diff --git a/VERSION-openeuler b/VERSION-openeuler index 32c6fec7deac0da31793a3c2567e147d4b5a6d4e..9ce0e89343f61c51dbfe23e1fbab6ac93caa8bf9 100644 --- a/VERSION-openeuler +++ b/VERSION-openeuler @@ -1 +1 @@ -18.09.0.100 +18.09.0.102 diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec index affba47df873d740459f328c25492f6254014155..5e5cf893b01cc6bcb7742899a3eed472ce622151 100644 --- a/docker-engine-openeuler.spec +++ b/docker-engine-openeuler.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 101 +Release: 102 Summary: The open-source application container engine Group: Tools/Docker @@ -200,3 +200,23 @@ fi %endif %changelog +* Sat Dec 28 2020 liuzekun - 18.09.0-102 +- Type:bugfix +- ID:NA +- CVE:NA +- SUG:restart +- DESC: +1.delete stale containerd object on start failure +2.remove redundant word item +3.delete event is not need to process +4.stat process exit file when kill process dire +5.sync cli vendor +6.fix CVE-2020-13401 +7.do not add w to LDFLAGS +8.add files in proc for mask +9.fix docker load files leak +10.do not sync if BYPAAS_SYNC is false +11.fix panic on single character volumes +12.fix stats memory usage display error +13.add more messages for ops when device not found +14.mask proc pin_memory diff --git a/patch/0161-docker-Delete-stale-containerd-object-on-start-failure.patch b/patch/0161-docker-Delete-stale-containerd-object-on-start-failure.patch new file mode 100644 index 0000000000000000000000000000000000000000..8d8c1cc41ccab9063ab2bece9b65e8f1d17356b5 --- /dev/null +++ b/patch/0161-docker-Delete-stale-containerd-object-on-start-failure.patch @@ -0,0 +1,54 @@ +From 5ba30cd1dc6000ee53b34f628cbff91d7f6d7231 Mon Sep 17 00:00:00 2001 +From: Brian Goff +Date: Wed, 12 Dec 2018 12:04:09 -0800 +Subject: [PATCH] Delete stale containerd object on start failure + +containerd has two objects with regard to containers. +There is a "container" object which is metadata and a "task" which is +manging the actual runtime state. + +When docker starts a container, it creartes both the container metadata +and the task at the same time. So when a container exits, docker deletes +both of these objects as well. + +This ensures that if, on start, when we go to create the container metadata object +in containerd, if there is an error due to a name conflict that we go +ahead and clean that up and try again. + +Signed-off-by: Brian Goff +--- + components/engine/daemon/start.go | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go +index 393e00b..57a7267 100644 +--- a/components/engine/daemon/start.go ++++ b/components/engine/daemon/start.go +@@ -177,9 +177,22 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint + return err + } + +- err = daemon.containerd.Create(context.Background(), container.ID, spec, createOptions) ++ ctx := context.TODO() ++ ++ err = daemon.containerd.Create(ctx, container.ID, spec, createOptions) + if err != nil { +- return translateContainerdStartErr(container.Path, container.SetExitCode, err) ++ if errdefs.IsConflict(err) { ++ logrus.WithError(err).WithField("container", container.ID).Error("Container not cleaned up from containerd from previous run") ++ // best effort to clean up old container object ++ daemon.containerd.DeleteTask(ctx, container.ID) ++ if err := daemon.containerd.Delete(ctx, container.ID); err != nil && !errdefs.IsNotFound(err) { ++ logrus.WithError(err).WithField("container", container.ID).Error("Error cleaning up stale containerd container object") ++ } ++ err = daemon.containerd.Create(ctx, container.ID, spec, createOptions) ++ } ++ if err != nil { ++ return translateContainerdStartErr(container.Path, container.SetExitCode, err) ++ } + } + + // TODO(mlaventure): we need to specify checkpoint options here +-- +1.8.3.1 + diff --git a/patch/0162-docker-remove-redundant-word-item.patch b/patch/0162-docker-remove-redundant-word-item.patch new file mode 100644 index 0000000000000000000000000000000000000000..69de191dff366fbeb11d26142156d96f1ba62be7 --- /dev/null +++ b/patch/0162-docker-remove-redundant-word-item.patch @@ -0,0 +1,25 @@ +From 92266f008637a02ebffa2aa2704a09701b07a405 Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Mon, 27 Apr 2020 09:43:21 +0800 +Subject: [PATCH] docker: remove redundant word item + +Signed-off-by: liuzekun +--- + components/cli/vendor/github.com/asaskevich/govalidator/types.go | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/components/cli/vendor/github.com/asaskevich/govalidator/types.go b/components/cli/vendor/github.com/asaskevich/govalidator/types.go +index 4f7e9274..78be68c6 100644 +--- a/components/cli/vendor/github.com/asaskevich/govalidator/types.go ++++ b/components/cli/vendor/github.com/asaskevich/govalidator/types.go +@@ -370,7 +370,6 @@ var ISO3166List = []ISO3166Entry{ + {"Spain", "Espagne (l')", "ES", "ESP", "724"}, + {"South Sudan", "Soudan du Sud (le)", "SS", "SSD", "728"}, + {"Sudan (the)", "Soudan (le)", "SD", "SDN", "729"}, +- {"Western Sahara*", "Sahara occidental (le)*", "EH", "ESH", "732"}, + {"Suriname", "Suriname (le)", "SR", "SUR", "740"}, + {"Svalbard and Jan Mayen", "Svalbard et l'Île Jan Mayen (le)", "SJ", "SJM", "744"}, + {"Swaziland", "Swaziland (le)", "SZ", "SWZ", "748"}, +-- +2.19.1 + diff --git a/patch/0163-docker-delete-event-is-not-need-to-process.patch b/patch/0163-docker-delete-event-is-not-need-to-process.patch new file mode 100644 index 0000000000000000000000000000000000000000..fef6e369bbfd38c971496aeb994280368c601dd4 --- /dev/null +++ b/patch/0163-docker-delete-event-is-not-need-to-process.patch @@ -0,0 +1,27 @@ +From 0fe29ca9d45ddcb36f009a8da5f858f49a8e2844 Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Wed, 8 Apr 2020 17:32:03 +0800 +Subject: [PATCH] docker: delete event is not need to access processEvent + +reason: delete event is not need to access processEvent, continue it + +Signed-off-by: liuzekun +--- + components/engine/libcontainerd/client_daemon.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/components/engine/libcontainerd/client_daemon.go b/components/engine/libcontainerd/client_daemon.go +index 858d6429..05c439c5 100755 +--- a/components/engine/libcontainerd/client_daemon.go ++++ b/components/engine/libcontainerd/client_daemon.go +@@ -895,6 +895,7 @@ func (c *client) processEventStream(ctx context.Context, ns string) { + "ExitStatus": t.ExitStatus, + "ExitedAt": t.ExitedAt, + }).Infof("event") ++ continue + default: + c.logger.WithFields(logrus.Fields{ + "topic": ev.Topic, +-- +2.19.1 + diff --git a/patch/0164-docker-stat-process-exit-file-when-kill-process-dire.patch b/patch/0164-docker-stat-process-exit-file-when-kill-process-dire.patch new file mode 100644 index 0000000000000000000000000000000000000000..4fbb7de09a189176b829d21c1910a9227ca37ce7 --- /dev/null +++ b/patch/0164-docker-stat-process-exit-file-when-kill-process-dire.patch @@ -0,0 +1,36 @@ +From 3f285224ade14c9d64dfc81cf9b5d969343a641e Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Wed, 8 Apr 2020 19:49:38 +0800 +Subject: [PATCH] docker: stat process exit file when kill process directly + +reason: stat process exit file when kill process directly + +Signed-off-by: liuzekun +--- + components/engine/daemon/container_operations_unix.go | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go +index 2cc2b2e3..df2f3261 100644 +--- a/components/engine/daemon/container_operations_unix.go ++++ b/components/engine/daemon/container_operations_unix.go +@@ -346,6 +346,16 @@ func killProcessDirectly(cntr *container.Container) error { + // Ensure that we don't kill ourselves + if pid := cntr.GetPID(); pid != 0 { + logrus.Infof("Container %s failed to exit within 10 seconds of kill - trying direct SIGKILL", stringid.TruncateID(cntr.ID)) ++ pattern := fmt.Sprintf("/var/run/docker/containerd/exit/moby/%s.%d.*", cntr.ID, pid) ++ efiles, err := filepath.Glob(pattern) ++ if err != nil { ++ logrus.Warnf("Match exit file with pattern %q failed: %s", pattern, err.Error()) ++ } ++ if len(efiles) != 0 { ++ logrus.Infof("Find process exit files with pattern %q: %+v, skip force kill because the process is exit already", pattern, efiles) ++ return errNoSuchProcess{pid, 9} ++ } ++ + if err := unix.Kill(pid, 9); err != nil { + if err != unix.ESRCH { + return err +-- +2.19.1 + diff --git a/patch/0165-docker-sync-cli-vendor.patch b/patch/0165-docker-sync-cli-vendor.patch new file mode 100644 index 0000000000000000000000000000000000000000..cfdcee2edeafa742ccf7a9000bf4a78844b2f54c --- /dev/null +++ b/patch/0165-docker-sync-cli-vendor.patch @@ -0,0 +1,38 @@ +From c4ead7f7e914244e43eab849cf68c34c3460b41c Mon Sep 17 00:00:00 2001 +From: jingrui +Date: Thu, 14 May 2020 22:57:37 +0800 +Subject: [PATCH] docker: sync cli vendor + +Change-Id: I9dbfd3e2c918d47806abdcdc27bf709c0e297780 +Signed-off-by: jingrui +--- + .../docker/docker/builder/remotecontext/git/gitutils.go | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/components/cli/vendor/github.com/docker/docker/builder/remotecontext/git/gitutils.go b/components/cli/vendor/github.com/docker/docker/builder/remotecontext/git/gitutils.go +index 77a45beff3..a9079153e0 100644 +--- a/components/cli/vendor/github.com/docker/docker/builder/remotecontext/git/gitutils.go ++++ b/components/cli/vendor/github.com/docker/docker/builder/remotecontext/git/gitutils.go +@@ -102,6 +102,10 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) { + u.Fragment = "" + repo.remote = u.String() + } ++ ++ if strings.HasPrefix(repo.ref, "-") { ++ return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref) ++ } + return repo, nil + } + +@@ -124,7 +128,7 @@ func fetchArgs(remoteURL string, ref string) []string { + args = append(args, "--depth", "1") + } + +- return append(args, "origin", ref) ++ return append(args, "origin", "--", ref) + } + + // Check if a given git URL supports a shallow git clone, +-- +2.17.1 + diff --git a/patch/0167-docker-fix-CVE-2020-13401.patch b/patch/0167-docker-fix-CVE-2020-13401.patch new file mode 100644 index 0000000000000000000000000000000000000000..b3bd2b3180cc7318ada603cf0ea25ecc54867653 --- /dev/null +++ b/patch/0167-docker-fix-CVE-2020-13401.patch @@ -0,0 +1,69 @@ +From 727ce265564d1dc3031221a84f95abad20a20f11 Mon Sep 17 00:00:00 2001 +From: jingrui +Date: Thu, 11 Jun 2020 21:55:49 +0800 +Subject: [PATCH] docker: fix CVE-2020-13401 + +Change-Id: I267bde21d88927a0beb7599651b856a2dd1371d3 +Signed-off-by: jingrui +--- + .../libnetwork/drivers/bridge/bridge.go | 6 ++++++ + .../libnetwork/drivers/bridge/setup_device.go | 19 +++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go +index 535da3c1ad..3288ff8652 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go +@@ -679,6 +679,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) { + bridgeAlreadyExists := bridgeIface.exists() + if !bridgeAlreadyExists { + bridgeSetup.queueStep(setupDevice) ++ bridgeSetup.queueStep(setupDefaultSysctl) ++ } ++ ++ // For the default bridge, set expected sysctls ++ if config.DefaultBridge { ++ bridgeSetup.queueStep(setupDefaultSysctl) + } + + // Even if a bridge exists try to setup IPv4. +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go +index a9dfd06771..9822236dfd 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/bridge/setup_device.go +@@ -2,6 +2,9 @@ package bridge + + import ( + "fmt" ++ "io/ioutil" ++ "os" ++ "path/filepath" + + "github.com/docker/docker/pkg/parsers/kernel" + "github.com/docker/libnetwork/netutils" +@@ -50,6 +53,22 @@ func setupDevice(config *networkConfiguration, i *bridgeInterface) error { + return err + } + ++func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error { ++ // Disable IPv6 router advertisements originating on the bridge ++ sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra") ++ if _, err := os.Stat(sysPath); err != nil { ++ logrus. ++ WithField("bridge", config.BridgeName). ++ WithField("syspath", sysPath). ++ Info("failed to read ipv6 net.ipv6.conf..accept_ra") ++ return nil ++ } ++ if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil { ++ return fmt.Errorf("libnetwork: Unable to disable IPv6 router advertisement: %v", err) ++ } ++ return nil ++} ++ + // SetupDeviceUp ups the given bridge interface. + func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error { + err := i.nlh.LinkSetUp(i.Link) +-- +2.17.1 + diff --git a/patch/0168-docker-do-not-add-w-to-LDFLAGS.patch b/patch/0168-docker-do-not-add-w-to-LDFLAGS.patch new file mode 100644 index 0000000000000000000000000000000000000000..5486839e9a6efc6789cf59502072a03d30305baa --- /dev/null +++ b/patch/0168-docker-do-not-add-w-to-LDFLAGS.patch @@ -0,0 +1,79 @@ +From b23e7a179e68f194516b542bea375c44122e1037 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Tue, 11 Aug 2020 08:00:12 +0800 +Subject: [PATCH] docker: do not add "-w" to LDFLAG + +reason: for gdb debug, do not add "-w" to LDFLAGS + +Signed-off-by: xiadanni1 +--- + components/cli/scripts/build/.variables | 1 - + components/cli/scripts/build/dynbinary | 5 ++++- + components/engine/hack/make.sh | 5 ----- + components/engine/hack/make/.binary | 5 ++++- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/components/cli/scripts/build/.variables b/components/cli/scripts/build/.variables +index a23e379..7b78e62 100755 +--- a/components/cli/scripts/build/.variables ++++ b/components/cli/scripts/build/.variables +@@ -13,7 +13,6 @@ if test -n "${PLATFORM}"; then + fi + + export LDFLAGS="\ +- -w \ + ${PLATFORM_LDFLAGS} \ + -X \"github.com/docker/cli/cli.GitCommit=${GITCOMMIT}\" \ + -X \"github.com/docker/cli/cli.BuildTime=${BUILDTIME}\" \ +diff --git a/components/cli/scripts/build/dynbinary b/components/cli/scripts/build/dynbinary +index 2442166..40941bb 100755 +--- a/components/cli/scripts/build/dynbinary ++++ b/components/cli/scripts/build/dynbinary +@@ -13,7 +13,10 @@ export CGO_ENABLED=1 + BEP_DIR=/tmp/docker-build-bep + BEP_FLAGS="-tmpdir=$BEP_DIR" + mkdir -p $BEP_DIR ++GC_FLAGS="-gcflags=-trimpath=$GOPATH" ++ASM_FLAGS="-asmflags=-trimpath=$GOPATH" + +-go build -o "${TARGET}" -tags pkcs11 --ldflags " -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $BEP_FLAGS ${LDFLAGS}" -buildmode=pie "${SOURCE}" ++set -x ++go build $GC_FLAGS $ASM_FLAGS -o "${TARGET}" -tags pkcs11 --ldflags " -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $BEP_FLAGS ${LDFLAGS}" -buildmode=pie "${SOURCE}" + + ln -sf "$(basename "${TARGET}")" build/docker +diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh +index f4a51e7..d24a7b7 100755 +--- a/components/engine/hack/make.sh ++++ b/components/engine/hack/make.sh +@@ -137,12 +137,7 @@ if \ + fi + + # Use these flags when compiling the tests and final binary +- + IAMSTATIC='true' +-if [ -z "$DOCKER_DEBUG" ]; then +- LDFLAGS='-w' +-fi +- + LDFLAGS_STATIC='' + EXTLDFLAGS_STATIC='-static' + # ORIG_BUILDFLAGS is necessary for the cross target which cannot always build +diff --git a/components/engine/hack/make/.binary b/components/engine/hack/make/.binary +index f76b6f7..35bb836 100755 +--- a/components/engine/hack/make/.binary ++++ b/components/engine/hack/make/.binary +@@ -63,7 +63,10 @@ echo "Building: $DEST/$BINARY_FULLNAME" + BEP_DIR=/tmp/dockerd-build-bep + BEP_FLAGS="-tmpdir=$BEP_DIR" + mkdir -p $BEP_DIR +-go build \ ++GC_FLAGS="-gcflags=-trimpath=$GOPATH" ++ASM_FLAGS="-asmflags=-trimpath=$GOPATH" ++set -x ++go build $GC_FLAGS $ASM_FLAGS \ + -o "$DEST/$BINARY_FULLNAME" \ + "${BUILDFLAGS[@]}" \ + -ldflags " +-- +1.8.3.1 + diff --git a/patch/0169-docker-add-files-in-proc-for-mask.patch b/patch/0169-docker-add-files-in-proc-for-mask.patch new file mode 100644 index 0000000000000000000000000000000000000000..18d6522e8a2d4f3edaef1603e19efece401b0e60 --- /dev/null +++ b/patch/0169-docker-add-files-in-proc-for-mask.patch @@ -0,0 +1,42 @@ +From c9db33aaad779afff04db8beb5b6d7e7e512a66d Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Mon, 24 Aug 2020 09:42:21 -0400 +Subject: [PATCH] docker: add files in proc for mask + +Signed-off-by: liuzekun +--- + components/engine/oci/defaults.go | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go +index cd4985f5..ec748a6d 100644 +--- a/components/engine/oci/defaults.go ++++ b/components/engine/oci/defaults.go +@@ -65,7 +65,7 @@ func DefaultLinuxSpec() specs.Spec { + Effective: defaultCapabilities(), + }, + }, +- Root: &specs.Root{}, ++ Root: &specs.Root{}, + Hooks: &specs.Hooks{}, + } + s.Mounts = []specs.Mount{ +@@ -128,9 +128,15 @@ func DefaultLinuxSpec() specs.Spec { + "/proc/keys", + "/proc/latency_stats", + "/proc/livepatch", ++ "/proc/lru_info", ++ "/proc/lru_info_file", + "/proc/memstat", + "/proc/net_namespace", + "/proc/oom_extend", ++ "/proc/pagealloc_statistics", ++ "/proc/pagealloc_bt", ++ "/proc/slaballoc_bt", ++ "/proc/slaballoc_module", + "/proc/sched_debug", + "/proc/scsi", + "/proc/sig_catch", +-- +2.19.1 + diff --git a/patch/0170-docker-fix-docker-load-files-leak.patch b/patch/0170-docker-fix-docker-load-files-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..75bfa1bb86de5c243589ee28aee3ab8d4a87292f --- /dev/null +++ b/patch/0170-docker-fix-docker-load-files-leak.patch @@ -0,0 +1,27 @@ +From e7dd426dc3d962eae0e934dcb8fe4d805f8ea4ca Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Wed, 16 Sep 2020 22:40:49 -0400 +Subject: [PATCH] fix docker load files leak + +Signed-off-by: liuzekun +--- + components/engine/daemon/graphdriver/devmapper/deviceset.go | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/components/engine/daemon/graphdriver/devmapper/deviceset.go b/components/engine/daemon/graphdriver/devmapper/deviceset.go +index f5c0b04..ff90c44 100644 +--- a/components/engine/daemon/graphdriver/devmapper/deviceset.go ++++ b/components/engine/daemon/graphdriver/devmapper/deviceset.go +@@ -2285,6 +2285,9 @@ func (devices *DeviceSet) unmountAndDeactivateAll(dir string) { + // and the device will be released when that container dies. + if err := unix.Unmount(fullname, unix.MNT_DETACH); err != nil && err != unix.EINVAL { + logger.Warnf("Shutdown unmounting %s, error: %s", fullname, err) ++ } else if err == nil { ++ logger.Debugf("Remove %s", fullname) ++ os.RemoveAll(fullname) + } + + if devInfo, err := devices.lookupDevice(name); err != nil { +-- +2.19.1 + diff --git a/patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch b/patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch new file mode 100644 index 0000000000000000000000000000000000000000..63334a2968a3539bca55b159a72418b2831c8cc7 --- /dev/null +++ b/patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch @@ -0,0 +1,28 @@ +From bbc6fce3870ff7f43c87efe13247bb185817aa67 Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Wed, 14 Oct 2020 04:36:56 -0400 +Subject: [PATCH] do not sync if BYPAAS_SYNC is false + +Signed-off-by: liuzekun +--- + components/engine/pkg/devicemapper/devmapper.go | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/components/engine/pkg/devicemapper/devmapper.go b/components/engine/pkg/devicemapper/devmapper.go +index 06ddc3e9..a5c30cb3 100644 +--- a/components/engine/pkg/devicemapper/devmapper.go ++++ b/components/engine/pkg/devicemapper/devmapper.go +@@ -477,7 +477,9 @@ func BlockDeviceDiscard(path string) error { + + // Without this sometimes the remove of the device that happens after + // discard fails with EBUSY. +- unix.Sync() ++ if os.Getenv("DOCKER_BYPASS_SYNC_SYSCALL") != "false" { ++ unix.Sync() ++ } + + return nil + } +-- +2.19.1 + diff --git a/patch/0172-docker-fix-panic-on-single-character-volumes.patch b/patch/0172-docker-fix-panic-on-single-character-volumes.patch new file mode 100644 index 0000000000000000000000000000000000000000..f0bdb97a48db6cb3a40b9d2c676e4fe94d8f5189 --- /dev/null +++ b/patch/0172-docker-fix-panic-on-single-character-volumes.patch @@ -0,0 +1,27 @@ +From 0a2c746c0d560d18502f84078d233166934e9eb9 Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Wed, 11 Nov 2020 23:47:30 -0500 +Subject: [PATCH] fix panic on single-character volumes + +Signed-off-by: liuzekun +--- + components/cli/cli/compose/loader/volume.go | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/components/cli/cli/compose/loader/volume.go b/components/cli/cli/compose/loader/volume.go +index 9c2792e0..f043f4aa 100644 +--- a/components/cli/cli/compose/loader/volume.go ++++ b/components/cli/cli/compose/loader/volume.go +@@ -111,6 +111,9 @@ func isFilePath(source string) bool { + case '.', '/', '~': + return true + } ++ if len([]rune(source)) == 1 { ++ return false ++ } + + // windows named pipes + if strings.HasPrefix(source, `\\`) { +-- +2.19.1 + diff --git a/patch/0173-docker-fix-stats-memory-usage-display-error.patch b/patch/0173-docker-fix-stats-memory-usage-display-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..08d68273e8fbb63c720afc4922c8e169ca42ba0f --- /dev/null +++ b/patch/0173-docker-fix-stats-memory-usage-display-error.patch @@ -0,0 +1,38 @@ +From d26341e4c447ddbb6bd289845b7b47f0e4348c62 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Wed, 11 Nov 2020 17:35:06 +0800 +Subject: [PATCH] docker:fix stats memory usage display error + +fix stats memory usage display error +use total_inactive_file not cache to calculate memory usage +The new stat definition corresponds to containerd/CRI and cadvisor. + +https://github.com/containerd/cri/blob/c1115d4e57f55a5f45fb3efd29d3181ce26d5c6a/pkg/server/container_stats_list_unix.go#L106-L129 +https://github.com/google/cadvisor/commit/307d1b1cb320fef66fab02db749f07a459245451 + +Signed-off-by: xiadanni1 +Signed-off-by: Akihiro Suda +--- + components/cli/cli/command/container/stats_helpers.go | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/components/cli/cli/command/container/stats_helpers.go b/components/cli/cli/command/container/stats_helpers.go +index 2300ce5..c254212 100644 +--- a/components/cli/cli/command/container/stats_helpers.go ++++ b/components/cli/cli/command/container/stats_helpers.go +@@ -226,7 +226,11 @@ func calculateNetwork(network map[string]types.NetworkStats) (float64, float64) + // calculateMemUsageUnixNoCache calculate memory usage of the container. + // Page cache is intentionally excluded to avoid misinterpretation of the output. + func calculateMemUsageUnixNoCache(mem types.MemoryStats) float64 { +- return