Package: docker.io / 18.09.1+dfsg1-7.1

Metadata

Package: docker.io
Version: 18.09.1+dfsg1-7.1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
debian systemd unit tasksmax.patch | (download)

engine/contrib/init/systemd/docker.service | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] docker.service: don't limit tasks
debian systemd unit environment file.patch | (download)

engine/contrib/init/systemd/docker.service | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 use environmentfile with the systemd unit file.
Bug-Debian: http://bugs.debian.org/746774
debian containerd name.patch | (download)

containerd/cmd/containerd-shim/main_unix.go | 2 1 + 1 - 0 !
containerd/runtime/v1/linux/runtime.go | 2 1 + 1 - 0 !
containerd/runtime/v2/shim/util.go | 2 1 + 1 - 0 !
engine/daemon/daemon.go | 2 1 + 1 - 0 !
engine/daemon/daemon_unix.go | 2 1 + 1 - 0 !
engine/hack/make/.binary-setup | 4 2 + 2 - 0 !
engine/libcontainerd/supervisor/remote_daemon.go | 2 1 + 1 - 0 !
7 files changed, 8 insertions(+), 8 deletions(-)

 "fix" containerd executable name.


debian dockerd binary location.patch | (download)

engine/contrib/init/systemd/docker.service | 2 1 + 1 - 0 !
engine/contrib/init/sysvinit-debian/docker | 2 1 + 1 - 0 !
engine/contrib/init/upstart/docker.conf | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 fhs compliance.


debian cgroupfs mount convenience copy.patch | (download)

engine/contrib/init/sysvinit-debian/docker | 25 0 + 25 - 0 !
engine/contrib/init/upstart/docker.conf | 23 0 + 23 - 0 !
2 files changed, 48 deletions(-)

 remove convenience copies of cgroupfs-mount in init.d / upstart
debian nuke no prompt.patch | (download)

engine/contrib/nuke-graph-directory.sh | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 remove prompt and delay


buildkit build against google grpc 1.11.patch | (download)

cli/vendor/github.com/moby/buildkit/client/buildid/metadata.go | 4 3 + 1 - 0 !
engine/vendor/github.com/moby/buildkit/client/buildid/metadata.go | 4 3 + 1 - 0 !
2 files changed, 6 insertions(+), 2 deletions(-)

 build against google-grpc 1.11, where md.get() does not exist.

This patch is based on the commit that introduced md.Get() in google-grpc:
<https://github.com/grpc/grpc-go/commit/291de7f0>.

Please drop this patch as soon as we build docker against google-grpc >= 1.12.

cli fix manpages build script.patch | (download)

cli/scripts/docs/generate-man.sh | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix man pages build
cli fix registry debug message go 1.11.patch | (download)

cli/cli/registry/client/fetcher.go | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] cli/registry: fix a debugf statement

Fix this warning from go-1.11

> cli/registry/client/fetcher.go:234: Debugf format %s has arg
> repoEndpoint of wrong type client.repositoryEndpoint

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
cve 2018 15664 01 pass root to chroot to for chroot untar.patch | (download)

engine/daemon/archive.go | 7 4 + 3 - 0 !
engine/pkg/chrootarchive/archive.go | 24 20 + 4 - 0 !
engine/pkg/chrootarchive/archive_unix.go | 34 30 + 4 - 0 !
engine/pkg/chrootarchive/archive_windows.go | 2 1 + 1 - 0 !
4 files changed, 55 insertions(+), 12 deletions(-)

 [patch] pass root to chroot to for chroot untar

This is useful for preventing CVE-2018-15664 where a malicious container
process can take advantage of a race on symlink resolution/sanitization.

Before this change chrootarchive would chroot to the destination
directory which is attacker controlled. With this patch we always chroot
to the container's root which is not attacker controlled.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
cve 2018 15664 02 add chroot for tar packing operations.patch | (download)

engine/daemon/archive.go | 8 4 + 4 - 0 !
engine/daemon/export.go | 2 1 + 1 - 0 !
engine/pkg/chrootarchive/archive.go | 8 8 + 0 - 0 !
engine/pkg/chrootarchive/archive_unix.go | 98 96 + 2 - 0 !
engine/pkg/chrootarchive/archive_windows.go | 7 7 + 0 - 0 !
engine/pkg/chrootarchive/init_unix.go | 1 1 + 0 - 0 !
6 files changed, 117 insertions(+), 7 deletions(-)

 [patch] add chroot for tar packing operations

Previously only unpack operations were supported with chroot.
This adds chroot support for packing operations.
This prevents potential breakouts when copying data from a container.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
engine contrib debootstrap curl follow location.patch | (download)

engine/contrib/mkimage/debootstrap | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 mkimage: fix debian security presence check

Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable.

Signed-off-by: Mattias Jernberg <nostrad@gmail.com>
engine test noinstall.patch | (download)

engine/hack/test/unit | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 prevents test-time installation that causes ftbfs.
~~~~
 go test net: open /usr/lib/go-1.10/pkg/linux_amd64/net.a: permission denied
~~~~


go metrics_prometheus fix_Observer.patch | (download)

go-metrics/timer.go | 11 8 + 3 - 0 !
1 file changed, 8 insertions(+), 3 deletions(-)

 fixes ftbfs
 vendor/github.com/docker/go-metrics/timer.go:39:17:
 cannot use lt.m.WithLabelValues(labels...) (type prometheus.Observer) as type prometheus.Histogram in field value:
        prometheus.Observer does not implement prometheus.Histogram (missing Collect method)


libnetwork_proto.patch | (download)

libnetwork/agent.go | 2 1 + 1 - 0 !
libnetwork/drivers/overlay/overlay.go | 2 1 + 1 - 0 !
libnetwork/networkdb/networkdb.go | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 fix generation of .pb.go files.


libnetwork revert iptables legacy.patch | (download)

libnetwork/iptables/iptables.go | 9 2 + 7 - 0 !
1 file changed, 2 insertions(+), 7 deletions(-)

 [patch] revert "debian has iptables-legacy and iptables-nft now"

This reverts commit 7da66eea9f68e4abc83ed2892114ec565eddd66a.

Libnetwork should only use the iptables binary. Iptables v1.8 and above
uses the nftables backend. The translations for all the rules used by
libnetwork are supported by the new iptables binary.

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
mips add specific signal file.patch | (download)

engine/pkg/signal/signal_linux.go | 2 2 + 0 - 0 !
engine/pkg/signal/signal_linux_mipsx.go | 84 84 + 0 - 0 !
2 files changed, 86 insertions(+)

 [patch] sigsktflt does not exist on mips, instead sigemt does.

SIGRTMAX is also 127 on MIPS.

This patch is merged upstream on master, please drop it when necessary.

Signed-off-by: Kasper Fabæch Brandt <poizan@poizan.dk>
mips fix devnumber.patch | (download)

engine/pkg/system/stat_linux.go | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix ftbfs on mips
~~~~
github.com/docker/docker/pkg/system/stat_linux.go:13:7: cannot use s.Rdev (type uint32) as type uint64 in field value
~~~~


netlink_syscall.patch | (download)

libnetwork/drivers/overlay/ov_network.go | 3 2 + 1 - 0 !
libnetwork/ipvs/ipvs.go | 5 3 + 2 - 0 !
2 files changed, 5 insertions(+), 3 deletions(-)

 fixes ftbfs
 cannot use &tv (type *syscall.Timeval) as type *unix.Timeval


test disable containerizedengine update test.patch | (download)

cli/internal/containerizedengine/update_test.go | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 disable containerizedengine/update_test.go

This test FTBFS, see <https://github.com/docker/cli/pull/1561>.
Please re-enable this test when this MR is accepted.

test fix test errors.patch | (download)

engine/pkg/authorization/authz_unix_test.go | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 update several tests for text/path errors
test skip TestAdapterReadLogs.patch | (download)

engine/daemon/logger/adapter_test.go | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 disable unreliable test, failing randomly on multiple architectures.
~~~~
 FAIL: TestAdapterReadLogs (0.00s)
 panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
 [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x83273c5]

 goroutine 7 [running]:
 testing.tRunner.func1(0x1a686ab0)
    /usr/lib/go-1.10/src/testing/testing.go:742 +0x24a
 panic(0x8393cc0, 0x85d1e78)
    /usr/lib/go-1.10/src/runtime/panic.go:502 +0x1dc
 github.com/docker/docker/daemon/logger.testMessageEqual(0x1a686ab0, 0x1a65cc7c, 0x0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:178 +0x35
 github.com/docker/docker/daemon/logger.TestAdapterReadLogs(0x1a686ab0)
    /var/lib/gitlab-runner/builds/736b76b0/1/docker-team/docker/.gopath/src/github.com/docker/docker/daemon/logger/adapter_test.go:131 +0x710
 testing.tRunner(0x1a686ab0, 0x83fa01c)
    /usr/lib/go-1.10/src/testing/testing.go:777 +0xaa
 created by testing.(*T).Run
    /usr/lib/go-1.10/src/testing/testing.go:824 +0x243
 FAIL  github.com/docker/docker/daemon/logger  0.012s
~~~~


test skip TestChangesWithChangesGH13590.patch | (download)

engine/pkg/archive/changes_test.go | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 disable test, does not appear to work under pbuilder.


test skip TestClientWithRequestTimeout.patch | (download)

engine/pkg/plugins/client_test.go | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 skip testclientwithrequesttimeout

This test seems to be flaky. Please follow-up upstream for more details:
<https://github.com/moby/moby/issues/38587>

test skip TestGetRootUIDGID.patch | (download)

engine/pkg/idtools/idtools_unix_test.go | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 disable test failing in sbuild.
~~~~
 FAIL: TestGetRootUIDGID (0.00s)
 idtools_unix_test.go:287:
    Error Trace: idtools_unix_test.go:287
    Error:       Not equal:
                 expected: 1009
                 actual  : 2952
    Test:        TestGetRootUIDGID
~~~~


test skip TestStateRunStop.patch | (download)

engine/container/state_test.go | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 disabled unreliable test.
~~~~
 state_test.go:102: ExitCode -1, expected 2, err "context deadline exceeded"
~~~~


test skip network tests.patch | (download)

cli/cli/command/image/push_test.go | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 disable failing test due to dependency on network.


test skip privileged unit tests.patch | (download)

cli/cli/command/image/build_test.go | 2 2 + 0 - 0 !
engine/builder/dockerfile/internals_test.go | 4 4 + 0 - 0 !
engine/daemon/graphdriver/aufs/aufs_test.go | 1 1 + 0 - 0 !
engine/daemon/graphdriver/overlay/overlay_test.go | 5 5 + 0 - 0 !
engine/daemon/graphdriver/overlay2/overlay_test.go | 5 5 + 0 - 0 !
engine/daemon/oci_linux_test.go | 1 1 + 0 - 0 !
engine/layer/mount_test.go | 2 2 + 0 - 0 !
engine/pkg/archive/archive_linux_test.go | 2 2 + 0 - 0 !
engine/pkg/archive/archive_test.go | 6 6 + 0 - 0 !
engine/pkg/mount/mount_unix_test.go | 3 3 + 0 - 0 !
engine/pkg/mount/sharedsubtree_linux_test.go | 4 4 + 0 - 0 !
engine/volume/local/local_test.go | 4 4 + 0 - 0 !
12 files changed, 39 insertions(+)

 allow skipping "privileged" tests with "-test.short"