FEDORA-2016-6a0d540088 — security update for docker

stable

docker-1.10.3-24.gitf476348.fc23

FEDORA-2016-6a0d540088 created by runcom 9 years ago for Fedora 23

built docker @projectatomic/fedora-1.10.3 commit f476348

built docker @projectatomic/fedora-1.10.3 commit 4158ccc

Resolves: #1335649 - enable Red Hat subscription use in Docker containers on Fedora

built docker @projectatomic/fedora-1.10.3 commit 8ecd47f

built docker @projectatomic/fedora-1.10.3 commit 667d6d1

built docker @projectatomic/fedora-1.10.3 commit bba2d6d

built docker @projectatomic/fedora-1.10.3 commit a41254f

built docker @projectatomic/fedora-1.10.3 commit#964eda6

built docker @projectatomic/fedora-1.10.3 commit#ef2fa35

docker package runtime depends on docker-forward-journald

rebuilt to remove dockerroot user creation

rebuilt to include dss_libdir directory

built docker @projectatomic/fedora-1.10.2 commit#86e59a5

rebuilt with seccomp enabled

built docker @projectatomic/fedora-1.10.1 commit#6c71d8f

rebuilt, no change

built docker @projectatomic/fedora-1.10.2 commit#0f5ac89

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2016-6a0d540088

This update has been submitted for testing by runcom.

9 years ago

This update has obsoleted docker-1.10.3-23.gitf476348.fc23, and has inherited its bugs and notes.

9 years ago

This update has been pushed to testing.

9 years ago

derekwaynecarr commented & provided feedback 9 years ago

karma

I tested this with a Kubernetes 1.3 cluster and verified it was functional.

runcom edited this update.

9 years ago

derekwaynecarr commented & provided feedback 9 years ago

karma

Installed on a vanilla F23 box and did not edit any unit files, and get following error:

sudo systemctl status docker ● docker.service - Docker Application Container Engine Loaded: loaded (/etc/systemd/system/docker.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2016-06-08 15:58:16 EDT; 7s ago Docs: http://docs.docker.com Process: 16020 ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $INSECURE_REGISTRY (code=exited, status=125) Main PID: 16020 (code=exited, status=125)

Jun 08 15:58:16 localhost.localdomain systemd[1]: Started Docker Application Container Engine. Jun 08 15:58:16 localhost.localdomain systemd[1]: Starting Docker Application Container Engine... Jun 08 15:58:16 localhost.localdomain docker[16020]: flag provided but not defined: -d Jun 08 15:58:16 localhost.localdomain docker[16020]: See '/usr/bin/docker --help'. Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Main process exited, code=exited, status=125/n/a Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Unit entered failed state. Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Failed with result 'exit-code'.

it looks like the unit should have docker daemon \ and not docker -d \

runcom commented & provided feedback 9 years ago

derek - that unit file with "/usr/bin/docker -d" is not in the fedora dist-git at all - I'm not sure how you're getting it on a fresh fedora f23 installation - there's not even forward-journald in there (it's just wrong) This is the current unit shipped with this update:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service

[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/bin/sh -c '/usr/bin/docker daemon \
          --exec-opt native.cgroupdriver=systemd \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $INSECURE_REGISTRY \
          2>&1 | /usr/bin/forward-journald -tag docker'
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
MountFlags=slave
StandardOutput=null
StandardError=null
TimeoutStartSec=0
Restart=on-abnormal

[Install]
WantedBy=multi-user.target

derekwaynecarr commented & provided feedback 9 years ago

karma

Apologies, user error on my part.

lsm5 provided feedback 9 years ago

karma

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

9 years ago

This update has been submitted for stable by runcom.

9 years ago

This update has been pushed to stable.

9 years ago

Please log in to add feedback.

Metadata

Type

security

Karma

Signed

Content Type

RPM

Test Gating

None

Autopush Settings

Unstable by Karma

-3

Stable by Karma

disabled

Stable by Time

disabled

Dates

submitted

9 years ago

in testing

9 years ago

in stable

9 years ago

modified

9 years ago

Builds

docker-1.10.3-24.gitf476348.fc23

BZ#1254694 "man docker-login" incorrectly claims that you can "docker login" to Docker Hub as non-root user

BZ#1269602 Secrets patch does not work in Fedora

BZ#1289851 Docker.service does not require docker.socket which can lead to Docker crash when docker.sock is host mounted

BZ#1289963 docker push not working in 1.9.1

BZ#1303105 Docker does not own /usr/lib/docker-storage-setup

BZ#1312934 "docker images" command returns all the repositories prepended with the "docker.io/" string

BZ#1326110 Unable to create containers with Kubernetes master and Docker 1.9.1-9

BZ#1329454 CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs [fedora-all]

BZ#1335649 Enable use of Red Hat subscriptions in docker containers on Fedora

BZ#1340921 "Failed to get pwuid struct: user: unknown userid " log spam

docker-1.10.3-24.gitf476348.fc23

Automated Test Results

None