FEDORA-2016-6a0d540088

security update in Fedora 23 for docker

Status: stable 3 years ago

built docker @projectatomic/fedora-1.10.3 commit f476348

built docker @projectatomic/fedora-1.10.3 commit f476348

built docker @projectatomic/fedora-1.10.3 commit 4158ccc

Resolves: #1335649 - enable Red Hat subscription use in Docker containers on Fedora

built docker @projectatomic/fedora-1.10.3 commit 8ecd47f

built docker @projectatomic/fedora-1.10.3 commit 8ecd47f

built docker @projectatomic/fedora-1.10.3 commit 667d6d1

built docker @projectatomic/fedora-1.10.3 commit bba2d6d

built docker @projectatomic/fedora-1.10.3 commit a41254f

built docker @projectatomic/fedora-1.10.3 commit#964eda6

built docker @projectatomic/fedora-1.10.3 commit#ef2fa35

docker package runtime depends on docker-forward-journald

rebuilt to remove dockerroot user creation

rebuilt to remove dockerroot user creation

rebuilt to include dss_libdir directory

built docker @projectatomic/fedora-1.10.2 commit#86e59a5

rebuilt with seccomp enabled

built docker @projectatomic/fedora-1.10.1 commit#6c71d8f

built docker @projectatomic/fedora-1.10.1 commit#6c71d8f

rebuilt, no change

built docker @projectatomic/fedora-1.10.2 commit#0f5ac89

How to install

sudo dnf upgrade --advisory=FEDORA-2016-6a0d540088

Comments 12

This update has been submitted for testing by runcom.

3 years ago

This update has obsoleted docker-1.10.3-23.gitf476348.fc23, and has inherited its bugs and notes.

3 years ago

This update has been pushed to testing.

3 years ago
derekwaynecarr 3 years ago

I tested this with a Kubernetes 1.3 cluster and verified it was functional.

karma: +1

runcom edited this update.

3 years ago
derekwaynecarr 3 years ago

Installed on a vanilla F23 box and did not edit any unit files, and get following error:

sudo systemctl status docker ● docker.service - Docker Application Container Engine Loaded: loaded (/etc/systemd/system/docker.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2016-06-08 15:58:16 EDT; 7s ago Docs: http://docs.docker.com Process: 16020 ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $INSECURE_REGISTRY (code=exited, status=125) Main PID: 16020 (code=exited, status=125)

Jun 08 15:58:16 localhost.localdomain systemd[1]: Started Docker Application Container Engine. Jun 08 15:58:16 localhost.localdomain systemd[1]: Starting Docker Application Container Engine... Jun 08 15:58:16 localhost.localdomain docker[16020]: flag provided but not defined: -d Jun 08 15:58:16 localhost.localdomain docker[16020]: See '/usr/bin/docker --help'. Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Main process exited, code=exited, status=125/n/a Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Unit entered failed state. Jun 08 15:58:16 localhost.localdomain systemd[1]: docker.service: Failed with result 'exit-code'.

it looks like the unit should have docker daemon \ and not docker -d \

karma: -1
runcom 3 years ago

derek - that unit file with "/usr/bin/docker -d" is not in the fedora dist-git at all - I'm not sure how you're getting it on a fresh fedora f23 installation - there's not even forward-journald in there (it's just wrong) This is the current unit shipped with this update:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service

[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/bin/sh -c '/usr/bin/docker daemon \
          --exec-opt native.cgroupdriver=systemd \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $INSECURE_REGISTRY \
          2>&1 | /usr/bin/forward-journald -tag docker'
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
MountFlags=slave
StandardOutput=null
StandardError=null
TimeoutStartSec=0
Restart=on-abnormal

[Install]
WantedBy=multi-user.target
derekwaynecarr 3 years ago

Apologies, user error on my part.

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

3 years ago

This update has been submitted for stable by runcom.

3 years ago

This update has been pushed to stable.

3 years ago
Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
unspecified
Karma
+2
stable threshold: 3
unstable threshold: -3
Autopush
Disabled
Dates
submitted 3 years ago
in testing 3 years ago
in stable 3 years ago
modified 3 years ago

Related Bugs 10
00 #1254694 "man docker-login" incorrectly claims that you can "docker login" to Docker Hub as non-root user
00 #1269602 Secrets patch does not work in Fedora
00 #1289851 Docker.service does not require docker.socket which can lead to Docker crash when docker.sock is host mounted
00 #1289963 docker push not working in 1.9.1
00 #1303105 Docker does not own /usr/lib/docker-storage-setup
00 #1312934 "docker images" command returns all the repositories prepended with the "docker.io/" string
00 #1326110 Unable to create containers with Kubernetes master and Docker 1.9.1-9
00 #1329454 CVE-2016-3697 docker: privilege escalation via confusion of usernames and UIDs [fedora-all]
00 #1335649 Enable use of Red Hat subscriptions in docker containers on Fedora
00 #1340921 "Failed to get pwuid struct: user: unknown userid " log spam

Automated Test Results

Copyright © 2007-2019 Red Hat, Inc. and others.

Running bodhi-4.0.2 on bodhi-web-77-s86x9.

bodhi is Free Software. Please file issues if you have any problems. Read the documentation.

Legal | Privacy policy