When splitting the docker CLI from the moby/moby repository, the dockerd
documentation and man-pages were moved to the CLI repository. This was a
bit of a bad choice, as now the documentation and code lived in separate
repositories, but when the CLI and dockerd packages were split, the man
page for dockerd ended up in the CLI package.
Starting with [moby@d6e9b5f], the dockerd man-page has been reintegrated
into the moby repository, which means that we can build the man-page
from that repository, and remove it from the CLI repository.
This patch updates the packaging to do so:

Before this patch;

    dpkg-deb -c docker-ce_0.0.0~20250124134141.b8879a4-1~ubuntu.24.04~noble_arm64.deb | grep -E '^-'
    -rw-r--r-- root/root 642 2025-01-24 14:29 ./etc/default/docker
    -rwxr-xr-x root/root 2946 2025-01-24 14:29 ./etc/init.d/docker
    -rwxr-xr-x root/root 2741336 2025-01-24 19:54 ./usr/bin/docker-proxy
    -rw-r--r-- root/root 1727 2025-01-24 14:29 ./usr/lib/systemd/system/docker.service
    -rw-r--r-- root/root 295 2025-01-24 14:29 ./usr/lib/systemd/system/docker.socket
    -rwxr-xr-x root/root 604336 2025-01-24 19:54 ./usr/libexec/docker/docker-init
    -rw-r--r-- root/root 2248 2025-01-24 14:29 ./usr/share/doc/docker-ce/README.md
    -rw-r--r-- root/root 168 2025-01-24 19:54 ./usr/share/doc/docker-ce/changelog.Debian.gz

    rpm -qpl ./docker-ce-0.0.0~20250124134141.b8879a4-0.fc41.aarch64.rpm
    /etc/docker
    /usr/bin/docker-proxy
    /usr/bin/dockerd
    /usr/lib/systemd/system/docker.service
    /usr/lib/systemd/system/docker.socket
    /usr/libexec/docker/docker-init

With this patch:

    dpkg-deb -c docker-ce_0.0.0~20250124134141.b8879a4-1~ubuntu.24.04~noble_arm64.deb | grep -E '^-'
    -rw-r--r-- root/root 642 2025-01-24 14:29 ./etc/default/docker
    -rwxr-xr-x root/root 2946 2025-01-24 14:29 ./etc/init.d/docker
    -rwxr-xr-x root/root 2741336 2025-01-24 20:55 ./usr/bin/docker-proxy
    -rwxr-xr-x root/root 79458592 2025-01-24 20:55 ./usr/bin/dockerd
    -rw-r--r-- root/root 1727 2025-01-24 14:29 ./usr/lib/systemd/system/docker.service
    -rw-r--r-- root/root 295 2025-01-24 14:29 ./usr/lib/systemd/system/docker.socket
    -rwxr-xr-x root/root 604336 2025-01-24 20:55 ./usr/libexec/docker/docker-init
    -rw-r--r-- root/root 2248 2025-01-24 14:29 ./usr/share/doc/docker-ce/README.md
    -rw-r--r-- root/root 166 2025-01-24 20:55 ./usr/share/doc/docker-ce/changelog.Debian.gz
    -rw-r--r-- root/root 6561 2025-01-24 20:55 ./usr/share/man/man8/dockerd.8.gz

    rpm -qpl ./docker-ce-0.0.0~20250124134141.b8879a4-0.fc41.aarch64.rpm
    /etc/docker
    /usr/bin/docker-proxy
    /usr/bin/dockerd
    /usr/lib/systemd/system/docker.service
    /usr/lib/systemd/system/docker.socket
    /usr/libexec/docker/docker-init
    /usr/share/man/man8/dockerd.8.gz

Given that the dockerd man-page was previously packaged as part of docker-ce-cli,
we need to add a "Replaces:" condition to the package, to prevent dpkg from
detecting it as a conflict when an older version of the docker-ce-cli package
was installed that contains the manpage;

    Unpacking docker-ce (5:0.0.0~20250124134141.b8879a4-1~raspbian.12~bookworm) ...
    dpkg: error processing archive ./deb/debbuild/raspbian-bookworm/docker-ce_0.0.0~20250124134141.b8879a4-1~raspbian.12~bookworm_armhf.deb (--install):
     trying to overwrite '/usr/share/man/man8/dockerd.8.gz', which is also in package docker-ce-cli 5:0.0.0~20250124134141.b8879a4-1~raspbian.12~bookworm

From the [Debian manual][1]
> 7.6.1. Overwriting files in other packages
>
> It is usually an error for a package to contain files which are on the
> system in another package. However, if the overwriting package declares
> that it Replaces the one containing the file being overwritten, then dpkg
> will replace the file from the old package with that from the new. The
> file will no longer be listed as “owned” by the old package and will be
> taken over by the new package.
[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html
[moby@d6e9b5f]: d6e9b5fe30
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
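
The file conflict that dpkg reports in the commit message above can be caught before publishing by comparing package listings. The following is an added example, not code from this commit or the packaging repository: it reads saved `dpkg-deb -c` listings, finds regular files shipped by both packages, and checks that the `Replaces` value names the older package. The listings, function names and version bound are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect files that a new package would take over from an old one.
# Inputs are saved `dpkg-deb -c <pkg>.deb` listings.

# Paths of regular files ("-" entries) in a listing; assumes no spaces in paths.
deb_regular_files() {
    awk '/^-/ { print $6 }' "$1" | LC_ALL=C sort -u
}

# Paths shipped by both listings; empty output means no overlap.
overlapping_files() {
    _a=$(mktemp); _b=$(mktemp)
    deb_regular_files "$1" > "$_a"
    deb_regular_files "$2" > "$_b"
    LC_ALL=C comm -12 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Succeeds if the Replaces field value $1 names package $2.
declares_replaces() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# Fails (listing the paths) when listing $1 overlaps listing $2 and the
# Replaces value $3 does not name the old package $4.
check_takeover() {
    overlap=$(overlapping_files "$1" "$2")
    [ -z "$overlap" ] && return 0
    declares_replaces "$3" "$4" && return 0
    printf 'missing "Replaces: %s" for:\n%s\n' "$4" "$overlap" >&2
    return 1
}

# Constructed, trimmed listings: the new docker-ce and an older docker-ce-cli.
new=$(mktemp); old=$(mktemp)
trap 'rm -f "$new" "$old"' EXIT
cat > "$new" <<'EOF'
drwxr-xr-x root/root 0 2025-01-24 20:55 ./usr/share/man/man8/
-rwxr-xr-x root/root 79458592 2025-01-24 20:55 ./usr/bin/dockerd
-rw-r--r-- root/root 6561 2025-01-24 20:55 ./usr/share/man/man8/dockerd.8.gz
EOF
cat > "$old" <<'EOF'
drwxr-xr-x root/root 0 2025-01-01 00:00 ./usr/share/man/man8/
-rwxr-xr-x root/root 1000 2025-01-01 00:00 ./usr/bin/docker
-rw-r--r-- root/root 6000 2025-01-01 00:00 ./usr/share/man/man8/dockerd.8.gz
EOF

# The version bound is a placeholder, not the value used by the project.
check_takeover "$new" "$old" "docker-ce-cli (<< 0:PLACEHOLDER)" docker-ce-cli &&
    echo "overlap is covered by Replaces"
```

Directory entries are ignored on purpose: packages may share directories, and only files owned by two packages trigger the dpkg error.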
The CLI currently builds man-pages for sections 1, 5, and 8, but this
list may change; for example, the dockerd man-page is currently built
from the CLI repository but intended to be removed.
This patch changes the code to check all (1..9) sections, and install the
man-pages found in them.
This patch also updates the %doc and %files section; from the Fedora packaging
guide (see [1]);
> The %files section holds a list of all the files that RPM should install
> from the package. **This list should be exhaustive**, so that the RPM system
> knows exactly what your package installs. There are some options, though,
> to name all the files within a directory to help with packages containing
> hundreds of files.
> (...)
> In addition to naming each file on a line, you can use glob-style wildcards.
But also worth noting that it's NOT needed to mark manpages as %doc, see [2];
> Note also that files installed in %{_mandir} are automatically marked by RPM
> as documentation. Thus it is not necessary to use %doc.
So this patch:
- uses wildcards to enumerate all manpages in all sections
- removes the %doc for manpages, as this is automatic.
[1]: https://jfearn.fedorapeople.org/en-US/RPM/4/html/RPM_Guide/ch09s05.html
[2]: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_manpages
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For make commands, we can just pass the directory through "-C", and for
"install" we can pass the full path of the source.
There are some remaining uses for targets that build through a script
or using "go build", which may still require changing.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The dh_bash-completion debhelper provides an easy way to install the
shell-completion scripts for Bash. Unfortunately there is no stable
equivalent yet for the other shells (zsh, fish, powershell), which
resulted in two out of three shells requiring manual install.
Given that the installation path for Bash is [well-documented][1],
we can align Bash with the other shells to make this less confusing.
This patch makes that change, and adds a code-comment to outline
the reasoning (and possible future options) for future readers.
[1]: 79fd051907/README.md
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Makes it slightly clearer where installing the CLI itself
ends, and where installing completion scripts starts.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is unlikely to make a big difference, as some files may have timestamps
based on checkout date or being generated, but it doesn't hurt to do it
either.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is unlikely to make a big difference, as some files may have timestamps
based on checkout date or being generated, but it doesn't hurt to do it
either.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "-D" option creates parent directories if missing; we
can use it in most places, except for one where we're using
wildcards, as installing multiple files requires the target
directory to exist.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
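
An added shell example (not the repository's own build rules) of the two install patterns these commit messages describe: looping over man sections 1..9 and installing whatever is found, and using `install -D` only where a single source maps to a full destination path. The source tree, function names and destination paths are constructed.

```shell
#!/bin/sh
# Added example: install man pages from whichever of sections 1..9 exist.

# Install $1/man<N>/*.<N>* into $2/man<N>/ and print how many were installed.
install_manpages() {
    src=$1; dest=$2; count=0
    for sec in 1 2 3 4 5 6 7 8 9; do
        # An unmatched glob stays literal, so test the first result.
        set -- "$src/man$sec"/*."$sec"*
        [ -e "$1" ] || continue
        # Several sources need an existing target directory, so create it
        # explicitly instead of relying on "-D" for the wildcard install.
        install -d -m 0755 "$dest/man$sec"
        install -m 0644 "$@" "$dest/man$sec/"
        count=$((count + $#))
    done
    echo "$count"
}

# Single source, full destination path: "-D" creates the missing parents.
install_one() {
    install -D -m "$1" "$2" "$3"
}

# Constructed source tree; file names and contents are placeholders.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/src/man1" "$work/src/man3" "$work/src/man5" "$work/src/man8"
: > "$work/src/man1/docker.1"
: > "$work/src/man1/docker-run.1"
: > "$work/src/man5/Dockerfile.5"
: > "$work/src/man8/dockerd.8"
printf 'unit\n' > "$work/src/docker.service"

installed=$(install_manpages "$work/src" "$work/root/usr/share/man")
install_one 0644 "$work/src/docker.service" \
    "$work/root/usr/lib/systemd/system/docker.service"
echo "man pages installed: $installed"
```

The empty `man3` directory in the sample tree is skipped, so no empty section directory ends up in the package root.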
The "make dynbinary" target calls ./scripts/build/binary with the
right options set, and does not use docker to build (so can be
run as part of our deb/rpm build scripts).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the obsoletes for `docker-ce-selinux`, `docker-engine-selinux`, and
`docker-engine`.
These were obsoleted in 2017 through 94943b4752
> Mark docker-*-selinux pkgs as obsolete
>
> These are replaced by `container-selinux` on fedora-25 and centos-7.
> Marking these packages as obsolete makes the installation process a bit
> smoother, otherwise the user will have to manually uninstall the older
> packages to install the new one.
>
> Also makes fedora24 use container-selinux which now supports labeling
> the `dockerd` binary correctly.
Both CentOS 6/7 and Fedora 25 are EOL now, and these packages have not been
published for a long time. Time to remove them, also to reduce some noise
during builds;

    RPM build warnings:
        line 51: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-ce-selinux
        line 52: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-engine-selinux
        line 53: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-engine

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and
net/http packages, as well as bug fixes to the compiler, the runtime, and the
net package. See the Go 1.23.5 milestone on our issue tracker for details;
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.4...go1.23.5

Hello gophers,

We have just released Go versions 1.23.5 and 1.22.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

  A certificate with a URI which has an IPv6 address with a zone ID may
  incorrectly satisfy a URI name constraint that applies to the certificate
  chain.

  Certificates containing URIs are not permitted in the web PKI, so this
  only affects users of private PKIs which make use of URIs.

  Thanks to Juho Forsén of Mattermost for reporting this issue.

  This is CVE-2024-45341 and Go issue https://go.dev/issue/71156.

- net/http: sensitive headers incorrectly sent after cross-domain redirect

  The HTTP client drops sensitive headers after following a cross-domain redirect.
  For example, a request to a.com/ containing an Authorization header which is
  redirected to b.com/ will not send that header to b.com.

  In the event that the client received a subsequent same-domain redirect, however,
  the sensitive headers would be restored. For example, a chain of redirects from
  a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization
  header to b.com/2.

  Thanks to Kyle Seely for reporting this issue.

  This is CVE-2024-45336 and Go issue https://go.dev/issue/70530.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update the license fields to use the (now recommended) SPDX identifier;
> https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ lists
> Apache-2.0 as the SPDX identifier and ASL 2.0 as a "Legacy Abbreviation"
> for Apache License 2.0.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 78242140d7.
That change was added to fix a missing archive_write_add_filter_zstd when
compiling tini, but it's no longer needed;
> Add libarchive build-dep to fix missing archive_write_add_filter_zstd
>
> Trying to fix
>
> + echo 'Install tini version de40ad007797e0dcd8b7126f27bb87401d224240'
> + git clone https://github.com/krallin/tini.git /go/tini
> Install tini version de40ad007797e0dcd8b7126f27bb87401d224240
> Cloning into '/go/tini'...
> + cd /go/tini
> + git checkout -q de40ad007797e0dcd8b7126f27bb87401d224240
> + cmake .
> cmake: symbol lookup error: cmake: undefined symbol: archive_write_add_filter_zstd
> error: Bad exit status from /var/tmp/rpm-tmp.Dl5CDf (%build)
>
> According to https://bugs.centos.org/view.php?id=18212, upgrading to libarchive-3.3.3-1.el8.x86_64
> should resolve the problem.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The AuFS storage driver was deprecated and removed, so we can remove it
as a suggested dependency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The version constraint was added in e4b1c10a6b,
later updated in a246b19b07 to prevent old
versions from being used, as they had some issues.
Current version on RHEL8 (which is the oldest rpm distro we build for) is
2:2.229, so we can remove this explicit constraint.

    Installing:
     container-selinux noarch 2:2.229.0-2.module+el8.10.0+22417+2fb00970 ubi-8-appstream-rpms 71 k

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This dependency was added in [docker@42d8fe6], at which time we were building
a docker-selinux policy with additional policies, but we're now depending
on the distro's `container-selinux` package and it was removed in the moby
repository in [docker@bfe5cab], so we can remove it here as well.
[docker@42d8fe6]: 42d8fe6105
[docker@bfe5cab]: bfe5cab13b
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>