Commit Graph

92 Commits

Author SHA1 Message Date
Stefan Agner
4e80116562 package/docker-engine: bump version to v24.0.6
Bug fixes in containerd storage backend and Docker itself and a single
new warning about old Docker image format deprecation.

https://github.com/moby/moby/releases/tag/v24.0.6

Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-08 12:00:58 +02:00
Christian Stewart
a9cd24738a package/docker-engine: bump version to v24.0.5
Bug fixes & enhancements.

One major bug fix included in this release: The Go client now avoids using UNIX
socket paths in the HTTP Host: header, in order to be compatible with changes
introduced in go1.20.6.

Previously docker commands would fail with "invalid Host header."

This supersedes two other patches to back-port this fix to Buildroot:

https://patchwork.ozlabs.org/project/buildroot/patch/20230717041047.1510851-1-christian@aperture.us/
https://patchwork.ozlabs.org/project/buildroot/patch/20230717041047.1510851-2-christian@aperture.us/

https://github.com/moby/moby/releases/tag/v24.0.5

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-28 21:16:58 +02:00
Christian Stewart
95204c41b4 package/docker-engine: bump version to v24.0.4
https://github.com/moby/moby/releases/tag/v24.0.4

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-12 21:50:17 +02:00
Christian Stewart
314f62eda3 package/docker-engine: bump version to v24.0.2
v24.0.0 release notes:

https://github.com/moby/moby/releases/tag/v24.0.0
https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.0

v24.0.1 patch release notes:

https://github.com/moby/moby/releases/tag/v24.0.1
https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.1

v24.0.2 patch release notes:

https://github.com/moby/moby/releases/tag/v24.0.2
https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.2

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-12 00:01:57 +02:00
Christian Stewart
341dfc305b package/docker-engine: bump version to 23.0.5
https://github.com/moby/moby/releases/tag/v23.0.5

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-05-06 18:01:30 +02:00
Stefan Agner
238d494687 package/docker-engine: security bump version to v23.0.3
Fixed a number of issues that can cause Swarm encrypted overlay networks
to fail to uphold their guarantees, addressing CVE-2023-28841,
CVE-2023-28840, and CVE-2023-28842.

https://github.com/moby/moby/releases/tag/v23.0.3

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-04-05 22:01:25 +02:00
Stefan Agner
cebd1389f4 package/docker-engine: security bump version to v23.0.2
Fixes the following security issue:

- CVE-2023-26054: (Buildkit): Credentials inlined to Git URLs could end up
  in provenance attestation
  https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc

In addition, a number of issues have been fixed. For the full list, see:
https://github.com/moby/moby/releases/tag/v23.0.2

Signed-off-by: Stefan Agner <stefan@agner.ch>
[Peter: Mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-04-03 10:59:57 +02:00
Fabrice Fontaine
1807ef1049 package/docker-engine: libseccomp is mandatory
libseccomp is mandatory since bump to version 23.0.0 in commit
485b47e025:
https://github.com/moby/moby/pull/42501

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=15321

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-12 20:43:06 +01:00
Stefan Agner
08f5edd921 package/docker-engine: bump version to v23.0.1
This release contains some fixes and an improved error message. For the
full list see:
https://github.com/moby/moby/releases/tag/v23.0.1

Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-07 22:32:04 +01:00
Stefan Agner
3f512366d7 package/docker-engine: remove non-existing build tags
The seccomp and apparmor build tags have been removed in 23.0.0. Don't
use those buildtags anymore.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-07 22:24:49 +01:00
Christian Stewart
9ae48b70ae package/docker-proxy: drop package
The docker-proxy binary (libnetwork) has been merged into the docker-engine
source (moby). Drop the docker-proxy package and add cmd/docker-proxy as a build
target of docker-engine instead.

563fe8e248

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-02-07 11:06:53 +01:00
Christian Stewart
485b47e025 package/docker-engine: bump version to v23.0.0
This update requires a few workarounds for the non-standard vendor/
structure in the docker-engine repository.

