From 67bd7eb5fb584a4be3b925fda25c93d90427282c Mon Sep 17 00:00:00 2001 
From: Felix Geyer Date: Sun, 21 Feb 2021 17:18:35 +0000 Subject: [PATCH] Import docker.io_18.09.1+dfsg1-7.1+deb10u3.debian.tar.xz [dgit import tarball docker.io 18.09.1+dfsg1-7.1+deb10u3 docker.io_18.09.1+dfsg1-7.1+deb10u3.debian.tar.xz] --- Dockerfile | 21 + README.Debian | 99 +++ README.source | 168 ++++ TODO.Debian | 22 + changelog | 822 ++++++++++++++++++ clean | 26 + compat | 1 + control | 282 ++++++ copyright | 544 ++++++++++++ docker-doc.docs | 3 + docker.io.NEWS | 26 + docker.io.bash-completion | 1 + docker.io.dirs | 1 + docker.io.docker.default | 12 + docker.io.docker.init | 133 +++ docker.io.docker.service | 1 + docker.io.docker.socket | 1 + docker.io.docker.udev | 1 + docker.io.docs | 2 + docker.io.install | 25 + docker.io.links | 2 + docker.io.lintian-overrides | 3 + docker.io.maintscript | 6 + docker.io.manpages | 1 + docker.io.postinst | 29 + docker.io.postrm | 17 + docker.io.prerm | 23 + gbp.conf | 15 + get-orig-source.sh | 140 +++ golang-github-docker-docker-dev.install | 41 + helpers/gen-build-depends.sh | 193 ++++ helpers/gitcommit.sh | 34 + ...ldkit-build-against-google-grpc-1.11.patch | 56 ++ patches/cli-fix-manpages-build-script.patch | 18 + ...i-fix-registry-debug-message-go-1.11.patch | 26 + ...s-root-to-chroot-to-for-chroot-untar.patch | 186 ++++ ...dd-chroot-for-tar-packing-operations.patch | 248 ++++++ ...9-01-gitutils-add-validation-for-ref.patch | 86 ++ ...stMaskSecretKeys-add-more-test-cases.patch | 83 ++ ...9-02-TestMaskSecretKeys-use-subtests.patch | 70 ++ ...are-unconditionally-scrub-data-field.patch | 171 ++++ ...questMiddleware-Remove-path-handling.patch | 135 +++ ...71-Initialize-nss-libraries-in-Glibc.patch | 43 + ...1-disable-IPv6-router-advertisements.patch | 65 ++ patches/cve-2020-15157.patch | 206 +++++ patches/cve-2020-15257.patch | 744 ++++++++++++++++ patches/cve-2021-21284-1.patch | 103 +++ patches/cve-2021-21284-2.patch | 52 ++ patches/cve-2021-21284-3.patch | 347 ++++++++ patches/cve-2021-21285.patch | 53 ++ 
...bian-cgroupfs-mount-convenience-copy.patch | 81 ++ patches/debian-containerd-name.patch | 98 +++ patches/debian-dockerd-binary-location.patch | 42 + patches/debian-nuke-no-prompt.patch | 21 + ...debian-systemd-unit-environment-file.patch | 20 + patches/debian-systemd-unit-tasksmax.patch | 21 + ...rib-debootstrap-curl-follow-location.patch | 25 + patches/engine-test-noinstall.patch | 23 + .../go-metrics_prometheus-fix_Observer.patch | 38 + .../libnetwork-revert-iptables-legacy.patch | 39 + patches/libnetwork_proto.patch | 38 + patches/mips-add-specific-signal-file.patch | 111 +++ patches/mips-fix-devnumber.patch | 22 + patches/netlink_syscall.patch | 58 ++ patches/series | 54 ++ patches/test--cli-fix-golang11.patch | 64 ++ ...able-containerizedengine-update-test.patch | 19 + patches/test--engine-fix-golang11.patch | 62 ++ patches/test--fix-test-errors.patch | 15 + patches/test--skip-TestAdapterReadLogs.patch | 38 + ...--skip-TestChangesWithChangesGH13590.patch | 17 + ...t--skip-TestClientWithRequestTimeout.patch | 20 + patches/test--skip-TestGetRootUIDGID.patch | 26 + patches/test--skip-TestStateRunStop.patch | 20 + patches/test--skip-network-tests.patch | 17 + .../test--skip-privileged-unit-tests.patch | 316 +++++++ rules | 185 ++++ source/format | 1 + source/lintian-overrides | 5 + tests/basic-smoke | 36 + tests/control | 7 + tests/integration | 41 + unpack-components.sh | 36 + upstream-version-gitcommits | 92 ++ vim-syntax-docker.install | 4 + vim-syntax-docker.yaml | 6 + watch | 15 + 87 files changed, 7120 insertions(+) create mode 100644 Dockerfile create mode 100644 README.Debian create mode 100644 README.source create mode 100644 TODO.Debian create mode 100644 changelog create mode 100644 clean create mode 100644 compat create mode 100644 control create mode 100644 copyright create mode 100644 docker-doc.docs create mode 100644 docker.io.NEWS create mode 100644 docker.io.bash-completion create mode 100644 docker.io.dirs create mode 100644 
docker.io.docker.default create mode 100644 docker.io.docker.init create mode 120000 docker.io.docker.service create mode 120000 docker.io.docker.socket create mode 120000 docker.io.docker.udev create mode 100644 docker.io.docs create mode 100755 docker.io.install create mode 100644 docker.io.links create mode 100644 docker.io.lintian-overrides create mode 100644 docker.io.maintscript create mode 100644 docker.io.manpages create mode 100644 docker.io.postinst create mode 100644 docker.io.postrm create mode 100644 docker.io.prerm create mode 100644 gbp.conf create mode 100755 get-orig-source.sh create mode 100644 golang-github-docker-docker-dev.install create mode 100755 helpers/gen-build-depends.sh create mode 100755 helpers/gitcommit.sh create mode 100644 patches/buildkit-build-against-google-grpc-1.11.patch create mode 100644 patches/cli-fix-manpages-build-script.patch create mode 100644 patches/cli-fix-registry-debug-message-go-1.11.patch create mode 100644 patches/cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch create mode 100644 patches/cve-2018-15664-02-add-chroot-for-tar-packing-operations.patch create mode 100644 patches/cve-2019-13139-01-gitutils-add-validation-for-ref.patch create mode 100644 patches/cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch create mode 100644 patches/cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch create mode 100644 patches/cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch create mode 100644 patches/cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch create mode 100644 patches/cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch create mode 100644 patches/cve-2020-13401-disable-IPv6-router-advertisements.patch create mode 100644 patches/cve-2020-15157.patch create mode 100644 patches/cve-2020-15257.patch create mode 100644 patches/cve-2021-21284-1.patch create mode 100644 patches/cve-2021-21284-2.patch create mode 100644 
patches/cve-2021-21284-3.patch create mode 100644 patches/cve-2021-21285.patch create mode 100644 patches/debian-cgroupfs-mount-convenience-copy.patch create mode 100644 patches/debian-containerd-name.patch create mode 100644 patches/debian-dockerd-binary-location.patch create mode 100644 patches/debian-nuke-no-prompt.patch create mode 100644 patches/debian-systemd-unit-environment-file.patch create mode 100644 patches/debian-systemd-unit-tasksmax.patch create mode 100644 patches/engine-contrib-debootstrap-curl-follow-location.patch create mode 100644 patches/engine-test-noinstall.patch create mode 100644 patches/go-metrics_prometheus-fix_Observer.patch create mode 100644 patches/libnetwork-revert-iptables-legacy.patch create mode 100644 patches/libnetwork_proto.patch create mode 100644 patches/mips-add-specific-signal-file.patch create mode 100644 patches/mips-fix-devnumber.patch create mode 100644 patches/netlink_syscall.patch create mode 100644 patches/series create mode 100644 patches/test--cli-fix-golang11.patch create mode 100644 patches/test--disable-containerizedengine-update-test.patch create mode 100644 patches/test--engine-fix-golang11.patch create mode 100644 patches/test--fix-test-errors.patch create mode 100644 patches/test--skip-TestAdapterReadLogs.patch create mode 100644 patches/test--skip-TestChangesWithChangesGH13590.patch create mode 100644 patches/test--skip-TestClientWithRequestTimeout.patch create mode 100644 patches/test--skip-TestGetRootUIDGID.patch create mode 100644 patches/test--skip-TestStateRunStop.patch create mode 100644 patches/test--skip-network-tests.patch create mode 100644 patches/test--skip-privileged-unit-tests.patch create mode 100755 rules create mode 100644 source/format create mode 100644 source/lintian-overrides create mode 100755 tests/basic-smoke create mode 100644 tests/control create mode 100755 tests/integration create mode 100755 unpack-components.sh create mode 100644 upstream-version-gitcommits create mode 100644 
vim-syntax-docker.install create mode 100644 vim-syntax-docker.yaml create mode 100644 watch
diff --git a/Dockerfile b/Dockerfile new file mode 100644
index 00000000..80639c66
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM tianon/debian-devel
+
+RUN echo 'deb http://incoming.debian.org/debian-buildd buildd-unstable main contrib non-free' > /etc/apt/sources.list.d/incoming.list
+
+# start by adding just "debian/control" so we can get mk-build-deps with maximum caching
+COPY control /usr/src/docker.io/debian/
+WORKDIR /usr/src/docker.io
+
+# get all the build deps of _this_ package in a nice repeatable way
+RUN apt-get update && mk-build-deps -irt'apt-get --no-install-recommends -yV' debian/control && dpkg-checkbuilddeps
+
+# need our debian/ directory to compile _this_ package
+COPY . /usr/src/docker.io/debian
+
+# go download and unpack our upstream source
+RUN uscan --force-download --verbose --download-current-version
+RUN DOCKER_TARBALLS=.. ./debian/helpers/download-libcontainer
+RUN /tianon/extract-origtargz.sh
+
+# tianon is _really_ lazy, and likes a preseeded bash history
+RUN echo '/tianon/extract-origtargz.sh && dpkg-buildpackage -us -uc && lintian -EvIL+pedantic' >> /root/.bash_history
diff --git a/README.Debian b/README.Debian new file mode 100644
index 00000000..366feb8f
--- /dev/null
+++ b/README.Debian
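Review bot: `RUN DOCKER_TARBALLS=.. ./debian/helpers/download-libcontainer` points at a helper this debian/ tree does not contain — the diffstat ships only helpers/gen-build-depends.sh and helpers/gitcommit.sh under helpers/ — so the image build stops at that step; drop the line or point it at the fetch script that does exist (get-orig-source.sh, presumably). `FROM tianon/debian-devel` is unpinned, so the toolchain and the `/tianon/extract-origtargz.sh` script the build relies on (apparently supplied by the base image) can change silently between builds; pin a tag or an `@sha256:` digest and say in a comment which one was chosen. The apt source is added over plain `http://`; apt's Release-signature check still covers integrity, but for an image used to prepare security uploads an `https://` mirror, where one is available, or a comment stating that signature verification is what is relied on, would make the trust assumption explicit. The preseeded history runs `dpkg-buildpackage -us -uc`, which is fine for a scratch build but yields unsigned source and changes files, so a one-line comment noting that the output is not upload-ready would help the next person who reuses this image.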
@@ -0,0 +1,99 @@
+Docker on Debian
+================
+
+Please refer to upstream's documentation for information about what Docker is,
+how it works, and how to use it: https://docs.docker.com/
+
+The following notes are things that may have impact specifically to use of the
+Docker package in Debian.
+
+--
+
+To enable docker memory limitation, the kernel needs to be loaded with
+boot parameters: cgroup_enable=memory swapaccount=1.
+
+This is because enabling memory cgroup support has some run-time overhead,
+and kernel maintainers don't want to slow down systems unnecessarily.
+
+http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg764104.html
+https://github.com/docker/docker/issues/396
+
+To instruct the kernel to enable memory cgroup support, edit
+/etc/default/grub and extend GRUB_CMDLINE_LINUX_DEFAULT like:
+
+GRUB_CMDLINE_LINUX_DEFAULT="cgroup_enable=memory swapaccount=1"
+
+Then run update-grub, and reboot.
+
+---
+
+It's worth pointing out that upstream maintains a "check-config.sh" script for
+verifying not only proper kernel configuration (which isn't terribly relevant in
+the Debian context), but also the host system configuration, especially and
+including whether a properly mounted cgroup hierarchy can be found. If you're
+using cgroupfs-mount or systemd, chances are very high that you have one, but if
+not, you're likely to see strange behavior.
+
+In the docker.io package, one can find the "check-config.sh" script under
+"/usr/share/docker.io/contrib/check-config.sh", which when run (does NOT require
+root/sudo) will report on problems with your installation/configuration.
+
+---
+
+As noted in the upstream documentation (https://docs.docker.io), Docker will
+allow non-root users in the "docker" group to access "docker.sock" and thus
+communicate with the daemon.
To add yourself to the "docker" group, use
+something like:
+
+adduser YOURUSER docker
+
+As also noted in the upstream documentation, the "docker" group (and any other
+means of accessing the Docker API) is root-equivalent. If you don't trust a
+user with root on your box, you shouldn't trust them with Docker either.
+If you are interested in further information about the security aspects of
+Docker, please be sure to read the "Docker Security" article in the
+upstream documentation:
+
+ https://docs.docker.com/engine/security/security/
+
+---
+
+ rpc error: code = 2 desc = "oci runtime error: could not synchronise with
+ container process: no subsystem for mount"
+
+This message is very likely related to https://bugs.debian.org/843530, and thus
+https://github.com/opencontainers/runc/issues/1175.
+
+Adding "systemd.legacy_systemd_cgroup_controller=yes" to your system boot
+parameters (in Grub, etc) is probably necessary to resolve it.
+
+---
+
+Support for the logentries.com log driver has been removed from the
+Debian version as it contains no license information and is therefore
+not redistributable.
+
+Github issues have been filed upstream:
+
+https://github.com/bsphere/le_go/issues/14
+https://github.com/docker/docker/issues/31020
+
+---
+
+## Restart dilemma
+
+Restarting Docker daemon terminates all running containers. Therefore
+automatic restart is not an option as containers may be killed during
+unattended upgrade, etc.
+
+This is Docker's design flaw and upstream gave up on idea of restoring
+state of running containers on upgrade, bluntly stating "You must stop all
+containers and plugins BEFORE upgrading" in release notes.
+
+** "rkt" container runtime is free from that flaw. **
+
+Not restarting Docker daemon on upgrade can make CLI unusable until daemon
+restart due to mismatch between CLI and running Daemon versions.
+
+Fortunately recommended "needrestart" package show interactive prompt to
+restart Docker daemon after upgrade.
diff --git a/README.source b/README.source new file mode 100644
index 00000000..5a65b9b1
--- /dev/null
+++ b/README.source
@@ -0,0 +1,168 @@
+## "stable" versus "edge" releases
+
+As per [1], starting with Docker 18.09, CE "stable" releases will be
+supported for 7 months. See [2] for details.
+
+This package should only ever ship "stable" Community Edition (CE)
+releases.
+
+Docker version numbers are derived from date, e.g. `date +%g.%m`.
+
+The every-month releases are "edge" (17.04, 17.05, etc), are only supported
+for the duration of their release month. Stable releases have longer
+support cycles. Monthly "Edge" releases should be avoided.
+
+[1]: https://docs.docker.com/install/
+[2]: https://docs.docker.com/release-notes/docker-ce/
+
+
+## Incompetent upstream release process
+
+Upstream is notorious for incredibly sloppy versioning. Docker components
+are inconsistently versioned; don't depend on same version of common
+libraries and different revisions of dependency libraries are privately
+vendored. Basically upstream couldn't care less about consistent, semantic
+versioning and re-usable components. Shameful abomination of good software
+development practices... :(
+
+**An overview of the various docker repositories**
+
+Some repositories used to release on a regular basis, then stopped:
+
+ * https://github.com/moby/moby : last release on Jun 28, 2017
+ * https://github.com/docker/distribution: last release on Jul 21, 2017
+ * https://github.com/docker/libnetwork : last release on May 8, 2016
+
+This seem to be due to the split between Moby and Docker, although it is highly
+undocumented. For the Moby repository, you have to dig up this kind of thread:
+"https://github.com/moby/moby/issues/33951#issuecomment-312995683"
+
+Some repositories never really had any releases:
+
+ * https://github.com/docker/cli
+ * https://github.com/docker/go-events
+ * https://github.com/docker/swarmkit
+
+**The docker-ce super repository**
+
+docker-ce is the super repository from where Docker Community Edition is
+produced, and this is where things get messy.
+
+Basically this is where the code from the docker engine (github.com/moby/moby)
+docker client (github.com/docker/cli) is pulled together. But how? Looking at
+the git history, we can see cherry-picked commits, merge requests, standalone
+commits, and probably other things... In the end, when a docker-ce version is
+released, it doesn't seem to correspond to a particular commit of moby/moby or
+docker/cli.
+
+At some point I thought we should ignore docker-ce, and instead package
+moby/moby and docker/cli separately. But because of the workflow described
+above, I now think it's a very bad idea. We have no idea of which version of
+moby/moby and docker/cli work together (no semantic versions), and we can't
+really find this information from a tag in docker-ce.
+
+So we'd better package docker-ce instead.
+
+**Docker-ce releases**
+
+Upstream tags releases in "github.com/docker/docker-ce" and we have to ship
+matching bundle of Docker engine, and Docker CLI from that repository.
+
+Docker-ce releases monthly, with a 2 or 3 release candidates before the
+final release. Other than quarterly "stable" releases there doesn't seem to
+be any long-term releases. The fact that there are release candidates
+probably indicates that bugs are reported, test suites are run, and things
+are fixed between various rc (hopefully).
+
+On top of that Docker depends on very particular commits of
+
+ * github.com/containerd/containerd
+ * github.com/docker/libnetwork
+ * github.com/docker/swarmkit
+
+None of the above repositories have relevant tags.
+
+**Docker code base is spread among several name spaces.**
+
+We've made a mistake trying to treat it as several reusable components.
+
+Upstream abuse of versioning practices is a shameful and incompetent
+disgrace. Docker people, if you are reading this I hope you feel sorry.
+I, Dmitry Smirnov , find it difficult to politely
+express how much I despise your release process.
+
+## Circular dependencies
+
+Let me explain practical problem with dependencies. Docker and Libnetwork
+both depend on each other and on "sirupsen/logrus". When in the 2018 the
+latter exhibited minor/trivial problem I could not upload neither Docker
+nor Libnetwork because each FTBFS in the "other" dependency. That's why
+starting with 17.12.1 libnetwork has been incorporated into "docker.io".
+
+
+## Docker package vendoring policy
+
+As highlighted above, it is unsustainable and impractical to package
+individual Docker "components". Many libraries of Docker name space are
+only ever used by Docker and depend on "github.com/docker/docker" which
+makes them part of Docker code base.
+
+Combined with upstream resistance to good versioning practices, we have to
+ship Docker bundle producing (only) reusable package from multi upstream
+tarball (MUT) source package.
+
+Some vendored microlibraries, unless semantically versioned, are not
+worth to be introduced as standalone source package.
+
+Therefore "docker.io" source package will ship all essential Docker
+dependencies to avoid circular dependencies. Main criteria for inclusion of
+a dependency library into "docker.io" source package is dependency on
+"github.com/docker/docker". Additional criteria is assessment whether
+Docker dependency is reusable (e.g. semantically versioned and used by
+other packages). Age of tags is to be considered as Docker team stopped
+tagging most of their dependencies in favour of vendoring them by some
+random commit.
+
+
+## Bundled versus external libraries
+
+### runc
+
+We should make an effort to use "runc" package which no longer depends on
+Docker since 1.0.0~rc5 (no circular/mutual dependency). runc upstream is
+tagging releases so it satisfies non-bundling criteria mentioned above.
+
+In 2017 all reverse build-deps of runc-dev were broken when Balint Reczey
+ forked "runc" source package as "docker-runc"
+versioned to match Docker expectations.
+New package "golang-github-opencontainers-docker-runc-dev" had explicit
+Conflits with "golang-github-opencontainers-runc-dev" effectively hijacking
+runc because all packages depending on runc-dev also depend on docker-dev
+(which depends on docker-runc-dev) hence runc-dev could not be installed
+together with docker-runc-dev. Maintainer of reverse runc-dev build-deps
+was very unhappy...
+
+Let me stress it again: Docker should not hijack runc's name space
+"github.com/opencontainers/runc". Docker's fork of the latter have its
+own name space: "github.com/docker/runc".
+
+In the unfortunate situation if we ever have to use bundled runc in Docker,
+we should NOT provide docker-runc-dev package ever again (or at least avoid
+Conflicts with runc-dev at all costs). I suggest testing runc package for
+run-time compatibility with Docker. That works well with Docker 17.12.1.
+
+Do not be mislead by particular (random) RUNC_COMMIT that Docker expects
+(e.g. `docker info`, "engine/vendor.conf") - we can/should not comply with
+upstream's systematic abuse of versioning.
+
+Perhaps expected commits are not to be trusted at all: for instance in
+17.12.1, CONTAINERD_COMMIT in "engine/hack/dockerfile/binaries-commits"
+does not match any of containerd commits in "engine/vendor.conf".
+
+
+## Notable upstream bugs
+
+ https://github.com/moby/moby/issues/37272
+ https://github.com/docker/distribution/issues/2623
+ https://github.com/docker/distribution/issues/2609
diff --git a/TODO.Debian b/TODO.Debian new file mode 100644
index 00000000..d78785fb
--- /dev/null
+++ b/TODO.Debian
@@ -0,0 +1,22 @@
+
+## testing
+
+ Better testing of components
+
+
+## full rebuild of components
+
+ Currently re-build is partial.
+
+
+## switch packages from docker-runc-dev to opencontainers-runc-dev
+
+ * kubernetes [partially done, needs more work]
+
+
+## request removal of
+
+ * docker-runc [#902059]
+ * docker-containerd [#902087]
+ * golang-libnetwork [#902058]
+ * swarmkit [#902086]
diff --git a/changelog b/changelog new file mode 100644
index 00000000..bc764898
--- /dev/null
+++ b/changelog
@@ -0,0 +1,822 @@ +docker.io (18.09.1+dfsg1-7.1+deb10u3) buster-security; urgency=medium + + * Backport upstream patches for: + - CVE-2020-15157 + - CVE-2020-15257 + - CVE-2021-21284 + - CVE-2021-21285 + + -- Felix Geyer Sun, 21 Feb 2021 18:18:35 +0100 + +docker.io (18.09.1+dfsg1-7.1+deb10u2) buster-security; urgency=medium + + * Add upstream patch for CVE-2020-13401 (Closes: #962141) + + -- Felix Geyer Sun, 14 Jun 2020 22:12:29 +0200 + +docker.io (18.09.1+dfsg1-7.1+deb10u1) buster-security; urgency=medium + + [ Arnaud Rebillout ] + * Add upstream patch for CVE-2019-13139 (Closes: #933002). + * Add upstream patches for CVE-2019-13509 (Closes: #932673). + + [ Felix Geyer ] + * Add upstream patch for CVE-2019-14271 + * Cherry-pick upstream commits to fix test failures with + golang >= 1.11.6-1+deb10u1 + + -- Felix Geyer Tue, 03 Sep 2019 19:59:35 +0200 + +docker.io (18.09.1+dfsg1-7.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Hideki Yamane ] + * upstream site moved to mobyproject.org + + [ Arnaud Rebillout ] + * Add patch for CVE-2018-15664 (Closes: #929662). + + -- Shengjing Zhu Sun, 23 Jun 2019 01:25:10 +0800 + +docker.io (18.09.1+dfsg1-7) unstable; urgency=medium + + * Add patch to revert using iptables-legacy (Closes: #921600). + + -- Arnaud Rebillout Mon, 13 May 2019 09:34:45 +0700 + +docker.io (18.09.1+dfsg1-6) unstable; urgency=medium + + * Add patch to fix Debian security presence check (Closes: #925224). + + -- Arnaud Rebillout Tue, 16 Apr 2019 09:56:17 +0700 + +docker.io (18.09.1+dfsg1-5) unstable; urgency=medium + + * Install "containerd-shim" as "docker-containerd-shim" (Closes: #920935). + * Update containerd-name patch. + + -- Arnaud Rebillout Sat, 02 Feb 2019 10:00:35 +1100 + +docker.io (18.09.1+dfsg1-4) unstable; urgency=medium + + * Updated "containerd" executable name patch; + renamed "containerd-shim" executable (Closes: #920597). 
+ + -- Dmitry Smirnov Mon, 28 Jan 2019 10:16:28 +1100 + +docker.io (18.09.1+dfsg1-3) unstable; urgency=medium + + * New patch to fix name of the "containerd" executable (Closes: #920597). + + -- Dmitry Smirnov Sun, 27 Jan 2019 23:43:53 +1100 + +docker.io (18.09.1+dfsg1-2) unstable; urgency=medium + + [ Dmitry Smirnov ] + * Standards-Version: 4.3.0. + * Upload to unstable. + + [ Arnaud Rebillout ] + * Bump runc requirement to 1.0.0~rc6. + * Add patch to skip flaky test. + * Tidy up patches. + + -- Arnaud Rebillout Sat, 26 Jan 2019 10:58:39 +1100 + +docker.io (18.09.1+dfsg1-1) experimental; urgency=medium + + * New upstream release [January 2019]. + * Remove obsolete patches, refresh remaining ones. + * New notable patches: + - build against the runc debian package. + - build against google-grpc 1.11. + - attempt to fix mips build. + - disable a test file that fails to build (known issue upstream). + * Remove various build dependencies, add new ones. + * Bump some build dependencies: + - golang-github-coreos-bbolt-dev (>= 1.3.1-coreos.5-3~). + * Vendor some build dependencies: + - docker/licensing (no debian package, no upstream release). + - golang-github-spf13-cobra/pflag-dev (docker has internal fork). + + -- Arnaud Rebillout Tue, 22 Jan 2019 19:48:15 +1100 + +docker.io (18.06.1+dfsg1-3) unstable; urgency=medium + + * Import upstream patch to use iptables-legacy (Closes: #911808). + * Un-vendor opencontainers-runtime-tools. + * Import numerous patches from upstream for go 1.11. + + -- Arnaud Rebillout Thu, 17 Jan 2019 15:37:54 +1100 + +docker.io (18.06.1+dfsg1-2) unstable; urgency=medium + + * Tighten versioned dependency on "runc". + * dev: install "libnetwork/ipamutils". + + -- Dmitry Smirnov Sun, 16 Sep 2018 13:21:33 +1000 + +docker.io (18.06.1+dfsg1-1) unstable; urgency=medium + + [ Dmitry Smirnov ] + * New upstream release [August 2018]. + * Upload to unstable (Closes: #906999). 
+ + [ Arnaud Rebillout ] + * Cleanup /etc/init/docker.conf (Closes: #907455) + + -- Dmitry Smirnov Tue, 11 Sep 2018 14:03:46 +1000 + +docker.io (18.06.0+dfsg1-1) experimental; urgency=medium + + * New upstream release [July 2018]. + + [ Arnaud Rebillout ] + * get-orig-source: print the list of directories vendored by upstream. + + [ Dmitry Smirnov ] + * README.source: noted duration of upstream support. + * README.Debian: added note about restart dilemma. + + -- Dmitry Smirnov Fri, 10 Aug 2018 19:07:41 +1000 + +docker.io (18.03.1+dfsg1-6) unstable; urgency=medium + + * Removed obsolete "golang-ed25519-dev" from Build-Depends. + * Standards-Version: 4.1.5. + + -- Dmitry Smirnov Wed, 11 Jul 2018 20:15:24 +1000 + +docker.io (18.03.1+dfsg1-5) unstable; urgency=medium + + * New upstream patch to prevent needless calls to `pass` (Closes: #902258). + * Do not automatically restart daemon on upgrade (Closes: #786724). + * Recommends += "needrestart". + + "needrestart" prompts to restart "docker" daemon on upgrade. This way + running containers won't be killed on upgrade until user choses to + restart Docker. + Not restarting Docker on upgrade may break CLI when it disagrees with + running daemon regarding API version. + + -- Dmitry Smirnov Mon, 02 Jul 2018 14:56:46 +1000 + +docker.io (18.03.1+dfsg1-4) unstable; urgency=medium + + * Suggests += "e2fsprogs, xfsprogs" (Closes: #887222). + * rules: fixed test failure on binary-indep build (Closes: #902206). + Thanks, Santiago Vila. + + -- Dmitry Smirnov Sun, 24 Jun 2018 23:22:51 +1000 + +docker.io (18.03.1+dfsg1-3) unstable; urgency=medium + + [ Dmitry Smirnov ] + * Replaced upstream SysV init file with an improved one. + * --remove-pidfile on stop (Closes: #764921) + * don't fail when removed (Closes: #841282) + * fixed exit status: + + don't fail to stop when already stopped + + don't fail to start when already started + * removed useless check_init() + Thanks, Sam Morris. 
+ * postinst: create "docker" group when needed (Closes: #821078). + * README.source: added comment to clarify upstream version numbering. + Thanks, Tianon Gravi + * README.source: added link describing upstream life cycle & release + policy. Thanks, Tianon Gravi. + + [ Arnaud Rebillout ] + * Added myself to uploaders. + * Bumped compat to 11 to allow installling the systemd socket + file automatically with dh_installsystemd. + * Installed systemd socket through dh_installsystemd. + + -- Dmitry Smirnov Thu, 21 Jun 2018 21:27:32 +1000 + +docker.io (18.03.1+dfsg1-2) unstable; urgency=medium + + [ Dmitry Smirnov ] + * Upload to unstable. + * Un-bundle "googleapis-gnostic-dev" and "docker-notary-dev". + * Removed "golang-github-hashicorp-consul-dev" from Build-Depends. + + [ Arnaud Rebillout ] + * Fix bash completion install. + * d/control: depend on golang-any. + * d/README.source: re-write part about docker-ce upstream workflow. + * Set required version for imdario-mergo and hashicorp-memberlist. + + -- Dmitry Smirnov Wed, 20 Jun 2018 23:40:47 +1000 + +docker.io (18.03.1+dfsg-1) experimental; urgency=medium + + * New upstream release [April 2018]. + * rules: + + properly pass daemon version. + + re-work override_dh_auto_configure with important fixes. + * New patch to disable unreliable TestAdapterReadLogs. + * Use packaged "tini", don't build it. + Thanks, Arnaud Rebillout. + + -- Dmitry Smirnov Tue, 19 Jun 2018 13:43:57 +1000 + +docker.io (17.12.1+dfsg-4) experimental; urgency=medium + + * golang-github-docker-docker-dev: + + install only selected "libnetwork" components. + + install missing "docker/cli" components. + + install "docker/docker/cli". + + -- Dmitry Smirnov Mon, 18 Jun 2018 19:32:51 +1000 + +docker.io (17.12.1+dfsg-3) experimental; urgency=medium + + * Removed versioning from -dev Breaks/Replaces: libnetwork-dev + (Closes: #901694). + * Build with consistent tags "apparmor seccomp selinux ambient" + (Closes: #901743). + Thanks, Laurent Bigonville. 
+ * New patch to fix FTBFS on mips* architectures. + + -- Dmitry Smirnov Mon, 18 Jun 2018 12:05:10 +1000 + +docker.io (17.12.1+dfsg-2) experimental; urgency=medium + + * New patch to disable TestGetRootUIDGID, failing in sbuild. + + -- Dmitry Smirnov Sat, 16 Jun 2018 21:31:51 +1000 + +docker.io (17.12.1+dfsg-1) experimental; urgency=medium + + * Team upload. + * New upstream release [February 2018] (Closes: #850753). + * Restart on upgrade, like most daemons (Closes: #792327). + Docker's upgrade tip from 17.12.0 release notes: + "You must stop all containers and plugins BEFORE upgrading". + * New multi-upstream-tarball (MUT) layout, building all docker components + (containerd, libnetwork, swarmkit) at once; + incorporated binaries of docker-containerd and libnetwork. + * docker-dev to provide libnetwork-dev (a part of Docker). + * New patches to build on go-1.10; build with latest Go compiler. + * Declared myself as Maintainer. + + -- Dmitry Smirnov Sat, 16 Jun 2018 20:05:48 +1000 + +docker.io (1.13.1~ds3-4) unstable; urgency=medium + + * Build with go-1.7 as later versions cause [archive,tarsum] failures + (Closes: #901317). + * Re-enabled [archive,tarsum] tests. + * Build-Depends: + = golang-1.7-go | golang-go (>= 2:1.6~) + + -- Dmitry Smirnov Tue, 12 Jun 2018 00:02:27 +1000 + +docker.io (1.13.1~ds3-3) unstable; urgency=medium + + * Removed invalid team email from Uploaders (Closes: #899285). + * B-D: "libbtrfs-dev | btrfs-progs (<< 4.16.1~)" (Closes: #898876). + Thanks, Dimitri John Ledkov. + * (Build-)Depends: + - removed unused "golang-github-aanand-compose-file-dev". + - removed needless versioning and unknown alternatives. + * dev: install "runconfig" (used by "github.com/aanand/compose-file"). + * repack.sh: use correct compression type, depending on file name. + * watch file to version 4; updated "repack.sh". + + -- Dmitry Smirnov Sun, 10 Jun 2018 19:49:42 +1000 + +docker.io (1.13.1~ds3-2) unstable; urgency=medium + + * Team upload. 
+ * Install -dev files from build directory.
+
+ -- Dmitry Smirnov Sat, 09 Jun 2018 20:20:53 +1000
+
+docker.io (1.13.1~ds3-1) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Tianon Gravi ]
+ * Remove gccgo support.
+ Removed upstream in commit eda90f63446253f97d2011926555306f2417d208
+ (https://github.com/moby/moby/pull/25978)
+ * Update upstream-version-gitcommits with more upstream versions
+
+ [ Dmitry Smirnov ]
+ * New patch to fix CVE-2017-16539 (Closes: #900140).
+ * New patch to remove 10 seconds delay on purge (Closes: #853258).
+ * debhelper to version 11; compat to version 10.
+ * copyright format URL to HTTPS; bump copyright years.
+ * Standards-Version: 4.1.4.
+ * Vcs URLs to Salsa.
+ * Included "cliconfig" to -dev package (used by "gitlab-runner").
+ * Included "reference" and "registry" into -dev package (used by "nomad").
+ * Removed obsolete "golang-github-docker-engine-api-dev" from Build-Depends.
+ * Use more private libraries to fix build and break circular dependencies:
+ + github.com/docker/swarmkit
+ + github.com/docker/libnetwork
+ + github.com/docker/go-events
+ + github.com/docker/go-metrics
+ * Removed Upstart .conf file.
+ * rules:
+ + better clean, remove generated file(s).
+ + fixed "sirupsen/logrus" imports.
+ + DH_GOLANG_GO_GENERATE = 1
+
+ -- Dmitry Smirnov Sat, 09 Jun 2018 14:50:13 +1000
+
+docker.io (1.13.1~ds2-3) unstable; urgency=medium
+
+ * Switch from "runc" to "docker-runc" and "containerd" to
+ "docker-containerd", removing prefix-removing patch
+ (Closes: #877329, #877892)
+ * Update patches, especially test-disablers
+
+ -- Tianon Gravi Sat, 14 Oct 2017 08:58:11 -0700
+
+docker.io (1.13.1~ds1-2) unstable; urgency=medium
+
+ * Make test suite pass by using assorted patches to fix or disable
+ tests that don't work under pbuilder. (Closes: #858269)
+ * Suppress some unfixable Lintian warnings.
+ * Verify CVE-2016-9962 is fixed. (Closes: #850952)
+
+ -- Tim Potter Wed, 07 Jun 2017 11:43:14 +1000
+
+docker.io (1.13.1~ds1-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Tim Potter Wed, 24 May 2017 11:44:10 +1000
+
+docker.io (1.13.0~ds1-3) unstable; urgency=medium
+
+ * Add api and client directories to dev package.
+
+ -- Tim Potter Mon, 24 Apr 2017 16:02:32 +1000
+
+docker.io (1.13.0~ds1-2) unstable; urgency=medium
+
+ * Re-enable logfiles.com logging support after upstream license
+ change.
+ * Run nuke-graph-directory.sh using bash instead of regular sh.
+ * Fix dockerd location for sysvinit and upstart scripts. (Closes: #858249)
+
+ -- Tim Potter Tue, 28 Mar 2017 15:41:55 +1100
+
+docker.io (1.13.0~ds1-1) experimental; urgency=medium
+
+ [ Paul Tagliamonte ]
+ * Remove myself as maintainer, and swap out tpot. Sadly, these days, I'm
+ mostly just in the way, and not actually helping all that much with
+ the Docker packaging. My last upload was basically forever ago, and
+ tianon and tpot have been doing all the work since than. As such, I'm
+ going to make an unilateral executive decision to tell everyone who
+ listens to actually just listen to tpot. I plan to continue to be around in
+ the form of cruft and chaos monkey. You should also listen to tianon.
+
+ [ Tianon Gravi ]
+ * Update basic-smoke test with "set -x" for debuggability and proper Depends
+ * Build from within GOPATH so Go packages are resolved properly
+ * Split "dh_auto_build-arch" from "dh_auto_build-indep"
+ * Update "debian/watch" to use "uscan.tianon.xyz" so older versions are still
+ easily fetchable without excess work outside uscan
+ * Fix d/copyright text about Apache version 2.0 being in
+ "/usr/share/common-licenses/GPL-2" (Closes: #835440); thanks cascardo!
+ * Add Tim Potter to Uploaders ♥
+ * Add a bit more formatting to README.Debian (and a short intro to explain
+ what kinds of things this file includes)
+ * Add an explicit note about "systemd.legacy_systemd_cgroup_controller=yes"
+ in README.Debian (Closes: #843530)
+ * Add explicit new "golang-golang-x-oauth2-google-dev" package to Depends
+
+ [ Tim Potter ]
+ * Add missing "golang-github-docker-go-events-dev" B-D (Closes: #850793)
+ * New upstream version.
+ * Refresh patches and remove obsolete ones.
+ * Remove logentries.com log driver as upstream module is unlicensed.
+
+ -- Tianon Gravi Fri, 19 Aug 2016 12:52:55 -0700
+
+docker.io (1.11.2~ds1-6) unstable; urgency=medium
+
+ [ Tianon Gravi ]
+ * Add DEP-3 headers for "skip-racy-unit-tests.patch"
+ * Add a note about "check-config.sh" to README.Debian; thanks Tincho!
+ * Add "docker-doc" to Suggests (Closes: #831748); thanks Ben!
+ * Remove "lxc" from Suggests (no longer a supported execution backend)
+
+ [ Nicolas Braud-Santoni ]
+ * Fix /etc/docker permissions (Closes: #831324)
+
+ -- Tianon Gravi Wed, 20 Jul 2016 16:34:52 -0700
+
+docker.io (1.11.2~ds1-5) unstable; urgency=medium
+
+ * Skip racy "TestRunCommandWithOutputAndTimeoutKilled" during build (see also
+ https://github.com/docker/docker/issues/22965)
+
+ -- Tianon Gravi Tue, 12 Jul 2016 07:46:35 -0700
+
+docker.io (1.11.2~ds1-4) unstable; urgency=medium
+
+ [ Tianon Gravi ]
+ * Add new script to generate Build-Depends based on "go list" instead of
+ "hack/vendor.sh" (and update Build-Depends using it)
+ * Update "/etc/default/docker" text to aggressively discourage use, linking to
+ upstream's documentation for the recommended alternatives
+ ("/etc/docker/daemon.json" and systemd drop-ins)
+ * Update gbp.conf for pristine-tar usage now that we're no longer multi-orig
+ * Remove "/var/lib/docker" upon purge (Closes: #739257)
+
+ [ Dmitry Smirnov ]
+ * Add support for DEB_BUILD_OPTIONS=nocheck in debian/rules
+
+ -- Tianon Gravi Mon, 11 Jul 2016 22:09:01 -0700
+
+docker.io (1.11.2~ds1-3) unstable; urgency=medium
+
+ * Team upload.
+ * Updated "skip-privileged-unit-tests.patch" to skip more privileged
+ tests in order to fix FTBFS in pbuilder.
+ * Install "opts" directory to -dev package.
+
+ -- Dmitry Smirnov Sat, 09 Jul 2016 13:49:02 +1000
+
+docker.io (1.11.2~ds1-2) unstable; urgency=medium
+
+ * Add Tim Potter (tpot) and Dmitry Smirnov (onlyjob) to debian/copyright; they
+ were instrumental in getting 1.11 into the archive!
+ * Fix golang-github-docker-docker-dev install location (Closes: #830478);
+ thanks nicoo!
+
+ -- Tianon Gravi Fri, 08 Jul 2016 08:47:44 -0700
+
+docker.io (1.11.2~ds1-1) unstable; urgency=medium
+
+ * Update to 1.11.2 upstream release
+ (Closes: #806887, #820149, #822628, #812838)
+ * Add NEWS file describing the AUFS issue and the unfortunate possible
+ "solutions" (Closes: #799386, #805725)
+ * Add "/etc/docker" to the directories explicitly installed by the package
+ to help combat issues like #806261
+ * Update "Homepage" to "dockerproject.org" (versus ".com" which now redirects)
+ * Update "Vcs-Browser" to use https
+ * Shrink the Ubuntu delta by pulling in many of the changes
+ * Replace "btrfs-tools" relations with "btrfs-progs" (Closes: #824833)
+ * Adjust "repack.sh" to allow keeping minor bits of vendor/
+ * Fix bad URL in README (Closes: #816844); thanks Clint!
+ * Move documentation to dedicated "docker-doc" package
+ * Refresh patches, add minor patch to get unit tests running
+ * Use gccgo on non-golang architectures (Closes: #785093)
+ * Use "dh-golang" to calculate "Built-Using" more accurately
+ * Add simple "basic-smoke" DEP8 test
+
+ -- Tianon Gravi Mon, 04 Jul 2016 09:59:44 -0700
+
+docker.io (1.8.3~ds1-2) unstable; urgency=medium
+
+ * Move "overlay" higher in priority (Closes: #799087)
+ * Adjust "native.cgroupdriver" to default to "cgroupfs" (Closes: #798778)
+
+ -- Tianon Gravi Wed, 04 Nov 2015 00:09:02 -0800
+
+docker.io (1.8.3~ds1-1) unstable; urgency=medium
+
+ * Update to 1.8.3 upstream release (CVE-2014-8178, CVE-2014-8179)
+
+ -- Tianon Gravi Thu, 29 Oct 2015 19:40:51 -0700
+
+docker.io (1.8.2~ds1-2) unstable; urgency=medium
+
+ * Swap Build-Depends order to appease buildds (Closes: #803136)
+
+ -- Tianon Gravi Thu, 29 Oct 2015 07:23:10 -0700
+
+docker.io (1.8.2~ds1-1) unstable; urgency=medium
+
+ * Update to 1.8.2 upstream release
+ * Rename golang-docker-dev package to golang-github-docker-docker-dev
+ * Add SELinux support (Closes: #799620)
+
+ -- Tianon Gravi Wed, 28 Oct 2015 14:21:00 -0700
+
+docker.io (1.7.1~dfsg1-1) unstable; urgency=medium
+
+ * Update to 1.7.1 upstream release
+ * Remove patches applied upstream; refresh other patches
+ * Update Build-Depends
+
+ -- Tianon Gravi Wed, 26 Aug 2015 10:13:48 -0700
+
+docker.io (1.6.2~dfsg1-2) unstable; urgency=medium
+
+ * Add DEP8 tests
+ - integration: runs upstream's integration tests
+ * Replace "code.google.com/p/go.net" with canonical "golang.org/x/net"
+ (Closes: #789736)
+
+ -- Tianon Gravi Wed, 01 Jul 2015 07:45:19 -0600
+
+docker.io (1.6.2~dfsg1-1) unstable; urgency=medium
+
+ * Update to 1.6.2 upstream release
+ * Update deps in d/control to match upstream's hack/vendor.sh specifications
+
+ -- Tianon Gravi Thu, 21 May 2015 00:47:43 -0600
+
+docker.io (1.6.1+dfsg1-2) unstable; urgency=medium
+
+ * Add --no-restart-on-upgrade to dh_installinit so that we don't force
+ a stop on upgrade, which can cause other units to fall over. Many thanks
+ to Michael Stapelberg (sECuRE) for the tip!
+
+ -- Paul Tagliamonte Sun, 10 May 2015 13:02:54 -0400
+
+docker.io (1.6.1+dfsg1-1) unstable; urgency=high
+
+ * Update to 1.6.1 upstream release (Closes: #784726)
+ - CVE-2015-3627
+ Insecure opening of file-descriptor 1 leading to privilege escalation
+ - CVE-2015-3629
+ Symlink traversal on container respawn allows local privilege escalation
+ - CVE-2015-3630
+ Read/write proc paths allow host modification & information disclosure
+ - CVE-2015-3631
+ Volume mounts allow LSM profile escalation
+
+ -- Tianon Gravi Fri, 08 May 2015 17:57:10 -0600
+
+docker.io (1.6.0+dfsg1-1) unstable; urgency=medium
+
+ * Upload to unstable
+ * Backport PR 12943 to support golang-go-patricia 2.*
+ * Remove convenience copies of cgroupfs-mount in init.d / upstart scripts
+ (Re: #783143)
+
+ -- Tianon Gravi Tue, 05 May 2015 15:10:49 -0600
+
+docker.io (1.6.0+dfsg1-1~exp1) experimental; urgency=medium
+
+ * Update to 1.6.0 upstream release
+ * Adjust "repack.sh" to be more tolerant of "dfsg" suffixes
+
+ -- Tianon Gravi Thu, 16 Apr 2015 18:00:21 -0600
+
+docker.io (1.6.0~rc7~dfsg1-1~exp1) experimental; urgency=low
+
+ * Update to 1.6.0-rc7 upstream release
+
+ -- Tianon Gravi Wed, 15 Apr 2015 19:35:46 -0600
+
+docker.io (1.6.0~rc4~dfsg1-1) experimental; urgency=low
+
+ [ Tianon Gravi ]
+ * Update to 1.6.0-rc4 upstream release
+ - drop golang 1.2 support (no longer supported upstream)
+ - update Homepage to https://dockerproject.com
+ - add check-config.sh to /usr/share/docker.io/contrib
+ - add "distribution" as a new multitarball orig
+ - backport auto "btrfs_noversion" patch from
+ https://github.com/docker/docker/pull/12048
+ (simplifying our logic for detecting whether to use it)
+ - switch from dh-golang to direct install since we're not actually using the
+ features it offers (due to upstream's build system)
+ - enable "docker.service" on boot by default for restart policies to work
+
+ [ Felipe Sateler ]
+ * Add Built-Using for glibc (Closes: #769351).
+
+ -- Tianon Gravi Mon, 06 Apr 2015 17:11:33 -0600
+
+docker.io (1.5.0~dfsg1-1) experimental; urgency=low
+
+ * Update to 1.5.0 upstream release (Closes: #773495)
+ * Remove several patches applied upstream!
+ - 9637-fix-nuke-bashism.patch
+ - enable-non-amd64-arches.patch
+ * Fix btrfs-tools handling to allow for building with btrfs-tools < 1.16.1
+
+ -- Tianon Gravi Tue, 10 Mar 2015 22:58:49 -0600
+
+docker.io (1.3.3~dfsg1-2) unstable; urgency=medium
+
+ * Add fatal-error-old-kernels.patch to make Docker refuse to start on old,
+ unsupported kernels (Closes: #774376)
+ * Fix dh_auto_clean to clean up after the build properly, especially to avoid
+ FTBFS when built twice (Closes: #774482)
+
+ -- Tianon Gravi Sat, 03 Jan 2015 00:11:47 -0700
+
+docker.io (1.3.3~dfsg1-1) unstable; urgency=medium
+
+ [ Tianon Gravi ]
+ * Update to 1.3.3 upstream release (Closes: #772909)
+ - Fix for CVE-2014-9356 (Path traversal during processing of absolute
+ symlinks)
+ - Fix for CVE-2014-9357 (Escalation of privileges during decompression of
+ LZMA (.xz) archives)
+ - Fix for CVE-2014-9358 (Path traversal and spoofing opportunities presented
+ through image identifiers)
+ * Fix bashism in nuke-graph-directory.sh (Closes: #772261)
+
+ [ Didier Roche ]
+ * Support starting systemd service without /etc/default/docker
+ (Closes: #770293)
+
+ -- Tianon Gravi Thu, 18 Dec 2014 21:54:12 -0700
+
+docker.io (1.3.2~dfsg1-1) unstable; urgency=high
+
+ * Severity is set to high due to the sensitive nature of the CVEs this
+ upload fixes.
+ * Update to 1.3.2 upstream release
+ - Fix for CVE-2014-6407 (Archive extraction host privilege escalation)
+ - Fix for CVE-2014-6408 (Security options applied to image could lead
+ to container escalation)
+ * Remove Daniel Mizyrycki from Uploaders. Thanks for all your work!
+
+ -- Paul Tagliamonte Mon, 24 Nov 2014 19:14:28 -0500
+
+docker.io (1.3.1~dfsg1-2) unstable; urgency=medium
+
+ * Remove deprecated /usr/bin/docker.io symlink
+ - added as a temporary shim in 1.0.0~dfsg1-1 (13 Jun 2014)
+ - unused by package-installed files in 1.2.0~dfsg1-1 (13 Sep 2014)
+
+ -- Tianon Gravi Fri, 07 Nov 2014 13:11:34 -0700
+
+docker.io (1.3.1~dfsg1-1) unstable; urgency=high
+
+ * Update to 1.3.1 upstream release
+ - fix for CVE-2014-5277
+ - https://groups.google.com/d/topic/docker-user/oYm0i3xShJU/discussion
+
+ -- Tianon Gravi Mon, 03 Nov 2014 08:26:29 -0700
+
+docker.io (1.3.0~dfsg1-1) unstable; urgency=medium
+
+ * Updated to 1.3.0 upstream release.
+ * Enable systemd socket activation (Closes: #752555).
+
+ -- Tianon Gravi Fri, 17 Oct 2014 00:56:07 -0600
+
+docker.io (1.2.0~dfsg1-2) unstable; urgency=medium
+
+ * Added "golang-docker-dev" package for the reusable bits of Docker's source.
+
+ -- Tianon Gravi Thu, 09 Oct 2014 00:08:11 +0000
+
+docker.io (1.2.0~dfsg1-1) unstable; urgency=medium
+
+ * Updated to 1.2.0 upstream release (Closes: #757183, #757023, #757024).
+ * Added upstream man pages.
+ * Updated bash and zsh completions to be installed as "docker" and "_docker".
+ * Updated init scripts to also be installed as "docker".
+ * Fixed "equivalent" typo in README.Debian (Closes: #756395). Thanks Reuben!
+ * Removed "docker.io" mention in README.Debian (Closes: #756290). Thanks
+ Olivier!
+
+ -- Tianon Gravi Sat, 13 Sep 2014 11:43:17 -0600
+
+docker.io (1.0.0~dfsg1-1) unstable; urgency=medium
+
+ * Updated to 1.0.0 upstream release. Huzzah!
+ * I've removed what is commonly called a `button' of patches against
+ the docker package. Exact patches:
+ - bash-completion-docker.io.patch
+ - systemd-docker.io.patch
+ - sysvinit-provides-docker.io.patch
+ - zsh-completion-docker.io.patch
+ - mkimage-docker.io.patch
+ * I know y'all are guessing why; and the answer's pretty simple -- we're
+ no longer docker.io(1). Since the src:docker package now ships wmdocker(1),
+ we can safely declare a breaks/replaces on the pre-wmdocker version of the
+ package, allowing existing users to safely update, both src:docker and
+ src:docker.io side. This brings us into line with other distros, which
+ now ship wmdocker(1) and docker(1).
+ * As a stop-gap, I'm still shipping a docker.io(1) symlink to allow
+ migration away.
+
+ -- Paul Tagliamonte Fri, 13 Jun 2014 21:04:53 -0400
+
+docker.io (0.11.1~dfsg1-1) unstable; urgency=medium
+
+ [ Paul Tagliamonte ]
+ * Use EnvironmentFile with the systemd unit file. (Closes: #746774)
+ * Patch out version checking code. (Closes: #747140)
+ * Remove all host checking for non-amd64 host arches. Let docker build
+ and run on all platforms now. (Closes: #747139, #739914)
+
+ [ Tianon Gravi ]
+ * Updated to 0.11.1 upstream release.
+ * Added backported upstream patch for removing RemoteAddr assumptions
+ that cause events to not be delivered to more than one unix socket
+ listener.
+
+ -- Tianon Gravi Fri, 09 May 2014 17:30:45 -0400
+
+docker.io (0.9.1~dfsg1-2) unstable; urgency=medium
+
+ * Added upstream apparmor patch to fix newer apparmor versions (such as the
+ version appearing in Ubuntu 14.04).
+ * Added mkimage-* docker.io binary name patches (Closes: #740855).
+
+ -- Tianon Gravi Tue, 08 Apr 2014 23:19:08 -0400
+
+docker.io (0.9.1~dfsg1-1) unstable; urgency=medium
+
+ * Updated to 0.9.1 upstream release (Closes: #743424).
+ * Added cgroupfs-mount dependency (Closes: #742641).
+ * Added Suggests entries for optional features, chiefly lxc (Closes: #742081).
+ * Added notes about "root-equivalence" to README.Debian (Closes: #742387).
+
+ -- Tianon Gravi Thu, 03 Apr 2014 21:38:30 -0400
+
+docker.io (0.9.0+dfsg1-1) unstable; urgency=medium
+
+ * Updated README.Debian to not be quite so outdated (Closes: #740850).
+ * Updated to 0.9.0 upstream release.
+
+ -- Tianon Gravi Tue, 11 Mar 2014 22:24:31 -0400
+
+docker.io (0.8.1+dfsg1-1) unstable; urgency=medium
+
+ * Updated to 0.8.1 upstream release.
+
+ -- Tianon Gravi Tue, 25 Feb 2014 20:56:31 -0500
+
+docker.io (0.8.0+dfsg1-2) unstable; urgency=medium
+
+ [ Tianon Gravi ]
+ * Added more license notes to debian/copyright (Closes: #738627).
+
+ -- Tianon Gravi Sat, 15 Feb 2014 17:51:58 -0500
+
+docker.io (0.8.0+dfsg1-1) unstable; urgency=medium
+
+ [ Prach Pongpanich ]
+ * Added zsh completion.
+
+ [ Tianon Gravi ]
+ * Updated to 0.8.0 upstream release.
+ * Added vim syntax files in new vim-syntax-docker package.
+ * Added note about minimum recommended kernel version to Description.
+ * Added contrib/*-integration files in /usr/share/docker.io/contrib.
+
+ -- Tianon Gravi Mon, 10 Feb 2014 20:41:10 -0500
+
+docker.io (0.7.6+dfsg1-1) unstable; urgency=medium
+
+ [ Johan Euphrosine ]
+ * Updated to 0.7.6.
+ * Added dependency to gocapability.
+ * Clean patches.
+
+ [ Tianon Gravi ]
+ * Added contrib/mk* scripts from upstream into /usr/share/docker.io/contrib
+ (Closes: #736068).
+ * Added upstream udev rules file to stop device-mapper devices and mounts from
+ appearing in desktop environments through udisks.
+
+ -- Johan Euphrosine Wed, 22 Jan 2014 22:50:47 -0500
+
+docker.io (0.7.1+dfsg1-1) unstable; urgency=medium
+
+ [ Prach Pongpanich ]
+ * Fixed "docker: command not found" errors while using bash tab completion
+ (Closes: #735372).
+
+ [ Tianon Gravi ]
+ * Updated to 0.7.1 upstream release (while we wait for gocapability to be
+ packaged).
+ * Added xz-utils recommend which is required for decompressing certain images
+ from the index.
+
+ -- Tianon Gravi Wed, 15 Jan 2014 20:22:34 -0500
+
+docker.io (0.6.7+dfsg1-3) unstable; urgency=medium
+
+ * Fixed FTBFS on non-amd64 platforms by setting the correct GOPATH.
+ * Fixed issues with Docker finding a valid dockerinit (Closes: #734758).
+ * Added aufs-tools dependency.
+
+ -- Tianon Gravi Thu, 09 Jan 2014 20:10:20 -0500
+
+docker.io (0.6.7+dfsg1-2) unstable; urgency=medium
+
+ * Added iptables dependency required for Docker to start.
+ * Added ca-certificates recommend required for pulling from the index.
+
+ -- Tianon Gravi Wed, 08 Jan 2014 19:14:02 -0500
+
+docker.io (0.6.7+dfsg1-1) unstable; urgency=medium
+
+ * Initial release (Closes: #706060, #730569)
+ * Document missing licenses in the source tree. Bad, paultag. Thanks
+ alteholz.
+
+ -- Paul Tagliamonte Tue, 07 Jan 2014 21:06:10 -0500
diff --git a/clean b/clean
new file mode 100644
index 00000000..27984cfb
--- /dev/null
+++ b/clean
@@ -0,0 +1,26 @@
+## Debian CI:
+debian/.gitlab-ci.yml
+debian/.yamllint
+
+## Useless non-doc files:
+engine/docs/.gitignore
+engine/docs/Dockerfile
+engine/docs/Makefile
+engine/docs/touch-up.sh
+
+## generated:
+engine/dockerversion/version_autogen_unix.go
+engine/dockerversion/version_autogen.go
+
+## Tests that cause issues: (and are difficult to patch instead of removing)
+daemon/graphdriver/devmapper/*_test.go
+cmd/docker/daemon_none_test.go
+
+## Privileged tests:
+cli/cli/command/image/build_linux_test.go
+engine/builder/remotecontext/tarsum_test.go
+engine/daemon/graphdriver/devmapper/devmapper_test.go
+engine/daemon/graphdriver/quota/projectquota_test.go
+engine/daemon/graphdriver/vfs/vfs_test.go
+engine/pkg/chrootarchive/archive_test.go
+engine/plugin/manager_linux_test.go
diff --git a/compat b/compat
new file mode 100644
index 00000000..b4de3947
--- /dev/null
+++ b/compat
@@ -0,0 +1 @@
+11
diff --git a/control b/control
new file mode 100644
index 00000000..51b1f9bd
--- /dev/null
+++ b/control
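Review bot: The `## Privileged tests:` group of debian/clean deletes `engine/pkg/chrootarchive/archive_test.go` and `engine/builder/remotecontext/tarsum_test.go` outright, so the archive-extraction code — an area the changelog hunk above records repeated CVE fixes for (CVE-2014-6407, CVE-2014-9356, CVE-2014-9357) — is built with no unit coverage at all rather than with the privileged cases skipped. Only the first two groups carry a reason in their header; the privileged group does not say what privilege the tests need or that deletion, unlike a skip patch, also drops the unprivileged cases in the same files. A one-line note would stop the next uploader from either re-adding them blindly or assuming they still run, e.g. `## Privileged tests: (need real root / mount namespaces; deleting the file also drops its unprivileged cases — prefer a skip patch where feasible)`. Whether any of these files can instead be kept with a `t.Skip` on the privileged cases is not visible from this hunk.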
@@ -0,0 +1,282 @@
+Source: docker.io
+Section: admin
+Priority: optional
+Standards-Version: 4.3.0
+Maintainer: Dmitry Smirnov
+Uploaders: Arnaud Rebillout
+ ,Tim Potter
+ ,Tianon Gravi
+ ,Paul Tagliamonte
+#Build-Conflicts: golang-github-docker-docker-dev
+Build-Depends: debhelper (>= 11~) ,dh-exec ,dh-golang (>= 1.14~)
+ ,bash-completion,
+ ,ca-certificates
+ ,git
+ ,golang-any (>= 2:1.10~)
+ ,go-md2man (>= 1.0.3~)
+ ,gogoprotobuf, libprotobuf-dev
+ ,golang-dbus-dev (>= 4.1.0~)
+ ,golang-etcd-server-dev
+# ,golang-github-appc-cni-dev (>= 0.6.0~)
+ ,golang-github-armon-go-metrics-dev
+ ,golang-github-asaskevich-govalidator-dev
+ ,golang-github-aws-aws-sdk-go-dev
+ ,golang-github-azure-go-ansiterm-dev
+ ,golang-github-blang-semver-dev
+ ,golang-github-boltdb-bolt-dev
+ ,golang-github-bshuster-repo-logrus-logstash-hook-dev
+ ,golang-github-bsphere-le-go-dev
+ ,golang-github-burntsushi-toml-dev
+ ,golang-github-cloudflare-cfssl-dev
+ ,golang-github-containerd-btrfs-dev (>= 0.0~git20180306~)
+ ,golang-github-containerd-cgroups-dev
+ ,golang-github-containerd-console-dev
+ ,golang-github-containerd-fifo-dev
+ ,golang-github-containerd-go-runc-dev
+ ,golang-github-containerd-typeurl-dev
+ ,golang-github-coreos-bbolt-dev (>= 1.3.1-coreos.5-3~)
+ ,golang-github-coreos-go-systemd-dev (>= 17~)
+ ,golang-github-davecgh-go-spew-dev
+ ,golang-github-deckarep-golang-set-dev
+ ,golang-github-denverdino-aliyungo-dev
+ ,golang-github-dgrijalva-jwt-go-dev
+ ,golang-github-dgrijalva-jwt-go-v3-dev
+ ,golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
+ ,golang-github-docker-goamz-dev
+ ,golang-github-docker-go-connections-dev (>= 0.3.0~)
+ ,golang-github-docker-go-dev
+ ,golang-github-docker-go-units-dev (>= 0.3.1+git20161130.10.e30f1e7)
+ ,golang-github-docker-libkv-dev
+ ,golang-github-docker-libtrust-dev
+ ,golang-github-docker-notary-dev (>= 0.6.1~) | golang-github-theupdateframework-notary-dev
+ ,golang-github-docker-spdystream-dev
+ ,golang-github-emicklei-go-restful-dev
+ ,golang-github-fluent-fluent-logger-golang-dev (>= 1.3.0~)
+ ,golang-github-flynn-archive-go-shlex-dev
+ ,golang-github-fsnotify-fsnotify-dev
+ ,golang-github-garyburd-redigo-dev
+ ,golang-github-ghodss-yaml-dev
+ ,golang-github-gogo-googleapis-dev
+ ,golang-github-googleapis-gax-go-dev
+ ,golang-github-googleapis-gnostic-dev
+ ,golang-github-google-go-cmp-dev (>= 0.2.0~)
+ ,golang-github-google-gofuzz-dev
+ ,golang-github-google-shlex-dev
+ ,golang-github-gorilla-mux-dev
+ ,golang-github-gotestyourself-gotest.tools-dev
+ ,golang-github-graylog2-go-gelf-dev
+ ,golang-github-gregjones-httpcache-dev
+ ,golang-github-grpc-ecosystem-go-grpc-prometheus-dev
+# ,golang-github-grpc-ecosystem-grpc-gateway-dev
+ ,golang-github-hashicorp-go-msgpack-dev
+ ,golang-github-hashicorp-go-version-dev
+ ,golang-github-hashicorp-memberlist-dev (>= 0.1.0~)
+ ,golang-github-hashicorp-serf-dev
+ ,golang-github-imdario-mergo-dev (>= 0.3.3~)
+ ,golang-github-json-iterator-go-dev (>= 1.1.4~)
+ ,golang-github-kr-pty-dev
+ ,golang-github-mattn-go-shellwords-dev
+ ,golang-github-mattn-go-sqlite3-dev
+ ,golang-github-miekg-dns-dev
+ ,golang-github-miekg-pkcs11-dev
+ ,golang-github-mitchellh-hashstructure-dev
+# ,golang-github-modern-go-concurrent-dev
+ ,golang-github-modern-go-reflect2-dev
+ ,golang-github-mrunalp-fileutils-dev
+ ,golang-github-ncw-swift-dev
+#~ ,golang-github-nvveen-gotty-dev
+ ,golang-github-opencontainers-go-digest-dev
+ ,golang-github-opencontainers-image-spec-dev (>= 1.0.1~)
+ ,golang-github-opencontainers-runc-dev (>= 1.0.0~rc6~)
+ ,golang-github-opencontainers-runtime-tools-dev
+ ,golang-github-opencontainers-selinux-dev
+ ,golang-github-opencontainers-specs-dev (>= 1.0.1~)
+ ,golang-github-opentracing-contrib-go-stdlib-dev
+ ,golang-github-opentracing-opentracing-go-dev
+ ,golang-github-pborman-uuid-dev
+ ,golang-github-peterbourgon-diskv-dev (>= 2.0.1~)
+ ,golang-github-philhofer-fwd-dev
+ ,golang-github-pivotal-golang-clock-dev
+ ,golang-github-pmezard-go-difflib-dev
+ ,golang-github-prometheus-client-golang-dev (>= 0.9.0~)
+ ,golang-github-racksec-srslog-dev
+ ,golang-github-rcrowley-go-metrics-dev
+ ,golang-github-rsc-letsencrypt-dev
+ ,golang-github-samuel-go-zookeeper-dev
+ ,golang-github-satori-go.uuid-dev
+ ,golang-github-seccomp-libseccomp-golang-dev (>= 0.9.0)
+ ,golang-github-sirupsen-logrus-dev (>= 1.0.2~)
+# ,golang-github-spf13-cobra-dev (>= 0.0.2~)
+# ,golang-github-spf13-pflag-dev
+ ,golang-github-stevvooe-ttrpc-dev
+ ,golang-github-tchap-go-patricia-dev
+ ,golang-github-tinylib-msgp-dev
+ ,golang-github-tonistiigi-fifo-dev
+ ,golang-github-ugorji-go-codec-dev
+ ,golang-github-urfave-cli-dev (>= 1.20.0~)
+ ,golang-github-vaughan0-go-ini-dev
+ ,golang-github-vbatts-tar-split-dev
+ ,golang-github-vdemeester-shakers-dev
+ ,golang-github-vishvananda-netlink-dev (>= 1.0.0~)
+ ,golang-github-vishvananda-netns-dev (>= 0.0~git20170707~)
+ ,golang-github-xenolf-lego-dev
+# ,golang-glog-dev
+ ,golang-gocapability-dev
+ ,golang-golang-x-net-dev
+ ,golang-golang-x-oauth2-google-dev | golang-golang-x-oauth2-dev
+ ,golang-golang-x-time-dev
+ ,golang-google-api-dev
+ ,golang-google-cloud-dev
+ ,golang-google-grpc-dev
+ ,golang-gopkg-check.v1-dev
+ ,golang-gopkg-inf.v0-dev
+ ,golang-goprotobuf-dev (>= 0.0~git20151207~)
+ ,golang-go-zfs-dev
+ ,golang-protobuf-extensions-dev
+ ,libapparmor-dev
+ ,libbtrfs-dev | btrfs-progs (<< 4.16.1~)
+ ,libdevmapper-dev
+ ,pkg-config
+ ,procps
+ ,tzdata
+Homepage: https://mobyproject.org
+Vcs-Browser: https://salsa.debian.org/docker-team/docker
+Vcs-Git: https://salsa.debian.org/docker-team/docker.git
+XS-Go-Import-Path: github.com/docker/docker
+
+Package: docker.io
+Architecture: linux-any
+Depends: ${misc:Depends} ,${perl:Depends} ,${shlibs:Depends}
+ ,adduser
+ ,iptables
+ ,lsb-base
+ ,runc (>= 1.0.0~rc6~)
+ ,tini
+Recommends: ${apparmor:Recommends}
+ ,ca-certificates
+ ,cgroupfs-mount
+ ,git
+ ,needrestart (>= 3.1~)
+ ,xz-utils
+Replaces: docker (<< 1.5~) ,docker-containerd ,docker-runc ,golang-libnetwork
+Breaks: docker (<< 1.5~) ,docker-containerd ,docker-runc ,golang-libnetwork
+Conflicts: docker-containerd ,docker-runc ,golang-libnetwork
+Suggests: docker-doc
+ ,aufs-tools
+ ,btrfs-progs
+ ,debootstrap
+ ,e2fsprogs
+ ,rinse
+ ,xfsprogs
+ ,zfs-fuse | zfsutils
+Built-Using: ${libc:Built-Using}, ${misc:Built-Using}
+Description: Linux container runtime
+ Docker complements kernel namespacing with a high-level API which operates at
+ the process level. It runs unix processes with strong guarantees of isolation
+ and repeatability across servers.
+ .
+ Docker is a great building block for automating distributed systems:
+ large-scale web deployments, database clusters, continuous deployment systems,
+ private PaaS, service-oriented architectures, etc.
+ .
+ This package contains the daemon and client. Using docker.io on non-amd64 hosts
+ is not supported at this time. Please be careful when using it on anything
+ besides amd64.
+ .
+ Also, note that kernel version 3.8 or above is required for proper operation of
+ the daemon process, and that any lower versions may have subtle and/or glaring
+ issues.
+
+Package: vim-syntax-docker
+Architecture: all
+Depends: vim, ${misc:Depends}
+Recommends: vim-addon-manager
+Suggests: docker.io
+Description: Docker container engine - Vim highlighting syntax files
+ This package provides syntax files for the Vim editor for editing Dockerfiles
+ from the Docker container engine.
+
+Package: golang-github-docker-docker-dev
+Architecture: all
+Depends: ${misc:Depends}
+ ,golang-github-azure-go-ansiterm-dev
+ ,golang-github-docker-distribution-dev
+ ,golang-github-docker-docker-credential-helpers-dev (>= 0.6.1~)
+ ,golang-github-docker-go-connections-dev
+ ,golang-github-docker-go-units-dev
+ ,golang-github-docker-libkv-dev
+ ,golang-github-fsnotify-fsnotify-dev
+ ,golang-github-gorilla-mux-dev
+ ,golang-github-mattn-go-shellwords-dev
+ ,golang-github-opencontainers-go-digest-dev
+ ,golang-github-opencontainers-image-spec-dev
+ ,golang-github-opencontainers-runc-dev (>= 1.0.0~rc6~)
+ ,golang-github-opencontainers-selinux-dev
+ ,golang-github-pkg-errors-dev
+ ,golang-github-sirupsen-logrus-dev (>= 1.0.2~)
+ ,golang-github-stretchr-testify-dev
+ ,golang-github-tchap-go-patricia-dev
+ ,golang-golang-x-net-dev
+ ,golang-golang-x-sys-dev
+ ,golang-google-grpc-dev
+ ,golang-gopkg-check.v1-dev
+# libnetwork:
+ ,golang-dbus-dev (>= 3~)
+ ,golang-github-burntsushi-toml-dev
+ ,golang-github-deckarep-golang-set-dev
+ ,golang-github-docker-go-events-dev
+ ,golang-github-gogo-protobuf-dev
+ ,golang-github-hashicorp-memberlist-dev (>= 0.1.0~)
+ ,golang-github-hashicorp-serf-dev
+ ,golang-github-vishvananda-netlink-dev (>= 1.0.0~)
+ ,golang-github-vishvananda-netns-dev
+Replaces: golang-docker-dev (<< 1.8.2~ds1-1~)
+ ,golang-github-docker-libnetwork-dev
+Breaks: golang-docker-dev (<< 1.8.2~ds1-1~)
+ ,golang-github-docker-libnetwork-dev
+Provides: golang-github-docker-libnetwork-dev
+Description: reusable Go packages included with Docker
+ These packages are intentionally developed by upstream in such a way that they
+ are reusable to projects outside Docker and only rely on each other or other
+ external dependencies to be built.
+
+Package: golang-docker-dev
+Section: oldlibs
+Architecture: all
+Depends: golang-github-docker-docker-dev, ${misc:Depends}
+Description: Transitional package for golang-github-docker-docker-dev
+ This is a transitional package to ease upgrades to the
+ golang-github-docker-docker-dev package. It can safely be removed.
+
+#Package: golang-github-opencontainers-docker-runc-dev
+#Section: oldlibs
+#Architecture: all
+#Depends: ${misc:Depends}
+# ,golang-github-opencontainers-runc-dev (>= 1.0.0~)
+#Description: Open Container Project - development files (Docker's version)
+# This is a transitional package to ease upgrades to the
+# "golang-github-opencontainers-runc-dev" package. It can safely be removed.
+
+Package: docker-doc
+Provides: docker.io-doc
+Section: doc
+Architecture: all
+Depends: ${misc:Depends}
+Description: Linux container runtime -- documentation
+ Docker complements kernel namespacing with a high-level API which operates at
+ the process level. It runs unix processes with strong guarantees of isolation
+ and repeatability across servers.
+ .
+ Docker is a great building block for automating distributed systems:
+ large-scale web deployments, database clusters, continuous deployment systems,
+ private PaaS, service-oriented architectures, etc.
+ .
+ This package contains the daemon and client. Using docker.io on non-amd64 hosts
+ is not supported at this time. Please be careful when using it on anything
+ besides amd64.
+ .
+ Also, note that kernel version 3.8 or above is required for proper operation of
+ the daemon process, and that any lower versions may have subtle and/or glaring
+ issues.
+ .
+ This package provides documentation for Docker.
diff --git a/copyright b/copyright
new file mode 100644
index 00000000..ebb1fef9
--- /dev/null
+++ b/copyright
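Review bot: `,bash-completion,` in Build-Depends carries a stray trailing comma which, with the leading comma on the `,ca-certificates` line that follows, leaves an empty element in the relationship list; dpkg-dev may tolerate it, but it reads as a typo and should be `,bash-completion`. The docker-doc stanza at the end of the hunk repeats the docker.io Description verbatim, including "This package contains the daemon and client. Using docker.io on non-amd64 hosts is not supported at this time." and the kernel 3.8 paragraph, neither of which is true of an Architecture: all documentation package; keeping only the two introductory paragraphs and the closing "This package provides documentation for Docker." sentence would make it accurate. On docker.io, the `Conflicts:` line restates the same three packages that already appear in both `Breaks:` and `Replaces:`; if the intent is a complete takeover of docker-containerd, docker-runc and golang-libnetwork, Replaces+Conflicts alone is the documented form, otherwise Breaks+Replaces is sufficient and the Conflicts line can go.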
@@ -0,0 +1,544 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Docker +Upstream-Contact: Docker, Inc. +Source: https://github.com/docker/docker +Files-Excluded: + .github + .gitignore + components/packaging + vendor/k8s.io/*/third_party/protobuf + vendor/archive + vendor/cloud.google.com + vendor/github.com/agl/ed25519 + vendor/github.com/armon/go-metrics + vendor/github.com/armon/go-radix + vendor/github.com/asaskevich/govalidator + vendor/github.com/aws/aws-sdk-go + vendor/github.com/Azure/azure-sdk-for-go + vendor/github.com/Azure/go-ansiterm + vendor/github.com/Azure/go-autorest + vendor/github.com/beorn7/perks + vendor/github.com/blang/semver + vendor/github.com/boltdb/bolt + vendor/github.com/bshuster-repo/logrus-logstash-hook + vendor/github.com/bsphere/le_go + vendor/github.com/bugsnag/bugsnag-go + vendor/github.com/bugsnag/osext + vendor/github.com/bugsnag/panicwrap + vendor/github.com/BurntSushi/toml + vendor/github.com/cloudflare/cfssl + vendor/github.com/codegangsta/cli + ~~vendor/github.com/containerd/aufs + vendor/github.com/containerd/btrfs + vendor/github.com/containerd/cgroups + vendor/github.com/containerd/console + vendor/github.com/containerd/containerd + ~~vendor/github.com/containerd/continuity + ~~vendor/github.com/containerd/cri + vendor/github.com/containerd/fifo + ~~vendor/github.com/containerd/go-cni + ~~vendor/github.com/containerd/go-runc + ~~vendor/github.com/containerd/ttrpc + vendor/github.com/containerd/typeurl + ~~vendor/github.com/containerd/zfs + ~~vendor/github.com/containernetworking/cni + ~~vendor/github.com/containernetworking/plugins + vendor/github.com/coreos/etcd + vendor/github.com/coreos/go-semver + vendor/github.com/coreos/go-systemd + vendor/github.com/coreos/pkg + vendor/github.com/cpuguy83/go-md2man + vendor/github.com/davecgh/go-spew + vendor/github.com/deckarep/golang-set + vendor/github.com/denverdino/aliyungo + vendor/github.com/dgrijalva/jwt-go + 
vendor/github.com/docker/distribution + vendor/github.com/docker/docker + vendor/github.com/docker/docker-credential-helpers + vendor/github.com/docker/go + vendor/github.com/docker/goamz + vendor/github.com/docker/go-connections + vendor/github.com/docker/go-events + vendor/github.com/docker/go-metrics + vendor/github.com/docker/go-units + vendor/github.com/docker/libkv + vendor/github.com/docker/libnetwork + vendor/github.com/docker/libtrust + ~~vendor/github.com/docker/licensing + vendor/github.com/docker/spdystream + vendor/github.com/docker/swarmkit + vendor/github.com/dustin/go-humanize + vendor/github.com/emicklei/go-restful + ~~vendor/github.com/fernet/fernet-go + vendor/github.com/fluent/fluent-logger-golang + vendor/github.com/flynn-archive/go-shlex + vendor/github.com/fsnotify/fsnotify + vendor/github.com/garyburd/redigo + vendor/github.com/ghodss/yaml + vendor/github.com/go-check/check + vendor/github.com/godbus/dbus + vendor/github.com/gogo/googleapis + vendor/github.com/gogo/protobuf + vendor/github.com/go-ini/ini + ~~vendor/github.com/golang/gddo + vendor/github.com/golang/glog + vendor/github.com/golang/protobuf + vendor/github.com/googleapis/gax-go + vendor/github.com/googleapis/gnostic + vendor/github.com/google/btree + vendor/github.com/google/certificate-transparency-go + vendor/github.com/google/go-cmp + vendor/github.com/google/gofuzz + vendor/github.com/google/shlex + vendor/github.com/gorilla/context + vendor/github.com/gorilla/handlers + vendor/github.com/gorilla/mux + ~~vendor/github.com/Graylog2/go-gelf + vendor/github.com/gregjones/httpcache + vendor/github.com/grpc-ecosystem/go-grpc-prometheus + vendor/github.com/grpc-ecosystem/grpc-gateway + ~~vendor/github.com/grpc-ecosystem/grpc-opentracing + vendor/github.com/hashicorp/consul + vendor/github.com/hashicorp/errwrap + ~~vendor/github.com/hashicorp/go-immutable-radix + vendor/github.com/hashicorp/golang-lru + vendor/github.com/hashicorp/go-memdb + vendor/github.com/hashicorp/go-msgpack 
+ vendor/github.com/hashicorp/go-multierror + vendor/github.com/hashicorp/go-sockaddr + vendor/github.com/hashicorp/go-version + vendor/github.com/hashicorp/memberlist + vendor/github.com/hashicorp/serf + vendor/github.com/imdario/mergo + vendor/github.com/inconshreveable/mousetrap + ~~vendor/github.com/ishidawataru/sctp + vendor/github.com/jmespath/go-jmespath + vendor/github.com/json-iterator/go + vendor/github.com/kr/pty + vendor/github.com/mattn/go-shellwords + vendor/github.com/matttproud/golang_protobuf_extensions + vendor/github.com/Microsoft/go-winio + vendor/github.com/Microsoft/hcsshim + vendor/github.com/Microsoft/opengcs + vendor/github.com/miekg/dns + vendor/github.com/miekg/pkcs11 + vendor/github.com/mistifyio/go-zfs + vendor/github.com/mitchellh/hashstructure + vendor/github.com/mitchellh/mapstructure + ~~vendor/github.com/moby/buildkit + vendor/github.com/modern-go/concurrent + vendor/github.com/modern-go/reflect2 + ~~vendor/github.com/morikuni/aec + vendor/github.com/ncw/swift + ~~vendor/github.com/Nvveen/Gotty + vendor/github.com/opencontainers/go-digest + vendor/github.com/opencontainers/image-spec + vendor/github.com/opencontainers/runc + vendor/github.com/opencontainers/runtime-spec + vendor/github.com/opencontainers/runtime-tools + vendor/github.com/opencontainers/selinux + vendor/github.com/opentracing-contrib/go-stdlib + vendor/github.com/opentracing/opentracing-go + vendor/github.com/pborman/uuid + vendor/github.com/peterbourgon/diskv + ~~vendor/github.com/phayes/permbits + vendor/github.com/philhofer/fwd + vendor/github.com/pivotal-golang/clock + vendor/github.com/pkg/errors + vendor/github.com/pmezard/go-difflib + vendor/github.com/prometheus/client_golang + vendor/github.com/prometheus/client_model + vendor/github.com/prometheus/common + vendor/github.com/prometheus/procfs + vendor/github.com/RackSec/srslog + vendor/github.com/rcrowley/go-metrics + vendor/github.com/russross/blackfriday + vendor/github.com/samuel/go-zookeeper + 
vendor/github.com/satori/go.uuid + vendor/github.com/sean-/seed + vendor/github.com/seccomp/libseccomp-golang + vendor/github.com/shurcooL/sanitized_anchor_name + vendor/github.com/sirupsen/logrus + ~~vendor/github.com/spf13/cobra + ~~vendor/github.com/spf13/pflag + vendor/github.com/stevvooe/resumable + vendor/github.com/stretchr/testify + vendor/github.com/syndtr/gocapability + vendor/github.com/tchap/go-patricia + vendor/github.com/theupdateframework/notary + vendor/github.com/tinylib/msgp + ~~vendor/github.com/tonistiigi/fsutil + ~~vendor/github.com/tonistiigi/units + vendor/github.com/ugorji/go + vendor/github.com/urfave/cli + vendor/github.com/vbatts/tar-split + vendor/github.com/vdemeester/shakers + vendor/github.com/vishvananda/netlink + vendor/github.com/vishvananda/netns + vendor/github.com/xeipuuv/gojsonpointer + vendor/github.com/xeipuuv/gojsonreference + vendor/github.com/xeipuuv/gojsonschema + vendor/github.com/xenolf/lego + vendor/github.com/yvasiyarov/go-metrics + vendor/github.com/yvasiyarov/gorelic + vendor/github.com/yvasiyarov/newrelic_platform_go + vendor/go.etcd.io + vendor/golang.org + vendor/google.golang.org + vendor/go.opencensus.io + vendor/gopkg.in + vendor/gotest.tools + ~~vendor/k8s.io + vendor/rsc.io + ~~vendor/vbom.ml +Files-Excluded-containerd: + */docs +Files-Excluded-distribution: + */docs +Comment: + Thanks to custom repack script, Files-Excluded section is applied to all + components otherwise individual Files-Excluded-{component} sections would + contain too much duplication. + +Files: * +Copyright: 2012-2018 Docker, Inc. +License: Apache-2.0 + +Files: + cli/contrib/completion/zsh/* +Copyright: 2013-2014 Felix Riedel +License: BSD-3-clause-Generic + +Files: + engine/contrib/init/openrc/docker.initd +Copyright: 1999-2013 Gentoo Foundation +License: GPL-2 + +Files: + engine/contrib/selinux-fedora-24/docker-engine-selinux/* + engine/contrib/selinux-oraclelinux-7/docker-engine-selinux/* +Copyright: 2012-2016 Docker Inc. 
+License: GPL-2 +Comment: No explicit copyright statement; assuming upstream copyright. + +Files: + engine/contrib/syntax/vim/* +Copyright: 2013 Honza Pokorny +License: BSD-2-clause + +Files: + engine/pkg/symlink/fs.go +Copyright: 2014-2016 The Docker & Go Authors +License: BSD-3-clause-Google + +Files: + */vendor/github.com/bugsnag/osext/osext* + */vendor/github.com/containerd/continuity/sysx/asm.s +Copyright: + 2008 Google Inc. + 2014-2016 The Go Authors +License: BSD-3-clause-Google + +Files: + */vendor/github.com/containernetworking/plugins/* +Copyright: 2015-2017 CNI authors +License: Apache-2.0 + +Files: + */vendor/github.com/docker/licensing +Copyright: 2013-2017 Docker, Inc. +License: Apache-2.0 + +Files: + */vendor/github.com/fernet/fernet-go/* +Copyright: 2013 Keith Rarick +License: Expat + +Files: + */vendor/github.com/Graylog2/go-gelf/* +Copyright: 2012 SocialCode +License: Expat + +Files: + */vendor/github.com/grpc-ecosystem/grpc-opentracing/* +Copyright: 2016, gRPC Ecosystem +License: BSD-3-clause-GRPC-Opentracing + +Files: + */vendor/github.com/ishidawataru/sctp/* +Copyright: N/A +License: Apache-2.0 +Comment: The upstream distribution does not contain an explicit statement of + copyright ownership. Pursuant to the Berne Convention for the Protection of + Literary and Artistic Works, it is assumed that all content is copyright by + its respective authors unless otherwise stated. + . + https://github.com/ishidawataru/sctp/issues/23 + +Files: + vendor/github.com/morikuni/aec/* +Copyright: 2016 Taihei Morikuni +License: Expat + +Files: + */vendor/github.com/Nvveen/Gotty/* +Copyright: 2012 Neal van Veen +License: BSD-2-clause~freebsd + +Files: + */vendor/github.com/phayes/permbits/* +Copyright: 2016 Patrick D Hayes +License: Expat + +Files: + */vendor/github.com/spf13/cobra/* +Copyright: + 2013 Steve Francia + 2015 Red Hat Inc. 
+ 2016 French Ben +License: Apache-2.0 + +Files: + */vendor/github.com/spf13/pflag/* +Copyright: + 2012 The Go Authors + 2012–2015 Alex Ogier +License: BSD-3-clause-Google + +Files: + */vendor/github.com/tonistiigi/fsutil/* +Copyright: 2017 Tõnis Tiigi +License: Expat + +Files: + */vendor/github.com/yvasiyarov/* +Copyright: + 2012 Richard Crowley + 2013 Yuriy Vasiyarov +License: BSD-2-clause + +Files: + vendor/gotest.tools/* +Copyright: 2018 gotest.tools authors +License: Apache-2.0 + +Files: + vendor/gotest.tools/internal/difflib/* +Copyright: 2013 Patrick Mezard +License: BSD-3-clause-Generic + +Files: + */vendor/k8s.io/* +Copyright: 2014-2018 The Kubernetes Authors. +License: Apache-2.0 + +Files: + */vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go +Copyright: 2009 The Go Authors +License: BSD-3-clause-Google + +Files: + */vendor/vbom.ml/util/* +Copyright: 2015 Frits van Bommel +License: Expat + +Files: debian/* +Copyright: + 2016-2018 Dmitry Smirnov + 2013-2014 Daniel Mizyrycki + 2013-2014 Paul Tagliamonte + 2012-2014 Michael Stapelberg + 2013-2016 Tianon Gravi + 2013-2014 Johan Euphrosine + 2014 Prach Pongpanich + 2016 Tim Potter + 2016 Michael Hudson-Doyle +License: Apache-2.0 + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache version 2.0 license + can be found in "/usr/share/common-licenses/Apache-2.0". 
+ +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-2-clause~freebsd + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + 1. Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + . 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + . + The views and conclusions contained in the software and documentation are those + of the authors and should not be interpreted as representing official policies, + either expressed or implied, of the FreeBSD Project. + +License: BSD-3-clause-Generic + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause-Google + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + * Neither the name of Google Inc. nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +License: BSD-3-clause-GRPC-Opentracing + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + . + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + . + * Neither the name of grpc-opentracing nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . 
+ The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. + +License: GPL-2 + This file is part of Buildbot. Buildbot is free software: you can + redistribute it and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation, version 2. + . + This program is distributed in the hope that it will be useful, but WITHOUT + ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public License along with + this program; if not, write to the Free Software Foundation, Inc., 51 + Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + . + On Debian systems, the complete text of the GNU GPL v2 license can be found in + "/usr/share/common-licenses/GPL-2". + +License: ISC + Permission to use, copy, modify, and/or distribute this software for + any purpose with or without fee is hereby granted, provided that the + above copyright notice and this permission notice appear in all + copies. + ․ + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/docker-doc.docs b/docker-doc.docs new file mode 100644 index 00000000..6acc67f9 --- /dev/null +++ b/docker-doc.docs @@ -0,0 +1,3 @@ +cli/docs/* +engine/docs/* +cli/NOTICE containerd/NOTICE engine/NOTICE go-metrics/NOTICE diff --git a/docker.io.NEWS b/docker.io.NEWS new file mode 100644 index 00000000..82ae42e4 --- /dev/null +++ b/docker.io.NEWS 
@@ -0,0 +1,26 @@ +docker.io (1.11.2~ds1-1) unstable; urgency=medium + + As of src:linux 4.0+ (specifically, >= 3.18-1~exp1), AUFS support is no longer + included in official Debian-compiled kernels. What this means to Docker users + is that if your existing images are stored within the "AUFS" graph driver that + once you update your kernel, your images (and containers) will become + inaccessible (due to the kernel not having the necessary aufs modules to mount + them). To recover from this, there are a couple options (detailed below). + + 1. Use the included nuke script to blow away your existing "/var/lib/docker" + contents and start fresh with Linux 4.0+: + + service docker stop + /usr/share/docker.io/contrib/nuke-graph-directory.sh /var/lib/docker + service docker start + + 2. Use "docker save" (see "docker help save" for usage) before booting 4.0+ to + preserve your images on-disk as tar files, then follow the nuke step from + the previous option followed by using "docker load" to re-load your images. + + 3. Update to src:linux >= 4.1.1-1~exp1 ("aufs: Apply patches to enable + building aufs out-of-tree"), and then compile the aufs modules out-of-tree + (a package for doing this module compilation automatically doesn't yet + exist at the time of this writing, but might in the future). + + -- Tianon Gravi Tue, 01 Dec 2015 01:02:44 -0800 diff --git a/docker.io.bash-completion b/docker.io.bash-completion new file mode 100644 index 00000000..009937f5 --- /dev/null +++ b/docker.io.bash-completion @@ -0,0 +1 @@ +cli/contrib/completion/bash/docker diff --git a/docker.io.dirs b/docker.io.dirs new file mode 100644 index 00000000..4d7117b0 --- /dev/null +++ b/docker.io.dirs @@ -0,0 +1 @@ +etc/docker diff --git a/docker.io.docker.default b/docker.io.docker.default new file mode 100644 index 00000000..802416a2 --- /dev/null +++ b/docker.io.docker.default 
@@ -0,0 +1,12 @@
+# Here in Debian, this file is sourced by:
+# - /etc/init.d/docker (sysvinit)
+# - /etc/init/docker (upstart)
+# - systemd's docker.service
+
+# Use of this file for configuring your Docker daemon is discouraged.
+
+# The recommended alternative is "/etc/docker/daemon.json", as described in:
+# https://docs.docker.com/v1.11/engine/reference/commandline/daemon/#daemon-configuration-file
+
+# If that does not suit your needs, try a systemd drop-in file, as described in:
+# https://docs.docker.com/v1.11/engine/admin/systemd/#custom-docker-daemon-options
diff --git a/docker.io.docker.init b/docker.io.docker.init
new file mode 100644
index 00000000..600fba1c
--- /dev/null
+++ b/docker.io.docker.init
@@ -0,0 +1,133 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: docker
+# Required-Start: $syslog $remote_fs
+# Required-Stop: $syslog $remote_fs
+# Should-Start: cgroupfs-mount cgroup-lite
+# Should-Stop: cgroupfs-mount cgroup-lite
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Create lightweight, portable, self-sufficient containers.
+# Description:
+# Docker is an open-source project to easily create lightweight, portable,
+# self-sufficient containers from any application. The same container that a
+# developer builds and tests on a laptop can run at scale, in production, on
+# VMs, bare metal, OpenStack clusters, public clouds and more.
+### END INIT INFO
+
+NAME=$(basename $(readlink -f "$0"))
+DAEMON=/usr/sbin/dockerd
+# This is the pid file managed by docker itself
+DOCKER_PIDFILE=/var/run/$NAME.pid
+# This is the pid file created/managed by start-stop-daemon
+DOCKER_SSD_PIDFILE=/var/run/$NAME-ssd.pid
+DOCKER_LOGFILE=/var/log/$NAME.log
+DOCKER_OPTS=
+DOCKER_DESC="Docker"
+
+# Exit if executable is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Define LSB log_* functions.
+. /lib/lsb/init-functions || exit 1
+
+fail_unless_root() {
+ if [ "$(id -u)" != '0' ]; then
+ log_failure_msg "$DOCKER_DESC must be run as root"
+ exit 1
+ fi
+}
+
+cgroupfs_mount() {
+ # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
+ if grep -v '^#' /etc/fstab | grep -q cgroup \
+ || [ ! -e /proc/cgroups ] \
+ || [ ! -d /sys/fs/cgroup ]; then
+ return
+ fi
+ if ! mountpoint -q /sys/fs/cgroup; then
+ mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
+ fi
+ (
+ cd /sys/fs/cgroup
+ for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
+ mkdir -p $sys
+ if ! mountpoint -q $sys; then
+ if ! mount -n -t cgroup -o $sys cgroup $sys; then
+ rmdir $sys || true
+ fi
+ fi
+ done
+ )
+}
+
+case "$1" in
+ start)
+ fail_unless_root
+
+ cgroupfs_mount
+
+ touch "$DOCKER_LOGFILE"
+ chgrp docker "$DOCKER_LOGFILE"
+
+ ulimit -n 1048576
+
+ # Having non-zero limits causes performance problems due to accounting overhead
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+ if [ "$BASH" ]; then
+ ulimit -u unlimited
+ else
+ ulimit -p unlimited
+ fi
+
+ log_begin_msg "Starting $DOCKER_DESC: $NAME"
+ $0 status >>/dev/null \
+ || start-stop-daemon --start --background \
+ --no-close \
+ --exec "$DAEMON" \
+ --pidfile "$DOCKER_SSD_PIDFILE" \
+ --make-pidfile \
+ -- \
+ -p "$DOCKER_PIDFILE" \
+ $DOCKER_OPTS \
+ >> "$DOCKER_LOGFILE" 2>&1
+ log_end_msg $?
+ ;;
+
+ stop)
+ fail_unless_root
+ if [ -f "$DOCKER_SSD_PIDFILE" ]; then
+ log_begin_msg "Stopping $DOCKER_DESC: $NAME"
+ start-stop-daemon --stop --pidfile "$DOCKER_SSD_PIDFILE" --remove-pidfile --retry 10
+ log_end_msg $?
+ else
+ log_warning_msg "Docker already stopped - file $DOCKER_SSD_PIDFILE not found."
+ fi
+ ;;
+
+ restart)
+ fail_unless_root
+ docker_pid=`cat "$DOCKER_SSD_PIDFILE" 2>/dev/null`
+ [ -n "$docker_pid" ] \
+ && ps -p $docker_pid > /dev/null 2>&1 \
+ && $0 stop
+ $0 start
+ ;;
+
+ force-reload)
+ fail_unless_root
+ $0 restart
+ ;;
+
+ status)
+ status_of_proc -p "$DOCKER_SSD_PIDFILE" "$DAEMON" "$DOCKER_DESC"
+ ;;
+
+ *)
+ echo "Usage: service docker {start|stop|restart|status}"
+ exit 1
+ ;;
+esac
diff --git a/docker.io.docker.service b/docker.io.docker.service
new file mode 120000
index 00000000..117f08a4
--- /dev/null
+++ b/docker.io.docker.service
@@ -0,0 +1 @@
+../engine/contrib/init/systemd/docker.service
\ No newline at end of file
diff --git a/docker.io.docker.socket b/docker.io.docker.socket
new file mode 120000
index 00000000..0885e71b
--- /dev/null
+++ b/docker.io.docker.socket
@@ -0,0 +1 @@
+../engine/contrib/init/systemd/docker.socket
\ No newline at end of file
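Review bot: In the `start)` arm, `touch "$DOCKER_LOGFILE"` followed by `chgrp docker "$DOCKER_LOGFILE"` never sets a file mode, so the permissions of /var/log/docker.log are whatever the invoking shell's umask produced (the usual 022 yields 0644, world-readable), even though the chgrp suggests read access was meant to be limited to the docker group. Everything the daemon writes to stdout/stderr lands in that file via `>> "$DOCKER_LOGFILE" 2>&1`, and operators generally do not intend daemon logs to be readable by every local account. Add `chmod 0640 "$DOCKER_LOGFILE"` directly after the chgrp so the mode no longer depends on umask. A smaller point in the `restart)` arm: `ps -p $docker_pid` leaves the pid unquoted, so a corrupted pidfile containing whitespace becomes extra arguments; `ps -p "$docker_pid"` avoids that.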
diff --git a/docker.io.docker.udev b/docker.io.docker.udev
new file mode 120000
index 00000000..fff6322c
--- /dev/null
+++ b/docker.io.docker.udev
@@ -0,0 +1 @@
+../engine/contrib/udev/80-docker.rules
\ No newline at end of file
diff --git a/docker.io.docs b/docker.io.docs
new file mode 100644
index 00000000..55774b3f
--- /dev/null
+++ b/docker.io.docs
@@ -0,0 +1,2 @@
+engine/README.md
+engine/ROADMAP.md
diff --git a/docker.io.install b/docker.io.install
new file mode 100755
index 00000000..9d2c5d74
--- /dev/null
+++ b/docker.io.install
@@ -0,0 +1,25 @@
+#!/usr/bin/dh-exec
+
+.gopath/src/github.com/docker/cli/build/* /usr/bin/
+.gopath/src/github.com/docker/docker/bundles/dynbinary-daemon/dockerd-${DOCKER_VERSION} => usr/sbin/dockerd
+
+engine/contrib/*-integration usr/share/docker.io/contrib/
+engine/contrib/check-config.sh usr/share/docker.io/contrib/
+engine/contrib/mk* usr/share/docker.io/contrib/
+engine/contrib/nuke-graph-directory.sh usr/share/docker.io/contrib/
+
+cli/contrib/completion/zsh/_docker usr/share/zsh/vendor-completions/
+
+
+## libnetwork
+.gopath/bin/proxy => usr/sbin/docker-proxy
+.gopath/bin/ovrouter usr/sbin
+.gopath/bin/dnet usr/bin
+
+## containerd:
+.gopath/bin/containerd => usr/bin/docker-containerd
+.gopath/bin/containerd-shim => usr/bin/docker-containerd-shim
+.gopath/bin/ctr => usr/bin/docker-containerd-ctr
+
+## runc
+##.gopath/bin/runc => usr/bin/docker-runc
diff --git a/docker.io.links b/docker.io.links
new file mode 100644
index 00000000..0d237b77
--- /dev/null
+++ b/docker.io.links
@@ -0,0 +1,2 @@
+/usr/sbin/runc /usr/sbin/docker-runc
+/usr/bin/tini-static /usr/bin/docker-init
diff --git a/docker.io.lintian-overrides b/docker.io.lintian-overrides
new file mode 100644
index 00000000..94ca070f
--- /dev/null
+++ b/docker.io.lintian-overrides
@@ -0,0 +1,3 @@
+docker.io: spelling-error-in-binary
+docker.io: spelling-error-in-manpage
+docker.io: manpage-has-errors-from-man
diff --git a/docker.io.maintscript b/docker.io.maintscript
new file mode 100644
index 00000000..8b1061f5
--- /dev/null
+++ b/docker.io.maintscript
@@ -0,0 +1,6 @@
+mv_conffile /etc/bash_completion.d/docker.io /etc/bash_completion.d/docker 1.2.0~
+mv_conffile /etc/default/docker.io /etc/default/docker 1.2.0~
+mv_conffile /etc/init.d/docker.io /etc/init.d/docker 1.2.0~
+mv_conffile /etc/init/docker.io.conf /etc/init/docker.conf 1.2.0~
+rm_conffile /etc/bash_completion.d/docker 1.11.2~
+rm_conffile /etc/init/docker.conf 18.06.0~
diff --git a/docker.io.manpages b/docker.io.manpages
new file mode 100644
index 00000000..e1747faa
--- /dev/null
+++ b/docker.io.manpages
@@ -0,0 +1 @@
+.gopath/src/github.com/docker/cli/man/man*/*
diff --git a/docker.io.postinst b/docker.io.postinst
new file mode 100644
index 00000000..3c1eb03c
--- /dev/null
+++ b/docker.io.postinst
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ if ! getent group docker >>/dev/null 2>&1 ; then
+ addgroup --quiet --system docker
+ fi
+ fi
+
+ # Ensure config directory permissions
+ # On a fresh install, $2 = '' and dpkg "le-nl" treat that as a
+ # greater version, so the body is not executed.
+ if dpkg --compare-versions "$2" le-nl '1.11.2~ds1-1'; then
+ if [ "$(stat -c '%a' /etc/docker)" = '700' ]; then
+ chmod 0755 /etc/docker
+ fi
+ fi
+ ;;
+ abort-*)
+ # How'd we get here??
+ exit 1
+ ;;
+ *)
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/docker.io.postrm b/docker.io.postrm
new file mode 100644
index 00000000..f01f7c71
--- /dev/null
+++ b/docker.io.postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+ purge)
+ # if we have our saved "nuke-graph-directory.sh", let's use it
+ # see also docker.io.prerm
+ if [ -x /var/lib/docker/nuke-graph-directory.sh ]; then
+ /var/lib/docker/nuke-graph-directory.sh /var/lib/docker
+ fi
+ ;;
+
+ *)
+ ;;
+esac
diff --git a/docker.io.prerm b/docker.io.prerm
new file mode 100644
index 00000000..71f9e6e6
--- /dev/null
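Review bot: The `abort-*)` arm of the postinst exits 1, so when dpkg calls this script with `abort-upgrade` or `abort-remove` after a failed prerm, the rollback itself fails and the package is left half-installed rather than restored to its previous configured state; since there is nothing for this arm to undo, make it a no-op (`abort-*) ;;`) like the catch-all `*)` arm already is. On the `chmod 0755 /etc/docker` step, the comment documents the version gate but not the security consequence: the directory is widened from 0700 to the Debian default while whatever sits under it (daemon.json, and any TLS or key files an administrator placed there) keeps its own mode and is not examined. A line such as `# relaxes only the directory mode; files under /etc/docker keep their own modes and are not audited here` would stop a later reader from assuming the contents were checked as well.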
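Review bot: The `purge)` arm of the postrm runs `/var/lib/docker/nuke-graph-directory.sh` as root after checking only `-x`, so purge executes whatever is at that path at that moment; the file is meant to be the copy prerm saved there, but /var/lib/docker is the daemon's writable state directory and it persists between remove and purge, so anything that writes to it later (including a symlink dropped at that name, which `-x` follows) has its content run by dpkg. A cheap defense-in-depth check is to require a regular, non-symlink, root-owned file before calling it: `f=/var/lib/docker/nuke-graph-directory.sh`, `if [ -f "$f" ] && [ ! -L "$f" ] && [ "$(stat -c '%u' "$f")" = 0 ]; then`, `"$f" /var/lib/docker`. Alternatively, keep the saved copy outside the daemon's state directory so purge never depends on that directory's contents at all.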
+++ b/docker.io.prerm
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove)
+ # if we're removing, we need to save "nuke-graph-directory.sh" so that
+ # we can still purge "/var/lib/docker" later if necessary
+ # see also docker.io.postrm
+ if \
+ [ -d /var/lib/docker ] \
+ && [ -x /usr/share/docker.io/contrib/nuke-graph-directory.sh ] \
+ ; then
+ if cp -v /usr/share/docker.io/contrib/nuke-graph-directory.sh /var/lib/docker/; then
+ chmod +x /var/lib/docker/nuke-graph-directory.sh || :
+ fi
+ fi
+ ;;
+
+ *)
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/gbp.conf b/gbp.conf
new file mode 100644
index 00000000..6a09c3e3
--- /dev/null
+++ b/gbp.conf
@@ -0,0 +1,15 @@
+[DEFAULT]
+cleaner = fakeroot debian/rules clean
+pristine-tar = True
+merge = False
+debian-tag = %(version)s
+
+[buildpackage]
+export-dir = ../build-area/
+tarball-dir = ../tarballs/
+
+[dch]
+id-length = 0
+meta = True
+auto = True
+full = True
diff --git a/get-orig-source.sh b/get-orig-source.sh
new file mode 100755
index 00000000..605f61b3
--- /dev/null
+++ b/get-orig-source.sh
@@ -0,0 +1,140 @@ +#!/bin/bash +: <<=cut + +=head1 DESCRIPTION + +This script is called by uscan(1) as per "debian/watch" to download Multi +Upstream Tarball (MUT) components. + +=head1 COPYRIGHT + +Copyright: 2018 Dmitry Smirnov + +=head1 LICENSE + +License: GPL-3+ + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +=cut + +set -e +set -u + +if [ "$1" = '--upstream-version' ]; then + version="$2" +else + printf "E: missing argument '--upstream-version'.\n" 1>&2 + exit 1 +fi + +export XZ_OPT="-6v" +DEB_SOURCE="$( dpkg-parsechangelog -SSource )" +#DEB_VERSION="$( dpkg-parsechangelog -SVersion )" +filename="$( readlink -f ../${DEB_SOURCE}_${version}.orig.tar.xz )" +[ -s "$(unknown)" ] || exit 1 + +get_vendor_tree() { + # Get the list of vendor directories. For github.com repositories, we want to descend + # 2 levels down the directory, so that we get a list of go packages. 
+ local top_dirs="" + local github_dirs="" + + for dir in "$@"; do + if [ -d $dir ]; then + top_dirs="$top_dirs $dir" + fi + if [ -d $dir/github.com ]; then + github_dirs="$github_dirs $dir/github.com" + fi + done + + local top_vendored_dirs=$( find $top_dirs -mindepth 1 -maxdepth 1 -type d | grep -v 'github.com' ) + local github_vendored_dirs=$( find $github_dirs -mindepth 2 -maxdepth 2 -type d ) + printf "${top_vendored_dirs}\n${github_vendored_dirs}" \ + | sed 's;^.*/vendor/;vendor/;' \ + | sort +} + +drop_files_excluded() { + local work_dir + for work_dir in $@; do + perl -0nE 'say $1 if m{^Files\-Excluded:\s*(.*?)(?:\n\n|^Files|^Comment)}sm;' debian/copyright \ + | ( cd "${work_dir}" && xargs --no-run-if-empty rm -rf ) + done + if [ -d "${work_dir}"/vendor ]; then + find "${work_dir}"/vendor -mindepth 1 -type d -empty -delete -printf 'removed %p\n' + fi +} + +## extract main tarball: +work_dir="$( mktemp -d -t get-orig-source_${DEB_SOURCE}_XXXXXXXX )" +trap "rm -rf '${work_dir}'" EXIT +tar -xf "$(unknown)" -C "${work_dir}" + +## Docker specific: +vendored_dirs="$(get_vendor_tree ${work_dir}/*/components/*/vendor)" +drop_files_excluded "${work_dir}"/*/components/* + +#### Move components one level up +( cd "${work_dir}"/*/components && mv * ../ ) \ +&& rmdir "${work_dir}"/*/components + +( cd "${work_dir}" && tar -caf "$(unknown)" . ) + +## fetch Docker components: +for I in docker/go-events docker/go-metrics docker/libnetwork docker/distribution docker/swarmkit containerd/containerd; do + printf ":: Processing ${I}\n" 1>&2 + URL="github.com/${I}" + REV=$( grep "${URL}" "${work_dir}"/*/engine/vendor.conf | head -1 | awk '{print $2}' ) + if [ -z "${REV}" ]; then + printf "E: could not find commit for ${I}\n" 1>&2 + exit 1 + fi + component=${I##*/} + FN="$( readlink -f ../${DEB_SOURCE}_${version}.orig-${component}.tar.gz )" + + if [ ! 
-s "${FN}" ]; then + wget --tries=3 --timeout=40 --read-timeout=40 --continue \ + -O "${FN}" "https://${URL}/archive/${REV}.tar.gz" \ + || rm -f "${FN}" + + component_dir="$( mktemp -d -t get-orig-source_XXXXXXXX )" + mkdir "${component_dir}"/${component} + tar -xf "${FN}" -C "${component_dir}"/${component} --strip-components=1 + + if [ -d "${component_dir}"/${component}/vendor ]; then + vendored_dirs="$(printf '%s\n' ${vendored_dirs} $(get_vendor_tree ${component_dir}/${component}/vendor))" + fi + drop_files_excluded "${component_dir}"/${component} + + ( cd "${component_dir}" && tar -caf "${FN}" . ) + rm -rf "${component_dir}" + + mk-origtargz --package ${DEB_SOURCE} --version ${version} \ + --rename --repack --compression xz --directory .. \ + --component ${component} --copyright-file debian/copyright \ + "${FN}" + fi +done +##### + +echo "" +echo "Here's a tentative list for your Files-Excluded list, in d/copyright." +echo "Use it with care" +echo "" + +echo "Files-Excluded:" +echo "${vendored_dirs}" | sort | uniq | sed 's/^/ /' + +rm -rf "${work_dir}" diff --git a/golang-github-docker-docker-dev.install b/golang-github-docker-docker-dev.install new file mode 100644 index 00000000..b5cdcebe --- /dev/null +++ b/golang-github-docker-docker-dev.install 
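Review bot: `REV=$( grep "${URL}" "${work_dir}"/*/engine/vendor.conf | head -1 | awk '{print $2}' )` matches the import path as an unanchored substring, so any longer entry sharing the prefix that sorts earlier in vendor.conf would be picked and a different commit downloaded; anchor the lookup on the first field, `REV=$( awk -v p="${URL}" '$1 == p { print $2; exit }' "${work_dir}"/*/engine/vendor.conf )`. The component archives are then fetched with `wget … "https://${URL}/archive/${REV}.tar.gz"` and repacked with no integrity check beyond the commit id in the URL; GitHub generates those archives on demand, so recording the sha256 of each produced `orig-<component>` tarball (or fetching via `git` and comparing `git rev-parse HEAD` with `${REV}`) would make the repack tamper-evident and reproducible across runs. The three `"$(unknown)"` placeholders (`[ -s "$(unknown)" ]`, `tar -xf "$(unknown)"`, `tar -caf "$(unknown)"`) look like the `${filename}` variable lost in rendering and should be confirmed against the packaging tree before this listing is relied on.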
@@ -0,0 +1,41 @@ +## CLI: +.gopath/src/github.com/docker/cli/cli/config usr/share/gocode/src/github.com/docker/cli/cli/ +.gopath/src/github.com/docker/cli/opts usr/share/gocode/src/github.com/docker/cli/ + + +## Legacy / compatibility with older Docker: +.gopath/src/github.com/docker/cli/cli/config/* usr/share/gocode/src/github.com/docker/docker/cliconfig/ +#.gopath/src/github.com/docker/cli/cli/config/* usr/share/gocode/src/github.com/docker/docker/cli/config/ + + +## Engine +engine/dockerversion usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/api usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/cli usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/client usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/errdefs usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/opts usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/pkg usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/reference usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/registry usr/share/gocode/src/github.com/docker/docker/ +.gopath/src/github.com/docker/docker/runconfig usr/share/gocode/src/github.com/docker/docker/ + + +## Libnetwork: +.gopath/src/github.com/docker/libnetwork/datastore usr/share/gocode/src/github.com/docker/libnetwork/ +.gopath/src/github.com/docker/libnetwork/discoverapi usr/share/gocode/src/github.com/docker/libnetwork/ +.gopath/src/github.com/docker/libnetwork/ipamutils usr/share/gocode/src/github.com/docker/libnetwork/ +.gopath/src/github.com/docker/libnetwork/ns usr/share/gocode/src/github.com/docker/libnetwork/ +.gopath/src/github.com/docker/libnetwork/options usr/share/gocode/src/github.com/docker/libnetwork/ +.gopath/src/github.com/docker/libnetwork/testutils 
usr/share/gocode/src/github.com/docker/libnetwork/ +.gopath/src/github.com/docker/libnetwork/types usr/share/gocode/src/github.com/docker/libnetwork/ + + +## Sub-vendoring: +engine/vendor/github.com/containerd/continuity/driver usr/share/gocode/src/github.com/docker/docker/vendor/github.com/containerd/continuity/ +engine/vendor/github.com/containerd/continuity/pathdriver usr/share/gocode/src/github.com/docker/docker/vendor/github.com/containerd/continuity/ + +engine/vendor/github.com/Nvveen/Gotty usr/share/gocode/src/github.com/docker/docker/vendor/github.com/Nvveen/ + +distribution/reference usr/share/gocode/src/github.com/docker/docker/vendor/github.com/docker/distribution/ +distribution/digestset usr/share/gocode/src/github.com/docker/docker/vendor/github.com/docker/distribution/ diff --git a/helpers/gen-build-depends.sh b/helpers/gen-build-depends.sh new file mode 100755 index 00000000..00af9e37 --- /dev/null +++ b/helpers/gen-build-depends.sh 
@@ -0,0 +1,193 @@ +#!/bin/bash +set -eu +set -o pipefail + +goBuildTags='apparmor cgo daemon pkcs11 selinux' + +debDir="$PWD/debian" + +debVer="$(dpkg-parsechangelog -SVersion)" +origVer="${debVer%-*}" # strip everything from the last dash +origVer="$(echo "$origVer" | sed -r 's/^[0-9]+://')" # strip epoch +upstreamVer="${origVer%%[+~]ds*}" +upstreamVer="${upstreamVer//[~]/-}" + +goImportPath="$(awk -F ': ' '$1 == "XS-Go-Import-Path" { print $2; exit }' debian/control)" +[ "$goImportPath" ] + +upstreamArchiveUri="https://$goImportPath/archive/v${upstreamVer}.tar.gz" + +tempDir="$(mktemp -d -t debian-docker-gen-build-depends-XXXXXXXXXX)" +trap "rm -rf '$tempDir'" EXIT +cd "$tempDir" + +mkdir -p "gopath/src/$goImportPath" +wget -qO archive.tar.gz "$upstreamArchiveUri" +tar \ + --extract \ + --file archive.tar.gz \ + --directory "gopath/src/$goImportPath" \ + --strip-components 1 +export GOPATH="$PWD/gopath:$PWD/gopath/src/$goImportPath/vendor" +cd "gopath/src/$goImportPath" + +IFS=$'\n' +# get the full list of "docker/docker" Go packages +goPkgs=( $(go list "$goImportPath/..." | grep -vE "^$goImportPath/vendor/") ) +# get the list of their dependencies, normalized: +# - skip stdlib, docker/docker +# - adjust known hosting locations for their top-level repos +goDeps=( $( + go list \ + -e \ + -tags "$goBuildTags" \ + -f '{{ join .Deps "\n" }}{{ "\n" }}{{ join .TestImports "\n" }}' \ + "${goPkgs[@]}" \ + | grep -vE '^$' \ + | grep -vE '^[^/]+$' \ + | grep -vE "^$goImportPath/" \ + | sort -u \ + | xargs \ + go list \ + -e \ + -f '{{ if not .Standard }}{{ .ImportPath }}{{ end }}' \ + | grep -vE '^$' \ + | sed -r \ + -e 's!^(github.com/[^/]+/[^/]+)/.*$!\1!' \ + -e 's!^(golang.org/x/[^/]+)/.*$!\1!' \ + -e 's!^(google.golang.org/[^/]+)/.*$!\1!' \ + -e 's!^(gopkg.in/[^/]+)/.*$!\1!' 
\ + | sort -u +) ) +unset IFS + +# converts a given "goPkg" into the relevant Debian "-dev" package name +debian_pkg() { + local goPkg="$1" + local domain="${goPkg%%/*}" + domain="${domain%%.*}" + local goPkgPath="${goPkg#*/}" + local package="golang-$domain-${goPkgPath//\//-}-dev" + package="${package,,}" + echo "$package" +} + +# converts "gitRepo" and "gitRef" into a concrete version number +git_version() { + local goPkg="$1"; shift + local gitRepo="$1"; shift + local gitRef="$1"; shift + + [ "$gitRef" ] || return + + local gitSnapshotPrefix='0.0~git' + + # normalize a few "special" cases + case "$goPkg=$gitRef" in + github.com/docker/go=*-*-*-*) + # turn "v1.5.1-1-1-gbaf439e" into "v1.5.1-1" so we can "ls-remote" and generate via commit instead of version + local remoteCommit="$(git ls-remote "$gitRepo" "refs/tags/${gitRef%-*-*}" | cut -d$'\t' -f1)" + if [ "$remoteCommit" ]; then + gitRef="$remoteCommit" + fi + ;; + + github.com/docker/libnetwork=v0.7.2-rc.1) + # TODO get newer version in the archive + gitRef='v0.7.0~rc.6' + ;; + + github.com/docker/distribution=467fc068d88aa6610691b7f1a677271a3fac4aac) + # TODO get newer version in the archive (467fc068d88aa6610691b7f1a677271a3fac4aac really corresponds to v2.5.0-rc.1+) + gitRef='v2.4.1' + ;; + + github.com/agl/ed25519=*) + gitSnapshotPrefix='0~' + ;; + + github.com/docker/containerd=*|github.com/opencontainers/runc=*) + # attempt to resolve commit to tag + local remoteTag="$(git ls-remote --tags "$gitRepo" | awk -F '[\t/]' '$1 == "'"$gitRef"'" { print $4; exit }')" + if [ "$remoteTag" ]; then + gitRef="$remoteTag" + fi + # TODO get newer (compatible) versions of each of these into the archive + case "$goPkg" in + github.com/docker/containerd) + gitRef='v0.2.1' + ;; + github.com/opencontainers/runc) + gitRef='v0.1.0' + ;; + esac + ;; + esac + + case "$gitRef" in + v[0-9]*|[0-9].*) + echo "${gitRef#v}" + return + ;; + esac + + local commitDate + case "$goPkg" in + github.com/*) + # for GitHub repos, we can 
shortcut the date calculation (saves a _lot_ of time) + local githubPatchUri="https://$goPkg/commit/$gitRef.patch" + commitDate="$(wget -qO- "$githubPatchUri" | awk -F ': ' '$1 == "Date" { print $2 }' | tail -1)" + # ".patch" returns potentially multiple commits, so we want the final "Date:" value, hence the "tail -1" + ;; + + *) + mkdir -p "$tempDir/git/$goPkg" + git clone --quiet "$gitRepo" "$tempDir/git/$goPkg" + local commitUnix="$(git -C "$tempDir/git/$goPkg" log -1 --format='%at' "$gitRef" --)" + commitDate="@$commitUnix" + ;; + esac + [ "$commitDate" ] + commitDate="$(TZ=UTC date --date="$commitDate" +'%Y%m%d')" + echo "$gitSnapshotPrefix$commitDate" +} + +declare -A transitionals=( + [golang-github-agl-ed25519-dev]='golang-ed25519-dev' + [golang-github-coreos-etcd-dev]='golang-etcd-server-dev' + [golang-github-go-check-check-dev]='golang-gopkg-check.v1-dev' + [golang-github-godbus-dbus-dev]='golang-dbus-dev' + [golang-github-golang-protobuf-dev]='golang-goprotobuf-dev' + [golang-github-miekg-dns-dev]='golang-dns-dev' + [golang-github-mistifyio-go-zfs-dev]='golang-go-zfs-dev' + [golang-github-syndtr-gocapability-dev]='golang-gocapability-dev' + [golang-github-ugorji-go-dev]='golang-github-ugorji-go-codec-dev' + [golang-gopkg-fsnotify.v1-dev]='golang-github-fsnotify-fsnotify-dev' + + # golang-golang-x-oauth2 version 0.0~git20161103.0.36bc617-2 introduced a separate google/ package + [golang-golang-x-oauth2-dev]='golang-golang-x-oauth2-google-dev' +) + +for goDep in "${goDeps[@]}"; do + if grep -q "^vendor/src/$goDep\$" "$debDir"/repack/keep/* 2>/dev/null; then + # skip vendored deps we don't remove + continue + fi + + debPkg="$(debian_pkg "$goDep")" + + gitRepoRef="$(awk '$1 == "clone" && $2 == "git" && $3 == "'"$goDep"'" { print ($5 && $5 != "#" ? 
$5 : "") "=" $4; exit }' hack/vendor.sh)"
+ gitRepo="${gitRepoRef%=*}"
+ gitRef="${gitRepoRef##$gitRepo=}"
+ : "${gitRepo:=https://$goDep}"
+
+ debVer="$(git_version "$goDep" "$gitRepo" "$gitRef")"
+
+ # deal with "golang-dns-dev" and friends of that nature
+ transitional="${transitionals[$debPkg]:-}"
+ if [ "$transitional" ]; then
+ echo -n "$transitional${debVer:+ (>= ${debVer}~)} | "
+ fi
+
+ echo "$debPkg${debVer:+ (>= ${debVer}~)},"
+done | sort
diff --git a/helpers/gitcommit.sh b/helpers/gitcommit.sh
new file mode 100755
index 00000000..3ca038d1
--- /dev/null
+++ b/helpers/gitcommit.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+uVersion="$1"
+dVersion="$2"
+
+if [ -z "$uVersion" ]; then
+ uVersion="$(cat VERSION)"
+fi
+if [ -z "$dVersion" ]; then
+ dVersion="$(dpkg-parsechangelog --show-field Version)"
+fi
+
+if [ "${uVersion%-dev}" = "$uVersion" ]; then
+ # this is a straight-up release! easy-peasy
+ exec awk -F ': ' '$1 == "'"$uVersion"'" { print $2 }' debian/upstream-version-gitcommits
+fi
+
+# must be a nightly, so let's look for clues about what the git commit is
+
+if git rev-parse &> /dev/null; then
+ # well, this will be easy ;)
+ exec git rev-parse --short HEAD
+fi
+
+if [ "${dVersion#*+*+}" != "$dVersion" ]; then
+ # must be something like "1.1.2+10013+8c38a3d-1~utopic1" (nightly!)
+ commit="${dVersion#*+*+}"
+ commit="${commit%%-*}"
+ exec echo "$commit"
+fi
+
+# unknown...
+echo >&2 'warning: unable to determine DOCKER_GITCOMMIT'
diff --git a/patches/buildkit-build-against-google-grpc-1.11.patch b/patches/buildkit-build-against-google-grpc-1.11.patch
new file mode 100644
index 00000000..9f52b154
--- /dev/null
+++ b/patches/buildkit-build-against-google-grpc-1.11.patch
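Review bot: helpers/gen-build-depends.sh splices shell variables directly into awk program text in two places, `'$1 == "'"$gitRef"'" { print $4; exit }'` inside `git_version` and `'… $3 == "'"$goDep"'" …' hack/vendor.sh` in the main loop, so a ref or import path containing a double quote or backslash alters the awk program instead of being compared as a string; pass them in with `-v`, e.g. `awk -F '[\t/]' -v ref="$gitRef" '$1 == ref { print $4; exit }'` and `awk -v dep="$goDep" '$1 == "clone" && $2 == "git" && $3 == dep { … }' hack/vendor.sh`. Both values originate in upstream's vendor.sh and `go list` output, so this is a robustness rather than an exploitability point today, but the script also downloads `$upstreamArchiveUri` and clones `$gitRepo` with no integrity check beyond the URL, which is worth a comment in the header stating that its output is advisory and must be reviewed. The bare `[ "$goImportPath" ]` and `[ "$commitDate" ]` guards abort under `set -e` with no message; an `echo >&2 "E: …"` before each would make the failure mode readable.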
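Review bot: helpers/gitcommit.sh has the same awk splice, `awk -F ': ' '$1 == "'"$uVersion"'" { print $2 }'`, where `$uVersion` comes from the first command-line argument or the `VERSION` file; a value containing a double quote changes the program rather than the comparison, so use `exec awk -F ': ' -v v="$uVersion" '$1 == v { print $2 }' debian/upstream-version-gitcommits`. When none of the three strategies applies, the script prints a warning but exits 0 with empty stdout, so a caller doing `DOCKER_GITCOMMIT=$(helpers/gitcommit.sh)` silently proceeds with an empty commit id; either `exit 1` after the warning, or document in the header comment that an empty result is intentional and must be handled by the caller.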
@@ -0,0 +1,56 @@ +From: Arnaud Rebillout +Date: Tue, 22 Jan 2019 12:22:52 +0700 +Subject: Build against google-grpc 1.11, where md.Get() does not exist. + +This patch is based on the commit that introduced md.Get() in google-grpc: +. + +Please drop this patch as soon as we build docker against google-grpc >= 1.12. + +Origin: vendor, Debian +Forwarded: not-needed, Debian-specific +Signed-off-by: Arnaud Rebillout +--- + client/buildid/metadata.go | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/cli/vendor/github.com/moby/buildkit/client/buildid/metadata.go ++++ b/cli/vendor/github.com/moby/buildkit/client/buildid/metadata.go +@@ -2,6 +2,7 @@ + + import ( + "context" ++ "strings" + + "google.golang.org/grpc/metadata" + ) +@@ -21,7 +22,8 @@ + return "" + } + +- if ids := md.Get(metadataKey); len(ids) == 1 { ++ k := strings.ToLower(metadataKey) ++ if ids := md[k]; len(ids) == 1 { + return ids[0] + } + +--- a/engine/vendor/github.com/moby/buildkit/client/buildid/metadata.go ++++ b/engine/vendor/github.com/moby/buildkit/client/buildid/metadata.go +@@ -2,6 +2,7 @@ + + import ( + "context" ++ "strings" + + "google.golang.org/grpc/metadata" + ) +@@ -21,7 +22,8 @@ + return "" + } + +- if ids := md.Get(metadataKey); len(ids) == 1 { ++ k := strings.ToLower(metadataKey) ++ if ids := md[k]; len(ids) == 1 { + return ids[0] + } + diff --git a/patches/cli-fix-manpages-build-script.patch b/patches/cli-fix-manpages-build-script.patch new file mode 100644 index 00000000..04412923 --- /dev/null +++ b/patches/cli-fix-manpages-build-script.patch 
@@ -0,0 +1,18 @@ +Description: fix man pages build +Author: Arnaud Rebillout +Forwarded: not-needed +Last-Update: 2018-04-03 + +--- a/cli/scripts/docs/generate-man.sh ++++ b/cli/scripts/docs/generate-man.sh +@@ -3,9 +3,9 @@ + set -eu -o pipefail + + mkdir -p ./man/man1 + +-go install ./vendor/github.com/cpuguy83/go-md2man ++#go install ./vendor/github.com/cpuguy83/go-md2man + + # Generate man pages from cobra commands + go build -o /tmp/gen-manpages github.com/docker/cli/man + /tmp/gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1" diff --git a/patches/cli-fix-registry-debug-message-go-1.11.patch b/patches/cli-fix-registry-debug-message-go-1.11.patch new file mode 100644 index 00000000..d949d29d --- /dev/null +++ b/patches/cli-fix-registry-debug-message-go-1.11.patch @@ -0,0 +1,26 @@ +From: Kir Kolyshkin +Date: Tue, 9 Oct 2018 23:36:04 -0700 +Subject: [PATCH] cli/registry: fix a Debugf statement + +Fix this warning from go-1.11 + +> cli/registry/client/fetcher.go:234: Debugf format %s has arg +> repoEndpoint of wrong type client.repositoryEndpoint + +Signed-off-by: Kir Kolyshkin +Origin: upstream, https://github.com/docker/cli/commit/51848bf +--- + cli/registry/client/fetcher.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/cli/cli/registry/client/fetcher.go ++++ b/cli/cli/registry/client/fetcher.go +@@ -231,7 +231,7 @@ + repoEndpoint := repositoryEndpoint{endpoint: endpoint, info: repoInfo} + repo, err := c.getRepositoryForReference(ctx, namedRef, repoEndpoint) + if err != nil { +- logrus.Debugf("error with repo endpoint %s: %s", repoEndpoint, err) ++ logrus.Debugf("error %s with repo endpoint %+v", err, repoEndpoint) + if _, ok := err.(ErrHTTPProto); ok { + continue + } diff --git a/patches/cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch b/patches/cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch new file mode 100644 index 00000000..b0a1ef2a --- /dev/null 
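Review bot: Commenting out `go install ./vendor/github.com/cpuguy83/go-md2man` removes the build of the converter, but the remainder of cli/scripts/docs/generate-man.sh lies outside this hunk and presumably still invokes `go-md2man` for the markdown sources, so the script now depends on a `go-md2man` binary already being on PATH at build time. The patch header should state where that binary is expected to come from, e.g. `Description: fix man pages build (use the system go-md2man from Build-Depends instead of the vendored copy)`, so the corresponding Build-Depends entry is not dropped by mistake.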
+++ b/patches/cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch 
@@ -0,0 +1,186 @@ +From: Brian Goff +Date: Thu, 30 May 2019 11:15:09 -0700 +Subject: [PATCH] Pass root to chroot to for chroot Untar + +This is useful for preventing CVE-2018-15664 where a malicious container +process can take advantage of a race on symlink resolution/sanitization. + +Before this change chrootarchive would chroot to the destination +directory which is attacker controlled. With this patch we always chroot +to the container's root which is not attacker controlled. + +Signed-off-by: Brian Goff +Origin: upstream, https://github.com/moby/moby/pull/39292 +--- + daemon/archive.go | 7 ++- + pkg/chrootarchive/archive.go | 24 ++++++-- + pkg/chrootarchive/archive_unix.go | 34 ++++++++++-- + pkg/chrootarchive/archive_windows.go | 2 +- + 5 files changed, 55 insertions(+), 12 deletions(-) + +diff --git a/engine/daemon/archive.go b/engine/daemon/archive.go +index 9c7971b56ea3..9f56ca750392 100644 +--- a/engine/daemon/archive.go ++++ b/engine/daemon/archive.go +@@ -31,11 +31,12 @@ type archiver interface { + } + + // helper functions to extract or archive +-func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarOptions) error { ++func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarOptions, root string) error { + if ea, ok := i.(extractor); ok { + return ea.ExtractArchive(src, dst, opts) + } +- return chrootarchive.Untar(src, dst, opts) ++ ++ return chrootarchive.UntarWithRoot(src, dst, opts, root) + } + + func archivePath(i interface{}, src string, opts *archive.TarOptions) (io.ReadCloser, error) { +@@ -367,7 +368,7 @@ func (daemon *Daemon) containerExtractToDir(container *container.Container, path + } + } + +- if err := extractArchive(driver, content, resolvedPath, options); err != nil { ++ if err := extractArchive(driver, content, resolvedPath, options, container.BaseFS.Path()); err != nil { + return err + } + +diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go +index 
2d9d662830b7..7ebca3774c3d 100644 +--- a/engine/pkg/chrootarchive/archive.go ++++ b/engine/pkg/chrootarchive/archive.go +@@ -27,18 +27,34 @@ func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver { + // The archive may be compressed with one of the following algorithms: + // identity (uncompressed), gzip, bzip2, xz. + func Untar(tarArchive io.Reader, dest string, options *archive.TarOptions) error { +- return untarHandler(tarArchive, dest, options, true) ++ return untarHandler(tarArchive, dest, options, true, dest) ++} ++ ++// UntarWithRoot is the same as `Untar`, but allows you to pass in a root directory ++// The root directory is the directory that will be chrooted to. ++// `dest` must be a path within `root`, if it is not an error will be returned. ++// ++// `root` should set to a directory which is not controlled by any potentially ++// malicious process. ++// ++// This should be used to prevent a potential attacker from manipulating `dest` ++// such that it would provide access to files outside of `dest` through things ++// like symlinks. Normally `ResolveSymlinksInScope` would handle this, however ++// sanitizing symlinks in this manner is inherrently racey: ++// ref: CVE-2018-15664 ++func UntarWithRoot(tarArchive io.Reader, dest string, options *archive.TarOptions, root string) error { ++ return untarHandler(tarArchive, dest, options, true, root) + } + + // UntarUncompressed reads a stream of bytes from `archive`, parses it as a tar archive, + // and unpacks it into the directory at `dest`. + // The archive must be an uncompressed stream. 
+ func UntarUncompressed(tarArchive io.Reader, dest string, options *archive.TarOptions) error { +- return untarHandler(tarArchive, dest, options, false) ++ return untarHandler(tarArchive, dest, options, false, dest) + } + + // Handler for teasing out the automatic decompression +-func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool) error { ++func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool, root string) error { + if tarArchive == nil { + return fmt.Errorf("Empty archive") + } +@@ -69,5 +85,5 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions + r = decompressedArchive + } + +- return invokeUnpack(r, dest, options) ++ return invokeUnpack(r, dest, options, root) + } +diff --git a/engine/pkg/chrootarchive/archive_unix.go b/engine/pkg/chrootarchive/archive_unix.go +index 5df8afd66205..96f07c4bb4d6 100644 +--- a/engine/pkg/chrootarchive/archive_unix.go ++++ b/engine/pkg/chrootarchive/archive_unix.go +@@ -10,6 +10,7 @@ import ( + "io" + "io/ioutil" + "os" ++ "path/filepath" + "runtime" + + "github.com/docker/docker/pkg/archive" +@@ -30,11 +31,21 @@ func untar() { + fatal(err) + } + +- if err := chroot(flag.Arg(0)); err != nil { ++ dst := flag.Arg(0) ++ var root string ++ if len(flag.Args()) > 1 { ++ root = flag.Arg(1) ++ } ++ ++ if root == "" { ++ root = dst ++ } ++ ++ if err := chroot(root); err != nil { + fatal(err) + } + +- if err := archive.Unpack(os.Stdin, "/", options); err != nil { ++ if err := archive.Unpack(os.Stdin, dst, options); err != nil { + fatal(err) + } + // fully consume stdin in case it is zero padded +@@ -45,7 +56,7 @@ func untar() { + os.Exit(0) + } + +-func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions) error { ++func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error { + + // We can't pass a potentially large exclude list directly 
via cmd line + // because we easily overrun the kernel's max argument/environment size +@@ -57,7 +68,21 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T + return fmt.Errorf("Untar pipe failure: %v", err) + } + +- cmd := reexec.Command("docker-untar", dest) ++ if root != "" { ++ relDest, err := filepath.Rel(root, dest) ++ if err != nil { ++ return err ++ } ++ if relDest == "." { ++ relDest = "/" ++ } ++ if relDest[0] != '/' { ++ relDest = "/" + relDest ++ } ++ dest = relDest ++ } ++ ++ cmd := reexec.Command("docker-untar", dest, root) + cmd.Stdin = decompressedArchive + + cmd.ExtraFiles = append(cmd.ExtraFiles, r) +@@ -69,6 +94,7 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T + w.Close() + return fmt.Errorf("Untar error on re-exec cmd: %v", err) + } ++ + //write the options to the pipe for the untar exec to read + if err := json.NewEncoder(w).Encode(options); err != nil { + w.Close() +diff --git a/engine/pkg/chrootarchive/archive_windows.go b/engine/pkg/chrootarchive/archive_windows.go +index f2973132a391..bd5712c5c04c 100644 +--- a/engine/pkg/chrootarchive/archive_windows.go ++++ b/engine/pkg/chrootarchive/archive_windows.go +@@ -14,7 +14,7 @@ func chroot(path string) error { + + func invokeUnpack(decompressedArchive io.ReadCloser, + dest string, +- options *archive.TarOptions) error { ++ options *archive.TarOptions, root string) error { + // Windows is different to Linux here because Windows does not support + // chroot. Hence there is no point sandboxing a chrooted process to + // do the unpack. We call inline instead within the daemon process. diff --git a/patches/cve-2018-15664-02-add-chroot-for-tar-packing-operations.patch b/patches/cve-2018-15664-02-add-chroot-for-tar-packing-operations.patch new file mode 100644 index 00000000..91e42a82 --- /dev/null +++ b/patches/cve-2018-15664-02-add-chroot-for-tar-packing-operations.patch 
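Review bot: The doc comment added on `UntarWithRoot` promises that "`dest` must be a path within `root`, if it is not an error will be returned", but `invokeUnpack` in pkg/chrootarchive/archive_unix.go does not enforce it: `filepath.Rel(root, dest)` returns a `../…` path for a destination outside root, and the following `if relDest[0] != '/'` turns it into `/../…`, which after `chroot(root)` in the child resolves inside root and writes to the wrong place silently instead of failing. Add an explicit check right after the `Rel` call, `if relDest == ".." || strings.HasPrefix(relDest, "../") { return fmt.Errorf("destination %q is outside root %q", dest, root) }` (this file needs `strings` added to its import list for that). The `untar` re-exec still falls back to `root = dst` when no second argument is given, which keeps the pre-fix behaviour reachable for any invocation of `docker-untar` that omits the root; since the daemon-side caller always passes it now, treating an empty root as fatal there would match the intent of the series.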
@@ -0,0 +1,248 @@ +From: Brian Goff +Date: Thu, 30 May 2019 14:55:52 -0700 +Subject: [PATCH] Add chroot for tar packing operations + +Previously only unpack operations were supported with chroot. +This adds chroot support for packing operations. +This prevents potential breakouts when copying data from a container. + +Signed-off-by: Brian Goff +Origin: upstream, https://github.com/moby/moby/pull/39292 +--- + daemon/archive.go | 8 +-- + daemon/export.go | 2 +- + pkg/chrootarchive/archive.go | 8 +++ + pkg/chrootarchive/archive_unix.go | 98 +++++++++++++++++++++++++- + pkg/chrootarchive/archive_windows.go | 7 ++ + pkg/chrootarchive/init_unix.go | 1 + + 6 files changed, 117 insertions(+), 7 deletions(-) + +diff --git a/engine/daemon/archive.go b/engine/daemon/archive.go +index 9f56ca750392..109376b4b566 100644 +--- a/engine/daemon/archive.go ++++ b/engine/daemon/archive.go +@@ -39,11 +39,11 @@ func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarO + return chrootarchive.UntarWithRoot(src, dst, opts, root) + } + +-func archivePath(i interface{}, src string, opts *archive.TarOptions) (io.ReadCloser, error) { ++func archivePath(i interface{}, src string, opts *archive.TarOptions, root string) (io.ReadCloser, error) { + if ap, ok := i.(archiver); ok { + return ap.ArchivePath(src, opts) + } +- return archive.TarWithOptions(src, opts) ++ return chrootarchive.Tar(src, opts, root) + } + + // ContainerCopy performs a deprecated operation of archiving the resource at +@@ -239,7 +239,7 @@ func (daemon *Daemon) containerArchivePath(container *container.Container, path + sourceDir, sourceBase := driver.Dir(resolvedPath), driver.Base(resolvedPath) + opts := archive.TarResourceRebaseOpts(sourceBase, driver.Base(absPath)) + +- data, err := archivePath(driver, sourceDir, opts) ++ data, err := archivePath(driver, sourceDir, opts, container.BaseFS.Path()) + if err != nil { + return nil, nil, err + } +@@ -433,7 +433,7 @@ func (daemon *Daemon) 
containerCopy(container *container.Container, resource str + archive, err := archivePath(driver, basePath, &archive.TarOptions{ + Compression: archive.Uncompressed, + IncludeFiles: filter, +- }) ++ }, container.BaseFS.Path()) + if err != nil { + return nil, err + } +diff --git a/engine/daemon/export.go b/engine/daemon/export.go +index 27bc35967d22..01593f4e8a4f 100644 +--- a/engine/daemon/export.go ++++ b/engine/daemon/export.go +@@ -70,7 +70,7 @@ func (daemon *Daemon) containerExport(container *container.Container) (arch io.R + Compression: archive.Uncompressed, + UIDMaps: daemon.idMapping.UIDs(), + GIDMaps: daemon.idMapping.GIDs(), +- }) ++ }, basefs.Path()) + if err != nil { + rwlayer.Unmount() + return nil, err +diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go +index 7ebca3774c3d..6ff61e6a767a 100644 +--- a/engine/pkg/chrootarchive/archive.go ++++ b/engine/pkg/chrootarchive/archive.go +@@ -87,3 +87,11 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions + + return invokeUnpack(r, dest, options, root) + } ++ ++// Tar tars the requested path while chrooted to the specified root. ++func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { ++ if options == nil { ++ options = &archive.TarOptions{} ++ } ++ return invokePack(srcPath, options, root) ++} +diff --git a/engine/pkg/chrootarchive/archive_unix.go b/engine/pkg/chrootarchive/archive_unix.go +index 96f07c4bb4d6..ea2879dc002f 100644 +--- a/engine/pkg/chrootarchive/archive_unix.go ++++ b/engine/pkg/chrootarchive/archive_unix.go +@@ -12,9 +12,11 @@ import ( + "os" + "path/filepath" + "runtime" ++ "strings" + + "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/reexec" ++ "github.com/pkg/errors" + ) + + // untar is the entry-point for docker-untar on re-exec. 
This is not used on +@@ -24,7 +26,7 @@ func untar() { + runtime.LockOSThread() + flag.Parse() + +- var options *archive.TarOptions ++ var options archive.TarOptions + + //read the options from the pipe "ExtraFiles" + if err := json.NewDecoder(os.NewFile(3, "options")).Decode(&options); err != nil { +@@ -45,7 +47,7 @@ func untar() { + fatal(err) + } + +- if err := archive.Unpack(os.Stdin, dst, options); err != nil { ++ if err := archive.Unpack(os.Stdin, dst, &options); err != nil { + fatal(err) + } + // fully consume stdin in case it is zero padded +@@ -57,6 +59,9 @@ func untar() { + } + + func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error { ++ if root == "" { ++ return errors.New("must specify a root to chroot to") ++ } + + // We can't pass a potentially large exclude list directly via cmd line + // because we easily overrun the kernel's max argument/environment size +@@ -112,3 +117,92 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T + } + return nil + } ++ ++func tar() { ++ runtime.LockOSThread() ++ flag.Parse() ++ ++ src := flag.Arg(0) ++ var root string ++ if len(flag.Args()) > 1 { ++ root = flag.Arg(1) ++ } ++ ++ if root == "" { ++ root = src ++ } ++ ++ if err := realChroot(root); err != nil { ++ fatal(err) ++ } ++ ++ var options archive.TarOptions ++ if err := json.NewDecoder(os.Stdin).Decode(&options); err != nil { ++ fatal(err) ++ } ++ ++ rdr, err := archive.TarWithOptions(src, &options) ++ if err != nil { ++ fatal(err) ++ } ++ defer rdr.Close() ++ ++ if _, err := io.Copy(os.Stdout, rdr); err != nil { ++ fatal(err) ++ } ++ ++ os.Exit(0) ++} ++ ++func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { ++ if root == "" { ++ return nil, errors.New("root path must not be empty") ++ } ++ ++ relSrc, err := filepath.Rel(root, srcPath) ++ if err != nil { ++ return nil, err ++ } ++ if relSrc == "." 
{ ++ relSrc = "/" ++ } ++ if relSrc[0] != '/' { ++ relSrc = "/" + relSrc ++ } ++ ++ // make sure we didn't trim a trailing slash with the call to `Rel` ++ if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") { ++ relSrc += "/" ++ } ++ ++ cmd := reexec.Command("docker-tar", relSrc, root) ++ ++ errBuff := bytes.NewBuffer(nil) ++ cmd.Stderr = errBuff ++ ++ tarR, tarW := io.Pipe() ++ cmd.Stdout = tarW ++ ++ stdin, err := cmd.StdinPipe() ++ if err != nil { ++ return nil, errors.Wrap(err, "error getting options pipe for tar process") ++ } ++ ++ if err := cmd.Start(); err != nil { ++ return nil, errors.Wrap(err, "tar error on re-exec cmd") ++ } ++ ++ go func() { ++ err := cmd.Wait() ++ err = errors.Wrapf(err, "error processing tar file: %s", errBuff) ++ tarW.CloseWithError(err) ++ }() ++ ++ if err := json.NewEncoder(stdin).Encode(options); err != nil { ++ stdin.Close() ++ return nil, errors.Wrap(err, "tar json encode to pipe failed") ++ } ++ stdin.Close() ++ ++ return tarR, nil ++} +diff --git a/engine/pkg/chrootarchive/archive_windows.go b/engine/pkg/chrootarchive/archive_windows.go +index bd5712c5c04c..de87113e9544 100644 +--- a/engine/pkg/chrootarchive/archive_windows.go ++++ b/engine/pkg/chrootarchive/archive_windows.go +@@ -20,3 +20,10 @@ func invokeUnpack(decompressedArchive io.ReadCloser, + // do the unpack. We call inline instead within the daemon process. + return archive.Unpack(decompressedArchive, longpath.AddPrefix(dest), options) + } ++ ++func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { ++ // Windows is different to Linux here because Windows does not support ++ // chroot. Hence there is no point sandboxing a chrooted process to ++ // do the pack. We call inline instead within the daemon process. 
++ return archive.TarWithOptions(srcPath, options) ++} +diff --git a/engine/pkg/chrootarchive/init_unix.go b/engine/pkg/chrootarchive/init_unix.go +index a15e4bb83c40..c24fea7d9c13 100644 +--- a/engine/pkg/chrootarchive/init_unix.go ++++ b/engine/pkg/chrootarchive/init_unix.go +@@ -14,6 +14,7 @@ import ( + func init() { + reexec.Register("docker-applyLayer", applyLayer) + reexec.Register("docker-untar", untar) ++ reexec.Register("docker-tar", tar) + } + + func fatal(err error) { diff --git a/patches/cve-2019-13139-01-gitutils-add-validation-for-ref.patch b/patches/cve-2019-13139-01-gitutils-add-validation-for-ref.patch new file mode 100644 index 00000000..b95949ff --- /dev/null +++ b/patches/cve-2019-13139-01-gitutils-add-validation-for-ref.patch 
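Review bot: `invokePack` has the same gap as the unpack side: `filepath.Rel(root, srcPath)` yields `../…` for a source outside root and the `if relSrc[0] != '/'` line rewrites it to `/../…`, which the chrooted `docker-tar` child resolves to a path inside root rather than refusing; reject it explicitly, `if relSrc == ".." || strings.HasPrefix(relSrc, "../") { return nil, errors.Errorf("source %q is outside root %q", srcPath, root) }` (`strings` and `github.com/pkg/errors` are already imported by this patch). Two smaller points in the new `tar()` re-exec: the `root = src` fallback re-chroots into the caller-supplied path, the very behaviour this series removes, and is only reachable when `docker-tar` is started without a root argument, so calling `fatal` there would be safer; and `defer rdr.Close()` never runs because the function ends in `os.Exit(0)`, so close the reader explicitly before exiting. The `invokeUnpack` change that turns an empty root into `errors.New("must specify a root to chroot to")` is the right direction and `untar()` should get the same treatment instead of its `root = dst` fallback.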
@@ -0,0 +1,86 @@ +From: Tonis Tiigi +Date: Wed, 6 Feb 2019 11:58:40 -0800 +Subject: [PATCH] gitutils: add validation for ref + +Signed-off-by: Tonis Tiigi +(cherry picked from commit 723b107ca4fba14580a6cd971e63d8af2e7d2bbe) +Signed-off-by: Andrew Hsu +Origin: upstream, https://github.com/moby/moby/pull/38944 +--- + builder/remotecontext/git/gitutils.go | 7 ++++++- + builder/remotecontext/git/gitutils_test.go | 21 ++++++++++++++++++--- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/engine/builder/remotecontext/git/gitutils.go b/engine/builder/remotecontext/git/gitutils.go +index 77a45beff31c..6213963db2e1 100644 +--- a/engine/builder/remotecontext/git/gitutils.go ++++ b/engine/builder/remotecontext/git/gitutils.go +@@ -102,6 +102,11 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) { + u.Fragment = "" + repo.remote = u.String() + } ++ ++ if strings.HasPrefix(repo.ref, "-") { ++ return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref) ++ } ++ + return repo, nil + } + +@@ -124,7 +129,7 @@ func fetchArgs(remoteURL string, ref string) []string { + args = append(args, "--depth", "1") + } + +- return append(args, "origin", ref) ++ return append(args, "origin", "--", ref) + } + + // Check if a given git URL supports a shallow git clone, +diff --git a/engine/builder/remotecontext/git/gitutils_test.go b/engine/builder/remotecontext/git/gitutils_test.go +index 8c39679081f1..34dd495b5ca3 100644 +--- a/engine/builder/remotecontext/git/gitutils_test.go ++++ b/engine/builder/remotecontext/git/gitutils_test.go +@@ -59,7 +59,7 @@ func TestCloneArgsSmartHttp(t *testing.T) { + }) + + args := fetchArgs(serverURL.String(), "master") +- exp := []string{"fetch", "--depth", "1", "origin", "master"} ++ exp := []string{"fetch", "--depth", "1", "origin", "--", "master"} + assert.Check(t, is.DeepEqual(exp, args)) + } + +@@ -75,13 +75,13 @@ func TestCloneArgsDumbHttp(t *testing.T) { + }) + + args := fetchArgs(serverURL.String(), "master") +- exp := 
[]string{"fetch", "origin", "master"} ++ exp := []string{"fetch", "origin", "--", "master"} + assert.Check(t, is.DeepEqual(exp, args)) + } + + func TestCloneArgsGit(t *testing.T) { + args := fetchArgs("git://github.com/docker/docker", "master") +- exp := []string{"fetch", "--depth", "1", "origin", "master"} ++ exp := []string{"fetch", "--depth", "1", "origin", "--", "master"} + assert.Check(t, is.DeepEqual(exp, args)) + } + +@@ -276,3 +276,18 @@ func TestValidGitTransport(t *testing.T) { + } + } + } ++ ++func TestGitInvalidRef(t *testing.T) { ++ gitUrls := []string{ ++ "git://github.com/moby/moby#--foo bar", ++ "git@github.com/moby/moby#--upload-pack=sleep;:", ++ "git@g.com:a/b.git#-B", ++ "git@g.com:a/b.git#with space", ++ } ++ ++ for _, url := range gitUrls { ++ _, err := Clone(url) ++ assert.Assert(t, err != nil) ++ assert.Check(t, is.Contains(strings.ToLower(err.Error()), "invalid refspec")) ++ } ++} diff --git a/patches/cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch b/patches/cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch new file mode 100644 index 00000000..30611cf5 --- /dev/null +++ b/patches/cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch 
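Review bot: The new check in parseRemoteURL rejects only refs that begin with `-`, yet TestGitInvalidRef also expects `git@g.com:a/b.git#with space` to fail with "invalid refspec"; as far as this hunk shows, that case is satisfied by git's own refspec validation inside Clone rather than by parseRemoteURL, and the test should say so, otherwise a reader will assume the Go-side check covers it. The check itself deserves a why-comment, e.g. `// refuse refs that look like command-line options so git cannot parse them as flags; fetchArgs additionally passes "--" before the ref as a second line of defence`. Any other git invocation that receives repo.ref (checkout, rev-parse) lies outside this hunk and, if it does not already, should get the same `--` separator as fetchArgs.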
@@ -0,0 +1,83 @@ +From: Sebastiaan van Stijn +Date: Tue, 2 Jul 2019 13:21:04 +0200 +Subject: [PATCH] TestMaskSecretKeys: add more test-cases + +Add tests for + +- case-insensitive matching of fields +- recursive masking + +Signed-off-by: Sebastiaan van Stijn +(cherry picked from commit db5f811216e70bcb4a10e477c1558d6c68f618c5) +Signed-off-by: Tibor Vass +(cherry picked from commit 18dac2cf32faeaada3bd4e8e2bffa576ad4329fe) +Signed-off-by: Sebastiaan van Stijn +Origin: upstream, https://github.com/docker/engine/pull/298 +--- + api/server/middleware/debug_test.go | 30 ++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/engine/api/server/middleware/debug_test.go b/engine/api/server/middleware/debug_test.go +index a64b73e0d718..3d78d7e08450 100644 +--- a/engine/api/server/middleware/debug_test.go ++++ b/engine/api/server/middleware/debug_test.go +@@ -23,7 +23,6 @@ func TestMaskSecretKeys(t *testing.T) { + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, + expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, + }, +- + { + path: "/secrets/create?key=val", + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, +@@ -32,8 +31,13 @@ func TestMaskSecretKeys(t *testing.T) { + { + path: "/v1.30/some/other/path", + input: map[string]interface{}{ +- "password": "pass", ++ "password": "pass", ++ "secret": "secret", ++ "jointoken": "jointoken", ++ "unlockkey": "unlockkey", ++ "signingcakey": "signingcakey", + "other": map[string]interface{}{ ++ "password": "pass", + "secret": "secret", + "jointoken": "jointoken", + "unlockkey": "unlockkey", +@@ -41,8 +45,13 @@ func TestMaskSecretKeys(t *testing.T) { + }, + }, + expected: map[string]interface{}{ +- "password": "*****", ++ "password": "*****", ++ "secret": "*****", ++ "jointoken": "*****", ++ "unlockkey": "*****", ++ "signingcakey": "*****", + 
"other": map[string]interface{}{ ++ "password": "*****", + "secret": "*****", + "jointoken": "*****", + "unlockkey": "*****", +@@ -50,6 +59,21 @@ func TestMaskSecretKeys(t *testing.T) { + }, + }, + }, ++ { ++ path: "/v1.30/some/other/path", ++ input: map[string]interface{}{ ++ "PASSWORD": "pass", ++ "other": map[string]interface{}{ ++ "PASSWORD": "pass", ++ }, ++ }, ++ expected: map[string]interface{}{ ++ "PASSWORD": "*****", ++ "other": map[string]interface{}{ ++ "PASSWORD": "*****", ++ }, ++ }, ++ }, + } + + for _, testcase := range tests { diff --git a/patches/cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch b/patches/cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch new file mode 100644 index 00000000..b4d04f12 --- /dev/null +++ b/patches/cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch 
@@ -0,0 +1,70 @@ +From: Sebastiaan van Stijn +Date: Tue, 2 Jul 2019 13:29:24 +0200 +Subject: [PATCH] TestMaskSecretKeys: use subtests + +Signed-off-by: Sebastiaan van Stijn +(cherry picked from commit 32d70c7e21631224674cd60021d3ec908c2d888c) +Signed-off-by: Tibor Vass +(cherry picked from commit ebb542b3f88d7f5551f6b6e1d8d2774a2c166409) +Signed-off-by: Sebastiaan van Stijn +Origin: https://github.com/docker/engine/pull/298 +--- + api/server/middleware/debug_test.go | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/engine/api/server/middleware/debug_test.go b/engine/api/server/middleware/debug_test.go +index 3d78d7e08450..e19a0ced2fbd 100644 +--- a/engine/api/server/middleware/debug_test.go ++++ b/engine/api/server/middleware/debug_test.go +@@ -9,26 +9,31 @@ import ( + + func TestMaskSecretKeys(t *testing.T) { + tests := []struct { ++ doc string + path string + input map[string]interface{} + expected map[string]interface{} + }{ + { ++ doc: "secret create with API version", + path: "/v1.30/secrets/create", + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, + expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, + }, + { ++ doc: "secret create with API version and trailing slashes", + path: "/v1.30/secrets/create//", + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, + expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, + }, + { ++ doc: "secret create with query param", + path: "/secrets/create?key=val", + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, + expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, + }, + { ++ doc: "other paths with API version", + path: "/v1.30/some/other/path", + input: map[string]interface{}{ + "password": 
"pass", +@@ -60,6 +65,7 @@ func TestMaskSecretKeys(t *testing.T) { + }, + }, + { ++ doc: "other paths with API version case insensitive", + path: "/v1.30/some/other/path", + input: map[string]interface{}{ + "PASSWORD": "pass", +@@ -77,7 +83,9 @@ func TestMaskSecretKeys(t *testing.T) { + } + + for _, testcase := range tests { +- maskSecretKeys(testcase.input, testcase.path) +- assert.Check(t, is.DeepEqual(testcase.expected, testcase.input)) ++ t.Run(testcase.doc, func(t *testing.T) { ++ maskSecretKeys(testcase.input, testcase.path) ++ assert.Check(t, is.DeepEqual(testcase.expected, testcase.input)) ++ }) + } + } diff --git a/patches/cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch b/patches/cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch new file mode 100644 index 00000000..63f12c52 --- /dev/null +++ b/patches/cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch 
@@ -0,0 +1,171 @@ +From: Sebastiaan van Stijn +Date: Tue, 2 Jul 2019 14:21:03 +0200 +Subject: [PATCH] DebugRequestMiddleware: unconditionally scrub data field + +Commit 77b8465d7e68ca102d7aae839c7b3fe0ecd28398 added a secret update +endpoint to allow updating labels on existing secrets. However, when +implementing the endpoint, the DebugRequestMiddleware was not updated +to scrub the Data field (as is being done when creating a secret). + +When updating a secret (to set labels), the Data field should be either +`nil` (not set), or contain the same value as the existing secret. In +situations where the Data field is set, and the `dockerd` daemon is +running with debugging enabled / log-level debug, the base64-encoded +value of the secret is printed to the daemon logs. + +The docker cli does not have a `docker secret update` command, but +when using `docker stack deploy`, the docker cli sends the secret +data both when _creating_ a stack, and when _updating_ a stack, thus +leaking the secret data if the daemon runs with debug enabled: + +1. Start the daemon in debug-mode + + dockerd --debug + +2. Initialize swarm + + docker swarm init + +3. Create a file containing a secret + + echo secret > my_secret.txt + +4. Create a docker-compose file using that secret + + cat > docker-compose.yml <<'EOF' + version: "3.3" + services: + web: + image: nginx:alpine + secrets: + - my_secret + secrets: + my_secret: + file: ./my_secret.txt + EOF + +5. Deploy the stack + + docker stack deploy -c docker-compose.yml test + +6. Verify that the secret is scrubbed in the daemon logs + + DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create + DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"} + +7. Re-deploy the stack to trigger an "update" + + docker stack deploy -c docker-compose.yml test + +8. 
Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged + + DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34 + DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"} + +This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields. +Currently, only the `secrets` and `configs` endpoints use a field with this +name, and no other POST API endpoints use a data field, so scrubbing this +field unconditionally will only scrub requests for those endpoints. + +If a new endpoint is added in future where this field should not be scrubbed, +we can re-introduce more fine-grained (path-specific) handling. + +This patch introduces some change in behavior: + +- In addition to secrets, requests to create or update _configs_ will + now have their `Data` field scrubbed. Generally, the actual data should + not be interesting for debugging, so likely will not be problematic. + In addition, scrubbing this data for configs may actually be desirable, + because (even though they are not explicitely designed for this purpose) + configs may contain sensitive data (credentials inside a configuration + file, e.g.). +- Requests that send key/value pairs as a "map" and that contain a + key named "data", will see the value of that field scrubbed. This + means that (e.g.) setting a `label` named `data` on a config, will + scrub/mask the value of that label. +- Note that this is already the case for any label named `jointoken`, + `password`, `secret`, `signingcakey`, or `unlockkey`. 
+ +Signed-off-by: Sebastiaan van Stijn +(cherry picked from commit c7ce4be93ae8edd2da62a588e01c67313a4aba0c) +Signed-off-by: Tibor Vass +(cherry picked from commit 73db8c77bfb2d0cbdf71ce491f3d3e66c9dd5be6) +Signed-off-by: Sebastiaan van Stijn +Origin: upstream, https://github.com/docker/engine/pull/298 +--- + api/server/middleware/debug.go | 24 ++++++++++++++---------- + api/server/middleware/debug_test.go | 18 ++++++++++++++++++ + 2 files changed, 32 insertions(+), 10 deletions(-) + +diff --git a/engine/api/server/middleware/debug.go b/engine/api/server/middleware/debug.go +index 2cef1d46c3d3..31165bf91849 100644 +--- a/engine/api/server/middleware/debug.go ++++ b/engine/api/server/middleware/debug.go +@@ -71,9 +71,22 @@ func maskSecretKeys(inp interface{}, path string) { + } + + if form, ok := inp.(map[string]interface{}); ok { ++ scrub := []string{ ++ // Note: The Data field contains the base64-encoded secret in 'secret' ++ // and 'config' create and update requests. Currently, no other POST ++ // API endpoints use a data field, so we scrub this field unconditionally. ++ // Change this handling to be conditional if a new endpoint is added ++ // in future where this field should not be scrubbed. 
++ "data", ++ "jointoken", ++ "password", ++ "secret", ++ "signingcakey", ++ "unlockkey", ++ } + loop0: + for k, v := range form { +- for _, m := range []string{"password", "secret", "jointoken", "unlockkey", "signingcakey"} { ++ for _, m := range scrub { + if strings.EqualFold(m, k) { + form[k] = "*****" + continue loop0 +@@ -81,14 +94,5 @@ func maskSecretKeys(inp interface{}, path string) { + } + maskSecretKeys(v, path) + } +- +- // Route-specific redactions +- if strings.HasSuffix(path, "/secrets/create") { +- for k := range form { +- if k == "Data" { +- form[k] = "*****" +- } +- } +- } + } + } +diff --git a/engine/api/server/middleware/debug_test.go b/engine/api/server/middleware/debug_test.go +index e19a0ced2fbd..361273feda6c 100644 +--- a/engine/api/server/middleware/debug_test.go ++++ b/engine/api/server/middleware/debug_test.go +@@ -32,6 +32,24 @@ func TestMaskSecretKeys(t *testing.T) { + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, + expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, + }, ++ { ++ doc: "secret update with API version", ++ path: "/v1.30/secrets/mysecret/update", ++ input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, ++ expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, ++ }, ++ { ++ doc: "secret update with API version and trailing slashes", ++ path: "/v1.30/secrets/mysecret/update//", ++ input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, ++ expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, ++ }, ++ { ++ doc: "secret update with query parameter", ++ path: "/secrets/mysecret/update?version=34", ++ input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, ++ expected: map[string]interface{}{"Data": "*****", 
"Name": "name", "Labels": map[string]interface{}{}}, ++ }, + { + doc: "other paths with API version", + path: "/v1.30/some/other/path", diff --git a/patches/cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch b/patches/cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch new file mode 100644 index 00000000..56e6f0ee --- /dev/null +++ b/patches/cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch 
@@ -0,0 +1,135 @@ +From: Sebastiaan van Stijn +Date: Wed, 3 Jul 2019 16:16:22 +0200 +Subject: [PATCH] DebugRequestMiddleware: Remove path handling + +Path-specific rules were removed, so this is no longer used. + +Signed-off-by: Sebastiaan van Stijn +(cherry picked from commit 530e63c1a61b105a6f7fc143c5acb9b5cd87f958) +Signed-off-by: Tibor Vass +(cherry picked from commit f8a0f26843bc5aff33cf9201b75bd4bdbb48a3ad) +Signed-off-by: Sebastiaan van Stijn +Origin: upstream, https://github.com/docker/engine/pull/298 +--- + api/server/middleware/debug.go | 16 +++-------- + api/server/middleware/debug_test.go | 42 +++-------------------------- + 2 files changed, 8 insertions(+), 50 deletions(-) + +diff --git a/engine/api/server/middleware/debug.go b/engine/api/server/middleware/debug.go +index 31165bf91849..a02c1bc7de34 100644 +--- a/engine/api/server/middleware/debug.go ++++ b/engine/api/server/middleware/debug.go +@@ -41,7 +41,7 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri + + var postForm map[string]interface{} + if err := json.Unmarshal(b, &postForm); err == nil { +- maskSecretKeys(postForm, r.RequestURI) ++ maskSecretKeys(postForm) + formStr, errMarshal := json.Marshal(postForm) + if errMarshal == nil { + logrus.Debugf("form data: %s", string(formStr)) +@@ -54,18 +54,10 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri + } + } + +-func maskSecretKeys(inp interface{}, path string) { +- // Remove any query string from the path +- idx := strings.Index(path, "?") +- if idx != -1 { +- path = path[:idx] +- } +- // Remove trailing / characters +- path = strings.TrimRight(path, "/") +- ++func maskSecretKeys(inp interface{}) { + if arr, ok := inp.([]interface{}); ok { + for _, f := range arr { +- maskSecretKeys(f, path) ++ maskSecretKeys(f) + } + return + } +@@ -92,7 +84,7 @@ func maskSecretKeys(inp interface{}, path string) { + continue loop0 + } + } +- maskSecretKeys(v, path) ++ maskSecretKeys(v) + } + } 
+ } +diff --git a/engine/api/server/middleware/debug_test.go b/engine/api/server/middleware/debug_test.go +index 361273feda6c..fb1740d54a47 100644 +--- a/engine/api/server/middleware/debug_test.go ++++ b/engine/api/server/middleware/debug_test.go +@@ -10,49 +10,16 @@ import ( + func TestMaskSecretKeys(t *testing.T) { + tests := []struct { + doc string +- path string + input map[string]interface{} + expected map[string]interface{} + }{ + { +- doc: "secret create with API version", +- path: "/v1.30/secrets/create", ++ doc: "secret/config create and update requests", + input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, + expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, + }, + { +- doc: "secret create with API version and trailing slashes", +- path: "/v1.30/secrets/create//", +- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, +- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, +- }, +- { +- doc: "secret create with query param", +- path: "/secrets/create?key=val", +- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, +- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, +- }, +- { +- doc: "secret update with API version", +- path: "/v1.30/secrets/mysecret/update", +- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, +- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, +- }, +- { +- doc: "secret update with API version and trailing slashes", +- path: "/v1.30/secrets/mysecret/update//", +- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, +- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": 
map[string]interface{}{}}, +- }, +- { +- doc: "secret update with query parameter", +- path: "/secrets/mysecret/update?version=34", +- input: map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}}, +- expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}}, +- }, +- { +- doc: "other paths with API version", +- path: "/v1.30/some/other/path", ++ doc: "masking other fields (recursively)", + input: map[string]interface{}{ + "password": "pass", + "secret": "secret", +@@ -83,8 +50,7 @@ func TestMaskSecretKeys(t *testing.T) { + }, + }, + { +- doc: "other paths with API version case insensitive", +- path: "/v1.30/some/other/path", ++ doc: "case insensitive field matching", + input: map[string]interface{}{ + "PASSWORD": "pass", + "other": map[string]interface{}{ +@@ -102,7 +68,7 @@ func TestMaskSecretKeys(t *testing.T) { + + for _, testcase := range tests { + t.Run(testcase.doc, func(t *testing.T) { +- maskSecretKeys(testcase.input, testcase.path) ++ maskSecretKeys(testcase.input) + assert.Check(t, is.DeepEqual(testcase.expected, testcase.input)) + }) + } diff --git a/patches/cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch b/patches/cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch new file mode 100644 index 00000000..832cb5af --- /dev/null +++ b/patches/cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch 
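Review bot: maskSecretKeys gets a new signature here but still has no doc comment, and since it is the only thing between a request body and the debug log its guarantee should be written down, e.g. `// maskSecretKeys recursively walks a decoded JSON value and replaces the value of every map key in the scrub list (matched case-insensitively) with "*****"; it does not inspect string contents.` The removal of the `path` parameter is mirrored at the DebugRequestMiddleware call site in the first hunk, so the two hunks are consistent. DebugRequestMiddleware's body begins and ends outside this hunk.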
@@ -0,0 +1,43 @@ +From 706204124878a97142be511c0c46bcc16b43b0bd Mon Sep 17 00:00:00 2001 +From: Justin Cormack +Date: Thu, 25 Jul 2019 15:24:39 +0100 +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic + libraries are loaded in the host environment not in the chroot from untrusted + files. + +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234 + +Signed-off-by: Justin Cormack +Signed-off-by: Tibor Vass +(cherry picked from commit a316b10dab79d9298b02c7930958ed52e0ccf4e4) +--- + pkg/engine/chrootarchive/archive.go | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go +index 6ff61e6a767a..83ed0c6b2feb 100644 +--- a/engine/pkg/chrootarchive/archive.go ++++ b/engine/pkg/chrootarchive/archive.go +@@ -4,13 +4,22 @@ import ( + "fmt" + "io" + "io/ioutil" ++ "net" + "os" ++ "os/user" + "path/filepath" + + "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/idtools" + ) + ++func init() { ++ // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host ++ // environment not in the chroot from untrusted files. ++ _, _ = user.Lookup("docker") ++ _, _ = net.LookupHost("localhost") ++} ++ + // NewArchiver returns a new Archiver which uses chrootarchive.Untar + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver { + if idMapping == nil { diff --git a/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch b/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch new file mode 100644 index 00000000..1423ce32 --- /dev/null +++ b/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch 
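Review bot: The `init` warm-up only achieves its purpose when the binary is built with cgo: without it, `os/user` and `net` use their pure-Go implementations, which read `/etc/passwd`, `/etc/hosts` and `/etc/nsswitch.conf` directly and never load glibc NSS modules, so the lookups would be no-ops and the chrooted child could still be the first to load them (I cannot see the build flags from here, so this is worth confirming against the Debian build). The comment should state that assumption, e.g. `// Only effective with cgo-enabled os/user and net; the pure-Go resolvers do not load NSS modules.` Note also that this runs in every process that imports chrootarchive, not only the re-exec'd helper, and `net.LookupHost` can block on a slow resolver even though "localhost" is normally answered from /etc/hosts.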
@@ -0,0 +1,65 @@ +From 153d0769a1181bf591a9637fd487a541ec7db1e6 Mon Sep 17 00:00:00 2001 +From: Samuel Karp +Date: Fri, 3 Apr 2020 16:23:18 -0700 +Subject: [PATCH] bridge: disable IPv6 router advertisements + +Signed-off-by: Samuel Karp +--- + libnetwork/drivers/bridge/bridge.go | 6 ++++++ + libnetwork/drivers/bridge/setup_device.go | 19 +++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go +index b617ea7bc4..22ee29e238 100644 +--- a/libnetwork/drivers/bridge/bridge.go ++++ b/libnetwork/drivers/bridge/bridge.go +@@ -679,6 +679,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) { + bridgeAlreadyExists := bridgeIface.exists() + if !bridgeAlreadyExists { + bridgeSetup.queueStep(setupDevice) ++ bridgeSetup.queueStep(setupDefaultSysctl) ++ } ++ ++ // For the default bridge, set expected sysctls ++ if config.DefaultBridge { ++ bridgeSetup.queueStep(setupDefaultSysctl) + } + + // Even if a bridge exists try to setup IPv4. +diff --git a/drivers/bridge/setup_device.go b/drivers/bridge/setup_device.go +index 548ad951df..1343305ae9 100644 +--- a/libnetwork/drivers/bridge/setup_device.go ++++ b/libnetwork/drivers/bridge/setup_device.go +@@ -2,6 +2,9 @@ package bridge + + import ( + "fmt" ++ "io/ioutil" ++ "os" ++ "path/filepath" + + "github.com/docker/docker/pkg/parsers/kernel" + "github.com/docker/libnetwork/netutils" +@@ -49,6 +52,22 @@ func setupDevice(config *networkConfiguration, i *bridgeInterface) error { + return err + } + ++func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error { ++ // Disable IPv6 router advertisements originating on the bridge ++ sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra") ++ if _, err := os.Stat(sysPath); err != nil { ++ logrus. ++ WithField("bridge", config.BridgeName). ++ WithField("syspath", sysPath). 
++ Info("failed to read ipv6 net.ipv6.conf..accept_ra") ++ return nil ++ } ++ if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil { ++ return fmt.Errorf("libnetwork: Unable to disable IPv6 router advertisement: %v", err) ++ } ++ return nil ++} ++ + // SetupDeviceUp ups the given bridge interface. + func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error { + err := i.nlh.LinkSetUp(i.Link) diff --git a/patches/cve-2020-15157.patch b/patches/cve-2020-15157.patch new file mode 100644 index 00000000..b9b7ab75 --- /dev/null +++ b/patches/cve-2020-15157.patch 
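Review bot: The log message in setupDefaultSysctl, `"failed to read ipv6 net.ipv6.conf..accept_ra"`, has an empty segment where the bridge name belongs; since the name is already attached as a field, `Info("failed to read net.ipv6.conf.<bridge>.accept_ra")` or a `fmt.Sprintf` with `config.BridgeName` would read correctly. When the sysctl path is absent the step logs at Info and returns nil, so on a kernel without the IPv6 proc entries the hardening is silently skipped; Warn would let operators notice that router advertisements were not disabled. In bridge.go the same step is queued twice for a default bridge that does not yet exist (once under `!bridgeAlreadyExists`, once under `config.DefaultBridge`); harmless, but an `else if` or a single combined condition would avoid the duplicate write.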
@@ -0,0 +1,206 @@ +From 1ead8d9deb3b175bf40413b8c47b3d19c2262726 Mon Sep 17 00:00:00 2001 +From: Sergey Kanzhelev +Date: Thu, 24 Sep 2020 18:35:46 +0000 +Subject: [PATCH] treat manifest provided URLs differently + +--- + remotes/docker/fetcher.go | 25 ++++-- + remotes/docker/fetcher_test.go | 137 +++++++++++++++++++++++++++++++++ + 2 files changed, 154 insertions(+), 8 deletions(-) + +diff --git a/containerd/remotes/docker/fetcher.go b/containerd/remotes/docker/fetcher.go +index 4a2ce3c393..1708b68fea 100644 +--- a/containerd/remotes/docker/fetcher.go ++++ b/containerd/remotes/docker/fetcher.go +@@ -56,6 +56,23 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R + } + + return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) { ++ if len(desc.URLs) > 0 { ++ db := *r.dockerBase ++ db.auth = nil // do not authenticate ++ nr := dockerFetcher{ ++ dockerBase: &db, ++ } ++ for _, u := range desc.URLs { ++ log.G(ctx).WithField("url", u).Debug("trying alternative url") ++ rc, err := nr.open(ctx, u, desc.MediaType, offset) ++ if err != nil { ++ log.G(ctx).WithField("error", err).Debug("error trying url") ++ continue // try one of the other urls. ++ } ++ ++ return rc, nil ++ } ++ } + for _, u := range urls { + rc, err := r.open(ctx, u, desc.MediaType, offset) + if err != nil { +@@ -142,14 +159,6 @@ func (r dockerFetcher) open(ctx context.Context, u, mediatype string, offset int + func (r *dockerFetcher) getV2URLPaths(ctx context.Context, desc ocispec.Descriptor) ([]string, error) { + var urls []string + +- if len(desc.URLs) > 0 { +- // handle fetch via external urls. 
+- for _, u := range desc.URLs { +- log.G(ctx).WithField("url", u).Debug("adding alternative url") +- urls = append(urls, u) +- } +- } +- + switch desc.MediaType { + case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList, + images.MediaTypeDockerSchema1Manifest, +diff --git a/containerd/remotes/docker/fetcher_test.go b/containerd/remotes/docker/fetcher_test.go +index 8b7beb758d..b72de6249b 100644 +--- a/rcontainerd/remotes/docker/fetcher_test.go ++++ b/containerd/remotes/docker/fetcher_test.go +@@ -23,7 +23,12 @@ import ( + "math/rand" + "net/http" + "net/http/httptest" ++ "net/url" + "testing" ++ ++ "github.com/containerd/containerd/images" ++ digest "github.com/opencontainers/go-digest" ++ ocispec "github.com/opencontainers/image-spec/specs-go/v1" + ) + + func TestFetcherOpen(t *testing.T) { +@@ -92,3 +97,135 @@ func TestFetcherOpen(t *testing.T) { + t.Fatal("expected error opening with invalid server response") + } + } ++ ++func TestFetcherFetch(t *testing.T) { ++ content := make([]byte, 128) ++ rand.New(rand.NewSource(1)).Read(content) ++ start := 0 ++ ++ s := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { ++ t.Helper() ++ ++ if r.RequestURI == "/404" { ++ // no authorization must be provided with the initial GET ++ if r.Header["Authorization"] != nil { ++ t.Errorf("no authorization can be used with manifest-specified URLs") ++ return ++ } ++ ++ rw.WriteHeader(http.StatusNotFound) ++ return ++ } ++ ++ if r.RequestURI == "/401" { ++ if r.Header["Authorization"] == nil { ++ rw.Header().Set("Docker-Distribution-Api-Version", "registry/2.0") ++ rw.Header().Set("WWW-Authenticate", "Basic realm=\"https://url\"") ++ rw.WriteHeader(http.StatusUnauthorized) ++ return ++ } ++ ++ // no authorization must be provided for manifest-defined URLs ++ t.Errorf("no authorization can be used with manifest-specified URLs") ++ return ++ } ++ ++ if r.Header["Authorization"] == nil { ++ 
rw.Header().Set("Docker-Distribution-Api-Version", "registry/2.0") ++ rw.Header().Set("WWW-Authenticate", "Basic realm=\"https://url\"") ++ rw.WriteHeader(http.StatusUnauthorized) ++ return ++ } ++ ++ // authorizer must set Authorize header for the manifest URL ++ if start > 0 { ++ rw.Header().Set("content-range", fmt.Sprintf("bytes %d-127/128", start)) ++ } ++ rw.Header().Set("content-length", fmt.Sprintf("%d", len(content[start:]))) ++ rw.Write(content[start:]) ++ })) ++ defer s.Close() ++ ++ baseURL, _ := url.Parse(s.URL) ++ db := &dockerBase{ ++ client: s.Client(), ++ base: *baseURL, ++ } ++ db.auth = NewAuthorizer(db.client, func(a string) (string, string, error) { ++ return "Authorize", "Basic blah", nil ++ }) ++ ++ f := dockerFetcher{dockerBase: db} ++ ++ ctx := context.Background() ++ ++ desc := ocispec.Descriptor{ ++ MediaType: images.MediaTypeDockerSchema2Manifest, ++ Digest: digest.FromBytes([]byte("digest")), ++ Size: 10, ++ URLs: []string{fmt.Sprintf("%s/404", s.URL), fmt.Sprintf("%s/401", s.URL)}, ++ Annotations: map[string]string{}, ++ } ++ ++ rc, err := f.Fetch(ctx, desc) ++ if err != nil { ++ t.Fatalf("failed to open: %+v", err) ++ } ++ b, err := ioutil.ReadAll(rc) ++ if err != nil { ++ t.Fatal(err) ++ } ++ expected := content[0:] ++ if len(b) != len(expected) { ++ t.Errorf("unexpected length %d, expected %d", len(b), len(expected)) ++ return ++ } ++ for i, c := range expected { ++ if b[i] != c { ++ t.Errorf("unexpected byte %x at %d, expected %x", b[i], i, c) ++ return ++ } ++ } ++} ++ ++func TestFetcherGetV2URLPaths(t *testing.T) { ++ content := make([]byte, 128) ++ rand.New(rand.NewSource(1)).Read(content) ++ start := 0 ++ ++ s := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { ++ if start > 0 { ++ rw.Header().Set("content-range", fmt.Sprintf("bytes %d-127/128", start)) ++ } ++ rw.Header().Set("content-length", fmt.Sprintf("%d", len(content[start:]))) ++ rw.Write(content[start:]) ++ })) ++ defer s.Close() ++ 
++ f := dockerFetcher{&dockerBase{ ++ client: s.Client(), ++ }} ++ ctx := context.Background() ++ ++ desc := ocispec.Descriptor{ ++ MediaType: images.MediaTypeDockerSchema2Manifest, ++ Digest: "digest", ++ Size: 10, ++ URLs: []string{"first", "second"}, ++ Annotations: map[string]string{}, ++ } ++ ++ urls, err := f.getV2URLPaths(ctx, desc) ++ ++ if err != nil { ++ t.Errorf("unexpected error %v", err) ++ return ++ } ++ ++ // blobs and manifest/digest ++ // URLs from the descriptor should not be added to the list of alternative sources ++ if len(urls) != 2 { ++ t.Errorf("unexpected number of urls: %d, expected %d", len(urls), 2) ++ return ++ } ++} diff --git a/patches/cve-2020-15257.patch b/patches/cve-2020-15257.patch new file mode 100644 index 00000000..48f9bc45 --- /dev/null +++ b/patches/cve-2020-15257.patch 
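Review bot: The embedded header for the test file reads `--- a/rcontainerd/remotes/docker/fetcher_test.go` while the new side is `+++ b/containerd/remotes/docker/fetcher_test.go`; the old-side path has a stray `r`, and a strict applier (notably `git apply`) may reject the hunk for inconsistent file names, so it should be corrected to `--- a/containerd/remotes/docker/fetcher_test.go`. In Fetch, the manifest-supplied URLs are tried through a copy of dockerBase with `auth = nil`, which is the point of the change and deserves a comment at the top of that block, e.g. `// URLs from the manifest are untrusted: fetch them without registry credentials and fall back to the registry on failure.` Since `db := *r.dockerBase` copies the struct by value, clearing `auth` on the copy cannot affect the shared fetcher, which appears intentional and is worth stating.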
@@ -0,0 +1,744 @@
+From 3519233e1b5a408c7e92b0af4293000820a0089b Mon Sep 17 00:00:00 2001
+From: Tianon Gravi
+Date: Tue, 24 Nov 2020 12:38:31 +0000
+Subject: [PATCH] Fix CVE-2020-15257
+
+This is the 1.2 backport. It's the Samuel Karp patch with additional changes:
+
+ - Add ReadAddress function from commit 84a24711e88
+ - Add "horten the unix socket path for shim" commit (a631796fda6)
+
+Below is the original commit message:
+
+-----------------------------------------------------------------------
+
+Use path based unix socket for shims
+
+This allows filesystem based ACLs for configuring access to the socket of a
+shim.
+
+Co-authored-by: Samuel Karp
+Signed-off-by: Samuel Karp
+Signed-off-by: Michael Crosby
+Signed-off-by: Michael Crosby
+
+-----------------------------------------------------------------------
+
+containerd-shim: use path-based unix socket
+
+This allows filesystem-based ACLs for configuring access to the socket
+of a shim.
+
+Ported from Michael Crosby's similar patch for v2 shims.
+
+Signed-off-by: Samuel Karp
+
+-----------------------------------------------------------------------
+
+Co-authored-by: Paulo Flabiano Smorigo
+Co-authored-by: varsha teratipally
+Signed-off-by: Tianon Gravi
+---
+ cmd/containerd-shim/main_unix.go | 16 +++--
+ cmd/ctr/commands/shim/shim.go | 12 +++-
+ container_test.go | 58 +++++++++++++++
+ runtime/v1/linux/bundle.go | 37 +++++++++-
+ runtime/v1/shim/client/client.go | 117 ++++++++++++++++++++++---
+ runtime/v2/runc/service.go | 18 +++--
+ runtime/v2/shim/shim.go | 7 +-
+ runtime/v2/shim/shim_unix.go | 8 +--
+ runtime/v2/shim/util.go | 20 ++++++
+ runtime/v2/shim/util_unix.go | 97 ++++++++++++++++++++++---
+ runtime/v2/shim/util_windows.go | 6 ++
+ 11 files changed, 358 insertions(+), 38 deletions(-)
+
+diff --git a/containerd/cmd/containerd-shim/main_unix.go b/containerd/cmd/containerd-shim/main_unix.go
+index eb34ee7d19..66e0eda257 100644
+--- a/containerd/cmd/containerd-shim/main_unix.go
++++ b/containerd/cmd/containerd-shim/main_unix.go
+@@ -65,7 +65,7 @@ var (
+ func init() {
+ flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
+ flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
+- flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
++ flag.StringVar(&socketFlag, "socket", "", "socket path to serve")
+ flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
+ flag.StringVar(&workdirFlag, "workdir", "", "path used to storge large temporary data")
+ flag.StringVar(&runtimeRootFlag, "runtime-root", proc.RuncRoot, "root directory for the runtime")
+@@ -196,10 +196,18 @@ func serve(ctx context.Context, server *ttrpc.Server, path string) error {
+ l, err = net.FileListener(os.NewFile(3, "socket"))
+ path = "[inherited from parent]"
+ } else {
+- if len(path) > 106 {
+- return errors.Errorf("%q: unix socket path too long (> 106)", path)
++ const (
++ abstractSocketPrefix = "\x00"
++ socketPathLimit = 106
++ )
++ p := strings.TrimPrefix(path, "unix://")
++ if len(p) == len(path) {
++ p = abstractSocketPrefix + p
+ }
+- l, err = net.Listen("unix", "\x00"+path)
++ if len(p) > socketPathLimit {
++ return errors.Errorf("%q: unix socket path too long (> %d)", p, socketPathLimit)
++ }
++ l, err = net.Listen("unix", p)
+ }
+ if err != nil {
+ return err
+diff --git a/containerd/cmd/ctr/commands/shim/shim.go b/containerd/cmd/ctr/commands/shim/shim.go
+index ec08cc68bb..3dbb8b062f 100644
+--- a/containerd/cmd/ctr/commands/shim/shim.go
++++ b/containerd/cmd/ctr/commands/shim/shim.go
+@@ -231,7 +231,7 @@ func getTaskService(context *cli.Context) (task.TaskService, error) {
+ return nil, errors.New("socket path must be specified")
+ }
+
+- conn, err := net.Dial("unix", "\x00"+bindSocket)
++ conn, err := connectToAddress(bindSocket)
+ if err != nil {
+ return nil, err
+ }
+@@ -243,3 +243,13 @@ func getTaskService(context *cli.Context) (task.TaskService, error) {
+
+ return task.NewTaskClient(client), nil
+ }
++
++// as we changed the socket address from abstract, we need to have a backward
++// compatibility to handle the abstract sockets as well.
++func connectToAddress(address string) (net.Conn, error) {
++ conn, err := net.Dial("unix", address)
++ if err != nil {
++ return net.Dial("unix", "\x00"+address)
++ }
++ return conn, err
++}
+diff --git a/containerd/container_test.go b/containerd/container_test.go
+index aa04a31ad3..2e825acddc 100644
+--- a/containerd/container_test.go
++++ b/containerd/container_test.go
+@@ -32,7 +32,9 @@ import (
+ // Register the typeurl
+ "github.com/containerd/containerd/cio"
+ "github.com/containerd/containerd/containers"
++ "github.com/containerd/containerd/namespaces"
+ "github.com/containerd/containerd/oci"
++ "github.com/containerd/containerd/platforms"
+ _ "github.com/containerd/containerd/runtime"
+ "github.com/containerd/typeurl"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+@@ -1577,3 +1579,59 @@ func TestShortRunningTaskPid(t *testing.T) {
+ }
+ defer task.Delete(ctx, WithProcessKill)
+ }
++
++func TestShimSockLength(t *testing.T) {
++ t.Parallel()
++
++ // Max length of namespace should be 76
++ namespace := strings.Repeat("n", 76)
++
++ ctx, cancel := context.WithCancel(context.Background())
++ defer cancel()
++
++ ctx = namespaces.WithNamespace(ctx, namespace)
++
++ client, err := newClient(t, address)
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer client.Close()
++
++ image, err := client.Pull(ctx, testImage,
++ WithPlatformMatcher(platforms.Default()),
++ WithPullUnpack,
++ )
++ if err != nil {
++ t.Fatal(err)
++ }
++
++ id := strings.Repeat("c", 64)
++
++ // We don't have limitation with length of container name,
++ // but 64 bytes of sha256 is the common case
++ container, err := client.NewContainer(ctx, id,
++ WithNewSnapshot(id, image),
++ WithNewSpec(oci.WithImageConfig(image), withExitStatus(0)),
++ )
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer container.Delete(ctx, WithSnapshotCleanup)
++
++ task, err := container.NewTask(ctx, empty())
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer task.Delete(ctx)
++
++ statusC, err :=
task.Wait(ctx)
++ if err != nil {
++ t.Fatal(err)
++ }
++
++ if err := task.Start(ctx); err != nil {
++ t.Fatal(err)
++ }
++
++ <-statusC
++}
+diff --git a/containerd/runtime/v1/linux/bundle.go b/containerd/runtime/v1/linux/bundle.go
+index d73866a2fd..84c06f2ab4 100644
+--- a/containerd/runtime/v1/linux/bundle.go
++++ b/containerd/runtime/v1/linux/bundle.go
+@@ -20,6 +20,8 @@ package linux
+
+ import (
+ "context"
++ "crypto/sha256"
++ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+@@ -88,7 +90,7 @@ func ShimRemote(c *Config, daemonAddress, cgroup string, exitHandler func()) Shi
+ return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {
+ config := b.shimConfig(ns, c, ropts)
+ return config,
+- client.WithStart(c.Shim, b.shimAddress(ns), daemonAddress, cgroup, c.ShimDebug, exitHandler)
++ client.WithStart(c.Shim, b.shimAddress(ns, daemonAddress), daemonAddress, cgroup, c.ShimDebug, exitHandler)
+ }
+ }
+
+@@ -102,7 +104,7 @@ func ShimLocal(c *Config, exchange *exchange.Exchange) ShimOpt {
+ // ShimConnect is a ShimOpt for connecting to an existing remote shim
+ func ShimConnect(c *Config, onClose func()) ShimOpt {
+ return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {
+- return b.shimConfig(ns, c, ropts), client.WithConnect(b.shimAddress(ns), onClose)
++ return b.shimConfig(ns, c, ropts), client.WithConnect(b.decideShimAddress(ns), onClose)
+ }
+ }
+
+@@ -114,6 +116,11 @@ func (b *bundle) NewShimClient(ctx context.Context, namespace string, getClientO
+
+ // Delete deletes the bundle from disk
+ func (b *bundle) Delete() error {
++ address, _ := b.loadAddress()
++ if address != "" {
++ // we don't care about errors here
++ client.RemoveSocket(address)
++ }
+ err := os.RemoveAll(b.path)
+ if err == nil {
+ return os.RemoveAll(b.workDir)
+@@ -126,10 +133,34 @@ func (b *bundle) Delete() error {
+ return errors.Wrapf(err, "Failed to remove both bundle and workdir locations: %v", err2)
+ }
+
+-func (b *bundle) shimAddress(namespace string) string {
++func (b *bundle) legacyShimAddress(namespace string) string {
+ return filepath.Join(string(filepath.Separator), "containerd-shim", namespace, b.id, "shim.sock")
+ }
+
++const socketRoot = "/run/containerd"
++
++func (b *bundle) shimAddress(namespace, socketPath string) string {
++ d := sha256.Sum256([]byte(filepath.Join(socketPath, namespace, b.id)))
++ return fmt.Sprintf("unix://%s/%x", filepath.Join(socketRoot, "s"), d)
++}
++
++func (b *bundle) loadAddress() (string, error) {
++ addressPath := filepath.Join(b.path, "address")
++ data, err := ioutil.ReadFile(addressPath)
++ if err != nil {
++ return "", err
++ }
++ return string(data), nil
++}
++
++func (b *bundle) decideShimAddress(namespace string) string {
++ address, err := b.loadAddress()
++ if err != nil {
++ return b.legacyShimAddress(namespace)
++ }
++ return address
++}
++
+ func (b *bundle) shimConfig(namespace string, c *Config, runcOptions *runctypes.RuncOptions) shim.Config {
+ var (
+ criuPath string
+diff --git a/containerd/runtime/v1/shim/client/client.go b/containerd/runtime/v1/shim/client/client.go
+index 880dd74985..3238ac3e8c 100644
+--- a/containerd/runtime/v1/shim/client/client.go
++++ b/containerd/runtime/v1/shim/client/client.go
+@@ -20,10 +20,12 @@ package client
+
+ import (
+ "context"
++ "fmt"
+ "io"
+ "net"
+ "os"
+ "os/exec"
++ "path/filepath"
+ "strings"
+ "sync"
+ "syscall"
+@@ -54,9 +56,17 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
+ return func(ctx context.Context, config shim.Config) (_ shimapi.ShimService, _ io.Closer, err error) {
+ socket, err := newSocket(address)
+ if err != nil {
+- return nil, nil, err
++ if !eaddrinuse(err) {
++ return nil, nil, err
++ }
++ if err := RemoveSocket(address); err != nil {
++ return nil, nil, errors.Wrap(err, "remove already used socket")
++ }
++ if socket, err = newSocket(address); err != nil {
++ return nil, nil, err
++ }
+ }
+- defer
socket.Close()
++
+ f, err := socket.File()
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to get fd for socket %s", address)
+@@ -101,12 +111,18 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
+ go func() {
+ cmd.Wait()
+ exitHandler()
++ socket.Close()
++ RemoveSocket(address)
+ }()
+ log.G(ctx).WithFields(logrus.Fields{
+ "pid": cmd.Process.Pid,
+ "address": address,
+ "debug": debug,
+ }).Infof("shim %s started", binary)
++
++ if err := writeAddress(filepath.Join(config.Path, "address"), address); err != nil {
++ return nil, nil, err
++ }
+ // set shim in cgroup if it is provided
+ if cgroup != "" {
+ if err := setCgroup(cgroup, cmd); err != nil {
+@@ -128,6 +144,26 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
+ }
+ }
+
++func eaddrinuse(err error) bool {
++ cause := errors.Cause(err)
++ netErr, ok := cause.(*net.OpError)
++ if !ok {
++ return false
++ }
++ if netErr.Op != "listen" {
++ return false
++ }
++ syscallErr, ok := netErr.Err.(*os.SyscallError)
++ if !ok {
++ return false
++ }
++ errno, ok := syscallErr.Err.(syscall.Errno)
++ if !ok {
++ return false
++ }
++ return errno == syscall.EADDRINUSE
++}
++
+ func newCommand(binary, daemonAddress string, debug bool, config shim.Config, socket *os.File) (*exec.Cmd, error) {
+ selfExe, err := os.Executable()
+ if err != nil {
+@@ -166,31 +202,92 @@ func newCommand(binary, daemonAddress string, debug bool, config shim.Config, so
+ return cmd, nil
+ }
+
++// writeAddress writes a address file atomically
++func writeAddress(path, address string) error {
++ path, err := filepath.Abs(path)
++ if err != nil {
++ return err
++ }
++ tempPath := filepath.Join(filepath.Dir(path), fmt.Sprintf(".%s", filepath.Base(path)))
++ f, err := os.OpenFile(tempPath, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
++ if err != nil {
++ return err
++ }
++ _, err = f.WriteString(address)
++ f.Close()
++ if err != nil {
++ return err
++ }
++
return os.Rename(tempPath, path)
++}
++
++const (
++ abstractSocketPrefix = "\x00"
++ socketPathLimit = 106
++)
++
++type socket string
++
++func (s socket) isAbstract() bool {
++ return !strings.HasPrefix(string(s), "unix://")
++}
++
++func (s socket) path() string {
++ path := strings.TrimPrefix(string(s), "unix://")
++ // if there was no trim performed, we assume an abstract socket
++ if len(path) == len(s) {
++ path = abstractSocketPrefix + path
++ }
++ return path
++}
++
+ func newSocket(address string) (*net.UnixListener, error) {
+- if len(address) > 106 {
+- return nil, errors.Errorf("%q: unix socket path too long (> 106)", address)
++ if len(address) > socketPathLimit {
++ return nil, errors.Errorf("%q: unix socket path too long (> %d)", address, socketPathLimit)
++ }
++ var (
++ sock = socket(address)
++ path = sock.path()
++ )
++ if !sock.isAbstract() {
++ if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil {
++ return nil, errors.Wrapf(err, "%s", path)
++ }
+ }
+- l, err := net.Listen("unix", "\x00"+address)
++ l, err := net.Listen("unix", path)
+ if err != nil {
+- return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address)
++ return nil, errors.Wrapf(err, "failed to listen to unix socket %q (abstract: %t)", address, sock.isAbstract())
++ }
++ if err := os.Chmod(path, 0600); err != nil {
++ l.Close()
++ return nil, err
+ }
+
+ return l.(*net.UnixListener), nil
+ }
+
++// RemoveSocket removes the socket at the specified address if
++// it exists on the filesystem
++func RemoveSocket(address string) error {
++ sock := socket(address)
++ if !sock.isAbstract() {
++ return os.Remove(sock.path())
++ }
++ return nil
++}
++
+ func connect(address string, d func(string, time.Duration) (net.Conn, error)) (net.Conn, error) {
+ return d(address, 100*time.Second)
+ }
+
+-func annonDialer(address string, timeout time.Duration) (net.Conn, error) {
+- address = strings.TrimPrefix(address, "unix://")
+- return net.DialTimeout("unix",
"\x00"+address, timeout) ++func anonDialer(address string, timeout time.Duration) (net.Conn, error) { ++ return net.DialTimeout("unix", socket(address).path(), timeout) + } + + // WithConnect connects to an existing shim + func WithConnect(address string, onClose func()) Opt { + return func(ctx context.Context, config shim.Config) (shimapi.ShimService, io.Closer, error) { +- conn, err := connect(address, annonDialer) ++ conn, err := connect(address, anonDialer) + if err != nil { + return nil, nil, err + } +diff --git a/containerd/runtime/v2/runc/service.go b/containerd/runtime/v2/runc/service.go +index 347216ec76..675af57dad 100644 +--- a/containerd/runtime/v2/runc/service.go ++++ b/containerd/runtime/v2/runc/service.go +@@ -143,20 +143,26 @@ func (s *service) StartShim(ctx context.Context, id, containerdBinary, container + if err != nil { + return "", err + } +- address, err := shim.SocketAddress(ctx, id) ++ address, err := shim.SocketAddress(ctx, containerdAddress, id) + if err != nil { + return "", err + } + socket, err := shim.NewSocket(address) + if err != nil { +- return "", err ++ if !shim.SocketEaddrinuse(err) { ++ return "", err ++ } ++ if err := shim.RemoveSocket(address); err != nil { ++ return "", errors.Wrap(err, "remove already used socket") ++ } ++ if socket, err = shim.NewSocket(address); err != nil { ++ return "", err ++ } + } +- defer socket.Close() + f, err := socket.File() + if err != nil { + return "", err + } +- defer f.Close() + + cmd.ExtraFiles = append(cmd.ExtraFiles, f) + +@@ -165,6 +171,7 @@ func (s *service) StartShim(ctx context.Context, id, containerdBinary, container + } + defer func() { + if err != nil { ++ _ = shim.RemoveSocket(address) + cmd.Process.Kill() + } + }() +@@ -582,6 +589,9 @@ func (s *service) Connect(ctx context.Context, r *taskAPI.ConnectRequest) (*task + + func (s *service) Shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*ptypes.Empty, error) { + s.cancel() ++ if address, err := shim.ReadAddress("address"); 
err == nil {
++ _ = shim.RemoveSocket(address)
++ }
+ os.Exit(0)
+ return empty, nil
+ }
+diff --git a/containerd/runtime/v2/shim/shim.go b/containerd/runtime/v2/shim/shim.go
+index 39484c1912..b5fb3ff6d0 100644
+--- a/containerd/runtime/v2/shim/shim.go
++++ b/containerd/runtime/v2/shim/shim.go
+@@ -77,7 +77,7 @@ func parseFlags() {
+ flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
+ flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
+ flag.StringVar(&idFlag, "id", "", "id of the task")
+- flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
++ flag.StringVar(&socketFlag, "socket", "", "socket path to serve")
+ flag.StringVar(&bundlePath, "bundle", "", "path to the bundle if not workdir")
+
+ flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
+@@ -239,11 +239,14 @@ func serve(ctx context.Context, server *ttrpc.Server, path string) error {
+ return err
+ }
+ go func() {
+- defer l.Close()
+ if err := server.Serve(ctx, l); err != nil &&
+ !strings.Contains(err.Error(), "use of closed network connection") {
+ logrus.WithError(err).Fatal("containerd-shim: ttrpc server failure")
+ }
++ l.Close()
++ if address, err := ReadAddress("address"); err == nil {
++ _ = RemoveSocket(address)
++ }
+ }()
+ return nil
+ }
+diff --git a/containerd/runtime/v2/shim/shim_unix.go b/containerd/runtime/v2/shim/shim_unix.go
+index 1a54821637..0d5694331d 100644
+--- a/containerd/runtime/v2/shim/shim_unix.go
++++ b/containerd/runtime/v2/shim/shim_unix.go
+@@ -59,15 +59,15 @@ func serveListener(path string) (net.Listener, error) {
+ l, err = net.FileListener(os.NewFile(3, "socket"))
+ path = "[inherited from parent]"
+ } else {
+- if len(path) > 106 {
+- return nil, errors.Errorf("%q: unix socket path too long (> 106)", path)
++ if len(path) > socketPathLimit {
++ return nil, errors.Errorf("%q: unix socket path too long (> %d)", path, socketPathLimit)
+ }
+- l, err = net.Listen("unix",
"\x00"+path) ++ l, err = net.Listen("unix", path) + } + if err != nil { + return nil, err + } +- logrus.WithField("socket", path).Debug("serving api on abstract socket") ++ logrus.WithField("socket", path).Debug("serving api on socket") + return l, nil + } + +diff --git a/containerd/runtime/v2/shim/util.go b/containerd/runtime/v2/shim/util.go +index b7034ce50b..a5da124f9c 100644 +--- a/containerd/runtime/v2/shim/util.go ++++ b/containerd/runtime/v2/shim/util.go +@@ -19,6 +19,7 @@ package shim + import ( + "context" + "fmt" ++ "io/ioutil" + "net" + "os" + "os/exec" +@@ -126,3 +127,22 @@ func WriteAddress(path, address string) error { + } + return os.Rename(tempPath, path) + } ++ ++// ErrNoAddress is returned when the address file has no content ++var ErrNoAddress = errors.New("no shim address") ++ ++// ReadAddress returns the shim's socket address from the path ++func ReadAddress(path string) (string, error) { ++ path, err := filepath.Abs(path) ++ if err != nil { ++ return "", err ++ } ++ data, err := ioutil.ReadFile(path) ++ if err != nil { ++ return "", err ++ } ++ if len(data) == 0 { ++ return "", ErrNoAddress ++ } ++ return string(data), nil ++} +diff --git a/containerd/runtime/v2/shim/util_unix.go b/containerd/runtime/v2/shim/util_unix.go +index 262fe2b363..d8a57a1da8 100644 +--- a/containerd/runtime/v2/shim/util_unix.go ++++ b/containerd/runtime/v2/shim/util_unix.go +@@ -20,7 +20,10 @@ package shim + + import ( + "context" ++ "crypto/sha256" ++ "fmt" + "net" ++ "os" + "path/filepath" + "strings" + "syscall" +@@ -31,6 +34,8 @@ import ( + "github.com/pkg/errors" + ) + ++const socketPathLimit = 106 ++ + func getSysProcAttr() *syscall.SysProcAttr { + return &syscall.SysProcAttr{ + Setpgid: true, +@@ -42,29 +47,101 @@ func SetScore(pid int) error { + return sys.SetOOMScore(pid, sys.OOMScoreMaxKillable) + } + +-// SocketAddress returns an abstract socket address +-func SocketAddress(ctx context.Context, id string) (string, error) { ++const socketRoot = 
"/run/containerd" ++ ++// SocketAddress returns a socket address ++func SocketAddress(ctx context.Context, socketPath, id string) (string, error) { + ns, err := namespaces.NamespaceRequired(ctx) + if err != nil { + return "", err + } +- return filepath.Join(string(filepath.Separator), "containerd-shim", ns, id, "shim.sock"), nil ++ d := sha256.Sum256([]byte(filepath.Join(socketPath, ns, id))) ++ return fmt.Sprintf("unix://%s/%x", filepath.Join(socketRoot, "s"), d), nil + } + +-// AnonDialer returns a dialer for an abstract socket ++// AnonDialer returns a dialer for a socket + func AnonDialer(address string, timeout time.Duration) (net.Conn, error) { +- address = strings.TrimPrefix(address, "unix://") +- return net.DialTimeout("unix", "\x00"+address, timeout) ++ return net.DialTimeout("unix", socket(address).path(), timeout) + } + + // NewSocket returns a new socket + func NewSocket(address string) (*net.UnixListener, error) { +- if len(address) > 106 { +- return nil, errors.Errorf("%q: unix socket path too long (> 106)", address) ++ var ( ++ sock = socket(address) ++ path = sock.path() ++ ) ++ if !sock.isAbstract() { ++ if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil { ++ return nil, errors.Wrapf(err, "%s", path) ++ } + } +- l, err := net.Listen("unix", "\x00"+address) ++ l, err := net.Listen("unix", path) + if err != nil { +- return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address) ++ return nil, err ++ } ++ if err := os.Chmod(path, 0600); err != nil { ++ os.Remove(sock.path()) ++ l.Close() ++ return nil, err + } + return l.(*net.UnixListener), nil + } ++ ++const abstractSocketPrefix = "\x00" ++ ++type socket string ++ ++func (s socket) isAbstract() bool { ++ return !strings.HasPrefix(string(s), "unix://") ++} ++ ++func (s socket) path() string { ++ path := strings.TrimPrefix(string(s), "unix://") ++ // if there was no trim performed, we assume an abstract socket ++ if len(path) == len(s) { ++ path = abstractSocketPrefix + 
path
++ }
++ return path
++}
++
++// RemoveSocket removes the socket at the specified address if
++// it exists on the filesystem
++func RemoveSocket(address string) error {
++ sock := socket(address)
++ if !sock.isAbstract() {
++ return os.Remove(sock.path())
++ }
++ return nil
++}
++
++// SocketEaddrinuse returns true if the provided error is caused by the
++// EADDRINUSE error number
++func SocketEaddrinuse(err error) bool {
++ netErr, ok := err.(*net.OpError)
++ if !ok {
++ return false
++ }
++ if netErr.Op != "listen" {
++ return false
++ }
++ syscallErr, ok := netErr.Err.(*os.SyscallError)
++ if !ok {
++ return false
++ }
++ errno, ok := syscallErr.Err.(syscall.Errno)
++ if !ok {
++ return false
++ }
++ return errno == syscall.EADDRINUSE
++}
++
++// CanConnect returns true if the socket provided at the address
++// is accepting new connections
++func CanConnect(address string) bool {
++ conn, err := AnonDialer(address, 100*time.Millisecond)
++ if err != nil {
++ return false
++ }
++ conn.Close()
++ return true
++}
+diff --git a/containerd/runtime/v2/shim/util_windows.go b/containerd/runtime/v2/shim/util_windows.go
+index 594a0f75b3..4562119738 100644
+--- a/containerd/runtime/v2/shim/util_windows.go
++++ b/containerd/runtime/v2/shim/util_windows.go
+@@ -88,3 +88,9 @@ func NewSocket(address string) (net.Listener, error) {
+ }
+ return l, nil
+ }
++
++// RemoveSocket removes the socket at the specified address if
++// it exists on the filesystem
++func RemoveSocket(address string) error {
++ return nil
++}
diff --git a/patches/cve-2021-21284-1.patch b/patches/cve-2021-21284-1.patch
new file mode 100644
index 00000000..2450839e
--- /dev/null
+++ b/patches/cve-2021-21284-1.patch
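Review bot: In StartShim's new EADDRINUSE branch (service.go hunk @@ -143,20 +143,26 @@) the existing socket file is unlinked and re-bound without first checking whether another shim is still serving it, even though this same patch adds `CanConnect` in util_unix.go and leaves it unused; since the address is derived from the containerd address, namespace and id, a duplicate id would silently cut a live shim off its socket. A guard before the removal keeps that case an error, e.g. `if shim.CanConnect(address) { return "", errors.Errorf("socket %s already in use", address) }`. The v1 `WithStart` branch in client.go has the same unconditional `RemoveSocket`, though v1 has no connect probe to call. Separately, both `newSocket` and `NewSocket` call `net.Listen` first and only then `os.Chmod(path, 0600)`, so the socket briefly carries the umask-derived mode; what closes that window for non-root users is the parent created by `os.MkdirAll(filepath.Dir(path), 0600)` having no search bit, which is worth a comment since it only holds because the daemon itself owns the directory.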
@@ -0,0 +1,103 @@
+From 1342c51d5e809d2994e6f7e490c8d2b3b12c28ae Mon Sep 17 00:00:00 2001
+From: Brian Goff
+Date: Tue, 6 Oct 2020 19:30:07 +0000
+Subject: [PATCH] Ensure MkdirAllAndChown also sets perms
+
+Generally if we ever need to change perms of a dir, between versions,
+this ensures the permissions actually change when we think it should
+change without having to handle special cases if it already existed.
+
+Signed-off-by: Brian Goff
+(cherry picked from commit edb62a3ace8c4303822a391b38231e577f8c2ee8)
+Signed-off-by: Tibor Vass
+---
+ pkg/idtools/idtools.go | 11 ++++++++---
+ pkg/idtools/idtools_unix.go | 14 ++++++++++----
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/engine/pkg/idtools/idtools.go b/engine/pkg/idtools/idtools.go
+index b3af7a4226e6..bb147b7e0e86 100644
+--- a/engine/pkg/idtools/idtools.go
++++ b/engine/pkg/idtools/idtools.go
+@@ -35,13 +35,13 @@ const (
+
+ // MkdirAllAndChown creates a directory (include any along the path) and then modifies
+ // ownership to the requested uid/gid. If the directory already exists, this
+-// function will still change ownership to the requested uid/gid pair.
++// function will still change ownership and permissions.
+ func MkdirAllAndChown(path string, mode os.FileMode, owner Identity) error {
+ return mkdirAs(path, mode, owner, true, true)
+ }
+
+ // MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
+-// If the directory already exists, this function still changes ownership.
++// If the directory already exists, this function still changes ownership and permissions.
+ // Note that unlike os.Mkdir(), this function does not return IsExist error
+ // in case path already exists.
+ func MkdirAndChown(path string, mode os.FileMode, owner Identity) error {
+@@ -50,7 +50,7 @@ func MkdirAndChown(path string, mode os.FileMode, owner Identity) error {
+
+ // MkdirAllAndChownNew creates a directory (include any along the path) and then modifies
+ // ownership ONLY of newly created directories to the requested uid/gid. If the
+-// directories along the path exist, no change of ownership will be performed
++// directories along the path exist, no change of ownership or permissions will be performed
+ func MkdirAllAndChownNew(path string, mode os.FileMode, owner Identity) error {
+ return mkdirAs(path, mode, owner, true, false)
+ }
+@@ -262,3 +262,8 @@ func parseSubidFile(path, username string) (ranges, error) {
+ }
+ return rangeList, nil
+ }
++
++// CurrentIdentity returns the identity of the current process
++func CurrentIdentity() Identity {
++ return Identity{UID: os.Getuid(), GID: os.Getegid()}
++}
+diff --git a/engine/pkg/idtools/idtools_unix.go b/engine/pkg/idtools/idtools_unix.go
+index fb239743a01a..329d5d04edcc 100644
+--- a/engine/pkg/idtools/idtools_unix.go
++++ b/engine/pkg/idtools/idtools_unix.go
+@@ -39,7 +39,7 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
+ }
+
+ // short-circuit--we were called with an existing directory and chown was requested
+- return lazyChown(path, owner.UID, owner.GID, stat)
++ return setPermissions(path, mode, owner.UID, owner.GID, stat)
+ }
+
+ if os.IsNotExist(err) {
+@@ -70,7 +70,7 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
+ // even if it existed, we will chown the requested path + any subpaths that
+ // didn't exist when we called MkdirAll
+ for _, pathComponent := range paths {
+- if err := lazyChown(pathComponent, owner.UID, owner.GID, nil); err != nil {
++ if err := setPermissions(pathComponent, mode, owner.UID, owner.GID, nil); err != nil {
+ return err
+ }
+ }
+@@ -213,10 +213,11 @@ func callGetent(args string)
(io.Reader, error) {
+ return bytes.NewReader(out), nil
+ }
+
+-// lazyChown performs a chown only if the uid/gid don't match what's requested
++// setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
+ // Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
+ // dir is on an NFS share, so don't call chown unless we absolutely must.
+-func lazyChown(p string, uid, gid int, stat *system.StatT) error {
++// Likewise for setting permissions.
++func setPermissions(p string, mode os.FileMode, uid, gid int, stat *system.StatT) error {
+ if stat == nil {
+ var err error
+ stat, err = system.Stat(p)
+@@ -224,6 +225,11 @@ func lazyChown(p string, uid, gid int, stat *system.StatT) error {
+ return err
+ }
+ }
++ if os.FileMode(stat.Mode()).Perm() != mode.Perm() {
++ if err := os.Chmod(p, mode.Perm()); err != nil {
++ return err
++ }
++ }
+ if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) {
+ return nil
+ }
diff --git a/patches/cve-2021-21284-2.patch b/patches/cve-2021-21284-2.patch
new file mode 100644
index 00000000..31681738
--- /dev/null
+++ b/patches/cve-2021-21284-2.patch
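Review bot: `CurrentIdentity` (idtools.go hunk @@ -262,3 +262,8 @@) pairs the real uid from `os.Getuid()` with the effective gid from `os.Getegid()`; for a process whose real and effective ids differ the result is neither its real nor its effective identity, and the companion patches chown data directories to exactly this pair. Either use one family consistently, e.g. `return Identity{UID: os.Geteuid(), GID: os.Getegid()}`, or add a comment stating why the mix is intended, since it presumably only coincides in the usual case of dockerd running as plain root. The doc comment on `setPermissions` (idtools_unix.go hunk @@ -213,10 +213,11 @@) also no longer matches the body: the chmod is applied whenever the mode differs, before the uid/gid comparison, so I would reword the first line to `// setPermissions chmods the path if its mode differs from the requested one, and chowns it only if the uid/gid don't match what's requested`.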
@@ -0,0 +1,52 @@
+From 5eff67a2c294b7e72607e0949ebc0de21710e4d3 Mon Sep 17 00:00:00 2001
+From: Brian Goff
+Date: Tue, 6 Oct 2020 19:40:30 +0000
+Subject: [PATCH] Do not set DOCKER_TMP to be owned by remapped root
+
+The remapped root does not need access to this dir.
+Having this owned by the remapped root opens the host up to an
+uprivileged user on the host being able to escalate privileges.
+
+While it would not be normal for the remapped UID to be used outside of
+the container context, it could happen.
+
+Signed-off-by: Brian Goff
+(cherry picked from commit bfedd2725971303efb7a2fe5d6990317b381622f)
+Signed-off-by: Tibor Vass
+---
+ daemon/daemon.go | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/engine/daemon/daemon.go b/engine/daemon/daemon.go
+index acc619a6af14..24205cd1dc3d 100644
+--- a/engine/daemon/daemon.go
++++ b/engine/daemon/daemon.go
+@@ -748,7 +748,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+ }
+
+ // set up the tmpDir to use a canonical path
+- tmp, err := prepareTempDir(config.Root, rootIDs)
++ tmp, err := prepareTempDir(config.Root)
+ if err != nil {
+ return nil, fmt.Errorf("Unable to get the TempDir under %s: %s", config.Root, err)
+ }
+@@ -1289,7 +1289,7 @@ func (daemon *Daemon) Subnets() ([]net.IPNet, []net.IPNet) {
+ // prepareTempDir prepares and returns the default directory to use
+ // for temporary files.
+ // If it doesn't exist, it is created. If it exists, its content is removed.
+-func prepareTempDir(rootDir string, rootIdentity idtools.Identity) (string, error) {
++func prepareTempDir(rootDir string) (string, error) {
+ var tmpDir string
+ if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {
+ tmpDir = filepath.Join(rootDir, "tmp")
+@@ -1307,9 +1307,7 @@ func prepareTempDir(rootDir string, rootIdentity idtools.Identity) (string, erro
+ }
+ }
+ }
+- // We don't remove the content of tmpdir if it's not the default,
+- // it may hold things that do not belong to us.
+- return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, rootIdentity)
++ return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, idtools.CurrentIdentity())
+ }
+
+ func (daemon *Daemon) setGenericResources(conf *config.Config) error {
diff --git a/patches/cve-2021-21284-3.patch b/patches/cve-2021-21284-3.patch
new file mode 100644
index 00000000..0c29a227
--- /dev/null
+++ b/patches/cve-2021-21284-3.patch
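Review bot: The removed comment `// We don't remove the content of tmpdir if it's not the default, it may hold things that do not belong to us.` documented behaviour that the branch above this hunk (the body of prepareTempDir between the DOCKER_TMPDIR check and the closing braces, which is outside the hunk) still appears to implement; dropping it along with the ownership change loses the only explanation of why a user-supplied DOCKER_TMPDIR is handled differently, so I would keep it. Because the companion idtools patch makes `MkdirAllAndChown` reset mode and owner on directories that already exist, a pre-existing user-supplied DOCKER_TMPDIR is now chmod'ed to 0700 and chowned to the daemon's identity on every start, which is an operator-visible change worth one more line in that comment, e.g. `// an existing DOCKER_TMPDIR is re-owned by the daemon and set to 0700 on every start`.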
@@ -0,0 +1,347 @@ +From 67de83e70bca92ae6a08e28a03b3fc8fcca9f3f1 Mon Sep 17 00:00:00 2001 +From: Brian Goff +Date: Tue, 6 Oct 2020 19:43:24 +0000 +Subject: [PATCH] Use real root with 0701 perms + +Various dirs in /var/lib/docker contain data that needs to be mounted +into a container. For this reason, these dirs are set to be owned by the +remapped root user, otherwise there can be permissions issues. +However, this uneccessarily exposes these dirs to an unprivileged user +on the host. + +Instead, set the ownership of these dirs to the real root (or rather the +UID/GID of dockerd) with 0701 permissions, which allows the remapped +root to enter the directories but not read/write to them. +The remapped root needs to enter these dirs so the container's rootfs +can be configured... e.g. to mount /etc/resolve.conf. + +This prevents an unprivileged user from having read/write access to +these dirs on the host. +The flip side of this is now any user can enter these directories. + +Signed-off-by: Brian Goff +(cherry picked from commit e908cc39018c015084ffbffbc5703ccba5c2fbb7) + +Cherry-pick conflict with eb14d936bfc296f0a85bf4dc9e9bb1f4b4a01282: +Kept old `container` variable name. 
+Signed-off-by: Tibor Vass +--- + daemon/container_operations_unix.go | 2 +- + daemon/create.go | 6 ++---- + daemon/daemon.go | 2 +- + daemon/daemon_unix.go | 14 ++++++++++---- + daemon/graphdriver/aufs/aufs.go | 9 +++------ + daemon/graphdriver/btrfs/btrfs.go | 10 +++------- + daemon/graphdriver/overlay/overlay.go | 16 +++++++--------- + daemon/graphdriver/overlay2/overlay.go | 12 ++++-------- + daemon/graphdriver/vfs/driver.go | 5 ++--- + daemon/graphdriver/zfs/zfs.go | 6 +----- + volume/local/local.go | 11 +++++++++-- + 11 files changed, 43 insertions(+), 50 deletions(-) + +diff --git a/engine/daemon/container_operations_unix.go b/engine/daemon/container_operations_unix.go +index 3fcdc1913bed..ad8cb4c83aa7 100644 +--- a/engine/daemon/container_operations_unix.go ++++ b/engine/daemon/container_operations_unix.go +@@ -411,5 +411,5 @@ func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error { + if err != nil { + return err + } +- return idtools.MkdirAllAndChown(p, 0700, daemon.idMapping.RootPair()) ++ return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity()) + } +diff --git a/engine/daemon/create.go b/engine/daemon/create.go +index f9db0ca83454..9f8590b860d1 100644 +--- a/engine/daemon/create.go ++++ b/engine/daemon/create.go +@@ -194,12 +194,10 @@ func (daemon *Daemon) create(opts createOpts) (retC *container.Container, retErr + } + container.RWLayer = rwLayer + +- rootIDs := daemon.idMapping.RootPair() +- +- if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil { ++ if err := idtools.MkdirAndChown(container.Root, 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } +- if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, rootIDs); err != nil { ++ if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +diff --git a/engine/daemon/daemon.go b/engine/daemon/daemon.go +index 24205cd1dc3d..e75cee6c8c18 100644 +--- 
a/engine/daemon/daemon.go ++++ b/engine/daemon/daemon.go +@@ -813,7 +813,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S + } + + daemonRepo := filepath.Join(config.Root, "containers") +- if err := idtools.MkdirAllAndChown(daemonRepo, 0700, rootIDs); err != nil { ++ if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +diff --git a/engine/daemon/daemon_unix.go b/engine/daemon/daemon_unix.go +index a14f029c92cc..44dd67a61dab 100644 +--- a/engine/daemon/daemon_unix.go ++++ b/engine/daemon/daemon_unix.go +@@ -1206,7 +1206,7 @@ func setupRemappedRoot(config *config.Config) (*idtools.IdentityMapping, error) + return &idtools.IdentityMapping{}, nil + } + +-func setupDaemonRoot(config *config.Config, rootDir string, rootIdentity idtools.Identity) error { ++func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools.Identity) error { + config.Root = rootDir + // the docker root metadata directory needs to have execute permissions for all users (g+x,o+x) + // so that syscalls executing as non-root, operating on subdirectories of the graph root +@@ -1231,10 +1231,16 @@ func setupDaemonRoot(config *config.Config, rootDir string, rootIdentity idtools + // a new subdirectory with ownership set to the remapped uid/gid (so as to allow + // `chdir()` to work for containers namespaced to that uid/gid) + if config.RemappedRoot != "" { +- config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", rootIdentity.UID, rootIdentity.GID)) ++ id := idtools.CurrentIdentity() ++ // First make sure the current root dir has the correct perms. 
++ if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil { ++ return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root) ++ } ++ ++ config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID)) + logrus.Debugf("Creating user namespaced daemon root: %s", config.Root) + // Create the root directory if it doesn't exist +- if err := idtools.MkdirAllAndChown(config.Root, 0700, rootIdentity); err != nil { ++ if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil { + return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err) + } + // we also need to verify that any pre-existing directories in the path to +@@ -1247,7 +1253,7 @@ func setupDaemonRoot(config *config.Config, rootDir string, rootIdentity idtools + if dirPath == "/" { + break + } +- if !idtools.CanAccess(dirPath, rootIdentity) { ++ if !idtools.CanAccess(dirPath, remappedRoot) { + return fmt.Errorf("a subdirectory in your graphroot path (%s) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories", config.Root) + } + } +diff --git a/engine/daemon/graphdriver/aufs/aufs.go b/engine/daemon/graphdriver/aufs/aufs.go +index bbd19a82b000..086e75b97866 100644 +--- a/engine/daemon/graphdriver/aufs/aufs.go ++++ b/engine/daemon/graphdriver/aufs/aufs.go +@@ -130,18 +130,15 @@ func Init(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap + locker: locker.New(), + } + +- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) +- if err != nil { +- return nil, err +- } ++ currentID := idtools.CurrentIdentity() + // Create the root aufs driver dir +- if err := idtools.MkdirAllAndChown(root, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil { + return nil, err + } + + // Populate the dir structure + for _, p := range paths { +- if err := 
idtools.MkdirAllAndChown(path.Join(root, p), 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil { + return nil, err + } + } +diff --git a/engine/daemon/graphdriver/btrfs/btrfs.go b/engine/daemon/graphdriver/btrfs/btrfs.go +index fcaedc6eab18..b1b287904c5e 100644 +--- a/engine/daemon/graphdriver/btrfs/btrfs.go ++++ b/engine/daemon/graphdriver/btrfs/btrfs.go +@@ -70,11 +70,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap + return nil, graphdriver.ErrPrerequisites + } + +- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) +- if err != nil { +- return nil, err +- } +- if err := idtools.MkdirAllAndChown(home, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +@@ -525,7 +521,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error { + if err != nil { + return err + } +- if err := idtools.MkdirAllAndChown(subvolumes, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil { + return err + } + if parent == "" { +@@ -560,7 +556,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error { + if err := d.setStorageSize(path.Join(subvolumes, id), driver); err != nil { + return err + } +- if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.CurrentIdentity()); err != nil { + return err + } + if err := ioutil.WriteFile(path.Join(quotas, id), []byte(fmt.Sprint(driver.options.size)), 0644); err != nil { +diff --git a/engine/daemon/graphdriver/overlay/overlay.go b/engine/daemon/graphdriver/overlay/overlay.go +index 
e837a595e17c..3edffd252bd4 100644 +--- a/engine/daemon/graphdriver/overlay/overlay.go ++++ b/engine/daemon/graphdriver/overlay/overlay.go +@@ -156,12 +156,8 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap + logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs)) + } + +- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) +- if err != nil { +- return nil, err +- } + // Create the driver home dir +- if err := idtools.MkdirAllAndChown(home, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +@@ -265,10 +261,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr + } + root := idtools.Identity{UID: rootUID, GID: rootGID} + +- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil { ++ currentID := idtools.CurrentIdentity() ++ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil { + return err + } +- if err := idtools.MkdirAndChown(dir, 0700, root); err != nil { ++ if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil { + return err + } + +@@ -281,6 +278,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr + + // Toplevel images are just a "root" dir + if parent == "" { ++ // This must be 0755 otherwise unprivileged users will in the container will not be able to read / in the container + return idtools.MkdirAndChown(path.Join(dir, "root"), 0755, root) + } + +@@ -301,7 +299,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr + if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil { + return err + } +- return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0666) ++ return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0600) + } + + // 
Otherwise, copy the upper and the lower-id from the parent +@@ -311,7 +309,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr + return err + } + +- if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0666); err != nil { ++ if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0600); err != nil { + return err + } + +diff --git a/engine/daemon/graphdriver/overlay2/overlay.go b/engine/daemon/graphdriver/overlay2/overlay.go +index 7b2475ea7e8d..1db8ac4cd8ab 100644 +--- a/engine/daemon/graphdriver/overlay2/overlay.go ++++ b/engine/daemon/graphdriver/overlay2/overlay.go +@@ -165,12 +165,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap + logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs)) + } + +- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) +- if err != nil { +- return nil, err +- } +- // Create the driver home dir +- if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +@@ -339,11 +334,12 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr + return err + } + root := idtools.Identity{UID: rootUID, GID: rootGID} ++ current := idtools.CurrentIdentity() + +- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil { ++ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil { + return err + } +- if err := idtools.MkdirAndChown(dir, 0700, root); err != nil { ++ if err := idtools.MkdirAndChown(dir, 0701, current); err != nil { + return err + } + +diff --git a/engine/daemon/graphdriver/vfs/driver.go b/engine/daemon/graphdriver/vfs/driver.go +index d7f14ecb622d..3134c6631fdd 100644 +--- a/engine/daemon/graphdriver/vfs/driver.go ++++ b/engine/daemon/graphdriver/vfs/driver.go 
+@@ -38,8 +38,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap + home: home, + idMapping: idtools.NewIDMappingsFromMaps(uidMaps, gidMaps), + } +- rootIDs := d.idMapping.RootPair() +- if err := idtools.MkdirAllAndChown(home, 0700, rootIDs); err != nil { ++ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +@@ -141,7 +140,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error { + func (d *Driver) create(id, parent string, size uint64) error { + dir := d.dir(id) + rootIDs := d.idMapping.RootPair() +- if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0700, rootIDs); err != nil { ++ if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil { + return err + } + if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil { +diff --git a/engine/daemon/graphdriver/zfs/zfs.go b/engine/daemon/graphdriver/zfs/zfs.go +index c83446cf8f77..b887b0950203 100644 +--- a/engine/daemon/graphdriver/zfs/zfs.go ++++ b/engine/daemon/graphdriver/zfs/zfs.go +@@ -103,11 +103,7 @@ func Init(base string, opt []string, uidMaps, gidMaps []idtools.IDMap) (graphdri + return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName) + } + +- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) +- if err != nil { +- return nil, fmt.Errorf("Failed to get root uid/guid: %v", err) +- } +- if err := idtools.MkdirAllAndChown(base, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil { ++ if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil { + return nil, fmt.Errorf("Failed to create '%s': %v", base, err) + } + +diff --git a/engine/volume/local/local.go b/engine/volume/local/local.go +index 6dc894873dd8..aeb98aba61ff 100644 +--- a/engine/volume/local/local.go ++++ b/engine/volume/local/local.go +@@ -49,7 +49,7 @@ type 
activeMount struct { + func New(scope string, rootIdentity idtools.Identity) (*Root, error) { + rootDirectory := filepath.Join(scope, volumesPathName) + +- if err := idtools.MkdirAllAndChown(rootDirectory, 0700, rootIdentity); err != nil { ++ if err := idtools.MkdirAllAndChown(rootDirectory, 0701, idtools.CurrentIdentity()); err != nil { + return nil, err + } + +@@ -146,8 +146,15 @@ func (r *Root) Create(name string, opts map[string]string) (volume.Volume, error + } + + path := r.DataPath(name) ++ volRoot := filepath.Dir(path) ++ // Root dir does not need to be accessed by the remapped root ++ if err := idtools.MkdirAllAndChown(volRoot, 0701, idtools.CurrentIdentity()); err != nil { ++ return nil, errors.Wrapf(errdefs.System(err), "error while creating volume root path '%s'", volRoot) ++ } ++ ++ // Remapped root does need access to the data path + if err := idtools.MkdirAllAndChown(path, 0755, r.rootIdentity); err != nil { +- return nil, errors.Wrapf(errdefs.System(err), "error while creating volume path '%s'", path) ++ return nil, errors.Wrapf(errdefs.System(err), "error while creating volume data path '%s'", path) + } + + var err error diff --git a/patches/cve-2021-21285.patch b/patches/cve-2021-21285.patch new file mode 100644 index 00000000..ccc83562 --- /dev/null +++ b/patches/cve-2021-21285.patch 
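Review bot: The tightening of `lower-id` from 0666 to 0600 in overlay.go only affects files created after the upgrade: ioutil.WriteFile keeps the existing mode when it truncates a file that already exists, so lower-id files written by an earlier version stay world-readable. The same question applies to every directory moved from 0700/remapped root to 0701/CurrentIdentity() in this patch — whether MkdirAllAndChown re-applies mode and owner to a pre-existing directory is decided inside idtools, which is not in the hunk, so the upgrade path for an existing userns-remap installation should be confirmed and, if needed, handled in the package's postinst or stated in NEWS. A short comment at the `ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0600)` call, e.g. `// 0600: lower-id is daemon-internal; files created by older versions keep their old mode`, would record the first limitation. The CheckpointDir and btrfs quotas calls that stay at 0700 also deserve a one-line comment, since every neighbouring call moved to 0701 and the asymmetry reads as an oversight rather than the deliberate "does not need to be entered by the remapped root" it presumably is.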
@@ -0,0 +1,53 @@ +From 420b1d36250f9cfdc561f086f25a213ecb669b6f Mon Sep 17 00:00:00 2001 +From: Brian Goff +Date: Mon, 12 Oct 2020 18:08:28 +0000 +Subject: [PATCH] pull: Validate layer digest format + +Otherwise a malformed or empty digest may cause a panic. + +Signed-off-by: Brian Goff +(cherry picked from commit a7d4af84bd2f189b921c3ec60796aa825e3a0f2a) +Signed-off-by: Tibor Vass +--- + builder/builder-next/adapters/containerimage/pull.go | 3 +++ + distribution/pull_v2.go | 6 ++++++ + 2 files changed, 9 insertions(+) + +diff --git a/engine/builder/builder-next/adapters/containerimage/pull.go b/engine/builder/builder-next/adapters/containerimage/pull.go +index 729ef52ae865..9d6e07e27d8a 100644 +--- a/engine/builder/builder-next/adapters/containerimage/pull.go ++++ b/engine/builder/builder-next/adapters/containerimage/pull.go +@@ -526,6 +526,9 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) { + layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers)) + + for i, desc := range mfst.Layers { ++ if err := desc.Digest.Validate(); err != nil { ++ return nil, errors.Wrap(err, "layer digest could not be validated") ++ } + ongoing.add(desc) + layers = append(layers, &layerDescriptor{ + desc: desc, +diff --git a/engine/distribution/pull_v2.go b/engine/distribution/pull_v2.go +index 3307458fdff6..cb47264b9a6c 100644 +--- a/engine/distribution/pull_v2.go ++++ b/engine/distribution/pull_v2.go +@@ -477,6 +477,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv + // to top-most, so that the downloads slice gets ordered correctly. 
+ for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- { + blobSum := verifiedManifest.FSLayers[i].BlobSum ++ if err = blobSum.Validate(); err != nil { ++ return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum) ++ } + + var throwAway struct { + ThrowAway bool `json:"throwaway,omitempty"` +@@ -575,6 +578,9 @@ func (p *v2Puller) pullSchema2Layers(ctx context.Context, target distribution.De + // Note that the order of this loop is in the direction of bottom-most + // to top-most, so that the downloads slice gets ordered correctly. + for _, d := range mfst.Layers { ++ if err := d.Digest.Validate(); err != nil { ++ return "", "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest) ++ } + layerDescriptor := &v2LayerDescriptor{ + digest: d.Digest, + repo: p.repo, diff --git a/patches/debian-cgroupfs-mount-convenience-copy.patch b/patches/debian-cgroupfs-mount-convenience-copy.patch new file mode 100644 index 00000000..b22da9d2 --- /dev/null +++ b/patches/debian-cgroupfs-mount-convenience-copy.patch 
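Review bot: The schema1 check in pull_v2.go assigns with `err = blobSum.Validate()` while the schema2 and builder checks use `err :=`, so the schema1 branch writes into an `err` declared outside the hunk (its declaration is not visible here) rather than a statement-scoped one; unless that outer value is meant to be read later, `if err := blobSum.Validate(); err != nil {` keeps the three sites uniform and avoids leaving a stale error in the enclosing scope. The three hunks validate only layer digests; whether the manifest's config descriptor digest is validated before it is used lies outside the hunks and is worth confirming, since it comes from the same untrusted manifest. A comment such as `// Reject malformed or empty digests before they reach the download path (CVE-2021-21285).` at each check would tie the guard to its reason for future readers.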
@@ -0,0 +1,81 @@ +Author: Tianon Gravi +Description: remove convenience copies of cgroupfs-mount in init.d / upstart +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/783143 + +--- a/engine/contrib/init/sysvinit-debian/docker ++++ b/engine/contrib/init/sysvinit-debian/docker +@@ -58,39 +58,14 @@ + exit 1 + fi + } + +-cgroupfs_mount() { +- # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount +- if grep -v '^#' /etc/fstab | grep -q cgroup \ +- || [ ! -e /proc/cgroups ] \ +- || [ ! -d /sys/fs/cgroup ]; then +- return +- fi +- if ! mountpoint -q /sys/fs/cgroup; then +- mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup +- fi +- ( +- cd /sys/fs/cgroup +- for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do +- mkdir -p $sys +- if ! mountpoint -q $sys; then +- if ! mount -n -t cgroup -o $sys cgroup $sys; then +- rmdir $sys || true +- fi +- fi +- done +- ) +-} +- + case "$1" in + start) + check_init + + fail_unless_root + +- cgroupfs_mount +- + touch "$DOCKER_LOGFILE" + chgrp docker "$DOCKER_LOGFILE" + + ulimit -n 1048576 +--- a/engine/contrib/init/upstart/docker.conf ++++ b/engine/contrib/init/upstart/docker.conf +@@ -12,31 +12,8 @@ + respawn + + kill timeout 20 + +-pre-start script +- # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount +- if grep -v '^#' /etc/fstab | grep -q cgroup \ +- || [ ! -e /proc/cgroups ] \ +- || [ ! -d /sys/fs/cgroup ]; then +- exit 0 +- fi +- if ! mountpoint -q /sys/fs/cgroup; then +- mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup +- fi +- ( +- cd /sys/fs/cgroup +- for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do +- mkdir -p $sys +- if ! mountpoint -q $sys; then +- if ! mount -n -t cgroup -o $sys cgroup $sys; then +- rmdir $sys || true +- fi +- fi +- done +- ) +-end script +- + script + # modify these in /etc/default/$UPSTART_JOB (/etc/default/docker) + DOCKERD=/usr/sbin/dockerd + DOCKER_OPTS= 
diff --git a/patches/debian-containerd-name.patch b/patches/debian-containerd-name.patch
new file mode 100644
index 00000000..128f216c
--- /dev/null
+++ b/patches/debian-containerd-name.patch
@@ -0,0 +1,98 @@ +Last-Update: 2019-01-27 +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920597 +Author: Dmitry Smirnov +Description: "fix" containerd executable name. + +--- a/engine/hack/make/.binary-setup ++++ b/engine/hack/make/.binary-setup +@@ -1,9 +1,9 @@ + #!/usr/bin/env bash + + DOCKER_DAEMON_BINARY_NAME='dockerd' + DOCKER_RUNC_BINARY_NAME='runc' +-DOCKER_CONTAINERD_BINARY_NAME='containerd' ++DOCKER_CONTAINERD_BINARY_NAME='docker-containerd' + DOCKER_CONTAINERD_CTR_BINARY_NAME='ctr' +-DOCKER_CONTAINERD_SHIM_BINARY_NAME='containerd-shim' ++DOCKER_CONTAINERD_SHIM_BINARY_NAME='docker-containerd-shim' + DOCKER_PROXY_BINARY_NAME='docker-proxy' + DOCKER_INIT_BINARY_NAME='docker-init' +--- a/engine/daemon/daemon.go ++++ b/engine/daemon/daemon.go +@@ -978,9 +978,9 @@ + }) + + go d.execCommandGC() + +- d.containerd, err = libcontainerd.NewClient(ctx, d.containerdCli, filepath.Join(config.ExecRoot, "containerd"), ContainersNamespace, d) ++ d.containerd, err = libcontainerd.NewClient(ctx, d.containerdCli, filepath.Join(config.ExecRoot, "docker-containerd"), ContainersNamespace, d) + if err != nil { + return nil, err + } + +--- a/engine/daemon/daemon_unix.go ++++ b/engine/daemon/daemon_unix.go +@@ -53,9 +53,9 @@ + + const ( + // DefaultShimBinary is the default shim to be used by containerd if none + // is specified +- DefaultShimBinary = "containerd-shim" ++ DefaultShimBinary = "docker-containerd-shim" + + // DefaultRuntimeBinary is the default runtime to be used by + // containerd if none is specified + DefaultRuntimeBinary = "runc" +--- a/engine/libcontainerd/supervisor/remote_daemon.go ++++ b/engine/libcontainerd/supervisor/remote_daemon.go +@@ -26,9 +26,9 @@ + healthCheckTimeout = 3 * time.Second + shutdownTimeout = 15 * time.Second + startupTimeout = 15 * time.Second + configFile = "containerd.toml" +- binaryName = "containerd" ++ binaryName = "docker-containerd" + pidFile = "containerd.pid" + ) + + type pluginConfigs 
struct { +--- a/containerd/cmd/containerd-shim/main_unix.go ++++ b/containerd/cmd/containerd-shim/main_unix.go +@@ -69,9 +69,9 @@ + flag.StringVar(&criuFlag, "criu", "", "path to criu binary") + flag.BoolVar(&systemdCgroupFlag, "systemd-cgroup", false, "set runtime to use systemd-cgroup") + // currently, the `containerd publish` utility is embedded in the daemon binary. + // The daemon invokes `containerd-shim -containerd-binary ...` with its own os.Executable() path. +- flag.StringVar(&containerdBinaryFlag, "containerd-binary", "containerd", "path to containerd binary (used for `containerd publish`)") ++ flag.StringVar(&containerdBinaryFlag, "containerd-binary", "docker-containerd", "path to containerd binary (used for `containerd publish`)") + flag.Parse() + } + + func main() { +--- a/containerd/runtime/v1/linux/runtime.go ++++ b/containerd/runtime/v1/linux/runtime.go +@@ -59,9 +59,9 @@ + + const ( + configFilename = "config.json" + defaultRuntime = "runc" +- defaultShim = "containerd-shim" ++ defaultShim = "docker-containerd-shim" + ) + + func init() { + plugin.Register(&plugin.Registration{ +--- a/containerd/runtime/v2/shim/util.go ++++ b/containerd/runtime/v2/shim/util.go +@@ -29,9 +29,9 @@ + "github.com/containerd/containerd/namespaces" + "github.com/pkg/errors" + ) + +-const shimBinaryFormat = "containerd-shim-%s-%s" ++const shimBinaryFormat = "docker-containerd-shim-%s-%s" + + // Command returns the shim command with the provided args and configuration + func Command(ctx context.Context, runtime, containerdAddress, path string, cmdArgs ...string) (*exec.Cmd, error) { + ns, err := namespaces.NamespaceRequired(ctx) diff --git a/patches/debian-dockerd-binary-location.patch b/patches/debian-dockerd-binary-location.patch new file mode 100644 index 00000000..6b5f88df --- /dev/null +++ b/patches/debian-dockerd-binary-location.patch 
@@ -0,0 +1,42 @@ +Forwarded: not-needed +Description: FHS compliance. + +--- a/engine/contrib/init/systemd/docker.service ++++ b/engine/contrib/init/systemd/docker.service +@@ -10,9 +10,9 @@ + # the default is not to use systemd for cgroups because the delegate issues still + # exists and systemd currently does not support the cgroup feature set required + # for containers run by docker + EnvironmentFile=-/etc/default/docker +-ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS ++ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS + ExecReload=/bin/kill -s HUP $MAINPID + LimitNOFILE=1048576 + # Having non-zero Limit*s causes performance problems due to accounting overhead + # in the kernel. We recommend using cgroups to do container-local accounting. +--- a/engine/contrib/init/sysvinit-debian/docker ++++ b/engine/contrib/init/sysvinit-debian/docker +@@ -21,9 +21,9 @@ + + BASE=docker + + # modify these in /etc/default/$BASE (/etc/default/docker) +-DOCKERD=/usr/bin/dockerd ++DOCKERD=/usr/sbin/dockerd + # This is the pid file managed by docker itself + DOCKER_PIDFILE=/var/run/$BASE.pid + # This is the pid file created/managed by start-stop-daemon + DOCKER_SSD_PIDFILE=/var/run/$BASE-ssd.pid +--- a/engine/contrib/init/upstart/docker.conf ++++ b/engine/contrib/init/upstart/docker.conf +@@ -37,9 +37,9 @@ + end script + + script + # modify these in /etc/default/$UPSTART_JOB (/etc/default/docker) +- DOCKERD=/usr/bin/dockerd ++ DOCKERD=/usr/sbin/dockerd + DOCKER_OPTS= + if [ -f /etc/default/$UPSTART_JOB ]; then + . /etc/default/$UPSTART_JOB + fi diff --git a/patches/debian-nuke-no-prompt.patch b/patches/debian-nuke-no-prompt.patch new file mode 100644 index 00000000..28720ec5 --- /dev/null +++ b/patches/debian-nuke-no-prompt.patch 
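Review bot: The docker.service hunk of this patch carries `EnvironmentFile=-/etc/default/docker` and `ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS` as context, lines that upstream's unit does not contain and that debian-systemd-unit-environment-file.patch introduces, so this patch applies only after that one. The ordering is fixed by the series file, which is not in this chunk; a remark in the header, e.g. `Description: FHS compliance. Must apply after debian-systemd-unit-environment-file.patch.`, would make the dependency visible to whoever next reorders or drops a patch.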
@@ -0,0 +1,21 @@ +Last-Update: 2018-06-09 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853258 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: remove prompt and delay + +--- a/engine/contrib/nuke-graph-directory.sh ++++ b/engine/contrib/nuke-graph-directory.sh +@@ -27,12 +27,8 @@ + dir="$(readlink -f "$dir")" + + echo + echo "Nuking $dir ..." +-echo ' (if this is wrong, press Ctrl+C NOW!)' +-echo +- +-( set -x; sleep 10 ) + echo + + dir_in_dir() { + inner="$1" diff --git a/patches/debian-systemd-unit-environment-file.patch b/patches/debian-systemd-unit-environment-file.patch new file mode 100644 index 00000000..aab70f67 --- /dev/null +++ b/patches/debian-systemd-unit-environment-file.patch @@ -0,0 +1,20 @@ +Author: Paul R. Tagliamonte +Last-Update: 2014-05-07 +Description: Use EnvironmentFile with the systemd unit file. +Bug-Debian: http://bugs.debian.org/746774 +Forwarded: no + +--- a/engine/contrib/init/systemd/docker.service ++++ b/engine/contrib/init/systemd/docker.service +@@ -9,9 +9,10 @@ + Type=notify + # the default is not to use systemd for cgroups because the delegate issues still + # exists and systemd currently does not support the cgroup feature set required + # for containers run by docker +-ExecStart=/usr/bin/dockerd -H fd:// ++EnvironmentFile=-/etc/default/docker ++ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS + ExecReload=/bin/kill -s HUP $MAINPID + LimitNOFILE=1048576 + # Having non-zero Limit*s causes performance problems due to accounting overhead + # in the kernel. We recommend using cgroups to do container-local accounting. diff --git a/patches/debian-systemd-unit-tasksmax.patch b/patches/debian-systemd-unit-tasksmax.patch new file mode 100644 index 00000000..26a52d84 --- /dev/null +++ b/patches/debian-systemd-unit-tasksmax.patch 
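Review bot: Dropping the `(if this is wrong, press Ctrl+C NOW!)` prompt and the `( set -x; sleep 10 )` delay removes the only guard before nuke-graph-directory.sh deletes the directory it was given; the script still announces `Nuking $dir ...`, but an operator no longer has time to abort a mistyped path. A less blunt form keeps the delay unless explicitly disabled, for example with an opt-out variable (name constructed here): `[ -n "$NUKE_NO_PROMPT" ] || ( set -x; sleep 10 )`, documented in the script's header comment. If unconditional removal is wanted for unattended use, the Description line should say so, since the referenced bug is the only rationale and it is not restated in the patch.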
@@ -0,0 +1,21 @@ +From 33a8ab29ed9e51697772a0642b8d651b9a845532 Mon Sep 17 00:00:00 2001 +From: Pierre Carrier , Tianon Gravi +Date: Thu, 24 Mar 2016 16:14:30 -0700 +Subject: [PATCH] docker.service: don't limit tasks +Origin: https://github.com/docker/docker/pull/21491 + +Signed-off-by: Pierre Carrier + +--- a/engine/contrib/init/systemd/docker.service ++++ b/engine/contrib/init/systemd/docker.service +@@ -18,9 +18,9 @@ + LimitNPROC=infinity + LimitCORE=infinity + # Uncomment TasksMax if your systemd version supports it. + # Only systemd 226 and above support this version. +-#TasksMax=infinity ++TasksMax=infinity + TimeoutStartSec=0 + # set delegate yes so that systemd does not reset the cgroups of docker containers + Delegate=yes + # kill only the docker process, not all processes in the cgroup diff --git a/patches/engine-contrib-debootstrap-curl-follow-location.patch b/patches/engine-contrib-debootstrap-curl-follow-location.patch new file mode 100644 index 00000000..2c062ba0 --- /dev/null +++ b/patches/engine-contrib-debootstrap-curl-follow-location.patch 
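Review bot: After uncommenting `TasksMax=infinity` the two comment lines above it, `# Uncomment TasksMax if your systemd version supports it.` and `# Only systemd 226 and above support this version.`, describe a state that no longer exists and should be rewritten, e.g. `# TasksMax needs systemd 226+; older versions ignore the key with a warning.`. Lifting the task limit on the daemon's cgroup also means the unit no longer bounds how many processes dockerd and its containers can create, so containment of a fork-heavy container rests entirely on per-container pids limits; that is the trade-off the upstream PR named in the header chose, but a one-line comment recording it in the unit would help whoever tunes this later.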
@@ -0,0 +1,25 @@ +From: Mattias Jernberg +Date: Wed, 5 Dec 2018 19:35:17 +0100 +Subject: mkimage: Fix Debian security presence check + +Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable. + +Signed-off-by: Mattias Jernberg +Origin: upstream, https://github.com/docker/engine/commit/8db5403 +--- + contrib/mkimage/debootstrap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/engine/contrib/mkimage/debootstrap b/engine/contrib/mkimage/debootstrap +index 9f7d8987ad2a..a919429b0bde 100755 +--- a/engine/contrib/mkimage/debootstrap ++++ b/engine/contrib/mkimage/debootstrap +@@ -193,7 +193,7 @@ if [ -z "$DONT_TOUCH_SOURCES_LIST" ]; then + case "$lsbDist" in + debian) + # updates and security! +- if curl -o /dev/null -s --head --fail "http://security.debian.org/dists/$suite/updates/main/binary-$(rootfs_chroot dpkg --print-architecture)/Packages.gz"; then ++ if curl -o /dev/null -s --head --location --fail "http://security.debian.org/dists/$suite/updates/main/binary-$(rootfs_chroot dpkg --print-architecture)/Packages.gz"; then + ( + set -x + sed -i " diff --git a/patches/engine-test-noinstall.patch b/patches/engine-test-noinstall.patch new file mode 100644 index 00000000..6e16fe26 --- /dev/null +++ b/patches/engine-test-noinstall.patch 
@@ -0,0 +1,23 @@ +Last-Update: 2018-06-18 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: prevents test-time installation that causes FTBFS. +~~~~ + go test net: open /usr/lib/go-1.10/pkg/linux_amd64/net.a: permission denied +~~~~ + +--- a/engine/hack/test/unit ++++ b/engine/hack/test/unit +@@ -18,12 +18,8 @@ + + exclude_paths="/vendor/|/integration" + pkg_list=$(go list $TESTDIRS | grep -vE "($exclude_paths)") + +-# install test dependencies once before running tests for each package. This +-# significantly reduces the runtime. +-go test -i "${BUILDFLAGS[@]}" $pkg_list +- + for pkg in $pkg_list; do + go test "${BUILDFLAGS[@]}" \ + -cover \ + -coverprofile=profile.out \ diff --git a/patches/go-metrics_prometheus-fix_Observer.patch b/patches/go-metrics_prometheus-fix_Observer.patch new file mode 100644 index 00000000..77d7ffb6 --- /dev/null +++ b/patches/go-metrics_prometheus-fix_Observer.patch 
@@ -0,0 +1,38 @@ +Origin: upstream, https://github.com/docker/go-metrics/commit/db152003892af64a8a892e1ee49edf8b6580a657.patch +Forarded: not-needed +Description: fixes FTBFS + vendor/github.com/docker/go-metrics/timer.go:39:17: + cannot use lt.m.WithLabelValues(labels...) (type prometheus.Observer) as type prometheus.Histogram in field value: + prometheus.Observer does not implement prometheus.Histogram (missing Collect method) + +--- a/go-metrics/timer.go ++++ b/go-metrics/timer.go +@@ -47,9 +47,9 @@ + lt.m.Collect(c) + } + + type timer struct { +- m prometheus.Histogram ++ m prometheus.Observer + } + + func (t *timer) Update(duration time.Duration) { + t.m.Observe(duration.Seconds()) +@@ -59,10 +59,15 @@ + t.m.Observe(time.Since(since).Seconds()) + } + + func (t *timer) Describe(c chan<- *prometheus.Desc) { +- t.m.Describe(c) ++ c <- t.m.(prometheus.Metric).Desc() + } + + func (t *timer) Collect(c chan<- prometheus.Metric) { +- t.m.Collect(c) ++ // Are there any observers that don't implement Collector? It is really ++ // unclear what the point of the upstream change was, but we'll let this ++ // panic if we get an observer that doesn't implement collector. In this ++ // case, we should almost always see metricVec objects, so this should ++ // never panic. ++ t.m.(prometheus.Collector).Collect(c) + } diff --git a/patches/libnetwork-revert-iptables-legacy.patch b/patches/libnetwork-revert-iptables-legacy.patch new file mode 100644 index 00000000..a72a3164 --- /dev/null +++ b/patches/libnetwork-revert-iptables-legacy.patch 
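Review bot: Both new type assertions in timer.go, `c <- t.m.(prometheus.Metric).Desc()` and `t.m.(prometheus.Collector).Collect(c)`, use the single-value form and so panic the whole daemon if an Observer that implements neither interface is ever registered; the comment acknowledges this for Collect, while Describe gets no comment at all. The checked form costs one line each, `if m, ok := t.m.(prometheus.Metric); ok { c <- m.Desc() }` and `if col, ok := t.m.(prometheus.Collector); ok { col.Collect(c) }`, and arguably turns a crash in the metrics path into a timer that simply reports nothing, which is the more defensible failure for a telemetry helper. Separately, the header's `Forarded:` is a typo for `Forwarded:` and may keep patch-tracking tooling from recognising the field.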
@@ -0,0 +1,39 @@ +From: Arko Dasgupta +Date: Fri, 1 Mar 2019 11:43:02 -0800 +Subject: [PATCH] Revert "debian has iptables-legacy and iptables-nft now" + +This reverts commit 7da66eea9f68e4abc83ed2892114ec565eddd66a. + +Libnetwork should only use the iptables binary. Iptables v1.8 and above +uses the nftables backend. The translations for all the rules used by +libnetwork is supported by the new iptables binary. + +Signed-off-by: Arko Dasgupta +Origin: upstream, https://github.com/docker/libnetwork/pull/2343 +--- + libnetwork/iptables/iptables.go | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/libnetwork/iptables/iptables.go b/libnetwork/iptables/iptables.go +index 6a108e93d0..4b8d8832e9 100644 +--- a/libnetwork/iptables/iptables.go ++++ b/libnetwork/iptables/iptables.go +@@ -87,16 +87,11 @@ func initFirewalld() { + } + + func detectIptables() { +- path, err := exec.LookPath("iptables-legacy") // debian has iptables-legacy and iptables-nft now ++ path, err := exec.LookPath("iptables") + if err != nil { +- path, err = exec.LookPath("iptables") +- if err != nil { +- return +- } ++ return + } +- + iptablesPath = path +- + supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil + mj, mn, mc, err := GetVersion() + if err != nil { diff --git a/patches/libnetwork_proto.patch b/patches/libnetwork_proto.patch new file mode 100644 index 00000000..78810766 --- /dev/null +++ b/patches/libnetwork_proto.patch 
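Review bot: After the revert, `detectIptables` takes whatever `iptables` resolves to on PATH — on buster an alternatives symlink that defaults to the nft backend — but nothing in the hunk records which binary was chosen, and rules Docker inserts through one backend are invisible to `iptables -L` of the other and have no defined ordering against rules an admin manages there (the FORWARD/DNAT rules for published ports are the ones that matter). I would log the selection right after `iptablesPath = path`, e.g. `logrus.Debugf("iptables: using %s", iptablesPath)`, assuming logrus is already imported in this file as it is elsewhere in libnetwork, so an operator auditing the host firewall knows which backend to inspect. The rest of `detectIptables`, including the `GetVersion()` error handling, continues outside the hunk.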
@@ -0,0 +1,38 @@ +Last-Update: 2018-06-15 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: fix generation of .pb.go files. + +--- a/libnetwork/drivers/overlay/overlay.go ++++ b/libnetwork/drivers/overlay/overlay.go +@@ -1,7 +1,7 @@ + package overlay + +-//go:generate protoc -I.:../../Godeps/_workspace/src/github.com/gogo/protobuf --gogo_out=import_path=github.com/docker/libnetwork/drivers/overlay,Mgogoproto/gogo.proto=github.com/gogo/protobuf/gogoproto:. overlay.proto ++//go:generate protoc -I.:../../../../../github.com/gogo/protobuf --gogo_out=import_path=github.com/docker/libnetwork/drivers/overlay,Mgogoproto/gogo.proto=github.com/gogo/protobuf/gogoproto:. overlay.proto + + import ( + "context" + "fmt" +--- a/libnetwork/agent.go ++++ b/libnetwork/agent.go +@@ -1,7 +1,7 @@ + package libnetwork + +-//go:generate protoc -I.:Godeps/_workspace/src/github.com/gogo/protobuf --gogo_out=import_path=github.com/docker/libnetwork,Mgogoproto/gogo.proto=github.com/gogo/protobuf/gogoproto:. agent.proto ++//go:generate protoc -I.:../../../github.com/gogo/protobuf --gogo_out=import_path=github.com/docker/libnetwork,Mgogoproto/gogo.proto=github.com/gogo/protobuf/gogoproto:. agent.proto + + import ( + "encoding/json" + "fmt" +--- a/libnetwork/networkdb/networkdb.go ++++ b/libnetwork/networkdb/networkdb.go +@@ -1,7 +1,7 @@ + package networkdb + +-//go:generate protoc -I.:../vendor/github.com/gogo/protobuf --gogo_out=import_path=github.com/docker/libnetwork/networkdb,Mgogoproto/gogo.proto=github.com/gogo/protobuf/gogoproto:. networkdb.proto ++//go:generate protoc -I.:../../../../github.com/gogo/protobuf --gogo_out=import_path=github.com/docker/libnetwork/networkdb,Mgogoproto/gogo.proto=github.com/gogo/protobuf/gogoproto:. networkdb.proto + + import ( + "context" + "fmt" diff --git a/patches/mips-add-specific-signal-file.patch b/patches/mips-add-specific-signal-file.patch new file mode 100644 index 00000000..09d36272 --- /dev/null 
+++ b/patches/mips-add-specific-signal-file.patch 
@@ -0,0 +1,111 @@ +From: poizan42 +Date: Wed, 18 Jul 2018 14:31:16 +0200 +Subject: [PATCH] SIGSKTFLT does not exist on MIPS, instead SIGEMT does. + +SIGRTMAX is also 127 on MIPS. + +This patch is merged upstream on master, please drop it when necessary. + +Signed-off-by: Kasper Fabæch Brandt +Origin: upstream, https://github.com/moby/moby/pull/37491 +--- + pkg/signal/signal_linux.go | 2 + + pkg/signal/signal_linux_mipsx.go | 84 ++++++++++++++++++++++++++++++++ + 2 files changed, 86 insertions(+) + create mode 100644 pkg/signal/signal_linux_mipsx.go + +--- a/engine/pkg/signal/signal_linux.go ++++ b/engine/pkg/signal/signal_linux.go +@@ -1,3 +1,5 @@ ++// +build !mips,!mipsle,!mips64,!mips64le ++ + package signal // import "github.com/docker/docker/pkg/signal" + + import ( +--- /dev/null ++++ b/engine/pkg/signal/signal_linux_mipsx.go +@@ -0,0 +1,84 @@ ++// +build linux ++// +build mips mipsle mips64 mips64le ++ ++package signal // import "github.com/docker/docker/pkg/signal" ++ ++import ( ++ "syscall" ++ ++ "golang.org/x/sys/unix" ++) ++ ++const ( ++ sigrtmin = 34 ++ sigrtmax = 127 ++) ++ ++// SignalMap is a map of Linux signals. 
++var SignalMap = map[string]syscall.Signal{ ++ "ABRT": unix.SIGABRT, ++ "ALRM": unix.SIGALRM, ++ "BUS": unix.SIGBUS, ++ "CHLD": unix.SIGCHLD, ++ "CLD": unix.SIGCLD, ++ "CONT": unix.SIGCONT, ++ "FPE": unix.SIGFPE, ++ "HUP": unix.SIGHUP, ++ "ILL": unix.SIGILL, ++ "INT": unix.SIGINT, ++ "IO": unix.SIGIO, ++ "IOT": unix.SIGIOT, ++ "KILL": unix.SIGKILL, ++ "PIPE": unix.SIGPIPE, ++ "POLL": unix.SIGPOLL, ++ "PROF": unix.SIGPROF, ++ "PWR": unix.SIGPWR, ++ "QUIT": unix.SIGQUIT, ++ "SEGV": unix.SIGSEGV, ++ "SIGEMT": unix.SIGEMT, ++ "STOP": unix.SIGSTOP, ++ "SYS": unix.SIGSYS, ++ "TERM": unix.SIGTERM, ++ "TRAP": unix.SIGTRAP, ++ "TSTP": unix.SIGTSTP, ++ "TTIN": unix.SIGTTIN, ++ "TTOU": unix.SIGTTOU, ++ "URG": unix.SIGURG, ++ "USR1": unix.SIGUSR1, ++ "USR2": unix.SIGUSR2, ++ "VTALRM": unix.SIGVTALRM, ++ "WINCH": unix.SIGWINCH, ++ "XCPU": unix.SIGXCPU, ++ "XFSZ": unix.SIGXFSZ, ++ "RTMIN": sigrtmin, ++ "RTMIN+1": sigrtmin + 1, ++ "RTMIN+2": sigrtmin + 2, ++ "RTMIN+3": sigrtmin + 3, ++ "RTMIN+4": sigrtmin + 4, ++ "RTMIN+5": sigrtmin + 5, ++ "RTMIN+6": sigrtmin + 6, ++ "RTMIN+7": sigrtmin + 7, ++ "RTMIN+8": sigrtmin + 8, ++ "RTMIN+9": sigrtmin + 9, ++ "RTMIN+10": sigrtmin + 10, ++ "RTMIN+11": sigrtmin + 11, ++ "RTMIN+12": sigrtmin + 12, ++ "RTMIN+13": sigrtmin + 13, ++ "RTMIN+14": sigrtmin + 14, ++ "RTMIN+15": sigrtmin + 15, ++ "RTMAX-14": sigrtmax - 14, ++ "RTMAX-13": sigrtmax - 13, ++ "RTMAX-12": sigrtmax - 12, ++ "RTMAX-11": sigrtmax - 11, ++ "RTMAX-10": sigrtmax - 10, ++ "RTMAX-9": sigrtmax - 9, ++ "RTMAX-8": sigrtmax - 8, ++ "RTMAX-7": sigrtmax - 7, ++ "RTMAX-6": sigrtmax - 6, ++ "RTMAX-5": sigrtmax - 5, ++ "RTMAX-4": sigrtmax - 4, ++ "RTMAX-3": sigrtmax - 3, ++ "RTMAX-2": sigrtmax - 2, ++ "RTMAX-1": sigrtmax - 1, ++ "RTMAX": sigrtmax, ++} diff --git a/patches/mips-fix-devnumber.patch b/patches/mips-fix-devnumber.patch new file mode 100644 index 00000000..8294880c --- /dev/null +++ b/patches/mips-fix-devnumber.patch 
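Review bot: The key `"SIGEMT"` in the new MIPS `SignalMap` is the only entry carrying the `SIG` prefix; every other key (`"SEGV"`, `"SYS"`, `"RTMIN"`, …) is the bare name, and if `ParseSignal` strips a leading `SIG` before the lookup, as that convention implies, `docker kill -s EMT` (or `SIGEMT`) can never match this entry on MIPS. The line should read `"EMT": unix.SIGEMT,` to match the rest of the table. The patch subject also refers to `SIGSKTFLT`; the signal absent on MIPS is `SIGSTKFLT`.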
@@ -0,0 +1,22 @@ +Last-Update: 2018-03-18 +Forwarded: not-needed +Author: Dmitry Smirnov +Bug-Upstream: https://github.com/moby/moby/issues/28058 +Description: fix FTBFS on mips +~~~~ +github.com/docker/docker/pkg/system/stat_linux.go:13:7: cannot use s.Rdev (type uint32) as type uint64 in field value +~~~~ + +--- a/engine/pkg/system/stat_linux.go ++++ b/engine/pkg/system/stat_linux.go +@@ -7,9 +7,9 @@ + return &StatT{size: s.Size, + mode: s.Mode, + uid: s.Uid, + gid: s.Gid, +- rdev: s.Rdev, ++ rdev: uint64(s.Rdev), + mtim: s.Mtim}, nil + } + + // FromStatT converts a syscall.Stat_t type to a system.Stat_t type diff --git a/patches/netlink_syscall.patch b/patches/netlink_syscall.patch new file mode 100644 index 00000000..50545ad1 --- /dev/null +++ b/patches/netlink_syscall.patch 
@@ -0,0 +1,58 @@ +Last-Update: 2018-06-12 +Forwarded: not-needed +Bug-Upstream: https://github.com/docker/libnetwork/issues/2110 +Author: Dmitry Smirnov +Description: fixes FTBFS + cannot use &tv (type *syscall.Timeval) as type *unix.Timeval + +--- a/libnetwork/drivers/overlay/ov_network.go ++++ b/libnetwork/drivers/overlay/ov_network.go +@@ -26,8 +26,9 @@ + "github.com/sirupsen/logrus" + "github.com/vishvananda/netlink" + "github.com/vishvananda/netlink/nl" + "github.com/vishvananda/netns" ++ "golang.org/x/sys/unix" + ) + + var ( + hostMode bool +@@ -759,9 +760,9 @@ + if err != nil { + return + } + // set the receive timeout to not remain stuck on the RecvFrom if the fd gets closed +- tv := syscall.NsecToTimeval(soTimeout.Nanoseconds()) ++ tv := unix.NsecToTimeval(soTimeout.Nanoseconds()) + err = nlSock.SetReceiveTimeout(&tv) + }) + n.nlSocket = nlSock + +--- a/libnetwork/ipvs/ipvs.go ++++ b/libnetwork/ipvs/ipvs.go +@@ -10,8 +10,9 @@ + "fmt" + + "github.com/vishvananda/netlink/nl" + "github.com/vishvananda/netns" ++ "golang.org/x/sys/unix" + ) + + const ( + netlinkRecvSocketsTimeout = 3 * time.Second +@@ -89,13 +90,13 @@ + if err != nil { + return nil, err + } + // Add operation timeout to avoid deadlocks +- tv := syscall.NsecToTimeval(netlinkSendSocketTimeout.Nanoseconds()) ++ tv := unix.NsecToTimeval(netlinkSendSocketTimeout.Nanoseconds()) + if err := sock.SetSendTimeout(&tv); err != nil { + return nil, err + } +- tv = syscall.NsecToTimeval(netlinkRecvSocketsTimeout.Nanoseconds()) ++ tv = unix.NsecToTimeval(netlinkRecvSocketsTimeout.Nanoseconds()) + if err := sock.SetReceiveTimeout(&tv); err != nil { + return nil, err + } + diff --git a/patches/series b/patches/series new file mode 100644 index 00000000..11bbeacc --- /dev/null +++ b/patches/series 
@@ -0,0 +1,54 @@
+debian-systemd-unit-tasksmax.patch
+# If upstream ever adds EnvFile, remove this patch.
+# (see also https://github.com/docker/docker/pull/7220#issuecomment-50076589)
+debian-systemd-unit-environment-file.patch
+debian-containerd-name.patch
+debian-dockerd-binary-location.patch
+debian-cgroupfs-mount-convenience-copy.patch
+debian-nuke-no-prompt.patch
+
+buildkit-build-against-google-grpc-1.11.patch
+
+cli-fix-manpages-build-script.patch
+cli-fix-registry-debug-message-go-1.11.patch
+
+cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch
+cve-2018-15664-02-add-chroot-for-tar-packing-operations.patch
+cve-2019-13139-01-gitutils-add-validation-for-ref.patch
+cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch
+cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch
+cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch
+cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch
+cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch
+cve-2020-13401-disable-IPv6-router-advertisements.patch
+cve-2020-15157.patch
+cve-2020-15257.patch
+cve-2021-21284-1.patch
+cve-2021-21284-2.patch
+cve-2021-21284-3.patch
+cve-2021-21285.patch
+
+engine-contrib-debootstrap-curl-follow-location.patch
+engine-test-noinstall.patch
+
+go-metrics_prometheus-fix_Observer.patch
+
+libnetwork_proto.patch
+libnetwork-revert-iptables-legacy.patch
+
+mips-add-specific-signal-file.patch
+mips-fix-devnumber.patch
+
+netlink_syscall.patch
+
+test--disable-containerizedengine-update-test.patch
+test--fix-test-errors.patch
+test--skip-TestAdapterReadLogs.patch
+test--skip-TestChangesWithChangesGH13590.patch
+test--skip-TestClientWithRequestTimeout.patch
+test--skip-TestGetRootUIDGID.patch
+test--skip-TestStateRunStop.patch
+test--skip-network-tests.patch
+test--skip-privileged-unit-tests.patch
+test--cli-fix-golang11.patch
+test--engine-fix-golang11.patch
diff --git a/patches/test--cli-fix-golang11.patch b/patches/test--cli-fix-golang11.patch new file mode 100644 index 00000000..224c79db --- /dev/null +++ b/patches/test--cli-fix-golang11.patch 
@@ -0,0 +1,64 @@ +From de1523d221d7e719fe470c63c3cd908092e772df Mon Sep 17 00:00:00 2001 +From: Sebastiaan van Stijn +Date: Wed, 14 Aug 2019 10:04:43 +0200 +Subject: [PATCH] Adjust tests for changes in Go 1.12.8 / 1.11.13 + +For now, just verifying that an error is returned, but not checking the +error message itself, because those are not under our control, and may +change with different Go versions. + +``` +=== Failed +=== FAIL: opts TestParseDockerDaemonHost (0.00s) + hosts_test.go:87: tcp tcp:a.b.c.d address expected error "Invalid bind address format: tcp:a.b.c.d" return, got "parse tcp://tcp:a.b.c.d: invalid port \":a.b.c.d\" after host" and addr + hosts_test.go:87: tcp tcp:a.b.c.d/path address expected error "Invalid bind address format: tcp:a.b.c.d/path" return, got "parse tcp://tcp:a.b.c.d/path: invalid port \":a.b.c.d\" after host" and addr + +=== FAIL: opts TestParseTCP (0.00s) + hosts_test.go:129: tcp tcp:a.b.c.d address expected error Invalid bind address format: tcp:a.b.c.d return, got parse tcp://tcp:a.b.c.d: invalid port ":a.b.c.d" after host and addr + hosts_test.go:129: tcp tcp:a.b.c.d/path address expected error Invalid bind address format: tcp:a.b.c.d/path return, got parse tcp://tcp:a.b.c.d/path: invalid port ":a.b.c.d" after host and addr +``` + +Signed-off-by: Sebastiaan van Stijn + +--- docker.io-18.09.1+dfsg1.orig/cli/opts/hosts_test.go ++++ docker.io-18.09.1+dfsg1/cli/opts/hosts_test.go +@@ -53,8 +53,8 @@ func TestParseHost(t *testing.T) { + func TestParseDockerDaemonHost(t *testing.T) { + invalids := map[string]string{ + +- "tcp:a.b.c.d": "Invalid bind address format: tcp:a.b.c.d", +- "tcp:a.b.c.d/path": "Invalid bind address format: tcp:a.b.c.d/path", ++ "tcp:a.b.c.d": "", ++ "tcp:a.b.c.d/path": "", + "udp://127.0.0.1": "Invalid bind address format: udp://127.0.0.1", + "udp://127.0.0.1:2375": "Invalid bind address format: udp://127.0.0.1:2375", + "tcp://unix:///run/docker.sock": "Invalid proto, expected tcp: unix:///run/docker.sock", +@@ 
-83,7 +83,7 @@ func TestParseDockerDaemonHost(t *testin + "localhost:5555/path": "tcp://localhost:5555/path", + } + for invalidAddr, expectedError := range invalids { +- if addr, err := parseDockerDaemonHost(invalidAddr); err == nil || err.Error() != expectedError { ++ if addr, err := parseDockerDaemonHost(invalidAddr); err == nil || expectedError != "" && err.Error() != expectedError { + t.Errorf("tcp %v address expected error %q return, got %q and addr %v", invalidAddr, expectedError, err, addr) + } + } +@@ -99,8 +99,8 @@ func TestParseTCP(t *testing.T) { + defaultHTTPHost = "tcp://127.0.0.1:2376" + ) + invalids := map[string]string{ +- "tcp:a.b.c.d": "Invalid bind address format: tcp:a.b.c.d", +- "tcp:a.b.c.d/path": "Invalid bind address format: tcp:a.b.c.d/path", ++ "tcp:a.b.c.d": "", ++ "tcp:a.b.c.d/path": "", + "udp://127.0.0.1": "Invalid proto, expected tcp: udp://127.0.0.1", + "udp://127.0.0.1:2375": "Invalid proto, expected tcp: udp://127.0.0.1:2375", + } +@@ -125,7 +125,7 @@ func TestParseTCP(t *testing.T) { + "localhost:5555/path": "tcp://localhost:5555/path", + } + for invalidAddr, expectedError := range invalids { +- if addr, err := ParseTCPAddr(invalidAddr, defaultHTTPHost); err == nil || err.Error() != expectedError { ++ if addr, err := ParseTCPAddr(invalidAddr, defaultHTTPHost); err == nil || expectedError != "" && err.Error() != expectedError { + t.Errorf("tcp %v address expected error %v return, got %s and addr %v", invalidAddr, expectedError, err, addr) + } + } diff --git a/patches/test--disable-containerizedengine-update-test.patch b/patches/test--disable-containerizedengine-update-test.patch new file mode 100644 index 00000000..4bcb1533 --- /dev/null +++ b/patches/test--disable-containerizedengine-update-test.patch 
@@ -0,0 +1,19 @@ +From: Arnaud Rebillout +Date: Fri, 18 Jan 2019 18:54:15 +0700 +Subject: Disable containerizedengine/update_test.go + +This test FTBFS, see . +Please re-enable this test when this MR is accepted. + +Origin: vendor, Debian +Forwarded: not-needed, Debian-specific +Signed-off-by: Arnaud Rebillout + +--- a/cli/internal/containerizedengine/update_test.go ++++ b/cli/internal/containerizedengine/update_test.go +@@ -1,3 +1,5 @@ ++// +build ignore ++ + package containerizedengine + + import ( diff --git a/patches/test--engine-fix-golang11.patch b/patches/test--engine-fix-golang11.patch new file mode 100644 index 00000000..ded5d3e6 --- /dev/null +++ b/patches/test--engine-fix-golang11.patch 
@@ -0,0 +1,62 @@ +From 64c958a587ff3835d1bacc573e9db3d400dbb0ad Mon Sep 17 00:00:00 2001 +From: Sebastiaan van Stijn +Date: Wed, 14 Aug 2019 02:51:08 +0200 +Subject: [PATCH] Adjust tests for changes in Go 1.12.8 / 1.11.13 + +``` +00:38:11 === Failed +00:38:11 === FAIL: opts TestParseDockerDaemonHost (0.00s) +00:38:11 hosts_test.go:87: tcp tcp:a.b.c.d address expected error "Invalid bind address format: tcp:a.b.c.d" return, got "parse tcp://tcp:a.b.c.d: invalid port \":a.b.c.d\" after host" and addr +00:38:11 hosts_test.go:87: tcp tcp:a.b.c.d/path address expected error "Invalid bind address format: tcp:a.b.c.d/path" return, got "parse tcp://tcp:a.b.c.d/path: invalid port \":a.b.c.d\" after host" and addr +00:38:11 +00:38:11 === FAIL: opts TestParseTCP (0.00s) +00:38:11 hosts_test.go:129: tcp tcp:a.b.c.d address expected error Invalid bind address format: tcp:a.b.c.d return, got parse tcp://tcp:a.b.c.d: invalid port ":a.b.c.d" after host and addr +00:38:11 hosts_test.go:129: tcp tcp:a.b.c.d/path address expected error Invalid bind address format: tcp:a.b.c.d/path return, got parse tcp://tcp:a.b.c.d/path: invalid port ":a.b.c.d" after host and addr +``` + +Signed-off-by: Sebastiaan van Stijn +(cherry picked from commit 683766613a8c1dca8f95b19ddb7e083bb3aef266) +Signed-off-by: Sebastiaan van Stijn + +--- docker.io-18.09.1+dfsg1.orig/engine/opts/hosts_test.go ++++ docker.io-18.09.1+dfsg1/engine/opts/hosts_test.go +@@ -53,8 +53,8 @@ func TestParseHost(t *testing.T) { + func TestParseDockerDaemonHost(t *testing.T) { + invalids := map[string]string{ + +- "tcp:a.b.c.d": "Invalid bind address format: tcp:a.b.c.d", +- "tcp:a.b.c.d/path": "Invalid bind address format: tcp:a.b.c.d/path", ++ "tcp:a.b.c.d": "", ++ "tcp:a.b.c.d/path": "", + "udp://127.0.0.1": "Invalid bind address format: udp://127.0.0.1", + "udp://127.0.0.1:2375": "Invalid bind address format: udp://127.0.0.1:2375", + "tcp://unix:///run/docker.sock": "Invalid proto, expected tcp: unix:///run/docker.sock", +@@ 
-83,7 +83,7 @@ func TestParseDockerDaemonHost(t *testin + "localhost:5555/path": "tcp://localhost:5555/path", + } + for invalidAddr, expectedError := range invalids { +- if addr, err := parseDaemonHost(invalidAddr); err == nil || err.Error() != expectedError { ++ if addr, err := parseDaemonHost(invalidAddr); err == nil || expectedError != "" && err.Error() != expectedError { + t.Errorf("tcp %v address expected error %q return, got %q and addr %v", invalidAddr, expectedError, err, addr) + } + } +@@ -99,8 +99,8 @@ func TestParseTCP(t *testing.T) { + defaultHTTPHost = "tcp://127.0.0.1:2376" + ) + invalids := map[string]string{ +- "tcp:a.b.c.d": "Invalid bind address format: tcp:a.b.c.d", +- "tcp:a.b.c.d/path": "Invalid bind address format: tcp:a.b.c.d/path", ++ "tcp:a.b.c.d": "", ++ "tcp:a.b.c.d/path": "", + "udp://127.0.0.1": "Invalid proto, expected tcp: udp://127.0.0.1", + "udp://127.0.0.1:2375": "Invalid proto, expected tcp: udp://127.0.0.1:2375", + } +@@ -125,7 +125,7 @@ func TestParseTCP(t *testing.T) { + "localhost:5555/path": "tcp://localhost:5555/path", + } + for invalidAddr, expectedError := range invalids { +- if addr, err := ParseTCPAddr(invalidAddr, defaultHTTPHost); err == nil || err.Error() != expectedError { ++ if addr, err := ParseTCPAddr(invalidAddr, defaultHTTPHost); err == nil || expectedError != "" && err.Error() != expectedError { + t.Errorf("tcp %v address expected error %v return, got %s and addr %v", invalidAddr, expectedError, err, addr) + } + } diff --git a/patches/test--fix-test-errors.patch b/patches/test--fix-test-errors.patch new file mode 100644 index 00000000..e2dfb44b --- /dev/null +++ b/patches/test--fix-test-errors.patch 
@@ -0,0 +1,15 @@ +Description: update several tests for text/path errors +Author: Tianon Gravi +Forwarded: not-needed + +--- a/engine/pkg/authorization/authz_unix_test.go ++++ b/engine/pkg/authorization/authz_unix_test.go +@@ -346,6 +346,8 @@ + t.Fatal(err) + } + ++ t.Skip("Skipping plugin tests -- Unix socket path is too long: unix:///"+path.Join(pwd, pluginAddress)) ++ + client, err := plugins.NewClient("unix:///"+path.Join(pwd, pluginAddress), &tlsconfig.Options{InsecureSkipVerify: true}) + if err != nil { + t.Fatalf("Failed to create client %v", err) diff --git a/patches/test--skip-TestAdapterReadLogs.patch b/patches/test--skip-TestAdapterReadLogs.patch new file mode 100644 index 00000000..b3af56db --- /dev/null +++ b/patches/test--skip-TestAdapterReadLogs.patch 
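Review bot: The inserted `t.Skip` is unconditional, so the authorization-plugin tests in `authz_unix_test.go` — the coverage for the daemon's authz middleware — never run on Debian builds even when the build directory is short enough for the socket to bind, and the "path is too long" claim in the skip message is never actually checked. I would gate the skip on the length that causes the failure: `if sock := path.Join(pwd, pluginAddress); len(sock) >= 108 { t.Skip("Skipping plugin tests -- Unix socket path is too long: unix:///" + sock) }` (108 being the Linux `sun_path` limit; confirm against the error the build actually produced). The enclosing test function starts before the hunk.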
@@ -0,0 +1,38 @@ +Last-Update: 2018-06-19 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: disable unreliable test, failing randomly on multiple architectures. +~~~~ + FAIL: TestAdapterReadLogs (0.00s) + panic: runtime error: invalid memory address or nil pointer dereference [recovered] + panic: runtime error: invalid memory address or nil pointer dereference + [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x83273c5] + + goroutine 7 [running]: + testing.tRunner.func1(0x1a686ab0) + /usr/lib/go-1.10/src/testing/testing.go:742 +0x24a + panic(0x8393cc0, 0x85d1e78) + /usr/lib/go-1.10/src/runtime/panic.go:502 +0x1dc + github.com/docker/docker/daemon/logger.testMessageEqual(0x1a686ab0, 0x1a65cc7c, 0x0) + /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:178 +0x35 + github.com/docker/docker/daemon/logger.TestAdapterReadLogs(0x1a686ab0) + /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:131 +0x710 + testing.tRunner(0x1a686ab0, 0x83fa01c) + /usr/lib/go-1.10/src/testing/testing.go:777 +0xaa + created by testing.(*T).Run + /usr/lib/go-1.10/src/testing/testing.go:824 +0x243 + FAIL github.com/docker/docker/daemon/logger 0.012s +~~~~ + +--- a/engine/daemon/logger/adapter_test.go ++++ b/engine/daemon/logger/adapter_test.go +@@ -137,8 +137,9 @@ + return a + } + + func TestAdapterReadLogs(t *testing.T) { ++t.Skip("DM - skipping dodgy test") + plugin := newMockLoggingPlugin() + l := newMockPluginAdapter(plugin) + + testMsg := []Message{ diff --git a/patches/test--skip-TestChangesWithChangesGH13590.patch b/patches/test--skip-TestChangesWithChangesGH13590.patch new file mode 100644 index 00000000..540e5c9a --- /dev/null +++ b/patches/test--skip-TestChangesWithChangesGH13590.patch 
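Review bot: The trace quoted in the patch header is a nil-pointer dereference inside `testMessageEqual` at `adapter_test.go:178`, i.e. a nil `*Message` reached the comparison, and a random SIGSEGV of that shape points at a race in the adapter or mock-plugin read path rather than at the assertion — the unconditional `t.Skip("DM - skipping dodgy test")` hides it without anyone having looked. If the skip has to stay, I would gate it on `if testing.Short() { t.Skip("DM - skipping dodgy test") }` so full runs still exercise `ReadLogs`, and indent the inserted line to match the function body since it sits at column 0. `TestAdapterReadLogs` continues past the end of the hunk.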
@@ -0,0 +1,17 @@ +Last-Update: Wed Jun 7 11:39:46 2017 +Forwarded: not-needed +Author: Tim Potter +Description: disable test, does not appear to work under pbuilder. + +--- a/engine/pkg/archive/changes_test.go ++++ b/engine/pkg/archive/changes_test.go +@@ -177,8 +177,9 @@ + } + + // See https://github.com/docker/docker/pull/13590 + func TestChangesWithChangesGH13590(t *testing.T) { ++ t.Skip("DM - skipped, doesn't work under pbuilder") + // TODO Windows. There may be a way of running this, but turning off for now + // as createSampleDir uses symlinks. + if runtime.GOOS == "windows" { + t.Skip("symlinks on Windows") diff --git a/patches/test--skip-TestClientWithRequestTimeout.patch b/patches/test--skip-TestClientWithRequestTimeout.patch new file mode 100644 index 00000000..b86ec586 --- /dev/null +++ b/patches/test--skip-TestClientWithRequestTimeout.patch @@ -0,0 +1,20 @@ +From: Arnaud Rebillout +Date: Thu, 24 Jan 2019 15:22:58 +0700 +Subject: Skip TestClientWithRequestTimeout + +This test seems to be flaky. Please follow-up upstream for more details: + + +Origin: vendor, Debian +Forwarded: not-needed, Debian-specific +Signed-off-by: Arnaud Rebillout +--- a/engine/pkg/plugins/client_test.go ++++ b/engine/pkg/plugins/client_test.go +@@ -237,6 +237,7 @@ + } + + func TestClientWithRequestTimeout(t *testing.T) { ++ t.Skip("DM - skipping flaky test") + timeout := 1 * time.Millisecond + testHandler := func(w http.ResponseWriter, r *http.Request) { + time.Sleep(timeout + 1*time.Millisecond) diff --git a/patches/test--skip-TestGetRootUIDGID.patch b/patches/test--skip-TestGetRootUIDGID.patch new file mode 100644 index 00000000..d15bd400 --- /dev/null +++ b/patches/test--skip-TestGetRootUIDGID.patch 
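Review bot: In `TestClientWithRequestTimeout` the context lines show a 1 ms client timeout against a handler that sleeps `timeout + 1*time.Millisecond`, so on a loaded builder a late-firing 1 ms timer can let the response win and the test flips — the flakiness is in the margins, not in the timeout logic, and the unconditional `t.Skip("DM - skipping flaky test")` removes the only check that plugin calls honour their deadline. Widening the margins, e.g. `timeout := 50 * time.Millisecond` and `time.Sleep(timeout + 200*time.Millisecond)` in the handler, is what I would try before skipping. The test body continues past the end of the hunk, so the assertion itself is not visible here.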
@@ -0,0 +1,26 @@ +Last-Update: 2018-06-16 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: disable test failing is sbuild. +~~~~ + FAIL: TestGetRootUIDGID (0.00s) + idtools_unix_test.go:287: + Error Trace: idtools_unix_test.go:287 + Error: Not equal: + expected: 1009 + actual : 2952 + Test: TestGetRootUIDGID +~~~~ + +--- a/engine/pkg/idtools/idtools_unix_test.go ++++ b/engine/pkg/idtools/idtools_unix_test.go +@@ -266,8 +266,9 @@ + } + } + + func TestGetRootUIDGID(t *testing.T) { ++t.Skip("DM - skipping malfunctioning test, fails on sbuild") + uidMap := []IDMap{ + { + ContainerID: 0, + HostID: os.Getuid(), diff --git a/patches/test--skip-TestStateRunStop.patch b/patches/test--skip-TestStateRunStop.patch new file mode 100644 index 00000000..7d70ba9b --- /dev/null +++ b/patches/test--skip-TestStateRunStop.patch @@ -0,0 +1,20 @@ +Last-Update: 2018-08-02 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: disabled unreliable test. +~~~~ + state_test.go:102: ExitCode -1, expected 2, err "context deadline exceeded" +~~~~ + +--- a/engine/container/state_test.go ++++ b/engine/container/state_test.go +@@ -28,8 +28,9 @@ + } + } + + func TestStateRunStop(t *testing.T) { ++t.Skip("DM - disabled unreliable test") + s := NewState() + + // Begin another wait with WaitConditionRemoved. It should complete + // within 200 milliseconds. diff --git a/patches/test--skip-network-tests.patch b/patches/test--skip-network-tests.patch new file mode 100644 index 00000000..a6955dbe --- /dev/null +++ b/patches/test--skip-network-tests.patch 
@@ -0,0 +1,17 @@ +Last-Update: 2018-06-16 +Forwarded: not-needed +Author: Dmitry Smirnov +Description: disable failing test due to dependency on network. + +--- a/cli/cli/command/image/push_test.go ++++ b/cli/cli/command/image/push_test.go +@@ -12,8 +12,9 @@ + "gotest.tools/assert" + ) + + func TestNewPushCommandErrors(t *testing.T) { ++t.Skip("DM - skipping network test") + testCases := []struct { + name string + args []string + expectedError string diff --git a/patches/test--skip-privileged-unit-tests.patch b/patches/test--skip-privileged-unit-tests.patch new file mode 100644 index 00000000..08e91b2c --- /dev/null +++ b/patches/test--skip-privileged-unit-tests.patch 
@@ -0,0 +1,316 @@ +Description: allow skipping "privileged" tests with "-test.short" +Author: Tianon Gravi +Forwarded: no + +--- a/engine/builder/dockerfile/internals_test.go ++++ b/engine/builder/dockerfile/internals_test.go +@@ -19,6 +19,7 @@ + ) + + func TestEmptyDockerfile(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test") + defer cleanup() + +@@ -28,6 +29,7 @@ + } + + func TestSymlinkDockerfile(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test") + defer cleanup() + +@@ -43,6 +45,7 @@ + } + + func TestDockerfileOutsideTheBuildContext(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test") + defer cleanup() + +@@ -52,6 +55,7 @@ + } + + func TestNonExistingDockerfile(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test") + defer cleanup() + +--- a/engine/daemon/graphdriver/overlay2/overlay_test.go ++++ b/engine/daemon/graphdriver/overlay2/overlay_test.go +@@ -37,22 +37,27 @@ + // This avoids creating a new driver for each test if all tests are run + // Make sure to put new tests between TestOverlaySetup and TestOverlayTeardown + func TestOverlaySetup(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.GetDriver(t, driverName) + } + + func TestOverlayCreateEmpty(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestCreateEmpty(t, driverName) + } + + func TestOverlayCreateBase(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestCreateBase(t, driverName) + } + + func TestOverlayCreateSnap(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestCreateSnap(t, driverName) + } + + func TestOverlay128LayerRead(t *testing.T) { ++ t.Skip("DM - 
skipping privileged test") + graphtest.DriverTestDeepLayerRead(t, 128, driverName) + } + +--- a/engine/volume/local/local_test.go ++++ b/engine/volume/local/local_test.go +@@ -31,6 +31,7 @@ + } + + func TestRemove(t *testing.T) { ++t.Skip("DM - skipping privileged test") + skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI") + rootDir, err := ioutil.TempDir("", "local-volume-test") + if err != nil { +@@ -74,6 +75,7 @@ + } + + func TestInitializeWithVolumes(t *testing.T) { ++ t.Skip("DM - skipping privileged tests") + rootDir, err := ioutil.TempDir("", "local-volume-test") + if err != nil { + t.Fatal(err) +@@ -106,6 +108,7 @@ + } + + func TestCreate(t *testing.T) { ++ t.Skip("DM - skipping privileged tests") + rootDir, err := ioutil.TempDir("", "local-volume-test") + if err != nil { + t.Fatal(err) +@@ -178,6 +181,7 @@ + } + + func TestCreateWithOpts(t *testing.T) { ++t.Skip("DM - skipping privileged test") + skip.If(t, runtime.GOOS == "windows") + skip.If(t, os.Getuid() != 0, "requires mounts") + rootDir, err := ioutil.TempDir("", "local-volume-test") +--- a/engine/pkg/mount/mount_unix_test.go ++++ b/engine/pkg/mount/mount_unix_test.go +@@ -25,6 +25,7 @@ + } + + func TestMounted(t *testing.T) { ++t.Skip("DM - skipping privileged test") + if os.Getuid() != 0 { + t.Skip("root required") + } +@@ -80,6 +81,7 @@ + } + + func TestMountReadonly(t *testing.T) { ++t.Skip("DM - skipping privileged test") + if os.Getuid() != 0 { + t.Skip("root required") + } +@@ -129,6 +131,7 @@ + } + + func TestGetMounts(t *testing.T) { ++t.Skip("DM - skipping privileged test") + mounts, err := GetMounts(nil) + if err != nil { + t.Fatal(err) +--- a/engine/pkg/mount/sharedsubtree_linux_test.go ++++ b/engine/pkg/mount/sharedsubtree_linux_test.go +@@ -12,6 +12,7 @@ + + // nothing is propagated in or out + func TestSubtreePrivate(t *testing.T) { ++t.Skip("DM - skipping privileged test") + if os.Getuid() != 0 { + t.Skip("root required") + } +@@ -114,6 +115,7 @@ + 
// Testing that when a target is a shared mount, + // then child mounts propagate to the source + func TestSubtreeShared(t *testing.T) { ++t.Skip("DM - skipping privileged test") + if os.Getuid() != 0 { + t.Skip("root required") + } +@@ -186,6 +188,7 @@ + // testing that mounts to a shared source show up in the slave target, + // and that mounts into a slave target do _not_ show up in the shared source + func TestSubtreeSharedSlave(t *testing.T) { ++t.Skip("DM - skipping privileged test") + if os.Getuid() != 0 { + t.Skip("root required") + } +@@ -294,6 +297,7 @@ + } + + func TestSubtreeUnbindable(t *testing.T) { ++t.Skip("DM - skipping privileged test") + if os.Getuid() != 0 { + t.Skip("root required") + } +--- a/engine/daemon/graphdriver/overlay/overlay_test.go ++++ b/engine/daemon/graphdriver/overlay/overlay_test.go +@@ -19,22 +19,27 @@ + // This avoids creating a new driver for each test if all tests are run + // Make sure to put new tests between TestOverlaySetup and TestOverlayTeardown + func TestOverlaySetup(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.GetDriver(t, "overlay") + } + + func TestOverlayCreateEmpty(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestCreateEmpty(t, "overlay") + } + + func TestOverlayCreateBase(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestCreateBase(t, "overlay") + } + + func TestOverlayCreateSnap(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestCreateSnap(t, "overlay") + } + + func TestOverlay50LayerRead(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + graphtest.DriverTestDeepLayerRead(t, 50, "overlay") + } + +--- a/engine/pkg/archive/archive_test.go ++++ b/engine/pkg/archive/archive_test.go +@@ -264,6 +264,7 @@ + } + + func TestUntarPathWithInvalidDest(t *testing.T) { ++t.Skip("DM - skipping privileged test") + tempFolder, err := ioutil.TempDir("", "docker-archive-test") + assert.NilError(t, err) 
+ defer os.RemoveAll(tempFolder) +@@ -436,6 +437,7 @@ + } + + func TestCopyWithTarInexistentDestWillCreateIt(t *testing.T) { ++t.Skip("DM - skipping privileged test") + skip.If(t, os.Getuid() != 0, "skipping test that requires root") + tempFolder, err := ioutil.TempDir("", "docker-archive-test") + if err != nil { +@@ -729,6 +731,7 @@ + } + + func TestTarWithOptionsChownOptsAlwaysOverridesIdPair(t *testing.T) { ++t.Skip("DM - skipping privileged test") + origin, err := ioutil.TempDir("", "docker-test-tar-chown-opt") + assert.NilError(t, err) + +@@ -780,6 +783,7 @@ + } + + func TestTarWithOptions(t *testing.T) { ++t.Skip("DM - skipping privileged test") + // TODO Windows: Figure out how to fix this test. + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -970,6 +974,7 @@ + } + + func TestUntarHardlinkToSymlink(t *testing.T) { ++t.Skip("DM - skipping privileged test") + // TODO Windows. There may be a way of running this, but turning off for now + skip.If(t, runtime.GOOS == "windows", "hardlinks on Windows") + skip.If(t, os.Getuid() != 0, "skipping test that requires root") +@@ -1200,6 +1205,7 @@ + } + + func TestReplaceFileTarWrapper(t *testing.T) { ++t.Skip("DM - skipping privileged test") + filesInArchive := 20 + testcases := []struct { + doc string +--- a/engine/pkg/archive/archive_linux_test.go ++++ b/engine/pkg/archive/archive_linux_test.go +@@ -85,6 +85,7 @@ + } + + func TestOverlayTarUntar(t *testing.T) { ++t.Skip("DM - skipping privileged test") + oldmask, err := system.Umask(0) + assert.NilError(t, err) + defer system.Umask(oldmask) +@@ -124,6 +125,7 @@ + } + + func TestOverlayTarAUFSUntar(t *testing.T) { ++t.Skip("DM - skipping privileged test") + oldmask, err := system.Umask(0) + assert.NilError(t, err) + defer system.Umask(oldmask) +--- a/cli/cli/command/image/build_test.go ++++ b/cli/cli/command/image/build_test.go +@@ -25,6 +25,7 @@ + ) + + func TestRunBuildDockerfileFromStdinWithCompress(t *testing.T) { ++t.Skip("DM - skipping 
privileged test") + buffer := new(bytes.Buffer) + fakeBuild := newFakeBuild() + fakeImageBuild := func(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) { +@@ -122,6 +123,7 @@ + // TODO: test "context selection" logic directly when runBuild is refactored + // to support testing (ex: docker/cli#294) + func TestRunBuildFromGitHubSpecialCase(t *testing.T) { ++t.Skip("DM - disabled due to network access") + cmd := NewBuildCommand(test.NewFakeCli(nil)) + // Clone a small repo that exists so git doesn't prompt for credentials + cmd.SetArgs([]string{"github.com/docker/for-win"}) +--- a/engine/daemon/oci_linux_test.go ++++ b/engine/daemon/oci_linux_test.go +@@ -89,6 +89,7 @@ + } + + func TestGetSourceMount(t *testing.T) { ++t.Skip("Skipped failing test") + // must be able to find source mount for / + mnt, _, err := getSourceMount("/") + assert.NilError(t, err) +--- a/engine/layer/mount_test.go ++++ b/engine/layer/mount_test.go +@@ -12,6 +12,7 @@ + ) + + func TestMountInit(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -120,6 +121,7 @@ + } + + func TestMountChanges(t *testing.T) { ++ t.Skip("DM - skipping privileged test") + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +--- a/engine/daemon/graphdriver/aufs/aufs_test.go ++++ b/engine/daemon/graphdriver/aufs/aufs_test.go +@@ -31,6 +31,7 @@ + } + + func testInit(dir string, t testing.TB) graphdriver.Driver { ++ t.Skip("DM - skipping privileged test") + d, err := Init(dir, nil, nil, nil) + if err != nil { + if err == graphdriver.ErrNotSupported { diff --git a/rules b/rules new file mode 100755 index 00000000..84769c17 --- /dev/null +++ b/rules 
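Review bot: The patch header says these tests become skippable with `-test.short`, yet every inserted line is an unconditional `t.Skip(...)`, so the tests are disabled in every run, not only under `-short`. Gating each one as `if testing.Short() { t.Skip("DM - skipping privileged test") }` would match the stated intent and keep the mount-propagation, overlay and archive tests (the TestSubtree*, TestUntar*, TestTarWithOptionsChownOptsAlwaysOverridesIdPair and TestGetSourceMount cases) runnable on a privileged builder; these appear to cover filesystem and mount handling that is security-sensitive, so losing them entirely reduces the assurance the package build gives. The skip added to `testInit(dir string, t testing.TB)` in aufs_test.go sits in a helper rather than a test and therefore silently skips every test that calls it. The skip messages are also inconsistent (`privileged test` vs `privileged tests`, and `Skipped failing test` for TestGetSourceMount records no reason at all). Each inner hunk cuts through the body of the function it touches, so the rest of those functions is outside this view.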
@@ -0,0 +1,185 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +## Disable compiler cache (`go env GOCACHE`, `go help cache`). +export GOCACHE=off + +export HOME=$(CURDIR)/debian/tmp + +#export DH_GOLANG_BUILDPKG := github.com/docker/docker github.com/docker/cli +export DH_GOLANG_GO_GENERATE := 1 +export DH_GOLANG_INSTALL_ALL := 1 +export DH_GOLANG_INSTALL_EXTRA := testdata/ +export DH_GOLANG_EXCLUDES := \ + integration-cli \ + vendor + +# temporary build path (see http://golang.org/doc/code.html#GOPATH) +OUR_GOPATH := $(CURDIR)/.gopath +export GOPATH := $(OUR_GOPATH) + +export DOCKER_VERSION := $(shell cat VERSION) +export DOCKER_GITCOMMIT := $(shell ./debian/helpers/gitcommit.sh $(DOCKER_VERSION)) +ifndef DOCKER_GITCOMMIT + $(error Missing DOCKER_GITCOMMIT - see debian/upstream-version-gitcommits) +endif + +export BUILDTIME := $(shell dpkg-parsechangelog -SDate) + +# have "make.sh" keep "bundle/$(DOCKER_VERSION)" around between runs (we clean it up appropriately ourselves) +export KEEPBUNDLE := 1 + +## AppArmor can be optionally used in Debian and is there by default in Ubuntu, +## so we need support for it compiled into our binary same story with SELinux. +export DOCKER_BUILDTAGS := apparmor seccomp selinux ambient + +## prefer Go 1.7 explicitly if it's available (golang-1.7-go) +#export PATH := /usr/lib/go-1.7/bin:$(PATH) + +APPARMOR_RECOMMENDS := $(shell dpkg-vendor --is Ubuntu && echo apparmor) +BUILT_LIBC := $(shell dpkg-query -f '$${source:Package} (= $${source:Version})' -W libc-dev-bin) + +%: + dh $@ --buildsystem=golang --with=bash-completion,golang --builddirectory=.gopath + +override_dh_clean: + dh_clean + $(RM) -v -r autogen bundles man/man*/ +# -find . 
-type f -name '*.pb.go' -delete -printf 'removed %p\n' ## delete generated .pb.go files + ## Remove Files-Excluded (when built from checkout or non-DFSG tarball): + $(RM) -rv `perl -0nE 'say grep { $$_=q{ */}.$$_ } split(/\s+/,$$1) if m{^Files\-Excluded:\s*(.*?)(?:\n\n|^Files|^Comment:)}sm;' debian/copyright` + -find */vendor -mindepth 1 -type d -empty -delete -printf 'removed %p\n' + +override_dh_auto_configure: +## dh_auto_configure symlinks dirs from "/usr/share/gocode/src" into +## $(OUR_GOPATH) unless folders already exist there in which case files +## are copied. Pre-making directories allows us to use debhelper to +## create proper GOPATH source tree yet have certain directories writable +## even if they are provided by already installed package. + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/cli + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/docker + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/libnetwork + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/swarmkit + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/distribution + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/go-events + mkdir -pv $(OUR_GOPATH)/src/github.com/docker/go-metrics + mkdir -pv $(OUR_GOPATH)/src/github.com/containerd/containerd + +# ## Prepare builddirectory but throw away sourcedirectory. + DH_GOPKG="__IGNORE__" dh_auto_configure + +## Each package must be removed from working tree first, in case some +## of the packages that we are going to build are already installed. +## This is also useful for building in unclean environment. +## +## This is _necessary_ to avoid merging packages that we build with +## pre-installed packages. See #827226 for details. +## Debhelper knows only about "main" DH_GOPKG package but we build several +## and we have to ensure that build tree is properly prepared. 
+ $(RM) -r $(OUR_GOPATH)/src/github.com/docker/cli + cp -ra cli $(OUR_GOPATH)/src/github.com/docker/cli + + $(RM) -r $(OUR_GOPATH)/src/github.com/docker/docker + cp -ra engine $(OUR_GOPATH)/src/github.com/docker/docker + + $(RM) -r $(OUR_GOPATH)/src/github.com/docker/libnetwork + cp -ra libnetwork $(OUR_GOPATH)/src/github.com/docker/libnetwork + + $(RM) -r $(OUR_GOPATH)/src/github.com/docker/swarmkit + cp -ra swarmkit $(OUR_GOPATH)/src/github.com/docker/swarmkit + + $(RM) -r $(OUR_GOPATH)/src/github.com/docker/distribution + cp -ra distribution $(OUR_GOPATH)/src/github.com/docker/distribution + + $(RM) -r $(OUR_GOPATH)/src/github.com/docker/go-events + cp -ra go-events $(OUR_GOPATH)/src/github.com/docker/go-events + + $(RM) -r $(OUR_GOPATH)/src/github.com/docker/go-metrics + cp -ra go-metrics $(OUR_GOPATH)/src/github.com/docker/go-metrics + + $(RM) -r $(OUR_GOPATH)/src/github.com/containerd/containerd + cp -ra containerd $(OUR_GOPATH)/src/github.com/containerd/containerd + +# cp -ra containerd/vendor/github.com/containerd/continuity $(OUR_GOPATH)/src/github.com/containerd/ +# cp -ra engine/vendor/github.com/docker/distribution $(OUR_GOPATH)/src/github.com/docker/ + +override_dh_auto_build-indep: + # noop + +override_dh_auto_build-arch: +## order is important: + +## ## FIXME: DH_GOLANG_BUILDPKG --> DH_GOPKG + DH_GOLANG_BUILDPKG="github.com/docker/distribution" dh_auto_build -v + + DH_GOPKG="github.com/docker/libnetwork" dh_auto_build -v + +## ## FIXME: DH_GOLANG_BUILDPKG --> DH_GOPKG + DH_GOLANG_BUILDPKG="github.com/docker/swarmkit" dh_auto_build -v + + export DH_GOPKG="github.com/containerd/containerd" ;\ + export REV="`grep $${DH_GOPKG} engine/vendor.conf | head -1 | awk '{print $$2}'`" ;\ + dh_auto_build -v -- -tags "$(DOCKER_BUILDTAGS)" \ + -ldflags "-X $${DH_GOPKG}/version.Version=$(DOCKER_VERSION) -X $${DH_GOPKG}/version.Revision=$${REV}" + + DH_GOPKG="github.com/docker/go-events" dh_auto_build -v + DH_GOPKG="github.com/docker/go-metrics" dh_auto_build -v + 
+## build ("cd" first to ensure we build from within GOPATH) + cd '$(OUR_GOPATH)/src/github.com/docker/docker' \ + && VERSION=$(DOCKER_VERSION) ./hack/make.sh dynbinary + + cd '$(OUR_GOPATH)/src/github.com/docker/cli' \ + && DISABLE_WARN_OUTSIDE_CONTAINER=1 LDFLAGS='' \ + $(MAKE) VERSION=$(DOCKER_VERSION) GITCOMMIT=$(DOCKER_GITCOMMIT) dynbinary manpages + +# # compile man pages +# ./man/md2man-all.sh -q + +override_dh_auto_test-indep: + DH_GOLANG_EXCLUDES="integration-cli integration test/integration" \ + dh_auto_test -v --max-parallel=4 -- -short + +override_dh_auto_test-arch: +### [[[ DO NOT DISABLE TESTS ]]] [[[ DO *NOT* DISABLE TESTS ]]] + DH_GOLANG_EXCLUDES="integration-cli integration test/integration" \ + dh_auto_test -v --max-parallel=4 -- -short +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) + ## Test engine: +# cd '$(OUR_GOPATH)/src/$(DH_GOPKG)' \ +# && TESTFLAGS='-test.short' ./hack/make.sh test-unit + cd $(OUR_GOPATH)/src/github.com/docker/docker \ + && TESTFLAGS='-test.short' ./hack/test/unit + + ## Test CLI: + cd $(OUR_GOPATH)/src/github.com/docker/cli \ + && DISABLE_WARN_OUTSIDE_CONTAINER=1 $(MAKE) test-unit + + .gopath/bin/containerd -version +endif + +override_dh_install: + ## Do not install extra license files: + dh_install -XLICENSE + +override_dh_auto_install: + ## skip dh_auto_install to stop dh_golang trying to copy bits + ## for /usr/share/gocode (we use dh_install/dh-exec for that) + +override_dh_installinit: + dh_installinit -v --name=docker --no-stop-on-upgrade --no-restart-after-upgrade + +override_dh_installsystemd: + dh_installsystemd -v --name=docker --no-stop-on-upgrade --no-restart-after-upgrade + +override_dh_installudev: + # use priority z80 to match the upstream priority of 80 + dh_installudev -v --name=docker --priority=z80 + +override_dh_gencontrol: + echo 'apparmor:Recommends=$(APPARMOR_RECOMMENDS)' >> debian/docker.io.substvars + echo 'libc:Built-Using=$(BUILT_LIBC)' >> debian/docker.io.substvars + dh_gencontrol 
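Review bot: `override_dh_installinit` and `override_dh_installsystemd` both pass `--no-stop-on-upgrade --no-restart-after-upgrade`, so after a package upgrade the already-running daemon keeps executing the old binary until someone restarts it; for a package that carries security fixes this deserves an explicit comment in rules and a pointer in the package's user-facing documentation so administrators know a restart is needed. I would add `## keep running containers alive across upgrades: the daemon is NOT restarted, so a new binary (including security fixes) only takes effect after a manual restart of the docker service` above the two overrides. The `[[[ DO NOT DISABLE TESTS ]]]` banner in `override_dh_auto_test-arch` is undercut by the `-short` flag combined with the accompanying skip patch that disables the privileged tests unconditionally, so it is worth noting there which tests are knowingly not executed. `override_dh_auto_test-indep` repeats the same `DH_GOLANG_EXCLUDES`/`dh_auto_test` recipe verbatim; one shared variable would keep the two exclusion lists from drifting apart. The stale `## prefer Go 1.7 explicitly` comment and its commented-out PATH export can be dropped.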
diff --git a/source/format b/source/format
new file mode 100644
index 00000000..163aaf8d
--- /dev/null
+++ b/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/source/lintian-overrides b/source/lintian-overrides
new file mode 100644
index 00000000..2a07e111
--- /dev/null
+++ b/source/lintian-overrides
@@ -0,0 +1,5 @@
+## Files-Excluded leftovers:
+source-contains-empty-directory */vendor/*
+
+## Acknowledged:
+dh-exec-subst-unknown-variable debian/docker.io.install DOCKER_VERSION
diff --git a/tests/basic-smoke b/tests/basic-smoke
new file mode 100755
index 00000000..eae62a1f
--- /dev/null
+++ b/tests/basic-smoke
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -eux
+set -o pipefail
+
+exitTraps=( 'true' )
+doExit() {
+ for exitTrap in "${exitTraps[@]}"; do
+ eval "$exitTrap" || true
+ done
+}
+trap 'doExit' EXIT
+defer() {
+ exitTraps=( "$@" "${exitTraps[@]}" )
+}
+
+/etc/init.d/docker start
+defer '/etc/init.d/docker stop'
+defer 'journalctl -u docker | tail'
+
+# make sure Docker itself is working before we go too deep down the rabbit hole
+docker version
+
+tempDir="$(mktemp -d)"
+defer "rm -rf '$tempDir'"
+
+debootstrap \
+ --variant=minbase \
+ stable \
+ "$tempDir" \
+ http://httpredir.debian.org/debian
+
+tar -cC "$tempDir" . | docker import - debian
+defer 'docker rmi debian'
+
+docker run --name test debian true
+defer 'docker rm -f test'
diff --git a/tests/control b/tests/control
new file mode 100644
index 00000000..1824f5c9
--- /dev/null
+++ b/tests/control
@@ -0,0 +1,7 @@
+Tests: basic-smoke
+Depends: aufs-tools, debian-archive-keyring, debootstrap, @
+Restrictions: allow-stderr isolation-machine needs-root
+
+#Tests: integration
+#Depends: ca-certificates, curl, git, golang-check.v1-dev, jq, @, @builddeps@
+#Restrictions: allow-stderr isolation-machine needs-root rw-build-tree
diff --git a/tests/integration b/tests/integration
new file mode 100755
index 00000000..6b40edcb
--- /dev/null
+++ b/tests/integration
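Review bot: `debootstrap` in tests/basic-smoke fetches from `http://httpredir.debian.org/debian`, a redirector name that Debian has since superseded by `http://deb.debian.org/debian`; switching keeps the smoke test working when the old name stops resolving. The transport is plain HTTP, so the integrity of the fetched base system rests on debootstrap's Release-signature check against `debian-archive-keyring` (declared in tests/control); a one-line comment above the call stating that dependency would make the trust assumption explicit. `docker import - debian` and `docker run --name test` use fixed names, which is fine under `isolation-machine` but would collide on a reused host; deriving the tag and container name from `$tempDir` would avoid that.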
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+# apply patches
+dpkg-source --before-build .
+
+# prepare the environment
+./debian/rules dh_configure
+export GOPATH="$PWD/.gopath"
+export DOCKER_GITCOMMIT="$(./debian/helpers/gitcommit.sh)"
+
+# docker's tests need an unprivileged user available at this username
+useradd --system --gid docker --comment 'Docker Test Suite Unprivileged User' unprivilegeduser
+
+# https://github.com/docker/docker/blob/7307998a44237a8943792c279b81ff5a387a86fa/builder/dockerfile/builder.go#L34-L44
+proxyArgs=(
+ http_proxy
+ https_proxy
+ ftp_proxy
+ no_proxy
+)
+DOCKER_BUILD_ARGS=
+for proxyArgBase in "${proxyArgs[@]}"; do
+ for proxyArg in "${proxyArgBase^^}" "$proxyArgBase"; do
+ if [ -n "${!proxyArg}" ]; then
+ [ -z "$DOCKER_BUILD_ARGS" ] || DOCKER_BUILD_ARGS+=' '
+ DOCKER_BUILD_ARGS+="--build-arg ${proxyArg}=${!proxyArg}"
+ fi
+ done
+done
+export DOCKER_BUILD_ARGS
+
+# run the tests
+./hack/make.sh test-integration-cli
+
+# clean up cruft we've created
+./debian/rules clean
+userdel --force unprivilegeduser
+
+# unapply patches
+dpkg-source --after-build .
diff --git a/unpack-components.sh b/unpack-components.sh
new file mode 100755
index 00000000..9554ca55
--- /dev/null
+++ b/unpack-components.sh
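Review bot: The teardown at the end of tests/integration (`./debian/rules clean`, `userdel --force unprivilegeduser`, `dpkg-source --after-build .`) only runs when the whole suite succeeds, because the script uses `set -e` with no EXIT trap; a failing `./hack/make.sh test-integration-cli` leaves the system `unprivilegeduser` account and the applied quilt patches behind on the test host. Moving the cleanup into an EXIT trap, as tests/basic-smoke already does with its `defer` helper, makes it unconditional. The `useradd --gid docker` line assumes the `docker` group already exists at that point, presumably created by the installed package; stating that in the comment above it would spare the next reader a guess.
```shell
# apply patches
dpkg-source --before-build .

# always undo what this script created, even when the test run fails
cleanup() {
	./debian/rules clean || true
	userdel --force unprivilegeduser || true
	dpkg-source --after-build . || true
}
trap cleanup EXIT

# … unchanged: environment preparation, proxy build-args, test run …
```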
@@ -0,0 +1,36 @@
+#!/bin/bash
+: <<=cut
+
+=head1 DESCRIPTION
+
+Unpack MUT components.
+
+=head1 SYNOPSIS
+
+ ./debian/unpack-components.sh
+
+=cut
+
+set -e
+set -u
+
+DEB_SOURCE="$( dpkg-parsechangelog -SSource )"
+DEB_VERSION_UPSTREAM="$( dpkg-parsechangelog -SVersion | sed -e 's/-[^-]*$//' )"
+
+if ls ../${DEB_SOURCE}_${DEB_VERSION_UPSTREAM}.orig-*.tar.* 2>>/dev/null; then
+ for T in ../${DEB_SOURCE}_${DEB_VERSION_UPSTREAM}.orig-*.tar.*; do
+ C="${T##*.orig-}"
+ C="${C%%.tar*}"
+ mkdir -p "${C}"
+ tar xf ${T} -C "${C}" --strip-components=1
+ if [ "$(ls -m ${C})" == "${C}" ]; then
+ ## --strip-components=1 did not work.
+ mv "${C}" "${C}.tmp"
+ mv "${C}.tmp/${C}" .
+ rmdir "${C}.tmp"
+ fi
+ done
+else
+ printf "W: no components to extract.\n"
+ exit 0
+fi
diff --git a/upstream-version-gitcommits b/upstream-version-gitcommits
new file mode 100644
index 00000000..4252c767
--- /dev/null
+++ b/upstream-version-gitcommits
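Review bot: In unpack-components.sh the tarball and component names are expanded unquoted in `tar xf ${T} -C "${C}" --strip-components=1` and `ls -m ${C}`, while the same values are quoted everywhere else in the script; `tar xf "${T}"` and `ls -m "${C}"` keep it consistent and safe for names containing spaces or glob characters. The `2>>/dev/null` on the `ls` guard appends to /dev/null, which works but reads as a typo for `2>/dev/null`. Detecting a failed `--strip-components=1` by comparing `ls -m` output with the component name only triggers when the extracted tree holds exactly one entry named like the component, so a short comment stating that assumption next to `## --strip-components=1 did not work.` would help the next maintainer.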
@@ -0,0 +1,92 @@
+# To determine the proper value for this, download
+# https://download.docker.com/linux/static/CHANNEL/x86_64/docker-VERSION-ce.tgz
+# extract "docker", run "./docker -v", which will list the exact build hash needed.
+# https://github.com/docker/docker-ce/releases
+
+0.5.3: 17c92b8
+0.6.0: f4a4f1c
+0.6.1: 5105263
+0.6.2: 081543c
+0.6.3: b0a49a3
+0.6.4: 2f74b1c
+0.6.5: 3ff8459
+0.6.6: 6d42040
+0.6.7: cb48ecc
+0.7.0: 0d078b6
+0.7.1: 88df052
+0.7.2: 28b162e
+0.7.3: 8502ad4
+0.7.4: 010d74e
+0.7.5: c348c04
+0.7.6: bc3b2ec
+0.8.0: cc3a8c8
+0.8.1: a1598d1
+0.9.0: 2b3fdf2
+0.9.1: 3600720
+0.10.0: dc9c28f
+0.11.0: 15209c3
+0.11.1: fb99f99
+0.12.0: 14680bf
+1.0.0: 63fe64c
+1.0.1: 990021a
+1.1.0: 79812e3
+1.1.1: bd609d2
+1.1.2: d84a070
+1.2.0: fa7b24f
+1.3.0: c78088f
+1.3.1: 4e9bbfa
+1.3.2: 39fa2fa
+1.3.3: d344625
+1.4.0: 4595d4f
+1.4.1: 5bc2ff8
+1.5.0: a8a31ef
+1.6.0: 4749651
+1.6.1: 97cd073
+1.6.2: 7c8fca2
+1.7.0: 0baf609
+1.7.1: 786b29d
+1.8.0: 0d03096
+1.8.1: d12ea79
+1.8.2: 0a8c2e3
+1.8.3: f4bf5c7
+1.9.0: 76d6bc9
+1.9.1: a34a1d5
+1.10.0: 590d5108
+1.10.1: 9e83765
+1.10.2: c3959b1
+1.10.3: 20f81dd
+1.11.0: 4dc5990
+1.11.1: 5604cbe
+1.11.2: b9f10c9
+1.12.0: 8eab29e
+1.12.1: 23cf638
+1.12.2: bb80604
+1.12.3: 6b644ec
+1.12.4: 1564f02
+1.12.5: 7392c3b
+1.12.6: 78d1802
+1.13.0: 49bf474
+1.13.1: 092cba3
+17.03.0: 60ccb22
+17.03.1: c6d412e
+17.03.2: f5ec1e2
+17.04.0: 4845c56
+17.05.0: 89658be
+17.06.0: 02c1d87
+17.06.1: 874a737
+17.06.2: cec0b72
+17.07.0-ce: 8784753
+17.09.0-ce: afdb6d4
+17.10.0-ce: f4ffd25
+17.11.0-ce: 1caf76c
+17.12.0-ce: c97c6d6
+17.12.1-ce: 7390fc6
+18.01.0: 03596f5
+18.02.0: fc4de44
+18.02.0-ce: fc4de44
+18.03.0: 0520e24
+18.03.0-ce: 0520e24
+18.03.1-ce: 9ee9f40
+18.06.0-ce: 0ffa825
+18.06.1-ce: e68fc7a
+18.09.1: 4c52b90
diff --git a/vim-syntax-docker.install b/vim-syntax-docker.install
new file mode 100644
index 00000000..6ea7862a
--- /dev/null
+++ b/vim-syntax-docker.install
@@ -0,0 +1,4 @@
+engine/contrib/syntax/vim/doc/* /usr/share/vim/addons/doc/
+engine/contrib/syntax/vim/ftdetect/* /usr/share/vim/addons/ftdetect/
+engine/contrib/syntax/vim/syntax/* /usr/share/vim/addons/syntax/
+debian/vim-syntax-docker.yaml /usr/share/vim/registry/
diff --git a/vim-syntax-docker.yaml b/vim-syntax-docker.yaml
new file mode 100644
index 00000000..517b5914
--- /dev/null
+++ b/vim-syntax-docker.yaml
@@ -0,0 +1,6 @@
+addon: dockerfile
+description: "Addon to highlight Docker's Dockerfiles"
+files:
+ - doc/dockerfile.txt
+ - ftdetect/dockerfile.vim
+ - syntax/dockerfile.vim
diff --git a/watch b/watch
new file mode 100644
index 00000000..9e75d2ce
--- /dev/null
+++ b/watch
@@ -0,0 +1,15 @@
+# uscan(1) configuration file.
+version=4
+
+opts="\
+pgpmode=none,\
+repacksuffix=+dfsg1,\
+repack,compression=xz,\
+uversionmangle=s{\-ce}{},\
+dversionmangle=s{[+~](dfsg|ds)\d*}{},\
+" https://uscan.tianon.xyz/github.com/docker/docker-ce \
+ .*/archive/v?(\d[\d\.]+)(?:\-ce)?\.tar\.gz debian ./debian/get-orig-source.sh
+
+# /(releases|tags) paginates too soon on github.com
+# so we lose historical versions too early for tianon's taste.
+# https://github.com/docker/docker/releases
-- 2.30.2
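Review bot: The watch file sets `pgpmode=none` and fetches through the third-party redirector `https://uscan.tianon.xyz/github.com/docker/docker-ce`, so uscan performs no signature verification and the authenticity of a new orig tarball rests entirely on TLS to that host and on whatever `./debian/get-orig-source.sh` checks afterwards. If upstream publishes signed release tags or tarballs, a `pgpmode` setting together with `debian/upstream/signing-key.asc` would let uscan verify them; if it does not, a comment recording that the unverified fetch is a deliberate trade-off would help whoever reviews the next upstream import. The trailing comment block explains why the redirector is used instead of github's release pages but says nothing about signature checking, so that is the natural place for it.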