FEDORA-2016-6a0d540088

security update in Fedora 23 for docker

Status: stable 3 years ago

built docker @projectatomic/fedora-1.10.3 commit f476348

built docker @projectatomic/fedora-1.10.3 commit 4158ccc

Resolves: #1335649 - enable Red Hat subscription use in Docker containers on Fedora

built docker @projectatomic/fedora-1.10.3 commit 8ecd47f

built docker @projectatomic/fedora-1.10.3 commit 667d6d1

built docker @projectatomic/fedora-1.10.3 commit bba2d6d

built docker @projectatomic/fedora-1.10.3 commit a41254f

built docker @projectatomic/fedora-1.10.3 commit#964eda6

built docker @projectatomic/fedora-1.10.3 commit#ef2fa35

docker package runtime depends on docker-forward-journald

rebuilt to remove dockerroot user creation

rebuilt to include dss_libdir directory

built docker @projectatomic/fedora-1.10.2 commit#86e59a5

rebuilt with seccomp enabled

built docker @projectatomic/fedora-1.10.1 commit#6c71d8f

rebuilt, no change

built docker @projectatomic/fedora-1.10.2 commit#0f5ac89

How to install

sudo dnf upgrade --advisory=FEDORA-2016-6a0d540088

Comments 12

This update has been submitted for testing by runcom.

This update has obsoleted docker-1.10.3-23.gitf476348.fc23, and has inherited its bugs and notes.

This update has been pushed to testing.

I tested this with a Kubernetes 1.3 cluster and verified it was functional.

karma: +1

runcom edited this update.

Installed on a vanilla F23 box and did not edit any unit files, and get following error:

sudo systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/etc/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-06-08 15:58:16 EDT; 7s ago
     Docs: http://docs.docker.com
  Process: 16020 ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $INSECURE_REGISTRY (code=exited, status=125)
 Main PID: 16020 (code=exited, status=125)

Jun 08 15:58:16 localhost.localdomain systemd[1]: Started Docker Application Container Engine.
Jun 08 15:58:16 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
Jun 08 15:58:16 localhost.localdomain docker[16020]: flag provided but not defined: -d
Jun 08 15:58:16 localhost.localdomain docker[16020]: See '/usr/bin/docker --help'.
Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Main process exited, code=exited, status=125/n/a
Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Unit entered failed state.
Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Failed with result 'exit-code'.

it looks like the unit should have docker daemon \ and not docker -d \

karma: -1

derek - that unit file with "/usr/bin/docker -d" is not in the fedora dist-git at all - I'm not sure how you're getting it on a fresh fedora f23 installation - there's not even forward-journald in there (it's just wrong) This is the current unit shipped with this update:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service

[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/bin/sh -c '/usr/bin/docker daemon \
          --exec-opt native.cgroupdriver=systemd \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $INSECURE_REGISTRY \
          2>&1 | /usr/bin/forward-journald -tag docker'
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
MountFlags=slave
StandardOutput=null
StandardError=null
TimeoutStartSec=0
Restart=on-abnormal

[Install]
WantedBy=multi-user.target
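The failure in the thread above comes from a locally placed unit that still runs the removed `docker -d` form. As an added example (not from the update, the package or the commenters), this POSIX shell script lints a docker.service unit's ExecStart= line, joining backslash continuations so the shipped multi-line form is handled, and flags the stale invocation; the sample units are constructed here to exercise both cases.

```shell
#!/bin/sh
# Added example, not part of the Fedora update or the docker package.
# Lints a docker.service unit for the failure reported in the comments:
# an ExecStart= that still runs the removed "docker -d" instead of
# "docker daemon" (docker exits 125: "flag provided but not defined: -d").

# Print the ExecStart= command with backslash-continued lines joined.
unit_execstart() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | sed -n 's/^ExecStart=//p'
}

# Exit status: 0 = uses "docker daemon", 1 = uses the removed "docker -d",
# 2 = no recognisable docker ExecStart= line in the unit.
check_docker_unit() {
    cmd=$(unit_execstart "$1")
    case "$cmd" in
        *"/usr/bin/docker -d "*|*"/usr/bin/docker -d") return 1 ;;
        *"/usr/bin/docker daemon "*|*"/usr/bin/docker daemon") return 0 ;;
    esac
    return 2
}

# Constructed sample units: the broken form seen in the systemctl output,
# and the shipped form with ExecStart= split over continuation lines.
BROKEN_UNIT=$(mktemp)
FIXED_UNIT=$(mktemp)
trap 'rm -f "$BROKEN_UNIT" "$FIXED_UNIT"' EXIT
cat >"$BROKEN_UNIT" <<'EOF'
[Service]
ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS
EOF
cat >"$FIXED_UNIT" <<'EOF'
[Service]
ExecStart=/bin/sh -c '/usr/bin/docker daemon \
          --exec-opt native.cgroupdriver=systemd \
          $OPTIONS \
          2>&1 | /usr/bin/forward-journald -tag docker'
EOF

# Report on each sample; a real run would point this at the loaded unit path
# shown by "systemctl status docker" (here /etc/systemd/system/docker.service).
for unit in "$BROKEN_UNIT" "$FIXED_UNIT"; do
    rc=0
    check_docker_unit "$unit" || rc=$?
    case "$rc" in
        0) echo "$unit: ok, ExecStart uses 'docker daemon'" ;;
        1) echo "$unit: stale unit, ExecStart uses removed 'docker -d'" ;;
        *) echo "$unit: no docker ExecStart= line found" ;;
    esac
done
```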

Apologies, user error on my part.

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for stable by runcom.

This update has been pushed to stable.

Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: unspecified
Karma: +2
stable threshold: 3
unstable threshold: -3
Autopush: Disabled
Dates:
submitted 3 years ago
in testing 3 years ago
in stable 3 years ago
modified 3 years ago

Related Bugs 10

#1254694 "man docker-login" incorrectly claims that you can "docker login" to Docker Hub as non-root user
#1269602 Secrets patch does not work in Fedora
#1289851 Docker.service does not require docker.socket which can lead to Docker crash when docker.sock is host mounted
#1289963 docker push not working in 1.9.1
#1303105 Docker does not own /usr/lib/docker-storage-setup
#1312934 "docker images" command returns all the repositories prepended with the "docker.io/" string
#1326110 Unable to create containers with Kubernetes master and Docker 1.9.1-9
#1329454 CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs [fedora-all]
#1335649 Enable use of Red Hat subscriptions in docker containers on Fedora
#1340921 "Failed to get pwuid struct: user: unknown userid " log spam