debian-dont-use-gotestsum-in-hack-test-unit.patch

debian-nuke-no-prompt

Gbp-Pq: Name debian-nuke-no-prompt.patch

debian-cgroupfs-mount-convenience-copy

Gbp-Pq: Name debian-cgroupfs-mount-convenience-copy.patch

debian-dockerd-binary-location

Gbp-Pq: Name debian-dockerd-binary-location.patch

debian-containerd-name

Gbp-Pq: Name debian-containerd-name.patch

debian-systemd-unit-environment-file

Gbp-Pq: Name debian-systemd-unit-environment-file.patch

docker.service: don't limit tasks

Signed-off-by: Pierre Carrier <pierre@meteor.com>
Gbp-Pq: Name debian-systemd-unit-tasksmax.patch

docker.io (18.09.9+dfsg1-5) unstable; urgency=medium

  [ Arnaud Rebillout ]
  * Drop unused build depends

  [ Dmitry Smirnov ]
  * Patch Docker to use jwt-go v3.
  * Use golang-github-dgrijalva-jwt-go-dev (not -v3).
  * dev: install new "containerd/*" files
         (as required by "singularity-container").

[dgit import unpatched docker.io 18.09.9+dfsg1-5]

Import docker.io_18.09.9+dfsg1-5.debian.tar.xz

[dgit import tarball docker.io 18.09.9+dfsg1-5 docker.io_18.09.9+dfsg1-5.debian.tar.xz]

Import docker.io_18.09.9+dfsg1.orig.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig.tar.xz]

Import docker.io_18.09.9+dfsg1.orig-containerd.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig-containerd.tar.xz]

Import docker.io_18.09.9+dfsg1.orig-distribution.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig-distribution.tar.xz]

Import docker.io_18.09.9+dfsg1.orig-go-events.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig-go-events.tar.xz]

Import docker.io_18.09.9+dfsg1.orig-go-metrics.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig-go-metrics.tar.xz]

Import docker.io_18.09.9+dfsg1.orig-libnetwork.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig-libnetwork.tar.xz]

Import docker.io_18.09.9+dfsg1.orig-swarmkit.tar.xz

[dgit import orig docker.io_18.09.9+dfsg1.orig-swarmkit.tar.xz]

Merge docker.io (18.09.1+dfsg1-9) import into refs/heads/workingbranch

Adjust tests for changes in Go 1.12.8 / 1.11.13

```
00:38:11 === Failed
00:38:11 === FAIL: opts TestParseDockerDaemonHost (0.00s)
00:38:11     hosts_test.go:87: tcp tcp:a.b.c.d address expected error "Invalid bind address format: tcp:a.b.c.d" return, got "parse tcp://tcp:a.b.c.d: invalid port \":a.b.c.d\" after host" and addr
00:38:11     hosts_test.go:87: tcp tcp:a.b.c.d/path address expected error "Invalid bind address format: tcp:a.b.c.d/path" return, got "parse tcp://tcp:a.b.c.d/path: invalid port \":a.b.c.d\" after host" and addr
00:38:11
00:38:11 === FAIL: opts TestParseTCP (0.00s)
00:38:11     hosts_test.go:129: tcp tcp:a.b.c.d address expected error Invalid bind address format: tcp:a.b.c.d return, got parse tcp://tcp:a.b.c.d: invalid port ":a.b.c.d" after host and addr
00:38:11     hosts_test.go:129: tcp tcp:a.b.c.d/path address expected error Invalid bind address format: tcp:a.b.c.d/path return, got parse tcp://tcp:a.b.c.d/path: invalid port ":a.b.c.d" after host and addr
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 683766613a8c1dca8f95b19ddb7e083bb3aef266)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Gbp-Pq: Name test--engine-fix-golang11.patch

Fix test for Go 1.12.x

After switching to Go 1.12, the format-string causes an error;

```
=== Errors
cli/config/config_test.go:154:3: Fatalf format %q has arg config of wrong type *github.com/docker/cli/cli/config/configfile.ConfigFile
cli/config/config_test.go:217:3: Fatalf format %q has arg config of wrong type *github.com/docker/cli/cli/config/configfile.ConfigFile
cli/config/config_test.go:253:3: Fatalf format %q has arg config of wrong type *github.com/docker/cli/cli/config/configfile.ConfigFile
cli/config/config_test.go:288:3: Fatalf format %q has arg config of wrong type *github.com/docker/cli/cli/config/configfile.ConfigFile
cli/config/config_test.go:435:3: Fatalf format %q has arg config of wrong type *github.com/docker/cli/cli/config/configfile.ConfigFile
cli/config/config_test.go:448:3: Fatalf format %q has arg config of wrong type *github.com/docker/cli/cli/config/configfile.ConfigFile

DONE 1115 tests, 2 skipped, 6 errors in 215.984s
make: *** [Makefile:22: test-coverage] Error 2
Exited with code 2
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d4877fb2259feac2c76762ccd3001999cb7f0d58)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Gbp-Pq: Name test--cli-fix-golang12.patch

Adjust tests for changes in Go 1.12.8 / 1.11.13

For now, just verifying that an error is returned, but not checking the
error message itself, because those are not under our control, and may
change with different Go versions.

```
=== Failed
=== FAIL: opts TestParseDockerDaemonHost (0.00s)
    hosts_test.go:87: tcp tcp:a.b.c.d address expected error "Invalid bind address format: tcp:a.b.c.d" return, got "parse tcp://tcp:a.b.c.d: invalid port \":a.b.c.d\" after host" and addr
    hosts_test.go:87: tcp tcp:a.b.c.d/path address expected error "Invalid bind address format: tcp:a.b.c.d/path" return, got "parse tcp://tcp:a.b.c.d/path: invalid port \":a.b.c.d\" after host" and addr

=== FAIL: opts TestParseTCP (0.00s)
    hosts_test.go:129: tcp tcp:a.b.c.d address expected error Invalid bind address format: tcp:a.b.c.d return, got parse tcp://tcp:a.b.c.d: invalid port ":a.b.c.d" after host and addr
    hosts_test.go:129: tcp tcp:a.b.c.d/path address expected error Invalid bind address format: tcp:a.b.c.d/path return, got parse tcp://tcp:a.b.c.d/path: invalid port ":a.b.c.d" after host and addr
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Gbp-Pq: Name test--cli-fix-golang11.patch

test--skip-privileged-unit-tests

Gbp-Pq: Name test--skip-privileged-unit-tests.patch

test--skip-network-tests

Gbp-Pq: Name test--skip-network-tests.patch

test--skip-TestStateRunStop

~~~~
 state_test.go:102: ExitCode -1, expected 2, err "context deadline exceeded"
~~~~

Gbp-Pq: Name test--skip-TestStateRunStop.patch

test--skip-TestGetRootUIDGID

~~~~
 FAIL: TestGetRootUIDGID (0.00s)
 idtools_unix_test.go:287:
    Error Trace: idtools_unix_test.go:287
    Error:       Not equal:
                 expected: 1009
                 actual  : 2952
    Test:        TestGetRootUIDGID
~~~~

Gbp-Pq: Name test--skip-TestGetRootUIDGID.patch

Skip TestClientWithRequestTimeout

This test seems to be flaky. Please follow-up upstream for more details:
<https://github.com/moby/moby/issues/38587>

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name test--skip-TestClientWithRequestTimeout.patch

test--skip-TestChangesWithChangesGH13590

Gbp-Pq: Name test--skip-TestChangesWithChangesGH13590.patch

test--skip-TestAdapterReadLogs

~~~~
 FAIL: TestAdapterReadLogs (0.00s)
 panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
 [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x83273c5]

 goroutine 7 [running]:
 testing.tRunner.func1(0x1a686ab0)
    /usr/lib/go-1.10/src/testing/testing.go:742 +0x24a
 panic(0x8393cc0, 0x85d1e78)
    /usr/lib/go-1.10/src/runtime/panic.go:502 +0x1dc
 github.com/docker/docker/daemon/logger.testMessageEqual(0x1a686ab0, 0x1a65cc7c, 0x0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:178 +0x35
 github.com/docker/docker/daemon/logger.TestAdapterReadLogs(0x1a686ab0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:131 +0x710
 testing.tRunner(0x1a686ab0, 0x83fa01c)
    /usr/lib/go-1.10/src/testing/testing.go:777 +0xaa
 created by testing.(*T).Run
    /usr/lib/go-1.10/src/testing/testing.go:824 +0x243
 FAIL  github.com/docker/docker/daemon/logger  0.012s
~~~~

Gbp-Pq: Name test--skip-TestAdapterReadLogs.patch

test--fix-test-errors

Gbp-Pq: Name test--fix-test-errors.patch

Disable containerizedengine/update_test.go

This test FTBFS, see <https://github.com/docker/cli/pull/1561>.
Please re-enable this test when this MR is accepted.

Origin: vendor, Debian
Forwarded: not-needed, Debian-specific
Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Gbp-Pq: Name test--disable-containerizedengine-update-test.patch

netlink_syscall

Gbp-Pq: Name netlink_syscall.patch

mips-fix-devnumber