float64(mem.Usage - mem.Stats["cache"]) ++ if v, isCgroup1 := mem.Stats["total_inactive_file"]; isCgroup1 && v < mem.Usage { ++ return float64(mem.Usage - v) ++ } ++ ++ return float64(mem.Usage) + } + + func calculateMemPercentUnixNoCache(limit float64, usedNoCache float64) float64 { +-- +1.8.3.1 + diff --git a/patch/0174-docker-add-more-messages-for-ops-when-device-not-fo.patch b/patch/0174-docker-add-more-messages-for-ops-when-device-not-fo.patch new file mode 100644 index 0000000000000000000000000000000000000000..4863e7637f42c51901e96643d3003a6e05d4a0f0 --- /dev/null +++ b/patch/0174-docker-add-more-messages-for-ops-when-device-not-fo.patch @@ -0,0 +1,27 @@ +From 19ce3a9a435ddb67a4e7a081cd23bb5cc19abc92 Mon Sep 17 00:00:00 2001 +From: liuzekun +Date: Thu, 30 Jul 2020 05:09:42 -0400 +Subject: [PATCH] dockerd: add more messages for ops when device not found in + the host + +Signed-off-by: liuzekun +--- + components/engine/daemon/daemon_unix.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go +index 5a59b324..af50fa37 100644 +--- a/components/engine/daemon/daemon_unix.go ++++ b/components/engine/daemon/daemon_unix.go +@@ -262,7 +262,7 @@ func getBlkioThrottleDevices(devs []*blkiodev.ThrottleDevice) ([]specs.LinuxThro + + for _, d := range devs { + if err := unix.Stat(d.Path, &stat); err != nil { +- return nil, err ++ return nil, errors.Wrapf(err, "Failed to stat device %q", d.Path) + } + d := specs.LinuxThrottleDevice{Rate: d.Rate} + d.Major = int64(stat.Rdev / 256) +-- +2.19.1 + diff --git a/patch/0175-docker-mask-proc-pin_memory.patch b/patch/0175-docker-mask-proc-pin_memory.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b0502dfe6b59da17458842e31b48833455e02c1 --- /dev/null +++ b/patch/0175-docker-mask-proc-pin_memory.patch @@ -0,0 +1,25 @@ +From 017c3377f0bd5230c0fa1699bd193baa527f0b8f Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Fri, 20 Nov 2020 18:34:45 +0800 +Subject: [PATCH] docker:mask /proc/pin_memory + +Signed-off-by: xiadanni1 +--- + components/engine/oci/defaults.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go +index ec748a6..e763cb7 100644 +--- a/components/engine/oci/defaults.go ++++ b/components/engine/oci/defaults.go +@@ -135,6 +135,7 @@ func DefaultLinuxSpec() specs.Spec { + "/proc/oom_extend", + "/proc/pagealloc_statistics", + "/proc/pagealloc_bt", ++ "/proc/pin_memory", + "/proc/slaballoc_bt", + "/proc/slaballoc_module", + "/proc/sched_debug", +-- +1.8.3.1 + diff --git a/series.conf b/series.conf index 141c9ce15849e30696803091ca31a4811eeebb1b..1b6b8cfc5e543767064a44ef4746dbcc0d76b3d6 100644 --- a/series.conf +++ b/series.conf @@ -156,3 +156,18 @@ patch/0157-docker-Support-check-manifest-and-layer-s-DiffID-inf.patch patch/0158-docker-support-private-registry.patch patch/0159-docker-extend-timeout-in-cli-testcases.patch patch/0160-docker-create-a-soft-link-from-runtime-default-to-ru.patch +patch/0161-docker-Delete-stale-containerd-object-on-start-failure.patch +patch/0162-docker-remove-redundant-word-item.patch +patch/0163-docker-delete-event-is-not-need-to-process.patch +patch/0164-docker-stat-process-exit-file-when-kill-process-dire.patch +patch/0165-docker-sync-cli-vendor.patch +patch/0167-docker-fix-CVE-2020-13401.patch +patch/0168-docker-do-not-add-w-to-LDFLAGS.patch +patch/0169-docker-add-files-in-proc-for-mask.patch +patch/0170-docker-fix-docker-load-files-leak.patch +patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch +patch/0172-docker-fix-panic-on-single-character-volumes.patch +patch/0173-docker-fix-stats-memory-usage-display-error.patch +patch/0174-docker-add-more-messages-for-ops-when-device-not-fo.patch +patch/0175-docker-mask-proc-pin_memory.patch +#end