First, as the vendor/ directory exists, our go-post-process script does
not do the vendoring, and exits early, which is exactly what we need.

Second, docker-engine does not use the "new" go.mod mechanism, so it
does not ship any go.mod file, so our go-post-process, exiting early,
does not check that the go.mod file exists, and thus does not fail,
which is again exactly what we need.

Third, docker-engine has an invalid vendor/modules.txt file that we need
to remove or go would fail to build. Since our go-post-process exits
early, there is no vendoring, and thus it does not break at download,
which once more is exactly what we need.

However, the missing go.mod and the problematic vendor/modules.txt cause
go to fail at build time, which this time is not really, even really not,
what we want...

So, we fix it up in two ways.

First, the easy part: we just remove the problematic vendor/modules.txt
file.

Second, we create a go.mod to tell the Go compiler the root import path
prefix for the module and the language version. Note that the language
version in go.mod is not required to be equal to the version of the Go
compiler.

Reference: https://github.com/moby/moby/issues/44618#issuecomment-1343565705

Note that as of v23.0.0 docker-engine expects containerd to be started
by systemd if --containerd= flag is set in dockerd.service, whereas in
previous versions containerd was started by the docker daemon as a
sub-process.

There is no sysv unit for containerd, but this is OK: in the Docker sysv
init file S60dockerd, we do not set the --containerd flag. The docker
daemon will start containerd as a sub-process automatically due to the
absence of this flag.

Signed-off-by: Christian Stewart <christian@paral.in>
[yann.morin.1998@free.fr:
  - run fixups in post-extract hook
  - rework commit log for (hopefully) better explanations
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-02-07 11:05:45 +01:00
Christian Stewart
de51efc543 package/docker-engine: bump version to 20.10.22
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-14 11:47:34 +01:00
Christian Stewart
309bc5d2d4 package/docker-engine: security bump to version 20.10.21
Partial mitigations for CVE-2022-39253 Git vulnerability and other fixes:

https://github.com/moby/moby/releases/tag/v20.10.21

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-12-11 14:33:11 +01:00
Christian Stewart
0a1195186f package/docker-engine: bump to version 20.10.19
This release of Docker Engine comes with some bug-fixes, and an updated version
of Docker Compose.

Builder

    Fix an issue that could result in a panic during docker builder prune or
    docker system prune moby/moby#44122.

Daemon

    Fix a bug where using docker volume prune would remove volumes that were
    still in use if the daemon was running with "live restore" and was restarted
    moby/moby#44238.

Packaging

    Update Docker Compose to v2.11.2.

https://github.com/moby/moby/releases/tag/v20.10.19

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-10-17 16:07:15 +02:00
Christian Stewart
4a53271b77 package/docker-engine: bump to version 20.10.18
https://github.com/moby/moby/releases/tag/v20.10.18

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-09-17 17:53:12 +02:00
Stefan Agner
35b3a646e0 package/docker-engine: use kernel modules for extra network drivers
Docker network driver "overlay", "macvlan" and "ipvlan" are not used
by default. Don't force enable them in the kernel.

The main aim here is to get rid of the dummy0 network interface which
is generated by the dummy driver by default.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-08-19 23:26:14 +02:00
Christian Stewart
5349010f76 package/docker-engine: bump to version 20.10.17
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-08-06 23:25:05 +02:00
Christian Stewart
db9707d0c0 package/docker-engine: bump to version v20.10.14
https://github.com/moby/moby/releases/tag/v20.10.14

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-04-05 19:16:18 +02:00
TIAN Yuanhao
6105ad3f72 package/docker-engine: remove unused sqlite
Dependency on sqlite has been removed since v17.04.0-ce.

See: https://github.com/moby/moby/pull/30208

Signed-off-by: TIAN Yuanhao <tianyuanhao3@163.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Tested-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-03-07 21:01:34 +01:00
Christian Stewart
64cf3dc6c4 package/docker-engine: bump to version 20.10.12
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-01-26 22:28:40 +01:00
Christian Stewart
35cf2a00b2 package/docker-engine: bump to version 20.10.11
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-12-27 22:19:53 +01:00
Peter Korsgaard
ce45136df0 package/docker-engine: security bump to version 20.10.9
Fixes the following security issues:

- CVE-2021-41089:  Create parent directories inside a chroot during docker
  cp to prevent a specially crafted container from changing permissions of
  existing files in the host’s filesystem.

- CVE-2021-41091: Lock down file permissions to prevent unprivileged users
  from discovering and executing programs in /var/lib/docker.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-10-18 21:54:40 +02:00
Christian Stewart via buildroot
fc7646565b package/docker-engine: bump to version 20.10.8
Signed-off-by: Christian Stewart <christian@paral.in>
2021-09-27 16:20:41 +02:00
Christian Stewart
49df508007 package/docker-engine: bump version to 20.10.7
Drop upstreamed patch fix-port-forwarding-with-ipv6.

Upstream commit: d29a55c6c344a536089d6b1bcd92be9cdea20641

Signed-off-by: Christian Stewart <christian@paral.in>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-06-20 14:37:17 +02:00
Fabrice Fontaine
378e9f4b11 package/docker-engine: devicemapper driver does not need liblvm2app
lvm2 app library is not needed to build devicemapper filesystem driver

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: tweak title]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-17 22:17:27 +02:00
Peter Korsgaard
2fd33900f5 package/docker-engine: fix port forwarding for hosts without IPv6
docker-engine 20.10.6 broke container port forwarding for hosts without IPv6
support:

docker: Error response from daemon: driver failed programming external
connectivity on endpoint naughty_moore
(038e9ed4b5ea77e1c52462d6d04ad001fbad9beb185a6511aadc217c8a271608): Error
starting userland proxy: listen tcp6 [::]:80: socket: address family not
supported by protocol.

Add a libnetwork patch from an upstream pull request to fix this, after
adjusting the patch to apply to docker-engine (which has libnetwork vendored
under vendor/github.com/docker/libnetwork):

- https://github.com/moby/libnetwork/pull/2635,
- https://github.com/moby/moby/pull/42322

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-14 22:59:49 +02:00
Christian Stewart
35af2bb801 package/docker-containerd: rename package to containerd
containerd is now an independent project from Docker.

This commit renames the Buildroot package from docker-containerd to containerd,
adding an entry in Config.in.legacy accordingly.

containerd is an industry-standard container runtime with an emphasis on
simplicity, robustness and portability. It is available as a daemon for Linux
and Windows, which can manage the complete container lifecycle of its host
system: image transfer and storage, container execution and supervision,
low-level storage and network attachments, etc.

https://containerd.io

Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout:
 - fix alphabetical ordering in package/Config.in
 - also do rename in DEVELOPERS
 - squash in second patch
]
2021-05-05 21:33:58 +02:00
Mario Fink
e1458fe943 package/docker-engine: bump version to 20.10.6
Fixes various networking issues:

- Fix a regression in docker 20.10, causing IPv6 addresses no longer to be
  bound by default when mapping ports moby/moby#42205

- Fix implicit IPv6 port-mappings not included in API response.  Before
  docker 20.10, published ports were accessible through both IPv4 and IPv6
  by default, but the API only included information about the IPv4 (0.0.0.0)
  mapping moby/moby#42205

- Fix a regression in docker 20.10, causing the docker-proxy to not be
  terminated in all cases moby/moby#42205

- Fix iptables forwarding rules not being cleaned up upon container removal
  moby/moby#42205

For more details, see the release notes:
https://docs.docker.com/engine/release-notes/#20106

Signed-off-by: Mario Fink <knif.oiram@gmail.com>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-02 21:08:41 +02:00
Peter Korsgaard
b59ebb66f3 package/docker-engine: add CPE variables
cpe:2.3:a:docker:docker is a valid CPE identifier for this package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Adocker%3Adocker

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-11 21:38:33 +02:00
Christian Stewart
36b8a8ba6b package/docker-engine: bump version to 20.10.5
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-14 16:49:22 +01:00
Christian Stewart
e2a85ec4a0 package/docker-engine: security bump to version 20.10.3
Security fixes:

 - CVE-2021-21285 Prevent an invalid image from crashing docker daemon
 - CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
 - Ensure AppArmor and SELinux profiles are applied when building with BuildKit

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-11 16:51:37 +01:00
Christian Stewart
a87a35de3e package/docker-engine: bump version to 20.10.1
Additionally, fix the ldflags specification of the package version.

The "autogen" script does not actually configure anything anymore, and
instead exports a LDFLAGS environment variable which we can't
use. Instead, specify the version information via LDFLAGS directly in
the Buildroot makefile, similar to containerd and other packages.

While at it, fix the formatting of the hash file for the LICENSE file
hash.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-30 09:36:00 +01:00
Pascal Vizeli
4200e8c6dc package/docker-engine: add AppArmor support
Signed-off-by: Pascal Vizeli <pvizeli@syshack.ch>
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-12-28 21:21:33 +01:00
Christian Stewart
5ebd4d9a61 package/docker-engine: bump to version 19.03.13
The Docker developers appear to no longer be tagging releases on the
docker/engine repository on GitHub, but are tagging releases on the main
moby/moby repository, which still is the true home of "dockerd."

This commit changes the upstream repo to moby/moby with no changes required.

Signed-off-by: Christian Stewart <christian@paral.in>

v1 -> v2:

 - updated hash
 - changed upstream to moby/moby

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-24 23:00:09 +02:00
Christian Stewart
f826e8817a package/docker-engine: bump to version 19.03.12
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-13 22:34:05 +02:00
Christian Stewart
cfcf745e10 package/docker-engine: drop <pkg>_SRC_SUBDIR variable
With the go.mod integration, the DOCKER_ENGINE_SRC_SUBDIR has become
useless, drop it.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:12 +02:00
Christian Stewart
edb06ecf3b package/docker-engine: define <pkg>_GOMOD variable
In preparation for the go.mod integration, define the
DOCKER_ENGINE_GOMOD variable.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Francois Perrad
0390777bfa package/docker-engine: needs some kernel options
according to https://wiki.gentoo.org/wiki/Docker#Kernel /
docker-engine/contrib/check-config.sh.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: synchronize with contrib/check-config.sh, only enforce DM options if
 device mapper driver is enabled]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 17:27:09 +02:00
Francois Perrad
4f82296536 package/docker-engine: needs more runtime dependencies
fix error:
	failed to start daemon: Devices cgroup isn't mounted

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 10:13:44 +02:00
Fabrice Fontaine
4266c9f54f package/gvfs: needs dynamic library
Since commit 35e240105f, gvfs needs
dynamic library as it uses shared_module to build libgvfs_dbus and
libgioremote_volume_monitor

Fixes:
 - http://autobuild.buildroot.org/results/89a02fda05e75bfc9bd4fa17fea3bec23fd5da3d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-15 23:33:41 +02:00
Christian Stewart
b73b3835f4 package/docker-engine: security bump to version 19.03.11
Fixes the following security issues:

- CVE-2020-13401: Disable IPv6 Router Advertisements to prevent address
  spoofing
  An attacker in a container, with the CAP_NET_RAW capability, can craft
  IPv6 router advertisements, and consequently spoof external IPv6 hosts,
  obtain sensitive information, or cause a denial of service.

In addition, 19.03.9..11 fixes a number of issues. For details, see:

https://docs.docker.com/engine/release-notes/

Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact, extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-06-07 11:12:29 +02:00
Christian Stewart
21e4b43544 package/docker-engine: bump version to 19.03.8
From the release notes:
- Improve mitigation for CVE-2019-14271 for some nscd configuration.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-12 10:42:56 +02:00
Christian Stewart
e505bc4777 package/docker-engine: bump version to 19.03.7
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-04-25 16:08:39 +02:00
Fabrice Fontaine
a93c104917 package/docker-engine: fix hash of license file
Commit 0161899ae5 forgot to update hash of
license file (update in year):
68906e6dcd

Fixes:
 - http://autobuild.buildroot.org/results/3d1ccae5f3e4eeed9a3bf2eb29fd194b868bc0a7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-01-06 23:31:39 +01:00
Christian Stewart
0161899ae5 package/docker-engine: security bump to 19.03.5
Fixes the following security vulnerabilities:

- CVE-2019-14271: In Docker 19.03.x before 19.03.1 linked against the GNU C
  Library (aka glibc), code injection can occur when the nsswitch facility
  dynamically loads a library inside a chroot that contains the contents of
  the container

Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-05 22:39:13 +01:00
Jérémy Rosen
1640fca208 package: rely on systemctl preset-all for upstream-provided services
All these packages have an upstream-provided service, but buildroot
enabled manually the services in exactly the same way as the [Install]
section.

This is not needed anymore

Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
[yann.morin.1998@free.fr: fix check-package errors]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2019-12-18 18:33:22 +01:00
Peter Korsgaard
1d1fb619f9 package/docker-engine: security bump to version 18.09.9
Fixes the following security vulnerability:

CVE-2019-13509: Docker Engine in debug mode may sometimes add secrets to the
debug log.  This applies to a scenario where docker stack deploy is run to
redeploy a stack that includes (non external) secrets.  It potentially
applies to other API users of the stack API if they resend the secret.

And a number of other non-security issues.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-09-21 15:45:39 +02:00
Peter Korsgaard
13cf6f0c0b package/docker-engine: security bump to version 18.09.7
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
vulnerable to a symlink-exchange attack with Directory Traversal, giving
attackers arbitrary read-write access to the host filesystem with root
privileges, because daemon/archive.go does not do archive operations on a
frozen filesystem (or from within a chroot).

And includes additional post-18.09.6 fixes:

Builder
- Fixed a panic error when building dockerfiles that contain only comments.
  moby/moby#38487
- Added a workaround for GCR authentication issue. moby/moby#38246
- Builder-next: Fixed a bug in the GCR token cache implementation
  workaround.  moby/moby#39183

Runtime
- Added performance optimizations in aufs and layer store that helps in
  massively parallel container creation and removal.  moby/moby#39107,
  moby/moby#39135
- daemon: fixed a mirrors validation issue. moby/moby#38991
- Docker no longer supports sorting UID and GID ranges in ID maps.
  moby/moby#39288

Logging
- Added a fix that now allows large log lines for logger plugins.
  moby/moby#39038

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-06-30 14:38:27 +02:00
Victor Huesca
69808c7536 package: remove 'v' prefix from github-fetched packages
On GitHub, a large number of projects name their tag vXYZ (i.e. v3.0,
v0.1, etc.). In some packages we do:

 <pkg>_VERSION = v0.3
 <pkg>_SITE = $(call github foo,bar,$(<pkg>_VERSION))

And in some other packages we do:

 <pkg>_VERSION = 0.3
 <pkg>_SITE = $(call github foo,bar,v$(<pkg>_VERSION))

I.e in one case we consider the version to be v0.3, in the other case
we consider 0.3 to be the version.

The problem with v0.3 is that when used in conjunction with
release-monitoring.org, it doesn't work very well, because
release-monitoring.org has the concept of "version prefix" and using
that they drop the "v" prefix for the version.

Therefore, a number of packages in Buildroot have a version that
doesn't match with release-monitoring.org because Buildroot has 'v0.3'
and release-monitoring.org has '0.3'.

Since really the version number is 0.3, it makes sense to update our
packages to drop this 'v'.

This commit only addresses the (common) case of github packages where
the prefix is simply 'v'. Other cases will be handled by separate
commits. Also, there are a few cases that couldn't be handled
mechanically that aren't covered by this commit.

Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
[Arnout: don't change flatbuffers, json-for-modern-cpp, libpagekite,
 python-scapy3k, softether]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-06-19 22:27:55 +02:00