diff --git a/.docker.metadata b/.docker.metadata
index d1cd2ac..7559a0b 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,4 +1,4 @@
-48db45ee3d9f38664cf1ae3a7a6f0ab5506793b8 SOURCES/64e9980da375aae15b467ec980bce898541fd356.tar.gz
+2cb8176bc19f75a8d9be33fa186070ed6ce8d7f6 SOURCES/0be3e217c42ecf554bf5117bec9c832bd3f3b6fd.tar.gz
 e21d6c1b9e04650915499946bb4e6a01727c7d54 SOURCES/container-storage-setup-413b408.tar.gz
 0ab6f850918d4bca8b11a06d067e37e6a146d9a0 SOURCES/containerd-9c53e35.tar.gz
 c5e6169ea101c97d94257f48fa227f5ff0501454 SOURCES/docker-lvm-plugin-20a1f68.tar.gz
diff --git a/.gitignore b/.gitignore
index 850bde3..dee31b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-SOURCES/64e9980da375aae15b467ec980bce898541fd356.tar.gz
+SOURCES/0be3e217c42ecf554bf5117bec9c832bd3f3b6fd.tar.gz
 SOURCES/container-storage-setup-413b408.tar.gz
 SOURCES/containerd-9c53e35.tar.gz
 SOURCES/docker-lvm-plugin-20a1f68.tar.gz
diff --git a/SOURCES/docker-1804024.patch b/SOURCES/docker-1804024.patch
deleted file mode 100644
index 761fc72..0000000
--- a/SOURCES/docker-1804024.patch
+++ /dev/null
@@ -1,32 +0,0 @@ -From 8a8a10b7f2864827730225328a61278183c093a5 Mon Sep 17 00:00:00 2001 -From: Valentin Rothberg -Date: Mon, 2 Mar 2020 15:45:54 +0100 -Subject: [PATCH] pull: don't continue when exceeding max size - -When hitting an error that we exceeded the maximum allowed size, do not -continue to the next pull endpoint and let the error bubble up the stack -to the client. This way, we correctly report the error and do not hide -it in the logs. - -Signed-off-by: Valentin Rothberg ---- - distribution/errors.go | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/distribution/errors.go b/distribution/errors.go -index b8cf9fb9e803..b0dccd01b079 100644 ---- a/distribution/errors.go -+++ b/distribution/errors.go -@@ -113,6 +113,12 @@ func continueOnError(err error) bool { - case ImageConfigPullError: - return false - case error: -+ if strings.Contains(err.Error(), "exceeded maximum allowed size of ") { -+ // This error comes from c/image and protects against CVE-2020-1702. -+ // We should not continue on this error and let it bubble up to the -+ // client. -+ return false -+ } - return !strings.Contains(err.Error(), strings.ToLower(syscall.ENOSPC.Error())) - } - // let's be nice and fallback if the error is a completely diff --git a/SOURCES/docker-1879425.patch b/SOURCES/docker-1879425.patch new file mode 100644 index 0000000..149cc33 --- /dev/null +++ b/SOURCES/docker-1879425.patch 
@@ -0,0 +1,63 @@
+From 0f90cc1ecb2db92e5388e07b8662b6c4a3a64f6c Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Tue, 15 Sep 2020 21:46:32 -0700
+Subject: [PATCH] runc run: fix panic on error
+
+In case (*initProcess).start did not set sentRun, and ierr is nil,
+runc run panics:
+
+```
+panic: runtime error: invalid memory address or nil pointer dereference [recovered]
+ panic: runtime error: invalid memory address or nil pointer dereference
+[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x68a117]
+
+goroutine 1 [running]:
+github.com/urfave/cli.HandleAction.func1(0xc0002277d8)
+ /home/kir/go/src/github.com/projectatomic/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x22d
+panic(0x730b60, 0xa06fc0)
+ /usr/lib/golang/src/runtime/panic.go:969 +0x166
+github.com/opencontainers/runc/libcontainer.(*genericError).Error(0x0, 0xc0002ca0e0, 0xe)
+ /home/kir/go/src/github.com/projectatomic/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/generic_error.go:93 +0x37
+github.com/opencontainers/runc/libcontainer.createSystemError(0x7fcd20, 0x0, 0x78c23e, 0xe, 0xc000098050, 0x0)
+ /home/kir/go/src/github.com/projectatomic/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/generic_error.go:78 +0x14c
+github.com/opencontainers/runc/libcontainer.newSystemErrorWithCause(...)
+ /home/kir/go/src/github.com/projectatomic/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/generic_error.go:63
+github.com/opencontainers/runc/libcontainer.(*initProcess).start(0xc000298000, 0x0, 0x0)
+ /home/kir/go/src/github.com/projectatomic/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/process_linux.go:361 +0x94b
+....
+```
+
+This is caused by the fact that `ierr` is a typed variable (rather than a
+generic `error`), and when `newSystemErrorWithCause(ierr, ...)` is called
+with a typed variable, the check `if err != nil` in `createSystemError`
+does not work, since err has a type. This Golang peculiarity is described
+in https://golang.org/doc/faq#nil_error.
+
+After this patch (tested by temporarily modifying the source to set
+`sentRun` to `false`) it no longer panics, instead we get:
+
+```
+container_linux.go:247: starting container process caused "container init failed"
+```
+
+Signed-off-by: Kir Kolyshkin
+---
+ libcontainer/process_linux.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
+index 7c92c93a..53df9fa5 100644
+--- docker-0be3e217c42ecf554bf5117bec9c832bd3f3b6fd/runc-66aedde759f33c190954815fb765eedc1d782dd9/libcontainer/process_linux.go
++++ docker-0be3e217c42ecf554bf5117bec9c832bd3f3b6fd/runc-66aedde759f33c190954815fb765eedc1d782dd9/libcontainer/process_linux.go
+@@ -364,7 +364,10 @@ loop:
+ return newSystemError(fmt.Errorf("container init exited prematurely"))
+ }
+ if !sentRun {
+- return newSystemErrorWithCause(ierr, "container init")
++ if ierr != nil {
++ return newSystemErrorWithCause(ierr, "container init")
++ }
++ return newSystemError(errors.New("container init failed"))
+ }
+ if p.config.Config.Namespaces.Contains(configs.NEWNS) && !sentResume {
+ return newSystemError(fmt.Errorf("could not synchronise after executing prestart hooks with container process"))
diff --git a/SOURCES/docker.service b/SOURCES/docker.service
index e67f0d2..d6c28fb 100644
--- a/SOURCES/docker.service
+++ b/SOURCES/docker.service
@@ -1,8 +1,9 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
-After=network.target
+After=network.target rhel-push-plugin.service registries.service
 Wants=docker-storage-setup.service
+Requires=rhel-push-plugin.service registries.service
 Requires=docker-cleanup.timer
 
 [Service]
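Review bot: The fallback `errors.New("container init failed")` on the new side says nothing about why `sentRun` was never set, so the one case this patch turns from a panic into an error is also the one that leaves no diagnostic; consider carrying the state into the message, e.g. `return newSystemError(fmt.Errorf("container init failed: no run message received from init"))`. That form would also match the two neighbouring constant-string errors, which use `fmt.Errorf`, whereas the new line introduces `errors.New` — and since the patch adds no import hunk it relies on `errors` already being imported in process_linux.go, which is worth confirming before the build does. The nil check itself is sound: `ierr` has a concrete pointer type in this scope, so `ierr != nil` is a plain pointer comparison and only the conversion to `error` inside `newSystemErrorWithCause` was subject to the typed-nil trap the message describes. The `diff --git a/libcontainer/...` header and the `---`/`+++` lines name different paths; patch(1) with `-p1` follows the latter, but `git apply` may reject the inconsistency. The enclosing loop in (*initProcess).start begins and ends outside this hunk.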
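Review bot: `Requires=rhel-push-plugin.service` makes dockerd hard-depend on the authorization plugin's service unit: with Requires= (unlike Wants=), systemd stops docker.service whenever rhel-push-plugin.service is stopped or fails, so a crash or restart of a small policy helper becomes a daemon outage. The same commit ships rhel-push-plugin.socket, so if the plugin is socket-activated, `Requires=rhel-push-plugin.socket` together with `After=rhel-push-plugin.socket` gives the same fail-closed guarantee (the socket exists before dockerd's first authorization lookup) without tying the daemon's lifetime to the helper process. As far as I recall, dockerd's authz middleware already denies every API request when a configured plugin cannot be reached, so the policy is enforced even without the hard dependency; a one-line comment in the unit stating which behaviour is intended would help the next maintainer. `registries.service` is promoted to a required, ordered dependency in the same hunk and nothing in the change says why.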
@@ -18,6 +19,7 @@ Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
 ExecStart=/usr/bin/dockerd-current \
 --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
 --default-runtime=docker-runc \
+ --authorization-plugin=rhel-push-plugin \
 --exec-opt native.cgroupdriver=systemd \
 --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
 --init-path=/usr/libexec/docker/docker-init-current \
diff --git a/SPECS/docker.spec b/SPECS/docker.spec
index 2fff8a9..4eb29f3 100644
--- a/SPECS/docker.spec
+++ b/SPECS/docker.spec
@@ -23,7 +23,7 @@
 
 # docker
 %global git_docker https://github.com/projectatomic/docker
-%global commit_docker 64e9980da375aae15b467ec980bce898541fd356
+%global commit_docker 0be3e217c42ecf554bf5117bec9c832bd3f3b6fd
 %global shortcommit_docker %(c=%{commit_docker}; echo ${c:0:7})
 # docker_branch used in %%check
 %global docker_branch %{name}-%{version}
@@ -45,9 +45,9 @@
 %global shortcommit_novolume %(c=%{commit_novolume}; echo ${c:0:7})
 
 # rhel-push-plugin
-#%global git_rhel_push https://github.com/projectatomic/rhel-push-plugin
-#%global commit_rhel_push af9107b2aedb235338e32a3c19507cad3f218b0d
-#%global shortcommit_rhel_push %(c=%{commit_rhel_push}; echo ${c:0:7})
+%global git_rhel_push https://github.com/projectatomic/rhel-push-plugin
+%global commit_rhel_push af9107b2aedb235338e32a3c19507cad3f218b0d
+%global shortcommit_rhel_push %(c=%{commit_rhel_push}; echo ${c:0:7})
 
 # docker-lvm-plugin
 %global git_lvm https://github.com/projectatomic/%{repo}-lvm-plugin
@@ -77,15 +77,15 @@
 Name: %{repo}
 Epoch: 2
 Version: 1.13.1
-Release: 162.git%{shortcommit_docker}%{?dist}
+Release: 203.git%{shortcommit_docker}%{?dist}
 Summary: Automates deployment of containerized applications
 License: ASL 2.0
 URL: https://%{import_path}
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64 %{ix86}
+ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
 Source0: %{git_docker}/archive/%{commit_docker}.tar.gz
 Source2: %{git_dss}/archive/%{commit_dss}/container-storage-setup-%{shortcommit_dss}.tar.gz
 Source4: %{git_novolume}/archive/%{commit_novolume}/%{repo}-novolume-plugin-%{shortcommit_novolume}.tar.gz
-#Source5: %{git_rhel_push}/archive/%{commit_rhel_push}/rhel-push-plugin-%{shortcommit_rhel_push}.tar.gz
+Source5: %{git_rhel_push}/archive/%{commit_rhel_push}/rhel-push-plugin-%{shortcommit_rhel_push}.tar.gz
 Source6: %{git_lvm}/archive/%{commit_lvm}/%{repo}-lvm-plugin-%{shortcommit_lvm}.tar.gz
 Source8: %{name}.service
 Source9: %{name}.sysconfig
@@ -123,17 +123,14 @@ Patch5: docker-1792243.patch
 Patch6: https://patch-diff.githubusercontent.com/raw/projectatomic/runc/pull/30.patch
 # https://patch-diff.githubusercontent.com/raw/projectatomic/docker/pull/369.patch
 Patch7: docker-CVE-2020-8945.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1734482
-# patch: https://github.com/projectatomic/docker/pull/370.patch
-#Patch8: docker-1734482.patch
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1804024
-# patch: https://patch-diff.githubusercontent.com/raw/projectatomic/docker/pull/371.patch
-Patch9: docker-1804024.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1879425
+# patch: https://github.com/projectatomic/runc/pull/33.patch
+Patch8: docker-1879425.patch
 BuildRequires: cmake
 BuildRequires: sed
 BuildRequires: git
 BuildRequires: glibc-static
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?centos}
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 %else
 BuildRequires: go-toolset-1.10
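Review bot: Patch9 (docker-1804024.patch, which made the c/image "exceeded maximum allowed size" error tied to CVE-2020-1702 propagate to the client instead of being swallowed by continueOnError) is dropped in the Patch list, but neither the spec nor the changelog says that the 0be3e21 snapshot carries that change; if it does not, the size limit itself still holds but a pull that trips it would once again silently fall through to the next endpoint. Please verify distribution/errors.go in the new tarball and record the outcome next to the Patch list, e.g. `# 1804024 (CVE-2020-1702 error propagation) is merged in docker 0be3e21`, or re-add the patch. Reusing the number Patch8 for the new runc patch, when `Patch8` was until now the commented-out 1734482 patch, is functionally fine but makes the dist-git history harder to read; keeping Patch9/`%patch9` would have avoided the rename. Dropping `%{ix86}` from ExclusiveArch is unrelated to the bug this release cites and deserves its own changelog line.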
@@ -207,7 +204,7 @@ Requires: device-mapper-libs >= 7:1.02.97 Requires: oci-umount >= 2:2.3.3-3 Requires: oci-register-machine >= 1:0-5.13 Requires: oci-systemd-hook >= 1:0.1.4-9 -#Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release} +Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release} Requires: xz Requires: atomic-registries Requires: container-selinux >= 2:2.51-1 @@ -259,16 +256,16 @@ local volumes defined. In particular, the plugin will block `docker run` with: The only thing allowed will be just bind mounts. -#%package rhel-push-plugin -#License: GPLv2 -#Summary: Avoids pushing a RHEL-based image to docker.io registry +%package rhel-push-plugin +License: GPLv2 +Summary: Avoids pushing a RHEL-based image to docker.io registry -#%description rhel-push-plugin -#In order to use this plugin you must be running at least Docker 1.10 which -#has support for authorization plugins. +%description rhel-push-plugin +In order to use this plugin you must be running at least Docker 1.10 which +has support for authorization plugins. -#This plugin avoids any RHEL based image to be pushed to the default docker.io -#registry preventing users to violate the RH subscription agreement. +This plugin avoids any RHEL based image to be pushed to the default docker.io +registry preventing users to violate the RH subscription agreement. %package lvm-plugin License: LGPLv3 @@ -293,7 +290,7 @@ tar zxf %{SOURCE2} tar zxf %{SOURCE4} # untar rhel-push-plugin -#tar zxf %{SOURCE5} +tar zxf %{SOURCE5} # untar lvm-plugin tar zxf %{SOURCE6} @@ -343,9 +340,8 @@ cd - %patch6 -p1 %patch7 -p1 -# https://bugzilla.redhat.com/show_bug.cgi?id=1734482 -#%patch8 -p1 -%patch9 -p1 +# https://bugzilla.redhat.com/show_bug.cgi?id=1879425 +%patch8 -p1 %build # compile docker-proxy first - otherwise deps in gopath conflict with the others below and this fails. Remove libnetwork libs then. 
@@ -367,7 +363,7 @@ pushd _build mkdir -p src/%{provider}.%{provider_tld}/{%{name},projectatomic} ln -s $(dirs +1 -l) src/%{import_path} ln -s $(dirs +1 -l)/%{repo}-novolume-plugin-%{commit_novolume} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin -# ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin + ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin ln -s $(dirs +1 -l)/%{repo}-lvm-plugin-%{commit_lvm} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin popd @@ -376,10 +372,10 @@ pushd $(pwd)/_build/src %gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin popd -#export GOPATH=$(pwd)/rhel-push-plugin-%{commit_rhel_push}/Godeps/_workspace:$(pwd)/_build -#pushd $(pwd)/_build/src -#%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin -#popd +export GOPATH=$(pwd)/rhel-push-plugin-%{commit_rhel_push}/Godeps/_workspace:$(pwd)/_build +pushd $(pwd)/_build/src +%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin +popd export GOPATH=$(pwd)/%{repo}-lvm-plugin-%{commit_lvm}/Godeps/_workspace:$(pwd)/_build pushd $(pwd)/_build/src @@ -402,7 +398,7 @@ export GOPATH=$(pwd)/_build:$(pwd)/vendor # build %%{name} manpages man/md2man-all.sh go-md2man -in %{repo}-novolume-plugin-%{commit_novolume}/man/%{repo}-novolume-plugin.8.md -out %{repo}-novolume-plugin.8 -#go-md2man -in rhel-push-plugin-%{commit_rhel_push}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8 +go-md2man -in rhel-push-plugin-%{commit_rhel_push}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8 go-md2man -in %{repo}-lvm-plugin-%{commit_lvm}/man/%{repo}-lvm-plugin.8.md -out %{repo}-lvm-plugin.8 # build %%{name} binary 
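Review bot: The re-enabled `ln -s` for rhel-push-plugin keeps the space that followed the `#` while it was commented out, so it is now the only indented line in that run; trim it to `ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin`. The build also puts the plugin's own `Godeps/_workspace` first on GOPATH, so the authorization plugin — which sits in the path of every docker API request once `--authorization-plugin` is on — is linked against whatever was vendored at af9107b rather than the daemon's vendor tree; a comment next to the `export GOPATH` line saying those vendored copies are intentionally frozen would make clear that fixes shipped with the docker snapshot are not expected to reach the plugin. The surrounding %build section continues outside this hunk.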
@@ -567,12 +563,12 @@ install -d %{buildroot}%{_mandir}/man8 install -p -m 644 %{repo}-novolume-plugin.8 %{buildroot}%{_mandir}/man8 # install rhel-push-plugin executable, unitfile, socket and man -#install -d %{buildroot}%{_libexecdir}/%{repo} -#install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin -#install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service -#install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket -#install -d %{buildroot}%{_mandir}/man8 -#install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8 +install -d %{buildroot}%{_libexecdir}/%{repo} +install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin +install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service +install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket +install -d %{buildroot}%{_mandir}/man8 +install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8 # install %%{repo}-lvm-plugin executable, unitfile, socket and man install -d %{buildroot}/%{_libexecdir}/%{repo} @@ -652,14 +648,14 @@ exit 0 %postun novolume-plugin %systemd_postun_with_restart %{name}-novolume-plugin.service -#%post rhel-push-plugin -#%systemd_post rhel-push-plugin.service +%post rhel-push-plugin +%systemd_post rhel-push-plugin.service -#%preun rhel-push-plugin -#%systemd_preun rhel-push-plugin.service +%preun rhel-push-plugin +%systemd_preun rhel-push-plugin.service -#%postun rhel-push-plugin -#%systemd_postun_with_restart rhel-push-plugin.service +%postun rhel-push-plugin +%systemd_postun_with_restart rhel-push-plugin.service %posttrans # Install a default docker-storage-setup based on kernel version. 
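Review bot: The scriptlets only run `%systemd_post`/`%systemd_preun`/`%systemd_postun_with_restart` for rhel-push-plugin.service, yet the same commit installs rhel-push-plugin.socket into %{_unitdir} and packages it through `%{_unitdir}/rhel-push-plugin.*`, so the socket unit is never preset on install or disabled on removal. If the plugin is meant to be socket-activated, add `%systemd_post rhel-push-plugin.socket` with the matching preun/postun lines so the socket exists before dockerd's first authorization lookup; if the service pulls the socket in itself, a comment saying so beside the scriptlets would settle it. I have not seen the plugin's unit files, so treat this as something to confirm rather than a known defect.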
@@ -755,12 +751,12 @@ fi %{_libexecdir}/%{repo}/%{repo}-novolume-plugin %{_unitdir}/%{repo}-novolume-plugin.* -#%files rhel-push-plugin -#%license rhel-push-plugin-%{commit_rhel_push}/LICENSE -#%doc rhel-push-plugin-%{commit_rhel_push}/README.md -#%{_mandir}/man8/rhel-push-plugin.8.gz -#%{_libexecdir}/%{repo}/rhel-push-plugin -#%{_unitdir}/rhel-push-plugin.* +%files rhel-push-plugin +%license rhel-push-plugin-%{commit_rhel_push}/LICENSE +%doc rhel-push-plugin-%{commit_rhel_push}/README.md +%{_mandir}/man8/rhel-push-plugin.8.gz +%{_libexecdir}/%{repo}/rhel-push-plugin +%{_unitdir}/rhel-push-plugin.* %files lvm-plugin %license %{repo}-lvm-plugin-%{commit_lvm}/LICENSE @@ -776,9 +772,26 @@ fi %{_bindir}/%{name}-v1.10-migrator-* %changelog -* Mon Jun 22 2020 Jindrich Novy - 2:1.13.1-162.git64e9980 +* Tue Oct 27 2020 Jindrich Novy - 2:1.13.1-203.git0be3e21 +- do not enable CollectMode support yet because it is not still present in + 7.6-ALT +- Related: #1766665 + +* Tue Sep 29 2020 Jindrich Novy - 2:1.13.1-202.git0be3e21 +- fix "runc run: fix panic on failed init start" +- Resolves: #1879425 + +* Tue Sep 22 2020 Jindrich Novy - 2:1.13.1-201.git0be3e21 +- fix "Race condition in kubelet cgroup destroy process" +- Resolves: #1766665 + +* Mon Jun 22 2020 Jindrich Novy - 2:1.13.1-200.git0be3e21 - rebuilt +* Wed Jun 10 2020 Jindrich Novy - 2:1.13.1-162.git0be3e21 +- update docker to 0be3e21: fixes "dockerd leaks SELinux MCS labels" +- Resolves: #1734482 + * Tue Mar 03 2020 Jindrich Novy - 2:1.13.1-161.git64e9980 - make failure message for CVE-2020-1702 more obvious (#1804024) - drop patch for #1734482 as it breaks compilation