~~~~
github.com/docker/docker/pkg/system/stat_linux.go:13:7: cannot use s.Rdev (type uint32) as type uint64 in field value
~~~~

Gbp-Pq: Name mips-fix-devnumber.patch

SIGSKTFLT does not exist on MIPS, instead SIGEMT does.

SIGRTMAX is also 127 on MIPS.

This patch is merged upstream on master, please drop it when necessary.

Signed-off-by: Kasper Fabæch Brandt <poizan@poizan.dk>
Origin: upstream, https://github.com/moby/moby/pull/37491

Gbp-Pq: Name mips-add-specific-signal-file.patch

libnetwork_proto_no_unrecognized_all

 Fix this by setting goproto_unrecognized_all=false which suppresses this field.

 Upstream doesn't have the problem because they have pinned an older version
 of gogo/protobuf: https://github.com/docker/libnetwork/pull/2242
Author: Felix Geyer <fgeyer@debian.org>

Gbp-Pq: Name libnetwork_proto_no_unrecognized_all.patch

Revert "debian has iptables-legacy and iptables-nft now"

This reverts commit 7da66eea9f68e4abc83ed2892114ec565eddd66a.

Libnetwork should only use the iptables binary. Iptables v1.8 and above
uses the nftables backend. The translations for all the rules used by
libnetwork is supported by the new iptables binary.

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
Origin: upstream, https://github.com/docker/libnetwork/pull/2343

Gbp-Pq: Name libnetwork-revert-iptables-legacy.patch

libnetwork_proto

Gbp-Pq: Name libnetwork_proto.patch

go-metrics_prometheus-fix_Observer

Gbp-Pq: Name go-metrics_prometheus-fix_Observer.patch

engine-test-noinstall

~~~~
 go test net: open /usr/lib/go-1.10/pkg/linux_amd64/net.a: permission denied
~~~~

Gbp-Pq: Name engine-test-noinstall.patch

mkimage: Fix Debian security presence check

Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable.

Signed-off-by: Mattias Jernberg <nostrad@gmail.com>
Origin: upstream, https://github.com/docker/engine/commit/8db5403

Gbp-Pq: Name engine-contrib-debootstrap-curl-follow-location.patch

Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.

See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit a316b10dab79d9298b02c7930958ed52e0ccf4e4)

Gbp-Pq: Name cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch

DebugRequestMiddleware: Remove path handling

Path-specific rules were removed, so this is no longer used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 530e63c1a61b105a6f7fc143c5acb9b5cd87f958)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit f8a0f26843bc5aff33cf9201b75bd4bdbb48a3ad)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: upstream, https://github.com/docker/engine/pull/298

Gbp-Pq: Name cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch

DebugRequestMiddleware: unconditionally scrub data field

Commit 77b8465d7e68ca102d7aae839c7b3fe0ecd28398 added a secret update
endpoint to allow updating labels on existing secrets. However, when
implementing the endpoint, the DebugRequestMiddleware was not updated
to scrub the Data field (as is being done when creating a secret).

When updating a secret (to set labels), the Data field should be either
`nil` (not set), or contain the same value as the existing secret. In
situations where the Data field is set, and the `dockerd` daemon is
running with debugging enabled / log-level debug, the base64-encoded
value of the secret is printed to the daemon logs.

The docker cli does not have a `docker secret update` command, but
when using `docker stack deploy`, the docker cli sends the secret
data both when _creating_ a stack, and when _updating_ a stack, thus
leaking the secret data if the daemon runs with debug enabled:

1. Start the daemon in debug-mode

        dockerd --debug

2. Initialize swarm

        docker swarm init

3. Create a file containing a secret

        echo secret > my_secret.txt

4. Create a docker-compose file using that secret

        cat > docker-compose.yml <<'EOF'
        version: "3.3"
        services:
          web:
            image: nginx:alpine
            secrets:
              - my_secret
        secrets:
          my_secret:
            file: ./my_secret.txt
        EOF

5. Deploy the stack

        docker stack deploy -c docker-compose.yml test

6. Verify that the secret is scrubbed in the daemon logs

        DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create
        DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}

7. Re-deploy the stack to trigger an "update"

        docker stack deploy -c docker-compose.yml test

8. Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged

        DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34
        DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}

This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields.
Currently, only the `secrets` and `configs` endpoints use a field with this
name, and no other POST API endpoints use a data field, so scrubbing this
field unconditionally will only scrub requests for those endpoints.

If a new endpoint is added in future where this field should not be scrubbed,
we can re-introduce more fine-grained (path-specific) handling.

This patch introduces some change in behavior:

- In addition to secrets, requests to create or update _configs_ will
  now have their `Data` field scrubbed. Generally, the actual data should
  not be interesting for debugging, so likely will not be problematic.
  In addition, scrubbing this data for configs may actually be desirable,
  because (even though they are not explicitely designed for this purpose)
  configs may contain sensitive data (credentials inside a configuration
  file, e.g.).
- Requests that send key/value pairs as a "map" and that contain a
  key named "data", will see the value of that field scrubbed. This
  means that (e.g.) setting a `label` named `data` on a config, will
  scrub/mask the value of that label.
- Note that this is already the case for any label named `jointoken`,
  `password`, `secret`, `signingcakey`, or `unlockkey`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7ce4be93ae8edd2da62a588e01c67313a4aba0c)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 73db8c77bfb2d0cbdf71ce491f3d3e66c9dd5be6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: upstream, https://github.com/docker/engine/pull/298

Gbp-Pq: Name cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch

TestMaskSecretKeys: use subtests

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 32d70c7e21631224674cd60021d3ec908c2d888c)
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit ebb542b3f88d7f5551f6b6e1d8d2774a2c166409)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Origin: https://github.com/docker/engine/pull/298

Gbp-Pq: Name cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch