!375 [sync] PR-374: docker:sync some patches

From: @openeuler-sync-bot 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng

VERSION-vendor

@@ -1 +1 @@
-18.09.0.339
+18.09.0.346

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 339
+Release: 346
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -213,6 +213,36 @@ fi
 %endif
 
 %changelog
+* Sat Feb 22 2025 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-346
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync some patches
+
+* Fri Dec 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-345
+- Type:CVE
+- CVE:CVE-2024-36623
+- SUG:NA
+- DESC:fix CVE-2024-36623
+
+* Mon Dec 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-344
+- Type:CVE
+- CVE:CVE-2024-36621
+- SUG:NA
+- DESC:fix missing lock in ensurelayer
+
+* Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-341
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:try to reconnect when containerd grpc return unexpected EOF
+
+* Fri Aug 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-340
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add clone3 seccomp whitelist for arm64
+
 * Fri Jul 26 2024 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-339
 - Type:CVE
 - CVE:CVE-2024-41110

git-commit

@@ -1 +1 @@
-bb54f3063f3fc856630a6f3d5a52bf065d5eb045
+e3f8eeda3df9321c490e4adb3cb8172b3e845e82

patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch

@@ -0,0 +1,41 @@
+From c2bc614038532cfbd1db9bfe8ff3949b1867a5c5 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Fri, 2 Aug 2024 16:26:00 +0800
+Subject: [PATCH] docker:add clone3 seccomp whitelist for arm64
+
+---
+ components/engine/profiles/seccomp/seccomp_default.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index 2c670623..a90e441c 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
++++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -482,7 +482,6 @@ func DefaultProfile() *types.Seccomp {
+ 		{
+ 			Names: []string{
+ 				"modify_ldt",
+-				"clone3",
+ 			},
+ 			Action: types.ActAllow,
+ 			Args:   []*types.Arg{},
+@@ -490,6 +489,16 @@ func DefaultProfile() *types.Seccomp {
+ 				Arches: []string{"amd64", "x32", "x86"},
+ 			},
+ 		},
++		{
++                        Names: []string{
++				"clone3",
++                        },
++                        Action: types.ActAllow,
++                        Args:   []*types.Arg{},
++                        Includes: types.Filter{
++                                Arches: []string{"arm64", "amd64", "x32", "x86"},
++                        },
++                },
+ 		{
+ 			Names: []string{
+ 				"s390_pci_mmio_read",
+-- 
+2.33.0
+

patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch

@@ -0,0 +1,57 @@
+From 68ea83ecea0e38d084c0d15c9e99c0b4494b1f32 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 22 Aug 2024 20:22:43 +0800
+Subject: [PATCH] docker: try to reconnect when containerd grpc return
+ unexpected EOF
+
+---
+ .../engine/libcontainerd/client_daemon.go     | 26 ++++++++++++++-----
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/libcontainerd/client_daemon.go b/components/engine/libcontainerd/client_daemon.go
+index 09ce6e1f5..14f420ed8 100755
+--- a/components/engine/libcontainerd/client_daemon.go
++++ b/components/engine/libcontainerd/client_daemon.go
+@@ -38,9 +38,12 @@ import (
+ 	"google.golang.org/grpc/status"
+ )
+ 
+-// InitProcessName is the name given to the first process of a
+-// container
+-const InitProcessName = "init"
++const (
++	// InitProcessName is the name given to the first process of a container
++	InitProcessName = "init"
++	// RetryMax is the max num to connect containerd grpc
++	RetryMax = 10
++)
+ 
+ type container struct {
+ 	mu sync.Mutex
+@@ -167,9 +170,20 @@ func (c *client) Restore(ctx context.Context, id string, attachStdio StdioCallba
+ 		err = wrapError(err)
+ 	}()
+ 
+-	ctr, err := c.client.LoadContainer(ctx, id)
+-	if err != nil {
+-		return false, -1, errors.WithStack(wrapError(err))
++	var ctr containerd.Container
++	var err1 error
++	for retry := 1; retry <= RetryMax; retry++ {
++		ctr, err1 = c.client.LoadContainer(ctx, id)
++		if err1 == nil {
++			break
++		} else if strings.Contains(err1.Error(), "unexpected EOF") {
++			time.Sleep(time.Millisecond * 100)
++			continue
++		}
++		return false, -1, errors.WithStack(wrapError(err1))
++	}
++	if err1 != nil {
++		return false, -1, errors.Wrap(wrapError(err1), "reconnect load contianer failed")
+ 	}
+ 
+ 	attachIO := func(fifos *cio.FIFOSet) (cio.IO, error) {
+-- 
+2.33.0
+

patch/0281-backport-fix-CVE-2024-36621.patch

@@ -0,0 +1,79 @@
+From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+index ffde5eec..13847d5a 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+@@ -13,6 +13,9 @@ import (
+ )
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	if l, err := s.getLayer(key, true); err != nil {
+ 		return nil, err
+ 	} else if l != nil {
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+index c1388da7..2b1d33d7 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -11,6 +11,7 @@ import (
+ 	"github.com/containerd/containerd/snapshots"
+ 	"github.com/docker/docker/daemon/graphdriver"
+ 	"github.com/docker/docker/layer"
++	"github.com/docker/docker/pkg/locker"
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	digest "github.com/opencontainers/go-digest"
+@@ -43,10 +44,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ var _ snapshot.SnapshotterBase = &snapshotter{}
+@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 	return s, nil
+ }
+-- 
+2.33.0
+

patch/0282-backport-fix-CVE-2024-36623.patch

@@ -0,0 +1,48 @@
+From 5e02d7625ef0472e0be29acb30e47255546ced58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ components/engine/pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/components/engine/pkg/streamformatter/streamformatter.go b/components/engine/pkg/streamformatter/streamformatter.go
+index 04917d49ab..eaa82e1010 100644
+--- a/components/engine/pkg/streamformatter/streamformatter.go
++++ b/components/engine/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
++	"sync"
+ 
+ 	"github.com/docker/docker/pkg/jsonmessage"
+ 	"github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ 	sf       formatProgress
+ 	out      io.Writer
+ 	newLines bool
++	mu       sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ 	}
++
++	out.mu.Lock()
++	defer out.mu.Unlock()
+ 	_, err := out.out.Write(formatted)
+ 	if err != nil {
+ 		return err
+-- 
+2.33.0
+

patch/0283-docker-check-containerd-sock-legality.patch

@@ -0,0 +1,30 @@
+From 66f64ce2f18d1051f19f342c8fcf98c5066f00a6 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Mon, 13 Jan 2025 16:35:53 +0800
+Subject: [PATCH] docker:check containerd.sock legality
+
+---
+ components/engine/cmd/dockerd/daemon.go | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
+index 89fa9245a..f703765be 100644
+--- a/components/engine/cmd/dockerd/daemon.go
++++ b/components/engine/cmd/dockerd/daemon.go
+@@ -759,8 +759,11 @@ func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGette
+ }
+ 
+ func systemContainerdRunning() bool {
+-	_, err := os.Lstat(containerddefaults.DefaultAddress)
+-	return err == nil
++	fileInfo, err := os.Stat(containerddefaults.DefaultAddress)
++	if err != nil {
++		return false
++	}
++	return fileInfo.Mode()&os.ModeSocket == os.ModeSocket
+ }
+ 
+ func (cli *DaemonCli) setRuntimeStartTimeout() error {
+-- 
+2.33.0
+

patch/0284-docker-modify-hostconfig.json-perm-640.patch

@@ -0,0 +1,25 @@
+From 432ab009827f6bc84fb07d424d95d10328b4b185 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Fri, 21 Feb 2025 11:00:10 +0800
+Subject: [PATCH] docker:modify hostconfig.json perm to 640
+
+---
+ components/engine/container/container.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/container/container.go b/components/engine/container/container.go
+index 3dcfdaefa..6eaee714e 100644
+--- a/components/engine/container/container.go
++++ b/components/engine/container/container.go
+@@ -262,7 +262,7 @@ func (container *Container) WriteHostConfig() (*containertypes.HostConfig, error
+ 		return nil, err
+ 	}
+ 
+-	f, err := ioutils.NewAtomicFileWriter(pth, 0644)
++	f, err := ioutils.NewAtomicFileWriter(pth, 0640)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+-- 
+2.33.0
+

patch/0285-docker-change-rand-random-number-library-to-generate.patch

@@ -0,0 +1,26 @@
+From a002e6e5309209cd7aa90cde3c1168328fc654d7 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Sat, 22 Feb 2025 09:58:59 +0800
+Subject: [PATCH] docker:change rand random number library to generate seeds
+ using Nano time
+
+---
+ .../engine/vendor/github.com/docker/libnetwork/resolver.go      | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/resolver.go b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+index 0e44352d7..b898c38f9 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/resolver.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+@@ -98,7 +98,7 @@ type resolver struct {
+ }
+ 
+ func init() {
+-	rand.Seed(time.Now().Unix())
++	rand.Seed(time.Now().UnixNano())
+ }
+ 
+ // NewResolver creates a new instance of the Resolver
+-- 
+2.33.0
+

series.conf

@@ -272,4 +272,11 @@ patch/0274-docker-fix-CVE-2024-29018.patch
 patch/0275-backport-fix-CVE-2024-32473.patch
 patch/0276-docker-Ignore-SIGURG-on-Linux.patch
 patch/0277-backport-fix-CVE-2024-41110.patch
+patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
+patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
+patch/0281-backport-fix-CVE-2024-36621.patch
+patch/0282-backport-fix-CVE-2024-36623.patch
+patch/0283-docker-check-containerd-sock-legality.patch
+patch/0284-docker-modify-hostconfig.json-perm-640.patch
+patch/0285-docker-change-rand-random-number-library-to-generate.patch
 #end