Merge pull request #2317 from flatcar/containerd-1.7.22-main

upgrade Go, Runc, Docker and Containerd
flatcar · Oct 2, 2024 · e7c66ef · e7c66ef
2 parents 0f9c68d + 04fc05b
commit e7c66ef
Show file tree

Hide file tree

Showing 17 changed files with 499 additions and 8 deletions.
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
@@ -6,6 +6,9 @@ rootfs="${1}"
 # Remove debug and contrib
 echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
 rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
+# For Docker 27.2.1, two files are symlinked to /usr/share/docker/contrib
+# There were previously shipped directly in /usr/share/docker/contrib folder
+rm -f "${rootfs}/usr/bin/dockerd-rootless-setuptool.sh" "${rootfs}/usr/bin/dockerd-rootless.sh"
 
 script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"

diff --git a/changelog/security/2024-09-27-docker-go.md b/changelog/security/2024-09-27-docker-go.md
@@ -0,0 +1,3 @@
+- docker ([CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110))
+- Go ([CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155), [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156), [CVE-2024-34158](https://nvd.nist.gov/vuln/detail/CVE-2024-34158))
+- runc ([CVE-2024-45310](https://nvd.nist.gov/vuln/detail/CVE-2024-45310))
diff --git a/changelog/updates/2024-09-27-containerd-docker-go-runc.md b/changelog/updates/2024-09-27-containerd-docker-go-runc.md
@@ -0,0 +1,4 @@
+- containerd ([1.7.22](https://github.com/containerd/containerd/releases/tag/v1.7.22))
+- docker ([27.2.1](https://docs.docker.com/engine/release-notes/27/#2721), includes changes from [26.1.0](https://docs.docker.com/engine/release-notes/26.1/#2610)))
+- Go ([1.22.7](https://go.dev/doc/devel/release#go1.22.7))
+- runc ([1.1.14](https://github.com/opencontainers/runc/releases/tag/v1.1.14))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
@@ -1,4 +1,4 @@
 DIST containerd-1.7.1.tar.gz 9682254 BLAKE2B f168070caf2b76f0be350a98f41bfdbfe6d78344d68821fb92a29f839a6e847d795e5b79436e36f985aa88028ff1c3f44f134cf6bd502ddac22453a457bd952b SHA512 e9b00ba8f4dd1b5b1088060d3822f684611d43b367ddfeb1bee1660140af85f31e9c9bfc600a67e8fc8645a625dc4e1919d9af7291bdeaa607bff7065a4fc945
 DIST containerd-1.7.2.tar.gz 9688701 BLAKE2B d31cd0e96bb2675390cc63d06114e37d532b7c666b3ffc5b0087dfcef8de23559471f08bf8a52b164c5f645faf1b8102ab2ccdd8ec417a1c74336097f0c3a899 SHA512 c0d4c02991b7e9fc341c4ef3df2d93097f5854a51b99596ed95436a79f7a586820bb8bb7c17fc43b5f38d97ea942e59490fbbf6c9710391ef9caae3d34627bc5
-DIST containerd-1.7.21.tar.gz 10188737 BLAKE2B 0a3eef5bd97b4249963d6e6b80652e2abef0ac7ece726d15efc3b1d364b3525ac7602afecfde3d376bdbec7d5ca39636e09dd8d2a96c420012ef4232afc2a6dd SHA512 fba998c8d7f2907b3e5fb09c3947c3272661ec33379c611c5110ca0151812adcd70ff6b837e97a5d4228d685902276eeb98cd82bb4c46149686e169e81943c75
+DIST containerd-1.7.22.tar.gz 10189969 BLAKE2B b1fac9764a8bac0b883849786bd20c9a8e64d764186c6362978faec5ba360636caccc6c1a7c51c6781aa51f96a4e713968d1e86b54b6fe2fa9e3dfcc07727e64 SHA512 9572f2b0f49365cc3888999a0c0b7d29694922f0cbefb33e1fbbfc71781cde402537da3a23e36fd3a600a1d819bcef9acbeee423df2699fa9e3f07cfde7f9128
 DIST containerd-1.7.6.tar.gz 9714550 BLAKE2B 863df1a8ab0f0fe6ec62893ed64824763c1b5230fe830fa268820ce0d6254c79e1ac62ab1261a74785b86b01dff83ea9109a899857fa47a48f2cf2eaf298fea8 SHA512 8b7e13c6ea544754ba7d53092d143f3fd2224b9bc874a33d8a00b781e719927f1b22ad5cd1e35b7b95e4890e630f4b92308549a970587ccdf9dbb8eb470e2703
diff --git a/...iners/containerd/containerd-1.7.21.ebuild → ...iners/containerd/containerd-1.7.22.ebuild b/...iners/containerd/containerd-1.7.21.ebuild → ...iners/containerd/containerd-1.7.22.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=8
 inherit go-module systemd
-GIT_REVISION=174e0d1785eeda18dc2beba45e1d5a188771636b
+GIT_REVISION=b2ce781edcbd6cb758f172ecab61c79d607cc41d
 
 DESCRIPTION="A daemon to control runC"
 HOMEPAGE="https://containerd.io/"
@@ -22,7 +22,7 @@ DEPEND="
 # recommended version of runc is found in script/setup/runc-version
 RDEPEND="
 	${DEPEND}
-	~app-containers/runc-1.1.13[apparmor?,seccomp?]
+	~app-containers/runc-1.1.14[apparmor?,seccomp?]
 "
 
 BDEPEND="

diff --git a/...pends/hard-host-depends-0.0.1-r211.ebuild → ...pends/hard-host-depends-0.0.1-r212.ebuild b/...pends/hard-host-depends-0.0.1-r211.ebuild → ...pends/hard-host-depends-0.0.1-r212.ebuild
diff --git a/...c/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/...c/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -36,7 +36,7 @@ RDEPEND="${RDEPEND}
 	app-text/xmlto
 	dev-build/gtk-doc-am
 	dev-lang/go-bootstrap
-	dev-lang/go:1.21
+	dev-lang/go:1.22
 	dev-lang/nasm
 	=dev-lang/python-3*
 	dev-lang/swig

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest
@@ -1 +1 @@
-DIST go1.21.13.src.tar.gz 26997630 BLAKE2B 41098fcd889b0501b2580933b144b317e28f86aee30352f32fafdc66f7607677a62927104b10702f01464fe3eff3ed2999c9913756ed8526df49f523c8a6f945 SHA512 f316984154ead8256d9ec0613e3cfef5699553387d87c24bb2a96265f986bf4450838e6451841def3713d65ebaa9bf55e36ff39c5690d79522e1c1ba7655be2f
+DIST go1.22.7.src.tar.gz 27562038 BLAKE2B c4dd868ac6966029fd72e61d9c82ac26162f4eb26f77a3a6a7e8bc609223069c004786066ca66f24f4d595de1da4f4ee18b368f80ac94e832c8bd9edde407094 SHA512 60b37916e31c3482e8395580a29757971df5e1783dc13a9914261007e07aa8b1b9c1a0b874883e297903e16c7831117b8f814aeff0a0d4398948c97c9d73b73a
diff --git a/...eos-overlay/dev-lang/go/go-1.21.13.ebuild → ...reos-overlay/dev-lang/go/go-1.22.7.ebuild b/...eos-overlay/dev-lang/go/go-1.21.13.ebuild → ...reos-overlay/dev-lang/go/go-1.22.7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass
@@ -13,7 +13,7 @@
 # @CODE
 # COREOS_GO_VERSION=go1.20
 # @CODE
-export COREOS_GO_VERSION="${COREOS_GO_VERSION:-go1.21}"
+export COREOS_GO_VERSION="${COREOS_GO_VERSION:-go1.22}"
 
 case "${EAPI:-0}" in
 	5|6) DEPEND="dev-lang/go:${COREOS_GO_VERSION#go}=" ;;

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -8,7 +8,7 @@
 # (the following packages are "unstable" upstream; we're stabilising these)
 
 # Handled by automation
-=app-containers/containerd-1.7.21 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-08-30 08:19:45
+=app-containers/containerd-1.7.22 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-09-13 08:19:35
 
 # Keep versions on both arches in sync.
 =app-containers/cri-tools-1.27.0 ~arm64
@@ -20,7 +20,7 @@
 # modifications made to the ebuilds were clobbered, so these are here
 # to keep using the same version. Can be dropped when these or newer
 # get stabilized in Gentoo.
-=app-containers/runc-1.1.13 ~amd64 ~arm64
+=app-containers/runc-1.1.14 ~amd64 ~arm64
 
 # Seems to be the only available ebuild in portage-stable right now.
 =app-crypt/adcli-0.9.2 ~arm64
@@ -109,3 +109,7 @@ dev-util/catalyst ~amd64 ~arm64
 =virtual/perl-Exporter-5.780.0 ~arm64
 =virtual/perl-File-Spec-3.900.0 ~arm64
 =virtual/perl-IO-1.550.0 ~arm64
+
+# Accept unstable for Docker and its CLI.
+=app-containers/docker-27.2.1 ~amd64 ~arm64
+=app-containers/docker-cli-27.2.1 ~amd64 ~arm64
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
@@ -2,3 +2,4 @@ DIST docker-cli-26.1.0-man.tar.xz 79004 BLAKE2B 36dcf969c6567680990420d6d177101b
 DIST docker-cli-26.1.0.tar.gz 7213165 BLAKE2B 302236467f2b6f3f46b0f0c75e89c2cef0cd251d36e12f78a67c906cfb85b842b998fd3b07f4a2dfc0a04825a9b105d90f11d176055ded397f2d4e9145639d5d SHA512 1a1e9af1a836765ffa91f7f2e1b27911e2b6b373c308a7db332a7cd1825459ab1c04a93d03c9947b631bead0af21d9f03e06c3a60855cc56ca7039e50e38ba87
 DIST docker-cli-27.2.0-man.tar.xz 79052 BLAKE2B 019299b8cd0adbb1a3749f9aa37b1e38bf212b2c13eee81ae49f843bcc56ff3f41413e1021bebf5c88b4406d7928c2c40de026df861195aa2df79d9c724f8b87 SHA512 d61d6f9f9139f2d22268932d795a50e7b9b1ff993699ba87ca9353cb9908ac18c103a34ee9a486f3537988d6ba7317b05588cd84ff8327b86826ab7ed5023947
 DIST docker-cli-27.2.0.tar.gz 7236608 BLAKE2B 828f002d83de47efad370e28df2f5e50f75da7952bf4fcbe30d3d66c9bc281ee99fab820f7bca002c8eb13fa29b7518e951974b62008e213662c1d384a286c0d SHA512 5dce9e974a96b2518a73d50a9421d12feeb9cc792bb89000f26e04a91fdddade2648dea39aa721e48c9b07bfc18f7a6676fb7e286ae779556753886ec45e86c3
+DIST docker-cli-27.2.1.tar.gz 7235741 BLAKE2B 461d177ff05cf27cf271e355cb6ce65a908e6263e10042bb1ae3963e376461d18a93ed79119b3551350a513ce065af3dbbcc9c82d0c7a68b366b3f012a9563f8 SHA512 2e89062fc906eec6879787b21a76d291159fb5e22c6a30c78d915c7a1c76ae03fca0cb7e4fc7f78e1747120fb64b652dbc9ca925a77c41ec9df44136bb2a83fa
diff --git a/...ntainer/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-27.2.1.ebuild b/...ntainer/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-27.2.1.ebuild
@@ -0,0 +1,74 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+GIT_COMMIT=9e34c9bb39efd8bf96d4ec044de454ef1f24c668
+
+EGO_PN="github.com/docker/cli"
+MY_PV=${PV/_/-}
+inherit bash-completion-r1  golang-vcs-snapshot
+
+DESCRIPTION="the command line binary for docker"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+# SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
+IUSE="hardened selinux"
+
+RDEPEND="!<app-containers/docker-20.10.1
+	selinux? ( sec-policy/selinux-docker )"
+BDEPEND="
+	>=dev-lang/go-1.16.6"
+
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+src_unpack() {
+	golang-vcs-snapshot_src_unpack
+	set -- ${A}
+	# Flatcar: skip unpacking temporarily
+	# unpack ${2}
+}
+
+src_prepare() {
+	default
+	sed -i 's@dockerd\?\.exe@@g' contrib/completion/bash/docker || die
+}
+
+src_compile() {
+	export DISABLE_WARN_OUTSIDE_CONTAINER=1
+	export GOPATH="${WORKDIR}/${P}"
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
+	CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
+		emake \
+		LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
+		VERSION="${PV}" \
+		GITCOMMIT="${GIT_COMMIT}" \
+		dynbinary
+}
+
+src_install() {
+	dobin build/docker
+	# Flatcar: skip installing manpages temporarily
+	# doman "${WORKDIR}"/man/man?/*
+	dobashcomp contrib/completion/bash/*
+	bashcomp_alias docker dockerd
+	insinto /usr/share/fish/vendor_completions.d/
+	doins contrib/completion/fish/docker.fish
+	insinto /usr/share/zsh/site-functions
+	doins contrib/completion/zsh/_*
+}
+
+pkg_postinst() {
+	has_version "app-containers/docker-buildx" && return
+	ewarn "the 'docker build' command is deprecated and will be removed in a"
+	ewarn "future release. If you need this functionality, install"
+	ewarn "app-containers/docker-buildx."
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest
@@ -1,2 +1,3 @@
 DIST docker-26.1.0.tar.gz 16390376 BLAKE2B 6703e9b153c430bc28aed2e7de7bada0203353d61f0a2ce3d49ddbd017eab196a685dd1ab1e719a6b287813eb5fa4f2c612e2cf1ab95789d6e79ebe5dac7ace3 SHA512 47b6b9af9947016884614b6bc25977e1db281da95c9b8b34c753c21c664a737a893f9fa65d92cbb897735aae3893567e106e6bababb5507e069b1e0981e48d50
 DIST docker-27.2.0.tar.gz 16689537 BLAKE2B faf0bae9f7da127d5b65b9989acd82dc726bc3f09ace502df151b9f03a84b6f1ec2a946d905263aaa7d2e7d7a3cd4ad1a09291dcfc6691e73cc9a8738f150d55 SHA512 97abaf56d2249c1514beacf17fc9096848b960846e064f1a9bd800a59762a1f1888b32e83b3e8289e23656496ca0293fea65931210d68faaa8a713aab6e48b65
+DIST docker-27.2.1.tar.gz 16769375 BLAKE2B a2a33d76702f5a208b22cbb12202f4fd69dfce79a6a8ed3c3fe0df161696c922ab764a1796cd265a0cba0737894daf759baf21ecff364f3caea5fd440831dcb9 SHA512 2ca29e53074c1ff7b527f709ae542daa2754cfc35c70ae92bd71b4c7d5d54cd6d373ab078c811900dc694347cb149387681f6cf26634c81651a8e91e31790de7