We recently updated opencontainers-runc to fix CVE-2019-5736, but Fedora had to update the docker package too (along with runc):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LNX2DUKUN7YXNQJHLXPD4AFQI76GIRCQ/

The patch they added patches cloned_binary.c, which our docker package bundles three copies of, and nsexec.c, of which our package bundled two copies:
libcontainer/nsenter/cloned_binary.c
components/engine/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c
components/engine/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
components/cli/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c
components/cli/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c

The package is confusing and I don't know why there's all this bundled stuff.

Fedora's patch applies cleanly to cloned_binary.c, but one of two hunks fails for nsexec.c.

The Mageia 6 package doesn't have the top-level libcontainer directory, but it has the two further nested ones as well.
Whiteboard: (none) => MGA6TOO
Looking into this openSUSE advisory from today (February 16): https://lists.opensuse.org/opensuse-updates/2019-02/msg00078.html It sounds like docker needs to also be built with the updated golang otherwise it can be affected by the CVE-2018-1687[3-5] fixed in Bug 24014, but the docker update in Bug 24289 was built first.
For Docker in Mageia 6, this can be fixed by updating to 18.06.3 (See https://github.com/docker/docker-ce/blob/v18.06.3-ce/CHANGELOG.md) Working on an update now.
Status: NEW => ASSIGNED
For Docker in cauldron, this is fixed by an update to 18.09.3 as well (See https://github.com/docker/docker-ce/blob/v18.09.3/CHANGELOG.md) Working on it as well.
version 18.06.3 uploaded to updates_testing for mga6 and version 18.09.3 pushed to cauldron.
Whiteboard: MGA6TOO => (none)
CC: (none) => bruno
Assignee: bruno => qa-bugs
Version: Cauldron => 6
Didn't build in Mageia 6: http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190317232758.bcornec.duvel.5515/log/docker-18.06.3-1.1.mga6/build.0.20190317232945.log
Assignee: qa-bugs => bruno
CC: (none) => qa-bugs
Builds locally. And doesn't seem to be me :-(:

/man/md2man-all.sh: line 12: 5266 Trace/breakpoint trap (core dumped) go-md2man -in "$FILE" -out "./man${num}/${name}"

Not sure what to do except retrying tomorrow...
It built this time.

docker-18.06.3-1.2.mga6
docker-devel-18.06.3-1.2.mga6
docker-fish-completion-18.06.3-1.2.mga6
docker-logrotate-18.06.3-1.2.mga6
docker-unit-test-18.06.3-1.2.mga6
docker-vim-18.06.3-1.2.mga6
docker-zsh-completion-18.06.3-1.2.mga6
docker-nano-18.06.3-1.2.mga6

from docker-18.06.3-1.2.mga6.src.rpm
Blocks: (none) => 24321
Moving docker update to the correct bug (from Bug 24321).
Assignee: bruno => qa-bugs
mga6, x86_64 Found Bruno's Labs-master already installed on this machine. To be investigated after the update. later.
CC: (none) => tarazed25
Had a quick look and realized that the Labs are about full on training to learn to use Docker seriously. Far too ambitious for a humble tester and likely to need several weeks effort so I shall, with all due respect for Bruno's excellent work, go back to my simple introductory manual.
Well, I didn't mean to do the full Lab (it's a 4 hours + work!) just the beginning to check that docker is installed correctly and works at least to pull an image and run it.
Well, that is the problem, I have the whole thing sitting on a hard disk but am too dumb to understand how to kickstart it. I did run one script and it went straight on to the web, downloaded a lot of stuff and said that there were all sorts of things needed to set up a proper environment and then asked me to set up an Azure account. What is Azure? Haven't a clue. And I don't want to have to run things in virtualbox. It really is out of my league. Thanks for replying though.
Short tutorial:
1/ Install docker from the test repo (sudo urpmi docker)
2/ sudo systemctl restart docker (restart or start docker engine)
3/ docker --version (should give the correct version)
4/ docker run hello-world (should print a hello world after downloading the image from the docker hub)
5/ docker images (should show you the image downloaded)
6/ docker ps -a (should show you the now defunct container)
7/ docker pull fedora (should do the same with the latest fedora image)
8/ docker run -ti fedora:latest /bin/bash (should give you a bash shell in a fedora context)
9/ in that container you can do dnf install tcsh to check it works as expected

If all that works, then you already have a pretty solid docker env :-)
Many thanks for that. I have a vague memory of doing similar things for the openrunc update a few months back, getting as far as deleting containers and exchanging information between running containers. I shall get back to this later.
Right, here we are. What was already on the system:

$ docker ps -a
CONTAINER ID   IMAGE                    COMMAND                  CREATED        STATUS                     PORTS      NAMES
457c015182dc   azure                    "/bin/sh -c /tmp/az.…"   18 hours ago   Up 18 hours                           elegant_mclean
eede586b3474   redis                    "docker-entrypoint.s…"   6 weeks ago    Exited (0) 6 weeks ago                modest_archimedes
3bb196546b48   redis                    "docker-entrypoint.s…"   6 weeks ago    Exited (0) 6 weeks ago                vigorous_hugle
429da90ab706   hello-world              "/hello"                 7 weeks ago    Exited (0) 7 weeks ago                determined_fermat
722f36262cd8   test/cowsay-dockerfile   "/usr/games/cowsay B…"   7 weeks ago    Exited (0) 7 weeks ago                gracious_dubinsky
e45bc35da265   test/cowsayimage         "/usr/games/cowsay M…"   7 weeks ago    Exited (0) 7 weeks ago                mystifying_babbage
73d9edcc3796   debian                   "bash"                   7 weeks ago    Exited (0) 7 weeks ago                cowsay
2ce141353ad8   redis:latest             "docker-entrypoint.s…"   7 weeks ago    Exited (255) 7 weeks ago   6379/tcp   alpha
86cf6a564b99   redis:latest             "docker-entrypoint.s…"   7 weeks ago    Exited (255) 7 weeks ago   6379/tcp   wedgewood

Better get rid of those and start from scratch after the update.
Ran the update.
Used 'docker ps -a' and 'docker images' to list containers and images.
Removed them with repeated commands:

$ docker rm <container id>
$ docker rmi <repository name>
or
$ docker rmi <image id>

$ sudo systemctl restart docker
$ systemctl status docker
Active: active (running) since Sun 2019-03-31 19:04:01 BST; 1min 32s ago

$ docker version
Client:
 Version:           18.06.0-dev
 API version:       1.38
 Go version:        go1.11.5
 Git commit:        d7080c1
 Built:             Tue Mar 19 16:53:43 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.3-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.11.5
  Git commit:       d7080c1
  Built:            Tue Mar 19 16:53:14 2019
  OS/Arch:          linux/amd64
  Experimental:     false

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:2557e3c07ed1e38f26e389462d03ed943586f744621577a99efb77324b0fe535
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]
$ docker images
REPOSITORY    TAG      IMAGE ID       CREATED        SIZE
hello-world   latest   fce289e99eb9   2 months ago   1.84kB

$ docker ps -a
$ docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED              STATUS                          PORTS   NAMES
6064d8abf9ac   hello-world   "/hello"   About a minute ago   Exited (0) About a minute ago           confident_kilby
64740c6ad06b   hello-world   "/hello"   2 minutes ago        Exited (0) 2 minutes ago                gracious_keldysh
<Ran it twice>

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
<downloading and extracting ~89MB>
01eb078129a0: Pull complete
Digest: sha256:8ee55e140e8751492ab2cfa4513c82093cd2716df9311ea6f442f1f1259cbb3e
Status: Downloaded newer image for fedora:latest

$ docker run -ti fedora:latest /bin/bash
[root@23a1a062bdde /]# dnf install tcsh
Fedora Modular 29 - x86_64                      335 kB/s | 1.5 MB     00:04
Fedora Modular 29 - x86_64 - Updates            485 kB/s | 2.1 MB     00:04
Fedora 29 - x86_64 - Updates                    1.7 MB/s |  25 MB     00:14
Fedora 29 - x86_64                              3.4 MB/s |  62 MB     00:18
Dependencies resolved.
================================================================================
 Package        Architecture     Version                 Repository        Size
================================================================================
Installing:
 tcsh           x86_64           6.20.00-10.fc29         fedora           431 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 431 k
Installed size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
tcsh-6.20.00-10.fc29.x86_64.rpm                 326 kB/s | 431 kB     00:01
--------------------------------------------------------------------------------
Total                                           129 kB/s | 431 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : tcsh-6.20.00-10.fc29.x86_64                            1/1
  Running scriptlet: tcsh-6.20.00-10.fc29.x86_64                            1/1
  Verifying        : tcsh-6.20.00-10.fc29.x86_64                            1/1

Installed:
  tcsh-6.20.00-10.fc29.x86_64

Complete!
To see how far it could be pushed tried installing a big package, stellarium (122 packages), and that ran very smoothly. It is not runnable - another chapter I guess - no X display.

# dnf remove stellarium
took care of it.
# exit
<to leave container>

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                      PORTS   NAMES
23a1a062bdde   fedora:latest   "/bin/bash"   19 minutes ago   Exited (0) 19 seconds ago           pedantic_sammet
6064d8abf9ac   hello-world     "/hello"      25 minutes ago   Exited (0) 25 minutes ago           confident_kilby
64740c6ad06b   hello-world     "/hello"      26 minutes ago   Exited (0) 26 minutes ago           gracious_keldysh
$ docker rm 6064d8abf9ac
6064d8abf9ac
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                      PORTS   NAMES
23a1a062bdde   fedora:latest   "/bin/bash"   22 minutes ago   Exited (0) 3 minutes ago            pedantic_sammet
64740c6ad06b   hello-world     "/hello"      29 minutes ago   Exited (0) 29 minutes ago           gracious_keldysh

$ docker inspect pedantic_sammet
[
    {
        "Id": "23a1a062bddeffa84ed58694c213a543ec4389bd9068473870ec88fed6f5b657",
        "Created": "2019-03-31T18:15:36.204923966Z",
        "Path": "/bin/bash",
        "Args": [],
        "State": {
            "Status": "exited",
            "Running": false,
[...]
$ docker inspect pedantic_sammet | grep NetworkID
"NetworkID": "9e0bdfab3882457b659a75af77481661ce6a19d0051fb6569caa1ab7e2f6a0c4",
$ docker restart 23a1a062bdde
23a1a062bdde
$

Not sure what that did. Probably starts a stopped container or stops and starts it.

Re-enter the fedora container:

$ docker run -ti fedora:latest /bin/bash
[root@c70d49401bea /]# ls
bin   dev  home  lib64       media  opt   root  sbin  sys  usr
boot  etc  lib   lost+found  mnt    proc  run   srv   tmp  var
[root@c70d49401bea /]# cd bin
[root@c70d49401bea bin]# ll
total 26800
-rwxr-xr-x 1 root root   69776 Nov  7 15:14 '['
-rwxr-xr-x 1 root root      33 Jan 17 08:27 alias
-rwxr-xr-x 1 root root   77824 Jul 14  2018 applydeltarpm
-rwxr-xr-x 1 root root   46952 Nov  7 15:14 arch
[...]
-rwxr-xr-x 1 root root    2209 Jul 26  2018 zless
-rwxr-xr-x 1 root root    1845 Jul 26  2018 zmore
-rwxr-xr-x 1 root root    4556 Jul 26  2018 znew
[root@c70d49401bea bin]# ls | wc -l
375

$ docker run -it --name cowsay --hostname cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
e79bb959ec00: Pull complete
Digest: sha256:724b0fbbda7fda6372ffed586670573c59e07a48c86d606bab05db118abe0ef5
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
Get:1 http://security-cdn.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Get:3 http://security-cdn.debian.org/debian-security stretch/updates/main amd64 Packages [481 kB]
Ign:2 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Get:4 http://cdn-fastly.deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:5 http://cdn-fastly.deb.debian.org/debian stretch-updates/main amd64 Packages [11.1 kB]
Get:6 http://cdn-fastly.deb.debian.org/debian stretch Release [118 kB]
Get:7 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg [2434 B]
Get:8 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Packages [7084 kB]
Fetched 7881 kB in 3s (2441 kB/s)
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
[...]
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 _________________________________________
/ Cheer Up! Things are getting worse at a \
\ slower rate.                            /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/#

That should do for this update. docker is running fine.
Thanks again to Bruno for the tutorial.
Whiteboard: (none) => MGA6-64-OK
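Added example, not part of the original thread and not Mageia or Docker tooling: a check that reads the Server engine version from `docker version` output and compares it with the fixed versions this thread names (18.06.3 for Mageia 6, 18.09.3 for cauldron). The function names are hypothetical, and the sample input is constructed from the tester's report above, where the client string (18.06.0-dev) differs from the server's.

```shell
#!/bin/sh
# Fixed Docker versions per release series, as named in this thread:
# 18.06.3 (Mageia 6) and 18.09.3 (cauldron).
FIXED_VERSIONS="18.06.3 18.09.3"

# Print the Engine version from the "Server:" section of `docker version`
# text output read on stdin; the client version above it is ignored.
server_version() {
    awk '/^Server:/ {srv=1} srv && $1=="Version:" {print $2; exit}'
}

# version_ge A B: true when dotted version A >= B (suffixes like "-ce" dropped).
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$b" ]
}

# check_fixed VERSION: 0 = at or above the fixed version of its series,
# 1 = older, 2 = series not mentioned in this thread (no verdict).
check_fixed() {
    series=$(printf '%s\n' "${1%%-*}" | cut -d. -f1,2)
    for fixed in $FIXED_VERSIONS; do
        if [ "$series" = "$(printf '%s\n' "$fixed" | cut -d. -f1,2)" ]; then
            if version_ge "$1" "$fixed"; then return 0; else return 1; fi
        fi
    done
    return 2
}

# Constructed sample, trimmed from the `docker version` output in the report.
SAMPLE='Client:
 Version:           18.06.0-dev
 API version:       1.38

Server:
 Engine:
  Version:          18.06.3-ce
  API version:      1.38 (minimum version 1.12)'

# On a live host use: ver=$(docker version | server_version)
ver=$(printf '%s\n' "$SAMPLE" | server_version)
rc=0; check_fixed "$ver" || rc=$?
case $rc in
    0) echo "server $ver: at or above the fixed version for its series" ;;
    1) echo "server $ver: older than the fixed version, update needed" ;;
    *) echo "server $ver: series not covered by this check" ;;
esac
```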
Looks more than sufficient to me. Thanks for your help, Bruno. Validating, but it still needs advisory information.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Adding the feedback keyword. Please remove it when the advisory info is available.
CC: (none) => davidwhodgins
Keywords: (none) => feedback
Keywords: feedback => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0180.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED