Merge pull request bottlerocket-os#711 from koooosh/add-dockerv29-pkgs

Add Docker v29 packages

Author: koooosh

Cargo.lock

@@ -20,8 +20,10 @@ members = [
   "packages/coreutils",
   "packages/libcryptsetup",
   "packages/dbus-broker",
-  "packages/docker-cli",
-  "packages/docker-engine",
+  "packages/docker-cli-25",
+  "packages/docker-cli-29",
+  "packages/docker-engine-25",
+  "packages/docker-engine-29",
   "packages/docker-init",
   "packages/e2fsprogs",
   "packages/early-boot-config",

Cargo.toml

@@ -29,8 +29,10 @@ containerd-2_0 = { path = "../../packages/containerd-2.0" }
 containerd-2_1 = { path = "../../packages/containerd-2.1" }
 coreutils = { path = "../../packages/coreutils" }
 dbus-broker = { path = "../../packages/dbus-broker" }
-docker-cli = { path = "../../packages/docker-cli" }
-docker-engine = { path = "../../packages/docker-engine" }
+docker-cli-25 = { path = "../../packages/docker-cli-25" }
+docker-cli-29 = { path = "../../packages/docker-cli-29" }
+docker-engine-25 = { path = "../../packages/docker-engine-25" }
+docker-engine-29 = { path = "../../packages/docker-engine-29" }
 docker-init = { path = "../../packages/docker-init" }
 e2fsprogs = { path = "../../packages/e2fsprogs" }
 early-boot-config = { path = "../../packages/early-boot-config" }

kits/bottlerocket-core-kit/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "docker-cli"
+name = "docker-cli-25"
 version = "0.1.0"
 edition = "2021"
 publish = false

packages/docker-cli/0001-non-tcp-host-header.patch renamed to packages/docker-cli-25/0001-non-tcp-host-header.patch

@@ -10,7 +10,9 @@
 
 %global _dwz_low_mem_die_limit 0
 
-Name: %{_cross_os}docker-%{gorepo}
+%global package_priority_epoch 1
+
+Name: %{_cross_os}docker-%{gorepo}-25
 Version: %{rpmver}
 Release: 1%{?dist}
 Summary: Docker CLI
@@ -23,6 +25,9 @@ BuildRequires: git
 BuildRequires: %{_cross_os}glibc-devel
 Requires: %{name}(binaries)
 
+Provides: %{_cross_os}docker-%{gorepo} = %{package_priority_epoch}:
+Conflicts: %{_cross_os}docker-%{gorepo}
+
 %description
 %{summary}.
 

packages/docker-cli/Cargo.toml renamed to packages/docker-cli-25/Cargo.toml

@@ -0,0 +1,121 @@
+From c85efebc0c9321fecc536485b47857dbcbe34ddf Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <[email protected]>
+Date: Wed, 12 Jul 2023 15:07:59 +0200
+Subject: [PATCH 1/2] pkg/plugins: use a dummy hostname for local connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in  https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+Before this patch, tests would fail on go1.20.6:
+
+    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
+    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
+    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
+    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
+    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
+        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <[email protected]>
+
+---
+ .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++++
+ .../github.com/docker/docker/client/hijack.go |  6 +++-
+ .../docker/docker/client/request.go           | 10 +++----
+ 3 files changed, 39 insertions(+), 7 deletions(-)
+
+diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
+index 9b2b2eaeb8..5bf699d88d 100644
+--- a/vendor/github.com/docker/docker/client/client.go
++++ b/vendor/github.com/docker/docker/client/client.go
+@@ -57,6 +57,36 @@ import (
+ 	"github.com/pkg/errors"
+ )
+ 
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++//	If the authority component is missing or undefined for the target URI,
++//	then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++//   - https://github.com/docker/engine-api/issues/189
++//   - https://github.com/golang/go/issues/13624
++//   - https://github.com/golang/go/issues/61076
++//   - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+ 
+diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
+index e1dc49ef0f..b8fac0be7e 100644
+--- a/vendor/github.com/docker/docker/client/hijack.go
++++ b/vendor/github.com/docker/docker/client/hijack.go
+@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+ 
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
+-	req.Host = cli.addr
++	req.URL.Host = cli.addr
++	if cli.proto == "unix" || cli.proto == "npipe" {
++		// Override host header for non-tcp connections.
++		req.Host = DummyHost
++	}
+ 	req.Header.Set("Connection", "Upgrade")
+ 	req.Header.Set("Upgrade", proto)
+ 
+diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
+index 7f54b1dd80..3fc99056d0 100644
+--- a/vendor/github.com/docker/docker/client/request.go
++++ b/vendor/github.com/docker/docker/client/request.go
+@@ -89,16 +89,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ 		return nil, err
+ 	}
+ 	req = cli.addHeaders(req, headers)
++	req.URL.Scheme = cli.scheme
++	req.URL.Host = cli.addr
+ 
+ 	if cli.proto == "unix" || cli.proto == "npipe" {
+-		// For local communications, it doesn't matter what the host is. We just
+-		// need a valid and meaningful host name. (See #189)
+-		req.Host = "docker"
++		// Override host header for non-tcp connections.
++		req.Host = DummyHost
+ 	}
+ 
+-	req.URL.Host = cli.addr
+-	req.URL.Scheme = cli.scheme
+-
+ 	if expectedPayload && req.Header.Get("Content-Type") == "" {
+ 		req.Header.Set("Content-Type", "text/plain")
+ 	}
+-- 
+2.34.1
+

packages/docker-cli/clarify.toml renamed to packages/docker-cli-25/clarify.toml

@@ -0,0 +1,19 @@
+[package]
+name = "docker-cli-29"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "../build.rs"
+
+[lib]
+path = "../packages.rs"
+
+[package.metadata.build-package]
+releases-url = "https://github.com/docker/cli/releases"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/docker/cli/archive/v29.0.0-rc.2/cli-29.0.0-rc.2.tar.gz"
+sha512 = "4194a8916c65873d85af1917873bf642b2d03fa2ea4ec0dced2471e9d93ed7963d7efc786cc44bfeecc0c05233fc55839ed675ba777fa0a73d6964f8a4fa7f92"
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/docker-cli/docker-cli.spec renamed to packages/docker-cli-25/docker-cli-25.spec

@@ -0,0 +1,12 @@
+[clarify."github.com/docker/licensing"]
+expression = "Apache-2.0"
+license-files = [
+    { path = "LICENSE", hash = 0xd2f64213 },
+]
+skip-files = ["license.go", "model/license.go"]
+
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00},
+]