* [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates
@ 2022-12-12  7:58 Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 01/21] docker/moby: update to 20.10.16 Adrian Freihofer
                   ` (21 more replies)
  0 siblings, 22 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Adrian Freihofer

This brings docker-ce, docker-moby, containerd-opencontainers,
runc-opencontainers and runc-docker to almost the same commits
as they are on the master branch. That's what I did:

  git cherry-pick ea4c3c3ebac169c3b609476de1cae9bf826e2e50
  git cherry-pick ade7848788f9b9b1fdf64c2569601ae187e92b1c
  git cherry-pick 3cf7b710863cbc0d2696700c3eb30f9ee6638953
  git cherry-pick 3012689f5eb352ac6d35f64cf30fee26e947c980
  git revert 16e29a7818e2e342960e8ccb38768543f860021c
    commit e4474ef881401b2f3ed3ba806a288bb986dcac49 of runc does a vendor
    update which includes the reverted fix again. The commit is after
    1.2.0 and before 1.3.0 --> the next cherry-pick updates runc to
    1.3.0 and the fix will be back.
  git cherry-pick d8ecc12a13ec4da705f4f2597582879ef7889833
  git cherry-pick 038b48664af66ad4ae1f02e23a2b3fce7f93db6d
  git cherry-pick dbe9ce60c2628a3b63067e0334491448c8643a0a
  git cherry-pick bd60f149dceb0a96ce6c2593103738aa8dccfb5a
  git cherry-pick f6bf30aca6cb16f4fe185965f56e4e59dd7848f8
  git cherry-pick 19045acf78b48d7c0d08e7d6afe55133fbf544be
  git cherry-pick 9ef3fa52d049d5c9ffebcbcbd9d2dd7598fd6685
  git cherry-pick 7cea149bb0b510d2fb7fe71eee28d10399d0ceb4
  git cherry-pick a61f6ea090891356bdddd3b63fa2fee228fd38af
  git cherry-pick 2d0f7255a75d24ec3e3b686d70e97d20dc39c259

  git cherry-pick 6dba10357ce8906c95b81d3256e945c617999aa8
  git cherry-pick 99e93d3f88ba1ba21c4d9bec01b07a6d68d7e0b2
  git cherry-pick 6499f37793e691e0ee07e8f7e5dea4960c8c2217
  git cherry-pick 9d84fcdc6dd6e6f76709e697e37ee352b8a7de6e
  git cherry-pick 3f45dc8e6944da89c3124871debec9ec5f443bd5
  git cherry-pick d3acb1a378e644fe2784a8357390b19695640f78

  Finally the update of moby/ce to v20.10.21 is not straightforward.
  - moby: There is an update to go 1.8 which needs to be reverted.
    The commits are not exactly the same as referred by master. That's
    on purpose. Picking more commits would just add more code which needs
    go 1.8.
  - For the cli the update to go 1.8 changed only the docker build files
    but not the code or the vendor folder. It's still straightforward.
  - libnetwork does not have such changes. It's still straightforward.

Testing:

# docker run -it debian /bin/bash
  root@e44d34c90b37:/# cat /etc/os-release
  PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
  NAME="Debian GNU/Linux"
  VERSION_ID="11"
  VERSION="11 (bullseye)"
  VERSION_CODENAME=bullseye
  ID=debian
  HOME_URL="https://www.debian.org/"
  SUPPORT_URL="https://www.debian.org/support"
  BUG_REPORT_URL="https://bugs.debian.org/"
  root@e44d34c90b37:/# exit
exit
# docker version
Client:
 Version:           20.10.21-ce
 API version:       1.41
 Go version:        go1.17.13
 Git commit:        baeda1f82a
 Built:             Fri Dec  9 07:20:51 2022
 OS/Arch:           linux/arm64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.21-ce
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.17.13
  Git commit:       3056208812eb5e792fa99736c9167d1e10f4ab49
  Built:            Tue Oct 25 11:44:15 2022
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          v1.6.9-12-g6c41694da.m
  GitCommit:        6c41694da9eb09c2f1f49a5a5fbec4e970cfb460.m
 runc:
  Version:          1.1.4+dev
  GitCommit:        v1.1.4-8-g974efd2d-dirty
 docker-init:
  Version:          0.19.0
  GitCommit:        b9f42a0-dirty


Adrian Freihofer (2):
  runc-opencontainers: drop obsolete patch
  moby: update to v20.10.21

Bruce Ashfield (18):
  docker/moby: update to 20.10.16
  docker/moby/libnetwork: update to -latest
  docker-ce: update to 20.10.16
  runc: update to 1.1.3
  runc-docker: update to 1.1.3
  docker-moby: update to 20.10.17
  docker-ce: update to 20.10.17
  docker: ensure that sysvinit and systemd are exclusive
  containerd: update to 1.6.8
  containerd: improve reproducibility
  docker: reproducibility add -trimpath to go -> $GO patches
  containerd: fix final TMDIR references
  runc: update to 1.1.4-tip
  runc-docker: update to 1.1.4-tip
  containerd: update to v1.6.9
  docker: add mobyproject:moby to CVE_PRODUCT
  docker: add seccomp to default packageconfig settings
  docker/moby: use generic DOCKER_COMMIT in do_compile

Jose Quaresma (1):
  docker/proxy: don't use -linkshared unconditionally

 .../0001-Add-build-option-GODEBUG-1.patch     |   32 -
 ...O_BUILD_FLAGS-to-be-externally-speci.patch |    6 +-
 ...don-t-use-gcflags-to-define-trimpath.patch |   30 +
 .../containerd-opencontainers_git.bb          |   62 +-
 ...1-build-use-oe-provided-GO-and-flags.patch |    6 +-
 recipes-containers/docker/README              |    7 +
 recipes-containers/docker/docker-ce_git.bb    |   13 +-
 recipes-containers/docker/docker-moby_git.bb  |   13 +-
 recipes-containers/docker/docker.inc          |   18 +-
 ...ernal-GO111MODULE-and-cross-compiler.patch |   15 +-
 ...0001-dynbinary-use-go-cross-compiler.patch |    2 +-
 ...0001-libnetwork-use-GO-instead-of-go.patch |   10 +-
 .../files/0001-revert-go-1.8-update.patch     | 1218 +++++++++++++++++
 ...efine-ActKillThread-equal-to-ActKill.patch |   90 --
 recipes-containers/runc/runc-docker_git.bb    |    4 +-
 .../runc/runc-opencontainers_git.bb           |    5 +-
 16 files changed, 1322 insertions(+), 209 deletions(-)
 delete mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
 create mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
 create mode 100644 recipes-containers/docker/README
 create mode 100644 recipes-containers/docker/files/0001-revert-go-1.8-update.patch
 delete mode 100644 recipes-containers/runc/files/0002-Define-ActKillThread-equal-to-ActKill.patch

-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 01/21] docker/moby: update to 20.10.16
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 02/21] docker/moby/libnetwork: update to -latest Adrian Freihofer
                   ` (20 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping moby to version v20.10.16, which comprises the following commits:

    a15acb4bd6 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
    5f2e0b79ad [20.10] update golang to 1.17.10
    be7855fdbe vendor: update github.com/containerd/cgroups and github.com/cilium/ebpf
    414a9e24a7 update containerd binary to v1.6.4
    47b6a924b6 update containerd binary to v1.6.3
    6d7c2b2d26 update containerd binary to v1.6.2
    91708bf704 update containerd binary to v1.6.1
    53ae17008e Revert "[20.10] update containerd binary to 1.5.11"
    961b9a78d5 update runc binary to v1.1.1
    97972dac5f update runc binary to v1.1.0
    033a819714 [20.10] update golang to 1.17.9
    a80884126b Jenkinsfile: add workaround for CVE-2022-24765
    09d6fcdfec update to go 1.17.8 to address CVE-2022-24921
    5957684b2c Update Go to 1.17.7
    55b72c70ba Update Go to 1.17.6
    fdf3020bd5 Update Go to 1.17.5
    36e164ba80 Update Go to 1.17.4
    ecfba8f588 Update Go to 1.17.3
    4e14dcc125 Update Go to 1.17.2
    c32b5ece31 Update Go to 1.17.1
    7096508811 vendor: update archive/tar to match Go 1.17.0
    a1150245cc Update to Go 1.17.0, and gofmt with Go 1.17
    95cc7115fb hack/vendor.sh: allow go version to be specified with .0
    949c33b1c5 vendor: golang.org/x/sys  63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
    8392285876 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
    4e81bcf380 Makefile: update buildx to v0.8.2
    74e699c8d3 Makefile: update buildx version to v0.6.0
    bc3cc2e7ac Makefile: install buildx from binary release, instead of building
    492fac20af api: docs: fix indentation of HostConfig.SecurityOpt (v1.39-v1.41)
    3cba2682d8 api: docs: move ContainerWaitResponse to definitions (v1.39-v1.41)
    55e71450ae api: docs: move VolumeCreateOptions to definitions (v1.39-v1.41)
    c54362cd64 api: docs: move Volume examples inline (v1.39-v1.41)
    c60ff9b296 doc: server API Correct ImagesCreate - platform parameter added in 1.32
    7a45f7a8cc docs: cleanup swagger API with multiple examples (v1.25-v1.41)
    29bb9204bf api: docs: add IPAMConfig on IPAM (v1.41)
    77f6564369 api: docs: document MountPoint fields (v1.25-v1.41)
    51ea235ab8 api: docs: remove deprecated RootFS.BaseLayer (API v1.25-v1.41)
    3d6b4ae572 Correct type of Mounts in ContainerSummary in docs (v1.25-v1.40)
    6e8b9809b7 Correct type of Mounts in ContainerSummary in docs
    621a98dac0 api: docs: fix warning about comment indentation (API v1.40-v1.41)
    bb9ef98060 api: docs: update docs for /images/{name}/json (API v1.39-v1.41)
    88ca5cec4e daemon: fix error-message for minimum allowed kernel-memory limit
    3ea996abd7 docs: add missing KernelMemoryTCP to api v1.40 and v1.41
    b475bc95cd docs/api: add missing 400 response for POST /containers/{id}/wait
    ae07b3cc96 docs/api: update /containers/{id}/wait "condition" parameter (v1.30-v1.41)
    19555fa92d [20.10] vendor: github.com/docker/distribution v2.8.1
    32fe0bbb91 daemon: use RWMutex for stateCounter
    ed8fb00b65 errdefs: move GetHTTPErrorStatusCode to api/server/httpstatus
    3bd611d7a5 log error message when receiving an unexpected type error
    7dfe7a1752 [20.10] update containerd binary to 1.5.11
    af953d2f38 [20.10] vendor: containerd 7cfa023d95d37076d5ab035003d4839f4b6ba791
    5f9753ae73 client: remove containerd "platform" dependency
    4df345e65d client: remove unused Platform field from configWrapper
    dd38613d0c oci: inheritable capability set should be empty
    2825bf7123 Only check if route overlaps routes with scope: LINK
    f5c56eaca8 [20.10] bump swarmkit for config size increase
    ce3b6d1ae9 distribution: retry downloading schema config on retryable error

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-moby_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 0a0ffd6..4685550 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -34,7 +34,7 @@ DESCRIPTION = "Linux container runtime \
 #   - The common components of this recipe and docker-ce do need to be moved
 #     to a docker.inc recipe
 
-SRCREV_moby = "906f57ff5b7100013dfef066ea8fe367706468df"
+SRCREV_moby = "f756502055d2e36a84f2068e6620bea5ecf09058"
 SRCREV_libnetwork = "64b7a4574d1426139437d20e81c0b6d391130ec8"
 SRCREV_cli = "a224086349269551becacce16e5842ceeb2a98d6"
 SRCREV_FORMAT = "moby_libnetwork"
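Review bot: The new SRCREV_moby value cannot be tied to v20.10.16 from the diff alone, and SRCREV_cli in the context line below it stays at a224086349269551becacce16e5842ceeb2a98d6 even though the next hunk raises DOCKER_VERSION. Add a comment line above the assignment naming the tag the hash was taken from, and say in the commit message that the cli revision is intentionally left for a later patch, so a reader auditing the pin does not assume all three components sit at 20.10.16.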
@@ -54,7 +54,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "20.10.12"
+DOCKER_VERSION = "20.10.16"
 PV = "${DOCKER_VERSION}+git${SRCREV_moby}"
 
 CVE_PRODUCT = "docker"
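Review bot: DOCKER_VERSION is a hand-typed string with nothing in the recipe linking it to SRCREV_moby, yet it becomes PV, which is the version reported for CVE_PRODUCT = "docker" in the context line below. Record in the commit message how the hash was checked against the v20.10.16 tag (for example the git describe output), so a wrong version string cannot silently skew CVE matching for this package.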
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 02/21]  docker/moby/libnetwork: update to -latest
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 01/21] docker/moby: update to 20.10.16 Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 03/21] docker-ce: update to 20.10.16 Adrian Freihofer
                   ` (19 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping libnetwork to version v0.7.0-dev.3-1830-g339b972b, which comprises the following commits:

    9db86fb7 Only check if route overlaps routes with scope: LINK
    7b9c2905 fix port forwarding with ipv6.disable=1

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-moby_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 4685550..f7f0f6f 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -35,7 +35,7 @@ DESCRIPTION = "Linux container runtime \
 #     to a docker.inc recipe
 
 SRCREV_moby = "f756502055d2e36a84f2068e6620bea5ecf09058"
-SRCREV_libnetwork = "64b7a4574d1426139437d20e81c0b6d391130ec8"
+SRCREV_libnetwork = "339b972b464ee3d401b5788b2af9e31d09d6b7da"
 SRCREV_cli = "a224086349269551becacce16e5842ceeb2a98d6"
 SRCREV_FORMAT = "moby_libnetwork"
 SRC_URI = "\
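Review bot: The subject says "update to -latest", which names no revision, while the SRCREV_libnetwork line pins a fixed hash that the message body describes as v0.7.0-dev.3-1830-g339b972b. Put that describe string or the short hash in the subject so the history stays searchable by revision, and note which branch "latest" referred to when the hash was taken.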
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 03/21] docker-ce: update to 20.10.16
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 01/21] docker/moby: update to 20.10.16 Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 02/21] docker/moby/libnetwork: update to -latest Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 04/21] runc-opencontainers: drop obsolete patch Adrian Freihofer
                   ` (18 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping moby to version v20.10.16, which comprises the following commits:

    a15acb4bd6 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
    5f2e0b79ad [20.10] update golang to 1.17.10
    be7855fdbe vendor: update github.com/containerd/cgroups and github.com/cilium/ebpf
    414a9e24a7 update containerd binary to v1.6.4
    47b6a924b6 update containerd binary to v1.6.3
    6d7c2b2d26 update containerd binary to v1.6.2
    91708bf704 update containerd binary to v1.6.1
    53ae17008e Revert "[20.10] update containerd binary to 1.5.11"
    961b9a78d5 update runc binary to v1.1.1
    97972dac5f update runc binary to v1.1.0
    033a819714 [20.10] update golang to 1.17.9
    a80884126b Jenkinsfile: add workaround for CVE-2022-24765
    09d6fcdfec update to go 1.17.8 to address CVE-2022-24921
    5957684b2c Update Go to 1.17.7
    55b72c70ba Update Go to 1.17.6
    fdf3020bd5 Update Go to 1.17.5
    36e164ba80 Update Go to 1.17.4
    ecfba8f588 Update Go to 1.17.3
    4e14dcc125 Update Go to 1.17.2
    c32b5ece31 Update Go to 1.17.1
    7096508811 vendor: update archive/tar to match Go 1.17.0
    a1150245cc Update to Go 1.17.0, and gofmt with Go 1.17
    95cc7115fb hack/vendor.sh: allow go version to be specified with .0
    949c33b1c5 vendor: golang.org/x/sys  63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
    8392285876 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
    4e81bcf380 Makefile: update buildx to v0.8.2
    74e699c8d3 Makefile: update buildx version to v0.6.0
    bc3cc2e7ac Makefile: install buildx from binary release, instead of building
    492fac20af api: docs: fix indentation of HostConfig.SecurityOpt (v1.39-v1.41)
    3cba2682d8 api: docs: move ContainerWaitResponse to definitions (v1.39-v1.41)
    55e71450ae api: docs: move VolumeCreateOptions to definitions (v1.39-v1.41)
    c54362cd64 api: docs: move Volume examples inline (v1.39-v1.41)
    c60ff9b296 doc: server API Correct ImagesCreate - platform parameter added in 1.32
    7a45f7a8cc docs: cleanup swagger API with multiple examples (v1.25-v1.41)
    29bb9204bf api: docs: add IPAMConfig on IPAM (v1.41)
    77f6564369 api: docs: document MountPoint fields (v1.25-v1.41)
    51ea235ab8 api: docs: remove deprecated RootFS.BaseLayer (API v1.25-v1.41)
    3d6b4ae572 Correct type of Mounts in ContainerSummary in docs (v1.25-v1.40)
    6e8b9809b7 Correct type of Mounts in ContainerSummary in docs
    621a98dac0 api: docs: fix warning about comment indentation (API v1.40-v1.41)
    bb9ef98060 api: docs: update docs for /images/{name}/json (API v1.39-v1.41)
    88ca5cec4e daemon: fix error-message for minimum allowed kernel-memory limit
    3ea996abd7 docs: add missing KernelMemoryTCP to api v1.40 and v1.41
    b475bc95cd docs/api: add missing 400 response for POST /containers/{id}/wait
    ae07b3cc96 docs/api: update /containers/{id}/wait "condition" parameter (v1.30-v1.41)
    19555fa92d [20.10] vendor: github.com/docker/distribution v2.8.1
    32fe0bbb91 daemon: use RWMutex for stateCounter
    ed8fb00b65 errdefs: move GetHTTPErrorStatusCode to api/server/httpstatus
    3bd611d7a5 log error message when receiving an unexpected type error
    7dfe7a1752 [20.10] update containerd binary to 1.5.11
    af953d2f38 [20.10] vendor: containerd 7cfa023d95d37076d5ab035003d4839f4b6ba791
    5f9753ae73 client: remove containerd "platform" dependency
    4df345e65d client: remove unused Platform field from configWrapper
    dd38613d0c oci: inheritable capability set should be empty
    2825bf7123 Only check if route overlaps routes with scope: LINK
    f5c56eaca8 [20.10] bump swarmkit for config size increase
    ce3b6d1ae9 distribution: retry downloading schema config on retryable error

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-ce_git.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
index 12bc73c..27cb962 100644
--- a/recipes-containers/docker/docker-ce_git.bb
+++ b/recipes-containers/docker/docker-ce_git.bb
@@ -31,8 +31,8 @@ DESCRIPTION = "Linux container runtime \
 # so we get that tag, and make it our SRCREVS:
 #
 
-SRCREV_docker = "906f57ff5b7100013dfef066ea8fe367706468df"
-SRCREV_libnetwork = "64b7a4574d1426139437d20e81c0b6d391130ec8"
+SRCREV_docker = "f756502055d2e36a84f2068e6620bea5ecf09058"
+SRCREV_libnetwork = "339b972b464ee3d401b5788b2af9e31d09d6b7da"
 SRCREV_cli = "62eae52c2a76f4c1dcf79dfc7b5ea3bf5eebab8b"
 SRCREV_FORMAT = "docker_libnetwork"
 SRC_URI = "\
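Review bot: SRCREV_libnetwork changes in this hunk as well, but the commit message only says "Bumping moby" and lists moby commits, so the libnetwork move from 64b7a45 to 339b972 is undocumented here. List the libnetwork commits as patch 02 does for docker-moby, or split the libnetwork bump into its own commit. The subject names docker-ce while the body names moby; one sentence stating that SRCREV_docker takes the same hash as SRCREV_moby in docker-moby_git.bb would remove the ambiguity.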
@@ -51,7 +51,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "20.10.12-ce"
+DOCKER_VERSION = "20.10.16-ce"
 PV = "${DOCKER_VERSION}+git${SRCREV_docker}"
 
 CVE_PRODUCT = "docker"
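Review bot: DOCKER_VERSION moves to "20.10.16-ce" although SRCREV_cli in the previous hunk is left at 62eae52c2a76f4c1dcf79dfc7b5ea3bf5eebab8b, so the client revision does not move with the version string that ends up in PV. If the cli is deliberately held back until a later patch in the series, say so in the commit message; otherwise bump SRCREV_cli together with the version.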
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 04/21] runc-opencontainers: drop obsolete patch
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (2 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 03/21] docker-ce: update to 20.10.16 Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 05/21] runc: update to 1.1.3 Adrian Freihofer
                   ` (17 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Adrian Freihofer

commit e4474ef881401b2f3ed3ba806a288bb986dcac49 of runc does a vendor
update which includes the reverted fix again. The commit is after 1.2.0
and before 1.3.0 --> the next cherry-pick updates runc to 1.3.0 and the
fix will be back.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 ...efine-ActKillThread-equal-to-ActKill.patch | 90 -------------------
 .../runc/runc-opencontainers_git.bb           |  1 -
 2 files changed, 91 deletions(-)
 delete mode 100644 recipes-containers/runc/files/0002-Define-ActKillThread-equal-to-ActKill.patch

diff --git a/recipes-containers/runc/files/0002-Define-ActKillThread-equal-to-ActKill.patch b/recipes-containers/runc/files/0002-Define-ActKillThread-equal-to-ActKill.patch
deleted file mode 100644
index ba51d4a..0000000
--- a/recipes-containers/runc/files/0002-Define-ActKillThread-equal-to-ActKill.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From f2aa0359bcc776239bda8a4eb84957b97ef55c35 Mon Sep 17 00:00:00 2001
-From: Tonis Tiigi <tonistiigi@gmail.com>
-Date: Fri, 28 Jan 2022 14:44:56 -0800
-Subject: [PATCH] Define ActKillThread equal to ActKill
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-These constants are equal in libseccomp but Go definitions
-were defined separately. This resulted in dead code that
-never executed due to identical case statements in switch.
-Go can usually detect these error cases and refuses to build
-but for some reason this detection doesn’t work with cgo+gcc.
-Clang detects the equal constants correctly and therefore
-libseccomp-golang builds with clang broke after ActKillThread
-was added.
-
-In order to fix the clang build only removal of the
-switch case is needed. But I assumed that the setter/getter
-logic is supposed to work for ActKillThread as well
-and only way to ensure that is to set them equal like they
-are in C.
-
-Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
-Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
-Upstream-status: Backport [https://github.com/seccomp/libseccomp-golang/commit/c35397d0ea8f285a0be78693bb2fd37b06952453]
----
- seccomp.go          | 8 ++++----
- seccomp_internal.go | 4 ----
- 2 files changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/seccomp.go b/seccomp.go
-index e9b92e2..32f6ab2 100644
---- a/seccomp.go
-+++ b/seccomp.go
-@@ -214,14 +214,14 @@ const (
- 	// This action is only usable when libseccomp API level 3 or higher is
- 	// supported.
- 	ActLog ScmpAction = iota
--	// ActKillThread kills the thread that violated the rule. It is the same as ActKill.
--	// All other threads from the same thread group will continue to execute.
--	ActKillThread ScmpAction = iota
- 	// ActKillProcess kills the process that violated the rule.
- 	// All threads in the thread group are also terminated.
- 	// This action is only usable when libseccomp API level 3 or higher is
- 	// supported.
- 	ActKillProcess ScmpAction = iota
-+	// ActKillThread kills the thread that violated the rule. It is the same as ActKill.
-+	// All other threads from the same thread group will continue to execute.
-+	ActKillThread = ActKill
- )
- 
- const (
-@@ -394,7 +394,7 @@ func (a ScmpCompareOp) String() string {
- // String returns a string representation of a seccomp match action
- func (a ScmpAction) String() string {
- 	switch a & 0xFFFF {
--	case ActKill, ActKillThread:
-+	case ActKillThread:
- 		return "Action: Kill thread"
- 	case ActKillProcess:
- 		return "Action: Kill process"
-diff --git a/seccomp_internal.go b/seccomp_internal.go
-index 8dc7b29..8fc9914 100644
---- a/seccomp_internal.go
-+++ b/seccomp_internal.go
-@@ -612,8 +612,6 @@ func (a ScmpCompareOp) toNative() C.int {
- func actionFromNative(a C.uint32_t) (ScmpAction, error) {
- 	aTmp := a & 0xFFFF
- 	switch a & 0xFFFF0000 {
--	case C.C_ACT_KILL:
--		return ActKill, nil
- 	case C.C_ACT_KILL_PROCESS:
- 		return ActKillProcess, nil
- 	case C.C_ACT_KILL_THREAD:
-@@ -638,8 +636,6 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
- // Only use with sanitized actions, no error handling
- func (a ScmpAction) toNative() C.uint32_t {
- 	switch a & 0xFFFF {
--	case ActKill:
--		return C.C_ACT_KILL
- 	case ActKillProcess:
- 		return C.C_ACT_KILL_PROCESS
- 	case ActKillThread:
--- 
-2.25.1
-
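Review bot: The Upstream-status line in the deleted patch names libseccomp-golang commit c35397d0ea8f285a0be78693bb2fd37b06952453 as the backported fix, but the commit message justifies the removal only by runc commit e4474ef8 and does not say that its vendor bump contains c35397d. Cite the libseccomp-golang revision that the vendor update pulls in and confirm it includes that commit, so the removal can be verified without re-deriving it.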
diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index f9dae6a..14570b9 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -4,7 +4,6 @@ SRCREV = "b507e2da6c6a3a328f208fa415a56ad7cd58761b"
 SRC_URI = " \
     git://github.com/opencontainers/runc;branch=release-1.1;protocol=https \
     file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
-    file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
     "
 RUNC_VERSION = "1.1.2"
 
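Review bot: The SRC_URI entry is removed while SRCREV, visible in the hunk header, is still b507e2da6c6a3a328f208fa415a56ad7cd58761b and RUNC_VERSION is still "1.1.2"; going by the commit list in the next patch, e4474ef8 only arrives with the following SRCREV bump, so at this commit runc is built without the fix. Squash this removal into the bump or order it after, to keep the series bisectable. The message also speaks of 1.2.0 and 1.3.0 where the recipe says 1.1.2 and the next patch 1.1.3; the numbers should be aligned.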
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 05/21] runc: update to 1.1.3
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (3 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 04/21] runc-opencontainers: drop obsolete patch Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 06/21] runc-docker: " Adrian Freihofer
                   ` (16 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping runc to version v1.1.3-2-g1e7bb5b7, which comprises the following commits:

    eb1552a0 VERSION: back to development
    6724737f VERSION: release 1.1.3
    91fa032d ci: add basic checks for CHANGELOG.md
    7219387e cgroups: systemd: skip adding device paths that don't exist
    93d1807b libcontainer: relax getenv_int sanity check
    8242c05d script/seccomp.sh: check tarball sha256
    017cb29b Dockerfile,scripts/release: bump libseccomp to v2.5.4
    51649a7d Allow mounting of /proc/sys/kernel/ns_last_pid
    3a09da6b ci: drop docker layer caching from release job
    8b93f9fb seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
    fc2a8fe1 libct/cg/sd: check dbus.ErrClosed instead of isDbusError
    d105e052 libct/seccomp/config: add missing KillThread, KillProcess
    e4474ef8 [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d
    dc083b2b fix deprecated ActKill
    bf1cd884 ci: use golangci-lint-action v3, GO_VERSION
    1feafc31 ci: bump golangci-lint to v1.44
    89f79ff0 libct: StartInitialization: fix %w related warning
    3b7f2605 Format sources using gofumpt 0.2.1
    eeac4e77 build(deps): bump actions/checkout from 2 to 3
    cd7fa00d Vagrantfile.fedora: fix build wrt new git

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/runc/runc-opencontainers_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 14570b9..997fb1e 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,10 +1,10 @@
 include runc.inc
 
-SRCREV = "b507e2da6c6a3a328f208fa415a56ad7cd58761b"
+SRCREV = "1e7bb5b773162b57333d57f612fd72e3f8612d94"
 SRC_URI = " \
     git://github.com/opencontainers/runc;branch=release-1.1;protocol=https \
     file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
     "
-RUNC_VERSION = "1.1.2"
+RUNC_VERSION = "1.1.3"
 
 CVE_PRODUCT = "runc"
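Review bot: RUNC_VERSION is set to "1.1.3", but the message gives the new SRCREV as v1.1.3-2-g1e7bb5b7, two commits past the release tag, and the commit list includes "VERSION: back to development". Either pin SRCREV to the release commit listed as 6724737f or mark the version string as a post-release snapshot, since the version reported for CVE_PRODUCT = "runc" in the context line should describe what is actually built.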
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 06/21] runc-docker: update to 1.1.3
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (4 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 05/21] runc: update to 1.1.3 Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 07/21] docker-moby: update to 20.10.17 Adrian Freihofer
                   ` (15 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping runc to version v1.1.3-2-g1e7bb5b7, which comprises the following commits:

    eb1552a0 VERSION: back to development
    6724737f VERSION: release 1.1.3
    91fa032d ci: add basic checks for CHANGELOG.md
    7219387e cgroups: systemd: skip adding device paths that don't exist
    93d1807b libcontainer: relax getenv_int sanity check
    8242c05d script/seccomp.sh: check tarball sha256
    017cb29b Dockerfile,scripts/release: bump libseccomp to v2.5.4
    51649a7d Allow mounting of /proc/sys/kernel/ns_last_pid
    3a09da6b ci: drop docker layer caching from release job
    8b93f9fb seccomp: enosys: always return -ENOSYS for setup(2) on s390(x)
    fc2a8fe1 libct/cg/sd: check dbus.ErrClosed instead of isDbusError
    d105e052 libct/seccomp/config: add missing KillThread, KillProcess
    e4474ef8 [1.1] vendor: bump seccomp/libseccomp-golang to f33da4d
    dc083b2b fix deprecated ActKill
    bf1cd884 ci: use golangci-lint-action v3, GO_VERSION
    1feafc31 ci: bump golangci-lint to v1.44
    89f79ff0 libct: StartInitialization: fix %w related warning
    3b7f2605 Format sources using gofumpt 0.2.1
    eeac4e77 build(deps): bump actions/checkout from 2 to 3
    cd7fa00d Vagrantfile.fedora: fix build wrt new git

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/runc/runc-docker_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index f2c0613..8180c3a 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,13 +2,13 @@ include runc.inc
 
 # Note: this rev is before the required protocol field, update when all components
 #       have been updated to match.
-SRCREV_runc-docker = "b507e2da6c6a3a328f208fa415a56ad7cd58761b"
+SRCREV_runc-docker = "1e7bb5b773162b57333d57f612fd72e3f8612d94"
 SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
            file://0001-runc-Add-console-socket-dev-null.patch \
            file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
            file://0001-runc-docker-SIGUSR1-daemonize.patch \
           "
 
-RUNC_VERSION = "1.1.2"
+RUNC_VERSION = "1.1.3"
 
 CVE_PRODUCT = "runc"
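Review bot: The comment kept as context above SRCREV_runc-docker says this rev "is before the required protocol field, update when all components have been updated to match", yet the SRC_URI line right below already carries protocol=https and the rev is being moved in this hunk, so the note appears stale. Drop or rewrite it in this patch so the recipe does not describe a state that no longer applies.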
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 07/21] docker-moby: update to 20.10.17
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (5 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 06/21] runc-docker: " Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 08/21] docker-ce: " Adrian Freihofer
                   ` (14 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping moby to version v20.10.17-2-g3949ff121e, which comprises the following commits:

    ff7feeac37 vendor: github.com/containerd/continuity v0.3.0
    6f3f2b6d08 update containerd binary to v1.6.6
    b3bcb15da8 update containerd binary to v1.6.5
    f55b030fa0 system: unbreak build for darwin
    63ab12cd3a Port pkg/system/mknod.go to FreeBSD
    081e538fbd vendor: libnetwork f6ccccb1c082a432c2a5814aaedaca56af33d9ea
    8e9d647c01 [20.10] update golang to 1.17.11
    87ead7fd2a vendor: hcsshim a11a2c44e8a4aa9d66314b1d759ef582df5ab5e8
    27f8322324 vendor: libnetwork 2dab5620d4462865c6151e573b3e7fa5d3b8458b
    829951ec19 docs: api: /containers/{id}/attach/ws: remove unsupported query-args < v1.42
    6cbe73bfc0 Rename Reservation to Reservations in the open API
    d9ed3d7e28 update runc binary to v1.1.2
    a15acb4bd6 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
    5f2e0b79ad [20.10] update golang to 1.17.10

Bumping libnetwork to version v0.7.0-dev.3-1835-gf6ccccb1, which comprises the following commits:

    af0c46d8 Apply peformance tuning to new sandboxes also
    23ffb31f Set ExternalPortReserved for dummy proxy
    9b82e422 Bump hcsshim
    9db86fb7 Only check if route overlaps routes with scope: LINK

Bumping docker-cli to version v20.10.17, which comprises the following commits:

    7502d7e56 Fix dead external link
    308624c3b fix: remove asterisk from docker command suggestions
    de7d866b6 [20.10] update golang to 1.17.11
    240e4b550 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
    5d4776bd9 [20.10] update golang to 1.17.10
    49e9c2ae3 vendor: golang.org/x/sys  63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
    87a3ce269 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
    1d8abed17 vendor: update x/sys to 134d130e
    31dad66f9 [20.10] update golang to 1.17.9
    80f673bf9 gofmt with go1.17
    3d4cc8e69 [20.10] update remaining files to go1.17.8
    30277a8f8 update go to 1.17.8
    cfef3a7dc docs: deprecated: add entry for "fluent-async-connect" log-opt
    53426025c [20.10] docs: reformat table for compatibility
    573a66463 Describe privileged mode in terms of capabilities
    cf0ab7ac4 [20.10] vendor: github.com/docker/distribution v2.8.1
    d05fd4ffc [20.10] vendor: github.com/opencontainers/image-spec v1.0.2
    870f13825 [20.10] vendor: github.com/docker/docker v20.10.14
    198d6b872 [20.10] circleci: update buildx to v0.8.2
    55a14ec85 [20.10] update remaining Dockerfiles to go 1.16.15
    1f9a0df05 e2e: update docker-compose to 1.29.2
    4ae338b33 docs: reference: remove trailing space to fix yaml formatting
    6380142dd docs: fix (table) formatting, fix some broken links
    82f422fcf docs: build: fix minor markdown and syntax issues
    80fd77903 Update the list of log drivers
    c3d4d623c Fix CMD --ignored-param1 example
    2e82d11de docs: dockerd: fix broken link in blockquote area
    738a6ee1c improve cp documentation with some illustration examples
    246d96bb6 docs: unify "docker create" and "docker run" reference
    2fd0f1705 docs: add missing documentation for --pull flag
    5fa500000 Fix incorrect pointer inputs to `json.Unmarshal`
    1e6a8ce2b Dockerfile: update xx to 1.1
    6f7a931a2 [20.10] use GO_LDFLAGS instead of LDFLAGS to prevent inheriting unrelated options
    91bab605f [20.10] vendor.conf: don't use git:// protocol
    a282e0c5d [20.10] update to go 1.16.15 to address CVE-2022-24921

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-moby_git.bb      |  8 ++++----
 ...-external-GO111MODULE-and-cross-compiler.patch | 15 ++++++---------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index f7f0f6f..dea5a8e 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -34,9 +34,9 @@ DESCRIPTION = "Linux container runtime \
 #   - The common components of this recipe and docker-ce do need to be moved
 #     to a docker.inc recipe
 
-SRCREV_moby = "f756502055d2e36a84f2068e6620bea5ecf09058"
-SRCREV_libnetwork = "339b972b464ee3d401b5788b2af9e31d09d6b7da"
-SRCREV_cli = "a224086349269551becacce16e5842ceeb2a98d6"
+SRCREV_moby = "3949ff121ee486eb73484f6c4708d199f68c930e"
+SRCREV_libnetwork = "f6ccccb1c082a432c2a5814aaedaca56af33d9ea"
+SRCREV_cli = "100c70180fde3601def79a59cc3e996aa553c9b9"
 SRCREV_FORMAT = "moby_libnetwork"
 SRC_URI = "\
 	git://github.com/moby/moby.git;branch=20.10;name=moby;protocol=https \
@@ -54,7 +54,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "20.10.16"
+DOCKER_VERSION = "20.10.17"
 PV = "${DOCKER_VERSION}+git${SRCREV_moby}"
 
 CVE_PRODUCT = "docker"
diff --git a/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch b/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch
index dc32261..16b5f9e 100644
--- a/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch
+++ b/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch
@@ -8,20 +8,17 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
  git/cli/scripts/build/binary | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
 
-diff --git git/cli/scripts/build/binary git/cli/scripts/build/binary
-index e4c5e12a6b..7c47b75c2f 100755
---- git/cli/scripts/build/binary
+Index: git/cli/scripts/build/binary
+===================================================================
+--- git.orig/cli/scripts/build/binary
 +++ git/cli/scripts/build/binary
-@@ -73,8 +73,7 @@ fi
+@@ -73,8 +73,7 @@
  
  echo "Building $GO_LINKMODE $(basename "${TARGET}")"
  
 -export GO111MODULE=auto
  
--go build -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
-+${GO} build -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
+-go build -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${GO_LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
++${GO} build -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${GO_LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
  
  ln -sf "$(basename "${TARGET}")" "$(dirname "${TARGET}")/docker"
--- 
-2.19.1
-
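
Review bot: the switch from "${LDFLAGS}" to "${GO_LDFLAGS}" on both the removed and added go build lines of the carried patch is a behaviour change that the commit message does not mention. It follows 6f7a931a2 in the cli shortlog ("use GO_LDFLAGS instead of LDFLAGS to prevent inheriting unrelated options"), so anything the recipe was passing to the cli link step through LDFLAGS in the environment no longer arrives; please confirm nothing relied on that. The refresh also converts the embedded patch from git format to quilt "Index:" format and drops its "2.19.1" trailer, which is worth one line in the message so the larger diff is not mistaken for a content change.
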
-- 
2.38.1



^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [meta-virtualization][kirkstone][PATCHv2 08/21] docker-ce: update to 20.10.17
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (6 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 07/21] docker-moby: update to 20.10.17 Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 09/21] docker: ensure that sysvinit and systemd are exclusive Adrian Freihofer
                   ` (13 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping moby to version v20.10.17-2-g3949ff121e, which comprises the following commits:

    ff7feeac37 vendor: github.com/containerd/continuity v0.3.0
    6f3f2b6d08 update containerd binary to v1.6.6
    b3bcb15da8 update containerd binary to v1.6.5
    f55b030fa0 system: unbreak build for darwin
    63ab12cd3a Port pkg/system/mknod.go to FreeBSD
    081e538fbd vendor: libnetwork f6ccccb1c082a432c2a5814aaedaca56af33d9ea
    8e9d647c01 [20.10] update golang to 1.17.11
    87ead7fd2a vendor: hcsshim a11a2c44e8a4aa9d66314b1d759ef582df5ab5e8
    27f8322324 vendor: libnetwork 2dab5620d4462865c6151e573b3e7fa5d3b8458b
    829951ec19 docs: api: /containers/{id}/attach/ws: remove unsupported query-args < v1.42
    6cbe73bfc0 Rename Reservation to Reservations in the open API
    d9ed3d7e28 update runc binary to v1.1.2
    a15acb4bd6 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
    5f2e0b79ad [20.10] update golang to 1.17.10

Bumping libnetwork to version v0.7.0-dev.3-1835-gf6ccccb1, which comprises the following commits:

    af0c46d8 Apply peformance tuning to new sandboxes also
    23ffb31f Set ExternalPortReserved for dummy proxy
    9b82e422 Bump hcsshim
    9db86fb7 Only check if route overlaps routes with scope: LINK

Bumping docker-cli to version v20.10.17, which comprises the following commits:

    7502d7e56 Fix dead external link
    308624c3b fix: remove asterisk from docker command suggestions
    de7d866b6 [20.10] update golang to 1.17.11
    240e4b550 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
    5d4776bd9 [20.10] update golang to 1.17.10
    49e9c2ae3 vendor: golang.org/x/sys  63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
    87a3ce269 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
    1d8abed17 vendor: update x/sys to 134d130e
    31dad66f9 [20.10] update golang to 1.17.9
    80f673bf9 gofmt with go1.17
    3d4cc8e69 [20.10] update remaining files to go1.17.8
    30277a8f8 update go to 1.17.8
    cfef3a7dc docs: deprecated: add entry for "fluent-async-connect" log-opt
    53426025c [20.10] docs: reformat table for compatibility
    573a66463 Describe privileged mode in terms of capabilities
    cf0ab7ac4 [20.10] vendor: github.com/docker/distribution v2.8.1
    d05fd4ffc [20.10] vendor: github.com/opencontainers/image-spec v1.0.2
    870f13825 [20.10] vendor: github.com/docker/docker v20.10.14
    198d6b872 [20.10] circleci: update buildx to v0.8.2
    55a14ec85 [20.10] update remaining Dockerfiles to go 1.16.15
    1f9a0df05 e2e: update docker-compose to 1.29.2
    4ae338b33 docs: reference: remove trailing space to fix yaml formatting
    6380142dd docs: fix (table) formatting, fix some broken links
    82f422fcf docs: build: fix minor markdown and syntax issues
    80fd77903 Update the list of log drivers
    c3d4d623c Fix CMD --ignored-param1 example
    2e82d11de docs: dockerd: fix broken link in blockquote area
    738a6ee1c improve cp documentation with some illustration examples
    246d96bb6 docs: unify "docker create" and "docker run" reference
    2fd0f1705 docs: add missing documentation for --pull flag
    5fa500000 Fix incorrect pointer inputs to `json.Unmarshal`
    1e6a8ce2b Dockerfile: update xx to 1.1
    6f7a931a2 [20.10] use GO_LDFLAGS instead of LDFLAGS to prevent inheriting unrelated options
    91bab605f [20.10] vendor.conf: don't use git:// protocol
    a282e0c5d [20.10] update to go 1.16.15 to address CVE-2022-24921
    700364e30 Fix mistake with env var example in docker run docs
    62d27c32f Update WORKDIR command information
    c0e952cf0 Fix the (dead) link for docs for Dockerfile syntax reference
    04104a04d Update dockerd.md
    b721998b7 Fixing typo (his --> its)
    4065e1246 format create.md table
    f1002eb9f Fix typo
    e97c7b240 added missing closing parenthese
    aa7893763 Update stats.md add example json output
    40fe0573a Update Ubuntu version number references in push.md
    c9737e1c3 docs/daemon: replace deprecated '-g' option for '--data-root'
    5c6723d08 Correct device syntax to --gpus
    fd5fc61ec [20.10] Update Go to 1.16.14
    3624019d8 [20.10] update Go to 1.16.13
    f3ff8e6ad [20.10] vendor: compose-on-kubernetes v0.5.0 to remove github.com/golang/glog
    ee1ac1b31 fix innocuous data-race when config.Load called in parallel
    38dd744a1 [20.10] Update Go to 1.16.12
    4de40a825 Update Go to 1.16.11
    03fa8f92c Update Go to 1.16.10
    9989fdbc4 Update most links in docs to use https by default
    0e20c1fd2 Update Go to 1.16.9
    1c0927a04 Dockerfile: update tonistiigi/xx to 1.0.0-rc.2, add XX_VERSION arg
    82f9d5921 info: skip client-side warning about seccomp profile on API >= 1.42
    adb01ca79 docs: some minor touch-ups in checkpoint reference
    8260476a0 docs: remove trailing space to fix generated YAML format
    bce2e1f95 docs: create.md: typo fix
    44064f51c Fix typo in documentation - build.md
    292779add Add doc for BUILDKIT_PROGRESS env var
    f2e79b826 docs: use "console" code-hint for shell examples
    fa46b9236 docs: rewrite reference docs for --stop-signal and --stop-timeout
    400f81089 experimental: fix broken link to "checkpoint and restore" page
    c72057c8d docs: move checkpoint/restore doc from experimental into reference
    77db97d59 Use private network address for default-address-pools setting in daemon.json example
    cbf0d2b7b docs: fix some broken anchors
    d0014a86b docs: fix description of restart-delay to mention max (1 minute)
    6c1c8b55a docs: fix search results by filterd is-official
    44fdac11f Update Go to 1.16.8
    061051c24 docs: add missing redirect, and remove /go/experimental redirect
    2012fbf11 Update Go to 1.16.7
    42d1c0275 registry: ensure default auth config has address

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-ce_git.bb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
index 27cb962..b36ac0d 100644
--- a/recipes-containers/docker/docker-ce_git.bb
+++ b/recipes-containers/docker/docker-ce_git.bb
@@ -31,9 +31,9 @@ DESCRIPTION = "Linux container runtime \
 # so we get that tag, and make it our SRCREVS:
 #
 
-SRCREV_docker = "f756502055d2e36a84f2068e6620bea5ecf09058"
-SRCREV_libnetwork = "339b972b464ee3d401b5788b2af9e31d09d6b7da"
-SRCREV_cli = "62eae52c2a76f4c1dcf79dfc7b5ea3bf5eebab8b"
+SRCREV_docker = "3949ff121ee486eb73484f6c4708d199f68c930e"
+SRCREV_libnetwork = "f6ccccb1c082a432c2a5814aaedaca56af33d9ea"
+SRCREV_cli = "100c70180fde3601def79a59cc3e996aa553c9b9"
 SRCREV_FORMAT = "docker_libnetwork"
 SRC_URI = "\
 	git://github.com/docker/docker.git;branch=20.10;name=docker;protocol=https \
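
Review bot: the context comment above these SRCREVs says the revisions come from the release tag ("so we get that tag, and make it our SRCREVS"), but the commit message gives moby as v20.10.17-2-g3949ff121e, which is two commits after v20.10.17. Update the comment, or say in the message why the pin is ahead of the tag, so that DOCKER_VERSION = "20.10.17-ce" in the next hunk is not read as an exact tag build.
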
@@ -51,7 +51,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "20.10.16-ce"
+DOCKER_VERSION = "20.10.17-ce"
 PV = "${DOCKER_VERSION}+git${SRCREV_docker}"
 
 CVE_PRODUCT = "docker"
-- 
2.38.1



^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [meta-virtualization][kirkstone][PATCHv2 09/21] docker: ensure that sysvinit and systemd are exclusive
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (7 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 08/21] docker-ce: " Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 10/21] containerd: update to 1.6.8 Adrian Freihofer
                   ` (12 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

The sysvinit functionality conflicts with the docker daemon
settings required for the systemd docker.socket.

Ensure that the sysvinit capabilities are only enabled if
systemd is not present.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/README     | 7 +++++++
 recipes-containers/docker/docker.inc | 9 +++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 recipes-containers/docker/README

diff --git a/recipes-containers/docker/README b/recipes-containers/docker/README
new file mode 100644
index 0000000..565e350
--- /dev/null
+++ b/recipes-containers/docker/README
@@ -0,0 +1,7 @@
+if containerd is starting docker, and it is interfering with standalone
+docker operation, you may need to kill the running daemon and restart
+it:
+
+  % ps axf | grep docker | grep -v grep | awk '{print "kill -9 " $1}' | sh
+  % systemctl stop docker
+  % systemctl start docker
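
Review bot: the kill pipeline in the new README matches far more than the daemon, and it runs before the clean shutdown. "grep docker" over "ps axf" selects every process with docker anywhere in its command line (docker-proxy, a shell running a docker CLI command, an editor with docker.inc open) and sends each one SIGKILL. Suggest reversing the order: stop the units first, including docker.socket since docker.inc registers docker.socket as the SYSTEMD_SERVICE and it can re-activate the daemon, and only then fall back to something exact such as "pkill -x dockerd" if a daemon is still running. The first sentence should also start with a capital letter.
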
diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index 40a3642..b0bee4f 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -120,8 +120,7 @@ do_install() {
 		# replaces one copied from above with one that uses the local registry for a mirror
 		install -m 644 ${S}/src/import/contrib/init/systemd/docker.service ${D}/${systemd_unitdir}/system
 		rm -f ${D}/${systemd_unitdir}/system/docker.service.rpm
-	fi
-	if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
+	else
 		install -d ${D}${sysconfdir}/init.d
 		install -m 0755 ${WORKDIR}/docker.init ${D}${sysconfdir}/init.d/docker.init
 	fi
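
Review bot: replacing the sysvinit test with a plain else in do_install() installs docker.init on every distro that does not take the first branch, not only on sysvinit ones. Going by the commit message the first branch is the systemd case, so a distro with neither systemd nor sysvinit in DISTRO_FEATURES now gets ${sysconfdir}/init.d/docker.init as well. If that is not intended, keep the feature test and turn it into an elif on bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d).
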
@@ -142,8 +141,10 @@ SYSTEMD_PACKAGES = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${PN}','',
 SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','docker.socket','',d)}"
 SYSTEMD_AUTO_ENABLE:${PN} = "enable"
 
-INITSCRIPT_PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES','sysvinit','${PN}','',d)}"
-INITSCRIPT_NAME:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','sysvinit','docker.init','',d)}"
+# inverted logic warning. We ony want the sysvinit init to be installed if systemd
+# is NOT in the distro features
+INITSCRIPT_PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES','systemd','', '${PN}',d)}"
+INITSCRIPT_NAME:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','', 'docker.init',d)}"
 INITSCRIPT_PARAMS:${PN} = "defaults"
 
 inherit useradd
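
Review bot: the added comment has a typo ("ony" for "only"), and the two INITSCRIPT_* expressions encode "not systemd" by swapping the true and false arguments of bb.utils.contains, which is easy to misread even with the warning above them. Consider computing the condition once in a helper variable and using it for both INITSCRIPT_PACKAGES and INITSCRIPT_NAME:${PN}, and keep it identical to the test used in do_install() so that packaging and installation cannot disagree.
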
-- 
2.38.1



^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [meta-virtualization][kirkstone][PATCHv2 10/21] containerd: update to 1.6.8
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (8 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 09/21] docker: ensure that sysvinit and systemd are exclusive Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 11/21] containerd: improve reproducibility Adrian Freihofer
                   ` (11 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping containerd to version v1.6.8-8-g579a6380e, which comprises the following commits:

    1efd8b947 ci: remove GOPROXY environment variable due to https://github.com/go-yaml/yaml/issues/887
    0448673af Do not append []string{""} to command to preserve Docker compatibility
    5c230ece0 Fix cleanup in critest
    ed9d3dc37 oci: WithDefaultUnixDevices(): remove tun/tap from the default devices
    3364f411e Prepare release notes for v1.6.8
    390920429 release workflow: remove Go setup action
    cf48ba6e8 release workflow: increase timeout to 30 minutes
    57873e652 release: rollback Ubuntu to 18.04 (except for riscv64)
    eccb82f6d Update release build timeout to 20 minutes
    6a854d4b5 Update mailmap
    61612e1a2 Prepare release notes for 1.6.7
    d199ee462 Update golang to 1.17.13
    0578d20c5 Change os.Stderr reassign for Windows service
    12cae4961 Update Vagrant CI to macos-12
    bc4091aae chore: bump macos runner version
    cb73bd050 Windows HostProcess container CRI stats test
    ac388525a Add validations for Windows HostProcess CRI configs
    0007f40fe [release/1.6] go.mod: Bump hcsshim to v0.9.4
    c9607e78c Update Fedora version to 36
    2952b66c0 CI: add riscv64 builds
    6b2dc9a37 release/Dockerfile: update Ubuntu to 22.04 for supporting riscv64
    745dc07c4 seccomp: support riscv64
    c2f841f21 Create ppc64le release
    86b55bd8d seccomp: allow clock_settime64 when CAP_SYS_TIME is added
    f3da3e51f allow ptrace(2) by default for kernel >= 4.8
    aa1101068 [release/1.6] update golang to 1.17.12
    37dfc5c9d [release/1.6] Fix WWW-Authenticate parsing

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 .../containerd/containerd-opencontainers_git.bb             | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 35a27d4..af91a22 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
                support as well as checkpoint and restore for cloning and live migration of containers."
 
 
-SRCREV = "4e92d8e7e439530f5bb17e57a77481e9aa3da851"
+SRCREV = "579a6380ec93ab92a6e7f26167fe4f18dfcf2a4b"
 SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https \
            file://0001-Add-build-option-GODEBUG-1.patch \
            file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
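
Review bot: this SRCREV bump changes container default policy, and the commit message only carries the raw shortlog for a stable-branch update. The list includes ed9d3dc37 (tun/tap removed from the default devices), f3da3e51f (ptrace(2) allowed by default for kernel >= 4.8) and 86b55bd8d (clock_settime64 allowed when CAP_SYS_TIME is added): one tightens and two loosen the defaults. A sentence naming them would let kirkstone users check workloads that depend on the tun/tap devices or on the previous seccomp profile. The message also gives the revision as v1.6.8-8-g579a6380e, eight commits past the tag, which is worth stating next to the version variables set in the next hunk.
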
@@ -15,8 +15,8 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"
 
-CONTAINERD_VERSION = "v1.6.6"
-CVE_VERSION = "1.6.6"
+CONTAINERD_VERSION = "v1.6.8"
+CVE_VERSION = "1.6.8"
 
 EXTRA_OEMAKE += "GODEBUG=1"
 
-- 
2.38.1



^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [meta-virtualization][kirkstone][PATCHv2 11/21] containerd: improve reproducibility
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (9 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 10/21] containerd: update to 1.6.8 Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 12/21] docker: reproducibility add -trimpath to go -> $GO patches Adrian Freihofer
                   ` (10 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

We get the following QA warning on build:

WARNING: containerd-opencontainers-v1.6.8+gitAUTOINC+579a6380ec-r0 do_package_qa: QA Issue: File /usr/bin/containerd-shim-runc-v2 in package containerd-opencontainers contains reference to TMPDIR
File /usr/bin/containerd-ctr in package containerd-opencontainers contains reference to TMPDIR
File /usr/bin/containerd-shim-runc-v1 in package containerd-opencontainers contains reference to TMPDIR
File /usr/bin/containerd in package containerd-opencontainers contains reference to TMPDIR
File /usr/bin/containerd-shim in package containerd-opencontainers contains reference to TMPDIR [buildpaths]

This is the first step in fixing the QA warning, by dropping our
debug patch, passing -trimpath and not defining GO_DEBUG.

This leaves a final reference similar to:

path _/opt/poky/build/tmp/work/core2-64-poky-linux/containerd-opencontainers/v1.6.8+gitAUTOINC+579a6380ec-r0/git/src/import/cmd/ctr

That is being stored in the .rodata of the binaries.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 .../0001-Add-build-option-GODEBUG-1.patch     | 32 -------------------
 ...don-t-use-gcflags-to-define-trimpath.patch | 30 +++++++++++++++++
 .../containerd-opencontainers_git.bb          |  6 ++--
 3 files changed, 33 insertions(+), 35 deletions(-)
 delete mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
 create mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch

diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
deleted file mode 100644
index 8b43c8a..0000000
--- a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 84874e47aa2025b8e73df0286c44f3b8a1d9fdb2 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Mon, 2 Sep 2019 16:20:07 +0800
-Subject: [PATCH] Add build option "GODEBUG=1"
-
-Make will generate GDB friendly binary with this build option.
-
-Signed-off-by: Hui Zhu <teawater@hyper.sh>
-
-Upstream-Status: Backport [c5a0c7f491b435e4eb45972903b00e2d8ed46495]
-
-Partly backport and refresh to v1.2.7
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- src/import/Makefile | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-Index: git/src/import/Makefile
-===================================================================
---- git.orig/src/import/Makefile	2020-10-12 08:09:41.638977052 -0700
-+++ git/src/import/Makefile	2020-10-12 08:10:49.783074373 -0700
-@@ -72,6 +72,10 @@
- COMMANDS=ctr containerd containerd-stress
- MANPAGES=ctr.8 containerd.8 containerd-config.8 containerd-config.toml.5
- 
-+ifndef GODEBUG
-+   EXTRA_LDFLAGS += -s -w
-+endif
-+
- ifdef BUILDTAGS
-     GO_BUILDTAGS = ${BUILDTAGS}
- endif
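
Review bot: deleting this carried patch changes the link flags, which the commit message does not spell out. The patch's only effect was to add "-s -w" to EXTRA_LDFLAGS when GODEBUG is unset, and the recipe set GODEBUG=1, so the link step kept the symbol and DWARF tables. Please confirm what the unpatched Makefile does once GODEBUG is no longer passed, because a link-time "-s -w" would leave the -dbg package without debug info. The message also refers to GO_DEBUG where the variable in the patch and recipe is GODEBUG.
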
diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
new file mode 100644
index 0000000..f1dea5a
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
@@ -0,0 +1,30 @@
+From 9174091fa1624dbb09ce812792a4102dff693541 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@gmail.com>
+Date: Mon, 12 Sep 2022 15:40:08 -0400
+Subject: [PATCH] build: don't use gcflags to define trimpath
+
+We can pass trimpath in via environment variables. The gcflags
+definition of trimpath is for older go versions and is using the
+complete path for trimming. If the variable is captured in the
+resulting binary, we have a reproducibility and QA issue.
+
+Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git git.orig/src/import/Makefile git.orig/src/import/Makefile
+index 4a6c13042..debb57925 100644
+--- git.orig/src/import/Makefile
++++ git.orig/src/import/Makefile
+@@ -130,7 +130,6 @@ TESTFLAGS_RACE=
+ # See Golang issue re: '-trimpath': https://github.com/golang/go/issues/13809
+ GO_GCFLAGS=$(shell				\
+ 	set -- ${GOPATHS};			\
+-	echo "-gcflags=-trimpath=$${1}/src";	\
+ 	)
+ 
+ BINARIES=$(addprefix bin/,$(COMMANDS))
+-- 
+2.19.1
+
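
Review bot: the new carried patch has no Upstream-Status line, while the patch it replaces had one ("Upstream-Status: Backport [...]"). Please add the tag with the appropriate value. In the Makefile hunk itself, removing only the echo leaves GO_GCFLAGS defined as a $(shell ...) call that runs "set -- ${GOPATHS};" and prints nothing; dropping the whole assignment, or setting GO_GCFLAGS to empty, would state the intent more clearly. The embedded diff header also names git.orig/src/import/Makefile on both sides, and its diffstat says "Makefile" rather than src/import/Makefile.
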
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index af91a22..edc3a5c 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -7,8 +7,8 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
 
 SRCREV = "579a6380ec93ab92a6e7f26167fe4f18dfcf2a4b"
 SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https \
-           file://0001-Add-build-option-GODEBUG-1.patch \
            file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
+           file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
           "
 
 # Apache-2.0 for containerd
@@ -18,7 +18,7 @@ LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d
 CONTAINERD_VERSION = "v1.6.8"
 CVE_VERSION = "1.6.8"
 
-EXTRA_OEMAKE += "GODEBUG=1"
+# EXTRA_OEMAKE += "GODEBUG=1"
 
 PROVIDES += "virtual/containerd"
 RPROVIDES:${PN} = "virtual-containerd"
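
Review bot: the GODEBUG line is commented out rather than removed. With 0001-Add-build-option-GODEBUG-1.patch dropped in the same commit, nothing visible in this diff reads the variable any more, so either delete the line or add a short comment saying why it is kept and when it may be re-enabled.
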
@@ -84,7 +84,7 @@ do_compile() {
     # cannot find package runtime/cgo (using -importcfg)
     #        ... recipe-sysroot-native/usr/lib/aarch64-poky-linux/go/pkg/tool/linux_amd64/link:
     #        cannot open file : open : no such file or directory
-    export GO_BUILD_FLAGS="-a -pkgdir dontusecurrentpkgs"
+    export GO_BUILD_FLAGS="-trimpath -a -pkgdir dontusecurrentpkgs"
     export GO111MODULE=off
 
     cd ${S}/src/import
-- 
2.38.1



^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [meta-virtualization][kirkstone][PATCHv2 12/21] docker: reproducibility add -trimpath to go -> $GO patches
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (10 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 11/21] containerd: improve reproducibility Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 13/21] containerd: fix final TMDIR references Adrian Freihofer
                   ` (9 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

With this, we build and package docker without QA warnings due to
references to TMPDIR.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 ...i-use-external-GO111MODULE-and-cross-compiler.patch |  2 +-
 .../files/0001-dynbinary-use-go-cross-compiler.patch   |  2 +-
 .../files/0001-libnetwork-use-GO-instead-of-go.patch   | 10 +++++-----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch b/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch
index 16b5f9e..d68de1c 100644
--- a/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch
+++ b/recipes-containers/docker/files/0001-cli-use-external-GO111MODULE-and-cross-compiler.patch
@@ -19,6 +19,6 @@ Index: git/cli/scripts/build/binary
 -export GO111MODULE=auto
  
 -go build -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${GO_LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
-+${GO} build -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${GO_LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
++${GO} build -trimpath -o "${TARGET}" -tags "${GO_BUILDTAGS}" --ldflags "${GO_LDFLAGS}" ${GO_BUILDMODE} "${SOURCE}"
  
  ln -sf "$(basename "${TARGET}")" "$(dirname "${TARGET}")/docker"
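
Review bot: -trimpath is being written into a carried patch whose stated purpose is the go -> ${GO} switch, and the same edit is repeated in two more patches below. The containerd patch earlier in this series notes that trimpath can be passed in through environment variables; doing that from the recipe here (GOFLAGS is one option) would leave these patches untouched and easier to refresh on the next version bump. If the patch route stays, mention -trimpath in the description of each carried patch so its header matches its content.
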
diff --git a/recipes-containers/docker/files/0001-dynbinary-use-go-cross-compiler.patch b/recipes-containers/docker/files/0001-dynbinary-use-go-cross-compiler.patch
index 971c60d..c6edaf4 100644
--- a/recipes-containers/docker/files/0001-dynbinary-use-go-cross-compiler.patch
+++ b/recipes-containers/docker/files/0001-dynbinary-use-go-cross-compiler.patch
@@ -17,7 +17,7 @@ Index: git/src/import/hack/make/.binary
  	echo "Building: $DEST/$BINARY_FULLNAME"
  	echo "GOOS=\"${GOOS}\" GOARCH=\"${GOARCH}\" GOARM=\"${GOARM}\""
 -	go build \
-+	${GO} build \
++	${GO} build -trimpath \
  		-o "$DEST/$BINARY_FULLNAME" \
  		"${BUILDFLAGS[@]}" \
  		-ldflags "
diff --git a/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch b/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch
index c623b26..d4f84e3 100644
--- a/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch
+++ b/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch
@@ -22,9 +22,9 @@ Index: git/libnetwork/Makefile
 -	go build -tags experimental -o "bin/dnet" ./cmd/dnet
 -	go build -o "bin/docker-proxy" ./cmd/proxy
 -	CGO_ENABLED=0 go build -o "bin/diagnosticClient" ./cmd/diagnostic
-+	$(GO) build -tags experimental -o "bin/dnet" ./cmd/dnet
-+	$(GO) build -o "bin/proxy" ./cmd/proxy
-+	CGO_ENABLED=0 $(GO) build -o "bin/diagnosticClient" ./cmd/diagnostic
++	$(GO) build -trimpath -tags experimental -o "bin/dnet" ./cmd/dnet
++	$(GO) build -trimpath -o "bin/proxy" ./cmd/proxy
++	CGO_ENABLED=0 $(GO) build -trimpath -o "bin/diagnosticClient" ./cmd/diagnostic
  	CGO_ENABLED=0 go build -o "bin/testMain" ./cmd/networkdb-test/testMain.go
  
  build-images:
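
Review bot: The bin/testMain line left as context at the end of this hunk still calls bare "go build" with no -trimpath, so that one target keeps using whatever go is first on PATH instead of $(GO) and can still embed absolute build paths. If testMain is ever built from the recipe, convert it together with the three lines above; if it is never built, say so in the patch description so the omission is clearly deliberate.
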
@@ -34,8 +34,8 @@ Index: git/libnetwork/Makefile
  	@echo "🐳 $@"
 -	go build -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet
 -	go build -o "bin/docker-proxy-$$GOOS-$$GOARCH" ./cmd/proxy
-+	@$(GO) build -linkshared $(GOBUILDFLAGS) -o "bin/docker-proxy-$$GOOS-$$GOARCH" ./cmd/proxy
-+	@$(GO) build -linkshared $(GOBUILDFLAGS) -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet
++	@$(GO) build -trimpath -linkshared $(GOBUILDFLAGS) -o "bin/docker-proxy-$$GOOS-$$GOARCH" ./cmd/proxy
++	@$(GO) build -trimpath -linkshared $(GOBUILDFLAGS) -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet
  
  # Rebuild protocol buffers.
  # These may need to be rebuilt after vendoring updates, so .proto files are declared .PHONY so they are always rebuilt.
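
Review bot: -trimpath is hard-coded on both cross-build lines even though they already take $(GOBUILDFLAGS), while the build-local lines in the previous hunk take no external flags at all. Carrying -trimpath in the flags the recipe passes, and adding $(GOBUILDFLAGS) to the build-local lines, would keep the reproducibility setting in one place and stop the two target groups from drifting apart.
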
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 13/21] containerd: fix final TMDIR references
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (11 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 12/21] docker: reproducibility add -trimpath to go -> $GO patches Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 14/21] docker/proxy: don't use -linkshared unconditionally Adrian Freihofer
                   ` (8 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Restructure the containerd source layout to avoid symlinking vendor
dependencies. This avoids go recording paths in the final binaries.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 ...O_BUILD_FLAGS-to-be-externally-speci.patch |  6 +--
 ...don-t-use-gcflags-to-define-trimpath.patch |  6 +--
 .../containerd-opencontainers_git.bb          | 50 +++++--------------
 ...1-build-use-oe-provided-GO-and-flags.patch |  6 +--
 4 files changed, 21 insertions(+), 47 deletions(-)

diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch b/recipes-containers/containerd/containerd-opencontainers/0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch
index 7f4d751..0ef0d38 100644
--- a/recipes-containers/containerd/containerd-opencontainers/0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch
+++ b/recipes-containers/containerd/containerd-opencontainers/0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch
@@ -19,10 +19,10 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
  Makefile | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
-diff --git git.orig/src/import/Makefile  git.orig/src/import/Makefile
+diff --git git.orig/Makefile  git.orig/Makefile
 index c61418e60..54a10eb42 100644
---- git.orig/src/import/Makefile
-+++ git.orig/src/import/Makefile
+--- git.orig/Makefile
++++ git.orig/Makefile
 @@ -112,7 +112,8 @@ endif
  GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
  
diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
index f1dea5a..b499de5 100644
--- a/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
+++ b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
@@ -13,10 +13,10 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
  Makefile | 1 -
  1 file changed, 1 deletion(-)
 
-diff --git git.orig/src/import/Makefile git.orig/src/import/Makefile
+diff --git git.orig/Makefile git.orig/Makefile
 index 4a6c13042..debb57925 100644
---- git.orig/src/import/Makefile
-+++ git.orig/src/import/Makefile
+--- git.orig/Makefile
++++ git.orig/Makefile
 @@ -130,7 +130,6 @@ TESTFLAGS_RACE=
  # See Golang issue re: '-trimpath': https://github.com/golang/go/issues/13809
  GO_GCFLAGS=$(shell				\
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index edc3a5c..8847f31 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -6,14 +6,14 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
 
 
 SRCREV = "579a6380ec93ab92a6e7f26167fe4f18dfcf2a4b"
-SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https \
+SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https;destsuffix=git/src/github.com/containerd/containerd \
            file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
            file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
           "
 
 # Apache-2.0 for containerd
 LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d89"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1269f40c0d099c21a871163984590d89"
 
 CONTAINERD_VERSION = "v1.6.8"
 CVE_VERSION = "1.6.8"
@@ -23,7 +23,7 @@ CVE_VERSION = "1.6.8"
 PROVIDES += "virtual/containerd"
 RPROVIDES:${PN} = "virtual-containerd"
 
-S = "${WORKDIR}/git"
+S = "${WORKDIR}/git/src/github.com/containerd/containerd"
 
 PV = "${CONTAINERD_VERSION}+git${SRCPV}"
 
@@ -41,34 +41,7 @@ do_configure[noexec] = "1"
 do_compile() {
     export GOARCH="${TARGET_GOARCH}"
 
-    # link fixups for compilation
-    rm -f ${S}/src/import/vendor/src
-    ln -sf ./ ${S}/src/import/vendor/src
-
-    mkdir -p ${S}/src/import/vendor/src/github.com/containerd/containerd/
-    mkdir -p ${S}/src/import/vendor/src/github.com/containerd/containerd/pkg/
-    mkdir -p ${S}/src/import/vendor/src/github.com/containerd/containerd/contrib/
-    # without this, the stress test parts of the build fail
-    cp ${S}/src/import/*.go ${S}/src/import/vendor/src/github.com/containerd/containerd
-
-    for c in content timeout ttrpcutil oom stdio process errdefs fs images mount snapshots linux api runtimes defaults progress \
-		     protobuf reference diff platforms runtime remotes version archive dialer gc metadata \
-		     metrics filters identifiers labels leases plugin server services \
-		     cmd cio containers namespaces oci events log reaper sys rootfs nvidia seed apparmor seccomp \
-		     cap cri userns atomic ioutil os registrar seutil runtimeoptions netns \
-                     shutdown schedcore tracing kmutex; do
-        if [ -d ${S}/src/import/${c} ]; then
-	    ln -sfn ${S}/src/import/${c} ${S}/src/import/vendor/github.com/containerd/containerd/${c}
-        fi
-        if [ -d ${S}/src/import/pkg/${c} ]; then
-            ln -sfn ${S}/src/import/pkg/${c} ${S}/src/import/vendor/github.com/containerd/containerd/pkg/${c}
-        fi
-        if [ -d ${S}/src/import/contrib/${c} ]; then
-            ln -sfn ${S}/src/import/contrib/${c} ${S}/src/import/vendor/github.com/containerd/containerd/contrib/${c}
-        fi
-    done
-
-    export GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_TARGET}/${prefix}/local/go"
+    export GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_TARGET}/${prefix}/local/go:${WORKDIR}/git/"
     export GOROOT="${STAGING_DIR_NATIVE}/${nonarch_libdir}/${HOST_SYS}/go"
 
     # Pass the needed cflags/ldflags so that cgo
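
Review bot: The new GOPATH still lists ${S}/src/import/.gopath and ${S}/src/import/vendor, but this patch moves S to ${WORKDIR}/git/src/github.com/containerd/containerd and drops every other src/import reference, so those two entries appear to point at directories the recipe no longer creates. Since the goal is to keep stray build paths out of the binaries, trim GOPATH to the entries that still exist (the staging path and ${WORKDIR}/git/) instead of appending to the old value.
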
@@ -87,7 +60,8 @@ do_compile() {
     export GO_BUILD_FLAGS="-trimpath -a -pkgdir dontusecurrentpkgs"
     export GO111MODULE=off
 
-    cd ${S}/src/import
+    cd ${S}
+
     oe_runmake binaries
 }
 
@@ -98,11 +72,11 @@ SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','conta
 do_install() {
 	mkdir -p ${D}/${bindir}
 
-	cp ${S}/src/import/bin/containerd ${D}/${bindir}/containerd
-	cp ${S}/src/import/bin/containerd-shim ${D}/${bindir}/containerd-shim
-	cp ${S}/src/import/bin/containerd-shim-runc-v1 ${D}/${bindir}/containerd-shim-runc-v1
-	cp ${S}/src/import/bin/containerd-shim-runc-v2 ${D}/${bindir}/containerd-shim-runc-v2
-	cp ${S}/src/import/bin/ctr ${D}/${bindir}/containerd-ctr
+	cp ${S}/bin/containerd ${D}/${bindir}/containerd
+	cp ${S}/bin/containerd-shim ${D}/${bindir}/containerd-shim
+	cp ${S}/bin/containerd-shim-runc-v1 ${D}/${bindir}/containerd-shim-runc-v1
+	cp ${S}/bin/containerd-shim-runc-v2 ${D}/${bindir}/containerd-shim-runc-v2
+	cp ${S}/bin/ctr ${D}/${bindir}/containerd-ctr
 
 	ln -sf containerd ${D}/${bindir}/docker-containerd
 	ln -sf containerd-shim ${D}/${bindir}/docker-containerd-shim
@@ -112,7 +86,7 @@ do_install() {
 
 	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
 		install -d ${D}${systemd_unitdir}/system
-		install -m 644 ${S}/src/import/containerd.service ${D}/${systemd_unitdir}/system
+		install -m 644 ${S}/containerd.service ${D}/${systemd_unitdir}/system
 	        # adjust from /usr/local/bin to /usr/bin/
 		sed -e "s:/usr/local/bin/containerd:${bindir}/containerd:g" -i ${D}/${systemd_unitdir}/system/containerd.service
 	fi
diff --git a/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch b/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
index 544881e..95f2317 100644
--- a/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
+++ b/recipes-containers/containerd/files/0001-build-use-oe-provided-GO-and-flags.patch
@@ -12,10 +12,10 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
  Makefile | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)
 
-Index: git/src/import/Makefile
+Index: git/Makefile
 ===================================================================
---- git.orig/src/import/Makefile
-+++ git/src/import/Makefile
+--- git.orig/Makefile
++++ git/Makefile
 @@ -121,7 +121,7 @@
  TESTFLAGS_PARALLEL ?= 8
  
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 14/21] docker/proxy: don't use -linkshared unconditionally
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (12 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 13/21] containerd: fix final TMDIR references Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 15/21] runc: update to 1.1.4-tip Adrian Freihofer
                   ` (7 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Jose Quaresma, Jose Quaresma, Bruce Ashfield

From: Jose Quaresma <quaresma.jose@gmail.com>

The linkshared is not supported on some machines like riscv64 and
when supported we can use the GO_LINKSHARED instead.
So export GO_LINKSHARED on the recipe to be available for Makefile.

This is currently only used in libnetwork for the proxy build, but
could be used in additional locations in the future.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker.inc                          | 3 +++
 .../docker/files/0001-libnetwork-use-GO-instead-of-go.patch   | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index b0bee4f..9708eaf 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -58,6 +58,9 @@ inherit pkgconfig
 
 do_configure[noexec] = "1"
 
+# Export for possible use in Makefiles, default value comes from go.bbclass
+export GO_LINKSHARED
+
 DOCKER_PKG="github.com/docker/docker"
 # in order to exclude devicemapper and btrfs - https://github.com/docker/docker/issues/14056
 BUILD_TAGS ?= "exclude_graphdriver_btrfs exclude_graphdriver_devicemapper"
diff --git a/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch b/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch
index d4f84e3..b9b41de 100644
--- a/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch
+++ b/recipes-containers/docker/files/0001-libnetwork-use-GO-instead-of-go.patch
@@ -34,8 +34,8 @@ Index: git/libnetwork/Makefile
  	@echo "🐳 $@"
 -	go build -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet
 -	go build -o "bin/docker-proxy-$$GOOS-$$GOARCH" ./cmd/proxy
-+	@$(GO) build -trimpath -linkshared $(GOBUILDFLAGS) -o "bin/docker-proxy-$$GOOS-$$GOARCH" ./cmd/proxy
-+	@$(GO) build -trimpath -linkshared $(GOBUILDFLAGS) -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet
++	@$(GO) build -trimpath $(GO_LINKSHARED) $(GOBUILDFLAGS) -o "bin/docker-proxy-$$GOOS-$$GOARCH" ./cmd/proxy
++	@$(GO) build -trimpath $(GO_LINKSHARED) $(GOBUILDFLAGS) -o "bin/dnet-$$GOOS-$$GOARCH" ./cmd/dnet
  
  # Rebuild protocol buffers.
  # These may need to be rebuilt after vendoring updates, so .proto files are declared .PHONY so they are always rebuilt.
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 15/21] runc: update to 1.1.4-tip
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (13 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 14/21] docker/proxy: don't use -linkshared unconditionally Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 16/21] runc-docker: " Adrian Freihofer
                   ` (6 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping runc to version v1.1.4-8-g974efd2d, which comprises the following commits:

    3b958289 Fixes inability to use /dev/null when inside a container
    335ec376 cirrus-ci: install EPEL on CentOS 7 conditionally
    fb145a2f cirrus-ci: enable EPEL for CentOS 7
    276297b6 VERSION: back to development
    5fd4c4d1 Release 1.1.4
    204c673c [1.1] fix failed exec after systemctl daemon-reload
    ec2efc2c ci: fix for codespell 2.2
    c778598c [1.1] ci/gha: fix cross-386 job vs go 1.19
    d83a861d Fix error from runc run on noexec fs
    d614445d [1.1] libct/nsenter: switch to sane_kill()
    3ca5673f CI: workaround CentOS Stream 9 criu issue
    c3986e53 tests/int: don't use --criu
    f46c0dad [1.1] ci: fix delete.bats for GHA
    6b94849d tests/int: runc delete: fix flake, enable for rootless
    fa3354dc libct: fix mounting via wrong proc fd
    eb1552a0 VERSION: back to development
    6724737f VERSION: release 1.1.3
    91fa032d ci: add basic checks for CHANGELOG.md

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/runc/runc-opencontainers_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 997fb1e..59ddca9 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -1,10 +1,10 @@
 include runc.inc
 
-SRCREV = "1e7bb5b773162b57333d57f612fd72e3f8612d94"
+SRCREV = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
 SRC_URI = " \
     git://github.com/opencontainers/runc;branch=release-1.1;protocol=https \
     file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
     "
-RUNC_VERSION = "1.1.3"
+RUNC_VERSION = "1.1.4"
 
 CVE_PRODUCT = "runc"
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 16/21] runc-docker: update to 1.1.4-tip
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (14 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 15/21] runc: update to 1.1.4-tip Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 17/21] containerd: update to v1.6.9 Adrian Freihofer
                   ` (5 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping runc to version v1.1.4-8-g974efd2d, which comprises the following commits:

    3b958289 Fixes inability to use /dev/null when inside a container
    335ec376 cirrus-ci: install EPEL on CentOS 7 conditionally
    fb145a2f cirrus-ci: enable EPEL for CentOS 7
    276297b6 VERSION: back to development
    5fd4c4d1 Release 1.1.4
    204c673c [1.1] fix failed exec after systemctl daemon-reload
    ec2efc2c ci: fix for codespell 2.2
    c778598c [1.1] ci/gha: fix cross-386 job vs go 1.19
    d83a861d Fix error from runc run on noexec fs
    d614445d [1.1] libct/nsenter: switch to sane_kill()
    3ca5673f CI: workaround CentOS Stream 9 criu issue
    c3986e53 tests/int: don't use --criu
    f46c0dad [1.1] ci: fix delete.bats for GHA
    6b94849d tests/int: runc delete: fix flake, enable for rootless
    fa3354dc libct: fix mounting via wrong proc fd
    eb1552a0 VERSION: back to development
    6724737f VERSION: release 1.1.3
    91fa032d ci: add basic checks for CHANGELOG.md

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/runc/runc-docker_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 8180c3a..97373a7 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -2,13 +2,13 @@ include runc.inc
 
 # Note: this rev is before the required protocol field, update when all components
 #       have been updated to match.
-SRCREV_runc-docker = "1e7bb5b773162b57333d57f612fd72e3f8612d94"
+SRCREV_runc-docker = "974efd2dfca0abec041a3708a2b66bfac6bd2484"
 SRC_URI = "git://github.com/opencontainers/runc;branch=release-1.1;name=runc-docker;protocol=https \
            file://0001-runc-Add-console-socket-dev-null.patch \
            file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
            file://0001-runc-docker-SIGUSR1-daemonize.patch \
           "
 
-RUNC_VERSION = "1.1.3"
+RUNC_VERSION = "1.1.4"
 
 CVE_PRODUCT = "runc"
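
Review bot: The comment above SRCREV_runc-docker still reads "this rev is before the required protocol field, update when all components have been updated to match", and it is carried over unchanged while the revision moves to 974efd2d. Confirm whether that still holds for the new revision and either update or drop the comment, otherwise the next person bumping this recipe cannot tell whether the constraint is still live.
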
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 17/21] containerd: update to v1.6.9
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (15 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 16/21] runc-docker: " Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 18/21] docker: add mobyproject:moby to CVE_PRODUCT Adrian Freihofer
                   ` (4 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Bumping containerd to version v1.6.9-12-g6c41694da, which comprises the following commits:

    5af8d89ce overlayutils: Add fastpath for userxattr check
    303f608dd [release/1.6] update to Go 1.18.8 to address CVE-2022-41716
    3f9f9508d ctr export strictly match default platform
    df73acad5 [release/1.6] go.mod: Bump hcsshim to v0.9.5
    658490b78 ctr import: strictly match platform
    4907b4d72 Migrate away from GitHub actions set-output
    f1493f665 Prepare release notes for v1.6.9
    346412f5a adding support of CAP_BPF and CAP_PERFMON
    99578d1fc Update mailmap
    a956d8415 Add logging volume metrics to Containerd CRI plugin
    29e2dea50 fix pusher concurrent close channel
    8a9d69385 [release/1.6] Stats() shouldn't assume s.container is non-nil
    a9adc7938 cri: PodSandboxStatus should tolerate missing task
    b66eb726a migrate from k8s.gcr.io to registry.k8s.io
    5b40993a5 [release/1.6] upgrade containerd/continuity from v0.2.2 to v0.3.0
    f2376e659 Update container with sandbox metadata after NetNS is created
    06f82efef archive: validate digests before use
    28324c529 [release/1.6] Update go 1.18.7, addresses CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
    0aeeb62cb [release/1.6] update golangci-lint to v1.19.0
    7db9d1f76 Fix linter warnings
    4dc932e62 [release/1.6] gofmt with go1.19
    7b8d679ad [release/1.6] integration: remove use of deprecated io/ioutil
    926b9c72f retry request on writer reset
    b9a35c6af Add integration tests with failpoint
    1f29fac48 Persist container and sandbox if resource cleanup fails, like teardownPodNetwork
    a85709c6c integration: simplify CNI-fp and add README.md
    d89a8d223 pkg/failpoint: add FreeBSD link and update pkg doc
    b0ce2965a integration: Add injected failpoint testing for RunPodSandbox
    a7f956d86 integration: CNI bridge wrapper with failpoint
    07c479471 pkg/failpoint: add DelegatedEval API
    4a5bc05aa runtime/v2/shim: return if error in load plugin
    71ee7de24 bin/ctr,integration: new runc-shim with failpoint
    3e2e77849 runtime/v2: manager supports server interceptor
    cb935bf49 pkg/failpoint: init failpoint package
    2fdfd564c make xattr EPERM non-fatal in createTarFile
    89e49609d remotes/docker/config: Skipping TLS verification for localhost
    b720be2ce remove stray .zuul.yaml
    6b30bc4b4 .zuul: remove the zuul because it is offline
    0f7e258ee Set grpc code for unimplemented cri-api methods
    fb753e5cd update intergration
    6ee5bb7ea bump cri-api
    ae8598615 ContainerStatus to return container resources
    d3c7e31c8 Update CRI-API
    5b44c5271 vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
    3507d600b update runc binary to v1.1.4
    1efd8b947 ci: remove GOPROXY environment variable due to https://github.com/go-yaml/yaml/issues/887

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 .../containerd/containerd-opencontainers_git.bb             | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 8847f31..e95ca17 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and
                support as well as checkpoint and restore for cloning and live migration of containers."
 
 
-SRCREV = "579a6380ec93ab92a6e7f26167fe4f18dfcf2a4b"
+SRCREV = "6c41694da9eb09c2f1f49a5a5fbec4e970cfb460"
 SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https;destsuffix=git/src/github.com/containerd/containerd \
            file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
            file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
@@ -15,8 +15,8 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1269f40c0d099c21a871163984590d89"
 
-CONTAINERD_VERSION = "v1.6.8"
-CVE_VERSION = "1.6.8"
+CONTAINERD_VERSION = "v1.6.9"
+CVE_VERSION = "1.6.9"
 
 # EXTRA_OEMAKE += "GODEBUG=1"
 
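
Review bot: Bumping CVE_VERSION to 1.6.9 does not by itself bring in the Go toolchain fixes named in the commit list (CVE-2022-41716, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715), because those upstream commits change the Go version upstream builds with, while this recipe compiles with the layer's own Go (do_compile points GOROOT under STAGING_DIR_NATIVE, see patch 13/21). It is worth stating in the commit message that those fixes depend on the Go version kirkstone provides, so nobody reads this SRCREV bump as closing them.
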
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 18/21] docker: add mobyproject:moby to CVE_PRODUCT
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (16 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 17/21] containerd: update to v1.6.9 Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 19/21] docker: add seccomp to default packageconfig settings Adrian Freihofer
                   ` (3 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Add mobyproject:moby to CVE_PRODUCT to reflect where the source
is coming from for both docker recipes.

We keep the old 'docker' designation for compatibility.

It is unclear whether or not we should also be adding the cli
and libnetwork to the CVE_PRODUCT. But since they are on
different SRCREVs and not vendored, we keep them out for now.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-ce_git.bb   | 2 +-
 recipes-containers/docker/docker-moby_git.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
index b36ac0d..b86596c 100644
--- a/recipes-containers/docker/docker-ce_git.bb
+++ b/recipes-containers/docker/docker-ce_git.bb
@@ -54,4 +54,4 @@ LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f
 DOCKER_VERSION = "20.10.17-ce"
 PV = "${DOCKER_VERSION}+git${SRCREV_docker}"
 
-CVE_PRODUCT = "docker"
+CVE_PRODUCT = "docker mobyproject:moby"
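
Review bot: Nothing in this hunk pins the version that the new mobyproject:moby entry is matched against: PV is built from DOCKER_VERSION = "20.10.17-ce", suffix included. The containerd recipe in this series sets CVE_VERSION explicitly; doing the same here with the plain upstream version, unless the recipe already does so outside this hunk, would keep version matching predictable for both product names.
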
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index dea5a8e..e687cec 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -57,4 +57,4 @@ LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f
 DOCKER_VERSION = "20.10.17"
 PV = "${DOCKER_VERSION}+git${SRCREV_moby}"
 
-CVE_PRODUCT = "docker"
+CVE_PRODUCT = "docker mobyproject:moby"
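
Review bot: The reasoning for leaving the cli and libnetwork out of CVE_PRODUCT lives only in the commit message. A short comment next to CVE_PRODUCT recording that they are fetched at their own SRCREVs and are deliberately not listed would stop a later reader from assuming the CVE scan covers them.
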
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 19/21] docker: add seccomp to default packageconfig settings
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (17 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 18/21] docker: add mobyproject:moby to CVE_PRODUCT Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 20/21] docker/moby: use generic DOCKER_COMMIT in do_compile Adrian Freihofer
                   ` (2 subsequent siblings)
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Much of meta-virt requires seccomp to function properly, so we
update docker to match that common default.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index 9708eaf..b74b412 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -41,7 +41,7 @@ RPROVIDES:${PN}-dev += "docker-dev"
 RPROVIDES:${PN}-contrip += "docker-dev"
 
 inherit pkgconfig
-PACKAGECONFIG ??= "docker-init"
+PACKAGECONFIG ??= "docker-init seccomp"
 PACKAGECONFIG[seccomp] = "seccomp,,libseccomp"
 PACKAGECONFIG[docker-init] = ",,,docker-init"
 PACKAGECONFIG[transient-config] = "transient-config"
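
Review bot: Because PACKAGECONFIG is assigned with ??=, the new seccomp default only reaches builds that do not set PACKAGECONFIG for docker themselves; a distro or bbappend that already assigns it keeps building without seccomp and gets no hint. For a kirkstone backport, the commit message should call out that this changes the default and adds the libseccomp dependency, and that existing overrides need seccomp added by hand. Separately, the context line RPROVIDES:${PN}-contrip looks like a typo for -contrib and deserves its own fix.
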
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 20/21] docker/moby: use generic DOCKER_COMMIT in do_compile
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (18 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 19/21] docker: add seccomp to default packageconfig settings Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 21/21] moby: update to v20.10.21 Adrian Freihofer
  2022-12-22 15:30 ` [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Bruce Ashfield
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Bruce Ashfield

From: Bruce Ashfield <bruce.ashfield@gmail.com>

do_compile() is shared and shouldn't have been using SRCREV_moby
as that is obviously only set in the moby recipe.

Switch to using a generic DOCKER_COMMIT variable and set it in
both docker_moby and docker-ce.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
 recipes-containers/docker/docker-ce_git.bb   | 2 ++
 recipes-containers/docker/docker-moby_git.bb | 2 ++
 recipes-containers/docker/docker.inc         | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
index b86596c..4561687 100644
--- a/recipes-containers/docker/docker-ce_git.bb
+++ b/recipes-containers/docker/docker-ce_git.bb
@@ -45,6 +45,8 @@ SRC_URI = "\
         file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
 	"
 
+DOCKER_COMMIT = "${SRCREV_docker}"
+
 require docker.inc
 
 # Apache-2.0 for docker
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index e687cec..8a35290 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -48,6 +48,8 @@ SRC_URI = "\
         file://0001-dynbinary-use-go-cross-compiler.patch \
 	"
 
+DOCKER_COMMIT = "${SRCREV_moby}"
+
 require docker.inc
 
 # Apache-2.0 for docker
diff --git a/recipes-containers/docker/docker.inc b/recipes-containers/docker/docker.inc
index b74b412..2487456 100644
--- a/recipes-containers/docker/docker.inc
+++ b/recipes-containers/docker/docker.inc
@@ -97,14 +97,14 @@ do_compile() {
 	# this is the unsupported built structure
 	# that doesn't rely on an existing docker
 	# to build this:
-	VERSION="${DOCKER_VERSION}" DOCKER_GITCOMMIT="${SRCREV_moby}" ./hack/make.sh dynbinary
+	VERSION="${DOCKER_VERSION}" DOCKER_GITCOMMIT="${DOCKER_COMMIT}" ./hack/make.sh dynbinary
 
         # build the cli
 	cd ${S}/src/import/.gopath/src/github.com/docker/cli
 	export CFLAGS=""
 	export LDFLAGS=""
 	export DOCKER_VERSION=${DOCKER_VERSION}
-	VERSION="${DOCKER_VERSION}" DOCKER_GITCOMMIT="${SRCREV_moby}" make dynbinary
+	VERSION="${DOCKER_VERSION}" DOCKER_GITCOMMIT="${DOCKER_COMMIT}" make dynbinary
 
 	# build the proxy
 	cd ${S}/src/import/.gopath/src/github.com/docker/libnetwork
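
Review bot: The cli "make dynbinary" line now stamps DOCKER_GITCOMMIT with ${DOCKER_COMMIT}, which both recipes set to the engine revision (SRCREV_docker or SRCREV_moby), while the commit message of patch 18/21 says the cli is on a different SRCREV. The client will therefore report the engine's commit rather than the commit it was built from; consider a separate variable for the cli build. docker.inc also gives DOCKER_COMMIT no default, so a recipe that requires it without setting the variable builds without a usable commit string; a "DOCKER_COMMIT ?=" fallback or an explicit check in do_compile would catch that.
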
-- 
2.38.1




* [meta-virtualization][kirkstone][PATCHv2 21/21] moby: update to v20.10.21
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (19 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 20/21] docker/moby: use generic DOCKER_COMMIT in do_compile Adrian Freihofer
@ 2022-12-12  7:58 ` Adrian Freihofer
  2022-12-22 15:30 ` [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Bruce Ashfield
  21 siblings, 0 replies; 23+ messages in thread
From: Adrian Freihofer @ 2022-12-12  7:58 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Adrian Freihofer

Bumping moby to version v20.10.21, which comprises the following commits:

        f99cb8297b integration: download busybox-w32 from GitHub Release
        3f9dc25f5c update containerd binary to v1.6.9
        87ccd38cea vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compatibility
        e83e465ae2 [20.10] vendor: github.com/moby/buildkit eeb7b65ab7d651770a5ec52a06ea7c96eb97a249 (v0.8 branch)
        9c84417c1b skip TestImagePullStoredfDigestForOtherRepo() on Windows and rootless
        5b5b5c6f13 builder: add missing doc comment
        05e25f7892 builder: fix running git commands on Windows
        2f3bf18014 [20.10] vendor moby/buildkit v0.8.3-31-gc0149372
        6699afa549 registry: allow "allow-nondistributable-artifacts" for Docker Hub
        4b9902bad4 Validate digest in repo for pull by digest
        c0d1188c14 builder: make git config isolation opt-in
        9f5f3abcee builder: isolate git from local system
        10db4c2db7 builder: explicitly set CWD for all git commands
        8816c3c2aa builder: modernize TestCheckoutGit
        11bdbf40b9 [20.10] Update to go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
        66ddb7f91c Fix live-restore w/ restart policies + volume refs
        c003392582 contrib: make dockerd-rootless-setuptool.sh more robust
        53313be0f3 docker-rootless-setuptools.sh: use context after install
        9c486bd267 swagger: update links to logo
        fa17fab895 vendor: github.com/containerd/console v1.0.2
        481bee51b5 vendor: github.com/armon/go-metrics v0.4.1
        39ba2873e8 vendor: github.com/google/btree v1.1.2
        c2755f40cd vendor: github.com/hasicorp/memberlist v0.4.0
        5ba3208ec7 Dockerfile: Update Dockerfile syntax, switch to bullseye, add missing libseccomp-dev, remove build pack
        6d6a236286 [20.10] Update uses of Image platform fields in OCI image-spec
        2570784169 [20.10] vendor: github.com/moby/buildkit 3a1eeca59a9263613d996ead67d53a4b7d45723d (v0.8 branch)
        fcd4df906b Update some tests for supplementary group permissions
        6a0186b357 Wrap local calls to the content and lease service
        3d4616f943 Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
        23c7d84b84 docs: api: adjust ContainerWaitResponse error as optional
        3e9e79d134 docs: api: document ImageSummary fields (api v1.39-v1.41)
        fdd438ae03 api: docs: improve documentation of ContainerConfig type (API v1.30-v1.41)
        97014a8db5 namesgenerator: remove Valentina Tereshkova
        e44d7f735e AdditionalGids must include effective group ID
        9e7662e4a7 [20.10] vendor: update containerd to latest of docker-20.10 branch
        7dac25a3a9 vendor: update tar-split to v0.11.2
        8bd86a0699 update containerd binary to v1.6.8
        6c8dd6a6f2 update runc to v1.1.4
        418c141e64 [20.10 backport] daemon: kill exec process on ctx cancel
        d127287d92 Allow different syscalls from kernels 5.12 -> 5.16
        57db169641 seccomp: add support for Landlock syscalls in default policy
reverted by patch: 7ba8ca042c Update golang to 1.18.5
reverted by patch: f2a3c3bcef update golang to 1.18.4
reverted by patch: a99c9cd852 update golang to 1.18.3
reverted by patch: 82939f536b update golang to 1.18.2
reverted by patch: ecd1aa081f update golang to 1.18.1
reverted by patch: 7ba67d05a8 [20.10] vendor: update archive/tar for go 1.18
reverted by patch: 0bc432241e update golang to 1.18.0
        bb95d09f9a staticcheck: ignore "SA1019: strings.Title is deprecated"
        a7299ae72c Dockerfile: update golangci-lint v1.44.0
        d97fd533cf integration-cli: SA5011: possible nil pointer dereference (staticcheck)
        e6aee04a88 client.NewClientWithOpts(): remove redundant type assertion (gosimple)
        0523323c28 daemon/logger/awslogs: suppress false positive on hardcoded creds (gosec)
        adeb29c64c client/request.go:157:8: SA1019: err.Temporary is deprecated (staticcheck)
        50361d91a6 registry: trimV1Address(): simplify trimming trailing slash
        ae3a9337dd golangci.yml: do not limit max reported issues
        9820255a1c golangci.yml: skip some tests
        d223f37300 golangci.yml: update regex for ignoring SA1019
        ec3bfba89d graphdriver: temporarily ignore unsafeptr: possible misuse of reflect.SliceHeader
        f2f387b131 daemon: var-declaration: should omit type bool (revive)
        2fb7c9fea7 daemon/config: error strings should not be capitalized
        fa6954cb98 reformat "nolint" comments
        45fa675a35 if-return: redundant if ...; err != nil check (revive)
        9e88f8435a daemon/splunk: ignore G402: TLS MinVersion too low for now
        2de90ebbe4 pkg/archive: RebaseArchiveEntries(): ignore G110
        14b475d091 daemon/stats: fix notRunningErr / notFoundErr detected as unused (false positive)
        db7b3f4737 unused: ignore false positives
        b6de0ca7c5 G601: Implicit memory aliasing in for loop
        e8b838e99f gosec: G601: Implicit memory aliasing in for loop
        2ddf6e598a gosimple: S1039: unnecessary use of fmt.Sprintf
        fadf8bbdff staticcheck: SA4001: &*x will be simplified to x. It will not copy x
        7573e32577 client: S1031: unnecessary nil check around range (gosimple)
        e738a57a6d daemon/logger/journald: fix linting errors
        34f6b94255 gosec: G404: Use of weak random number generator
        a6d7b61c8b update containerd binary to v1.6.7
        b4ba1ee22f update runc binary to v1.1.3
        da8828c4b3 api: swagger: fix invalid example value (API v1.39-v1.41)
        9501d91e19 api: swagger: document BuildCache fields (API v1.39-v1.41)
        61fdea902b api: swagger: document BuildCache fields.
        c77432c889 [20.10] Update golang to 1.17.13
        2833aa1e4b docs: api: add missing "platform" query-arg on create (v1.41)
        a8c28260ad api: swagger: add missing "platform" query-arg on create
        cfdc075b1c Fix file capabilities droping in Dockerfile
        2daa6bb6b3 Windows: Re-create custom NAT networks after restart if missing from HNS
        903cd53ce4 vendor: libnetwork 0dde5c895075df6e3630e76f750a447cf63f4789
        eccaf6d368 [20.10] update golang to 1.17.12
        ff7feeac37 vendor: github.com/containerd/continuity v0.3.0

    Bumping libnetwork to version v0.7.0-dev.3-1841-gdcdf8f17, which comprises the following commits:

        5e08bdb1 Revert: Added API to set ephemeral port allocator range
        563fe8e2 README.md: repo was moved to https://github.com/moby/moby/tree/master/libnetwork
        bea0bcf5 libnetwork: skip firewalld management for rootless
        af0c46d8 Apply peformance tuning to new sandboxes also

    Bumping docker-cli to version v20.10.21, which comprises the following commits:

        3e3677e47d docs: fix links to BuildKit backend
        20e3951aeb Remove "experimental" gates around "--platform" in bash completion
        75d7ce92a2 fixed the plugin command docker-runc
        a12c535f6e [20.10] vendor docker 03df974ae9e6c219862907efdd76ec2e77ec930b (v20.10.20)
        d18a3e9004 [20.10] vendor moby/buildkit v0.8.3-31-gc0149372
        932ca73874 [20.10] vendor: github.com/docker/docker v20.10.19
        7d51e65e72 [20.10] vendor: github.com/moby/buildkit 3a1eeca59a9263613d996ead67d53a4b7d45723d (v0.8 branch)
        1ea8d69d6f feat(docker): add context argument completion
        e82aa85741 [20.10] vendor: github.com/docker/docker v20.10.18
        e9176b36cc [20.10] vendor: github.com/containerd/continuity v0.3.0
        bc6ff39e42 docs/reference: run.md update confusing example name
        3fa7a8654f docs: update deprecation status for "overlay2.override_kernel_check"
        3e06ce8bfa [20.10] Update go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
        93eead45ee Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
        45075ea08c [20.10] vendor: github.com/docker/docker v20.10.17
        c2dcaecf19 make compose plugin detection in bash completion work on Mac OS
        613b9362d0 Detect compose plugin
        b30d250320 Add completion for docker-compose plugin
        6b25bc3003 fix race condition in TestRemoveForce
        bdac0b38d9 Update golang to 1.18.5
        c70b01ec1f update golang to 1.18.4
        0389090aeb update golang to 1.18.3
        c904936d69 update golang to 1.18.2
        386d50c2e9 update golang to 1.18.1
        990186f2f6 update go to 1.18.0
        86bf1966e2 staticcheck: ignore SA1019: strings.Title is deprecated
        b3022b91d1 [20.10] Dockerfile.lint: use go install
        f14ba9f5d7 [20.10] Dockerfile: use syntax=docker/dockerfile:1
        c189c4dbea [20.10] vendor: github.com/json-iterator/go v1.1.12 for Go 1.18 compatibility
        0c46ffc1f9 [20.10] vendor: github.com/modern-go/reflect2 v1.0.2 for Go 1.18 compatibility
        6be9ce798e [20.10] vendor: github.com/google/gofuzz v1.0.0
        779ed309a8 lint: update golangci-lint to v1.45.2
        2f7e84be65 linting: fix incorrectly formatted errors (revive)
        e628209d9b linting: ignore some "G101: Potential hardcoded credentials" warnings
        80a3add604 cli/command/container: unnecessary use of fmt.Sprintf (gosimple)
        80fb0d575e [20.10] Update golang to 1.17.13
        d72bef2088 [20.10] update golang to 1.17.12
        7502d7e560 Fix dead external link
        308624c3b1 fix: remove asterisk from docker command suggestions
        de7d866b6a [20.10] update golang to 1.17.11
        240e4b5501 [20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
        5d4776bd90 [20.10] update golang to 1.17.10
        49e9c2ae3d vendor: golang.org/x/sys  63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
        87a3ce2699 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
        1d8abed17d vendor: update x/sys to 134d130e
        31dad66f9a [20.10] update golang to 1.17.9
        80f673bf9e gofmt with go1.17
        3d4cc8e699 [20.10] update remaining files to go1.17.8
        30277a8f80 update go to 1.17.8
        cfef3a7dc1 docs: deprecated: add entry for "fluent-async-connect" log-opt
        53426025c3 [20.10] docs: reformat table for compatibility
        573a664639 Describe privileged mode in terms of capabilities
        cf0ab7ac4c [20.10] vendor: github.com/docker/distribution v2.8.1
        d05fd4ffc8 [20.10] vendor: github.com/opencontainers/image-spec v1.0.2
        870f138250 [20.10] vendor: github.com/docker/docker v20.10.14
        198d6b8724 [20.10] circleci: update buildx to v0.8.2
        55a14ec851 [20.10] update remaining Dockerfiles to go 1.16.15
        1f9a0df05a e2e: update docker-compose to 1.29.2
        4ae338b33a docs: reference: remove trailing space to fix yaml formatting
        6380142dd4 docs: fix (table) formatting, fix some broken links
        82f422fcf3 docs: build: fix minor markdown and syntax issues
        80fd77903b Update the list of log drivers
        c3d4d623c8 Fix CMD --ignored-param1 example
        2e82d11def docs: dockerd: fix broken link in blockquote area
        738a6ee1cc improve cp documentation with some illustration examples
        246d96bb6c docs: unify "docker create" and "docker run" reference
        2fd0f17057 docs: add missing documentation for --pull flag
        5fa500000a Fix incorrect pointer inputs to `json.Unmarshal`
        1e6a8ce2b7 Dockerfile: update xx to 1.1
        6f7a931a2d [20.10] use GO_LDFLAGS instead of LDFLAGS to prevent inheriting unrelated options
        91bab605f7 [20.10] vendor.conf: don't use git:// protocol
        a282e0c5d2 [20.10] update to go 1.16.15 to address CVE-2022-24921
        700364e304 Fix mistake with env var example in docker run docs
        62d27c32ff Update WORKDIR command information
        c0e952cf04 Fix the (dead) link for docs for Dockerfile syntax reference
        04104a04d3 Update dockerd.md
        b721998b7b Fixing typo (his --> its)
        4065e1246e format create.md table
        f1002eb9fb Fix typo
        e97c7b240e added missing closing parenthese
        aa78937634 Update stats.md add example json output
        40fe0573aa Update Ubuntu version number references in push.md
        c9737e1c37 docs/daemon: replace deprecated '-g' option for '--data-root'
        5c6723d080 Correct device syntax to --gpus
        fd5fc61ecd [20.10] Update Go to 1.16.14
        3624019d83 [20.10] update Go to 1.16.13
        f3ff8e6ad6 [20.10] vendor: compose-on-kubernetes v0.5.0 to remove github.com/golang/glog
        ee1ac1b319 fix innocuous data-race when config.Load called in parallel
        38dd744a11 [20.10] Update Go to 1.16.12
        4de40a825e Update Go to 1.16.11
        03fa8f92c8 Update Go to 1.16.10
        9989fdbc40 Update most links in docs to use https by default
        0e20c1fd21 Update Go to 1.16.9
        1c0927a041 Dockerfile: update tonistiigi/xx to 1.0.0-rc.2, add XX_VERSION arg
        82f9d5921b info: skip client-side warning about seccomp profile on API >= 1.42
        adb01ca79d docs: some minor touch-ups in checkpoint reference
        8260476a06 docs: remove trailing space to fix generated YAML format
        bce2e1f953 docs: create.md: typo fix
        44064f51c8 Fix typo in documentation - build.md
        292779add5 Add doc for BUILDKIT_PROGRESS env var
        f2e79b826c docs: use "console" code-hint for shell examples
        fa46b92361 docs: rewrite reference docs for --stop-signal and --stop-timeout
        400f81089a experimental: fix broken link to "checkpoint and restore" page
        c72057c8db docs: move checkpoint/restore doc from experimental into reference
        77db97d595 Use private network address for default-address-pools setting in daemon.json example
        cbf0d2b7b7 docs: fix some broken anchors
        d0014a86bc docs: fix description of restart-delay to mention max (1 minute)
        6c1c8b55aa docs: fix search results by filterd is-official
        44fdac11f5 Update Go to 1.16.8
        061051c24d docs: add missing redirect, and remove /go/experimental redirect
        2012fbf111 Update Go to 1.16.7
        42d1c02750 registry: ensure default auth config has address
        0b924e51fc Update to go1.16.6
        6288e8b1ac change TestNewAPIClientFromFlagsWithHttpProxyEnv to an e2e test
        1e9575e81a cli/config/configfile: various test cleanups
        c98e9c47ca Use designated test domains (RFC2606) in tests
        8437cfefae context: deprecate support for encrypted TLS private keys
        68a5ca859f cli/context: ignore linting warnings about RFC 1423 encryption
        8a64739631 Update Dockerfiles to latest syntax, remove "experimental"
        1d37fb3027 Deprecate Kubernetes context support
        0793f96394 Deprecate Kubernetes stack support
        b639ea8b89 Deprecate Kubernetes stack support

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
 recipes-containers/docker/docker-ce_git.bb    |    9 +-
 recipes-containers/docker/docker-moby_git.bb  |    9 +-
 .../files/0001-revert-go-1.8-update.patch     | 1218 +++++++++++++++++
 3 files changed, 1228 insertions(+), 8 deletions(-)
 create mode 100644 recipes-containers/docker/files/0001-revert-go-1.8-update.patch

diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
index 4561687..a41e83a 100644
--- a/recipes-containers/docker/docker-ce_git.bb
+++ b/recipes-containers/docker/docker-ce_git.bb
@@ -31,9 +31,9 @@ DESCRIPTION = "Linux container runtime \
 # so we get that tag, and make it our SRCREVS:
 #
 
-SRCREV_docker = "3949ff121ee486eb73484f6c4708d199f68c930e"
-SRCREV_libnetwork = "f6ccccb1c082a432c2a5814aaedaca56af33d9ea"
-SRCREV_cli = "100c70180fde3601def79a59cc3e996aa553c9b9"
+SRCREV_docker = "3056208812eb5e792fa99736c9167d1e10f4ab49"
+SRCREV_libnetwork = "dcdf8f176d1e13ad719e913e796fb698d846de98"
+SRCREV_cli = "baeda1f82a10204ec5708d5fbba130ad76cfee49"
 SRCREV_FORMAT = "docker_libnetwork"
 SRC_URI = "\
 	git://github.com/docker/docker.git;branch=20.10;name=docker;protocol=https \
@@ -43,6 +43,7 @@ SRC_URI = "\
 	file://docker.init \
         file://0001-dynbinary-use-go-cross-compiler.patch \
         file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
+    file://0001-revert-go-1.8-update.patch;patchdir=src/import \
 	"
 
 DOCKER_COMMIT = "${SRCREV_docker}"
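
Review bot: the added SRC_URI entry names the file 0001-revert-go-1.8-update.patch, but the patch it points to reverts the golang 1.18 backport, so the name reads as a different Go release; 0001-revert-go-1.18-update.patch would match what it does. The entry is also indented with four spaces where the neighbouring entries use a tab or eight spaces. Both points apply to the same entry in docker-moby_git.bb.
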
@@ -53,7 +54,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "20.10.17-ce"
+DOCKER_VERSION = "20.10.21-ce"
 PV = "${DOCKER_VERSION}+git${SRCREV_docker}"
 
 CVE_PRODUCT = "docker mobyproject:moby"
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 8a35290..b048208 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -34,9 +34,9 @@ DESCRIPTION = "Linux container runtime \
 #   - The common components of this recipe and docker-ce do need to be moved
 #     to a docker.inc recipe
 
-SRCREV_moby = "3949ff121ee486eb73484f6c4708d199f68c930e"
-SRCREV_libnetwork = "f6ccccb1c082a432c2a5814aaedaca56af33d9ea"
-SRCREV_cli = "100c70180fde3601def79a59cc3e996aa553c9b9"
+SRCREV_moby = "3056208812eb5e792fa99736c9167d1e10f4ab49"
+SRCREV_libnetwork = "dcdf8f176d1e13ad719e913e796fb698d846de98"
+SRCREV_cli = "baeda1f82a10204ec5708d5fbba130ad76cfee49"
 SRCREV_FORMAT = "moby_libnetwork"
 SRC_URI = "\
 	git://github.com/moby/moby.git;branch=20.10;name=moby;protocol=https \
@@ -46,6 +46,7 @@ SRC_URI = "\
 	file://0001-libnetwork-use-GO-instead-of-go.patch \
         file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
         file://0001-dynbinary-use-go-cross-compiler.patch \
+    file://0001-revert-go-1.8-update.patch;patchdir=src/import \
 	"
 
 DOCKER_COMMIT = "${SRCREV_moby}"
@@ -56,7 +57,7 @@ require docker.inc
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
 
-DOCKER_VERSION = "20.10.17"
+DOCKER_VERSION = "20.10.21"
 PV = "${DOCKER_VERSION}+git${SRCREV_moby}"
 
 CVE_PRODUCT = "docker mobyproject:moby"
diff --git a/recipes-containers/docker/files/0001-revert-go-1.8-update.patch b/recipes-containers/docker/files/0001-revert-go-1.8-update.patch
new file mode 100644
index 0000000..0298c31
--- /dev/null
+++ b/recipes-containers/docker/files/0001-revert-go-1.8-update.patch
@@ -0,0 +1,1218 @@
+From 575302e9c6567b8547b308b2b0c6a07b27e3be3b Mon Sep 17 00:00:00 2001
+From: Adrian Freihofer <adrian.freihofer@siemens.com>
+Date: Sun, 4 Dec 2022 18:02:54 +0100
+Subject: [PATCH] Revert "Merge pull request #43976 from
+ thaJeztah/20.10_backport_bump_golang_1.18"
+
+Upstream-Status: Inapropriate
+
+Updating this patch:
+  git revert -m 1 7d4cc78c0289edbb4727e3d50d4b130ce0f9c47e
+
+This reverts commit 7d4cc78c0289edbb4727e3d50d4b130ce0f9c47e, reversing
+changes made to 32debe0986f4516bfe17bf9122447f0c735e61b4.
+---
+ Dockerfile                            |   2 +-
+ Dockerfile.e2e                        |   2 +-
+ Dockerfile.simple                     |   2 +-
+ Dockerfile.windows                    |   2 +-
+ daemon/logger/templates/templates.go  |   2 +-
+ pkg/plugins/pluginrpc-gen/template.go |   2 +-
+ vendor/archive/tar/common.go          |  40 ++++----
+ vendor/archive/tar/format.go          | 138 +++++++++++++-------------
+ vendor/archive/tar/fuzz_test.go       |  80 ---------------
+ vendor/archive/tar/reader.go          | 102 ++++++++++---------
+ vendor/archive/tar/reader_test.go     |  30 +++---
+ vendor/archive/tar/stat_actime1.go    |   1 +
+ vendor/archive/tar/stat_actime2.go    |   1 +
+ vendor/archive/tar/stat_unix.go       |   1 +
+ vendor/archive/tar/strconv.go         |  43 +++++---
+ vendor/archive/tar/tar_test.go        |   2 +-
+ vendor/archive/tar/writer.go          |  89 ++++++++---------
+ vendor/archive/tar/writer_test.go     |  24 +++--
+ 18 files changed, 251 insertions(+), 312 deletions(-)
+ delete mode 100644 vendor/archive/tar/fuzz_test.go
+
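
Review bot: the "Upstream-Status: Inapropriate" line in the header of the carried patch is misspelled and gives no reason. The usual form is "Upstream-Status: Inappropriate [reason]", and the reason matters here: a reader should be able to tell from the header alone why the layer carries a revert of the upstream Go 1.18 bump.
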
+diff --git a/Dockerfile b/Dockerfile
+index 9472c512a6..f3f7956414 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -3,7 +3,7 @@
+ ARG CROSS="false"
+ ARG SYSTEMD="false"
+ # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored
+-ARG GO_VERSION=1.18.7
++ARG GO_VERSION=1.17.13
+ ARG DEBIAN_FRONTEND=noninteractive
+ ARG VPNKIT_VERSION=0.5.0
+ ARG DOCKER_BUILDTAGS="apparmor seccomp"
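
Review bot: GO_VERSION goes back from 1.18.7 to 1.17.13 here, while the commit message of this patch still lists "Update to go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715" among the commits the bump brings in. Please state in the commit message which Go toolchain actually builds the binaries on kirkstone and whether those CVEs are addressed there, since the context line above notes that archive/tar is vendored and this patch reverts that vendored copy as well.
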
+diff --git a/Dockerfile.e2e b/Dockerfile.e2e
+index f92bec85b0..d0f0b08acd 100644
+--- a/Dockerfile.e2e
++++ b/Dockerfile.e2e
+@@ -1,4 +1,4 @@
+-ARG GO_VERSION=1.18.7
++ARG GO_VERSION=1.17.13
+ 
+ FROM golang:${GO_VERSION}-alpine AS base
+ ENV GO111MODULE=off
+diff --git a/Dockerfile.simple b/Dockerfile.simple
+index 8aa6d7ff94..1db20c1e35 100644
+--- a/Dockerfile.simple
++++ b/Dockerfile.simple
+@@ -5,7 +5,7 @@
+ 
+ # This represents the bare minimum required to build and test Docker.
+ 
+-ARG GO_VERSION=1.18.7
++ARG GO_VERSION=1.17.13
+ 
+ FROM golang:${GO_VERSION}-buster
+ ENV GO111MODULE=off
+diff --git a/Dockerfile.windows b/Dockerfile.windows
+index 6f8242decc..b0ee068aab 100644
+--- a/Dockerfile.windows
++++ b/Dockerfile.windows
+@@ -165,7 +165,7 @@ FROM microsoft/windowsservercore
+ # Use PowerShell as the default shell
+ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+ 
+-ARG GO_VERSION=1.18.7
++ARG GO_VERSION=1.17.13
+ ARG GOTESTSUM_VERSION=v1.7.0
+ 
+ # Environment variable notes:
+diff --git a/daemon/logger/templates/templates.go b/daemon/logger/templates/templates.go
+index d8b4ce5d85..ab76d0f1c2 100644
+--- a/daemon/logger/templates/templates.go
++++ b/daemon/logger/templates/templates.go
+@@ -20,7 +20,7 @@ var basicFunctions = template.FuncMap{
+ 	},
+ 	"split":    strings.Split,
+ 	"join":     strings.Join,
+-	"title":    strings.Title, //nolint:staticcheck // SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead.
++	"title":    strings.Title,
+ 	"lower":    strings.ToLower,
+ 	"upper":    strings.ToUpper,
+ 	"pad":      padWithSpace,
+diff --git a/pkg/plugins/pluginrpc-gen/template.go b/pkg/plugins/pluginrpc-gen/template.go
+index c34a5add11..50ed9293c1 100644
+--- a/pkg/plugins/pluginrpc-gen/template.go
++++ b/pkg/plugins/pluginrpc-gen/template.go
+@@ -64,7 +64,7 @@ func title(s string) string {
+ 	if strings.ToLower(s) == "id" {
+ 		return "ID"
+ 	}
+-	return strings.Title(s) //nolint:staticcheck // SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead.
++	return strings.Title(s)
+ }
+ 
+ var generatedTempl = template.Must(template.New("rpc_cient").Funcs(templFuncs).Parse(`
+diff --git a/vendor/archive/tar/common.go b/vendor/archive/tar/common.go
+index c99b5c1920..c667cfc872 100644
+--- a/vendor/archive/tar/common.go
++++ b/vendor/archive/tar/common.go
+@@ -316,10 +316,10 @@ func invertSparseEntries(src []sparseEntry, size int64) []sparseEntry {
+ // fileState tracks the number of logical (includes sparse holes) and physical
+ // (actual in tar archive) bytes remaining for the current file.
+ //
+-// Invariant: logicalRemaining >= physicalRemaining
++// Invariant: LogicalRemaining >= PhysicalRemaining
+ type fileState interface {
+-	logicalRemaining() int64
+-	physicalRemaining() int64
++	LogicalRemaining() int64
++	PhysicalRemaining() int64
+ }
+ 
+ // allowedFormats determines which formats can be used.
+@@ -413,22 +413,22 @@ func (h Header) allowedFormats() (format Format, paxHdrs map[string]string, err
+ 
+ 	// Check basic fields.
+ 	var blk block
+-	v7 := blk.toV7()
+-	ustar := blk.toUSTAR()
+-	gnu := blk.toGNU()
+-	verifyString(h.Name, len(v7.name()), "Name", paxPath)
+-	verifyString(h.Linkname, len(v7.linkName()), "Linkname", paxLinkpath)
+-	verifyString(h.Uname, len(ustar.userName()), "Uname", paxUname)
+-	verifyString(h.Gname, len(ustar.groupName()), "Gname", paxGname)
+-	verifyNumeric(h.Mode, len(v7.mode()), "Mode", paxNone)
+-	verifyNumeric(int64(h.Uid), len(v7.uid()), "Uid", paxUid)
+-	verifyNumeric(int64(h.Gid), len(v7.gid()), "Gid", paxGid)
+-	verifyNumeric(h.Size, len(v7.size()), "Size", paxSize)
+-	verifyNumeric(h.Devmajor, len(ustar.devMajor()), "Devmajor", paxNone)
+-	verifyNumeric(h.Devminor, len(ustar.devMinor()), "Devminor", paxNone)
+-	verifyTime(h.ModTime, len(v7.modTime()), "ModTime", paxMtime)
+-	verifyTime(h.AccessTime, len(gnu.accessTime()), "AccessTime", paxAtime)
+-	verifyTime(h.ChangeTime, len(gnu.changeTime()), "ChangeTime", paxCtime)
++	v7 := blk.V7()
++	ustar := blk.USTAR()
++	gnu := blk.GNU()
++	verifyString(h.Name, len(v7.Name()), "Name", paxPath)
++	verifyString(h.Linkname, len(v7.LinkName()), "Linkname", paxLinkpath)
++	verifyString(h.Uname, len(ustar.UserName()), "Uname", paxUname)
++	verifyString(h.Gname, len(ustar.GroupName()), "Gname", paxGname)
++	verifyNumeric(h.Mode, len(v7.Mode()), "Mode", paxNone)
++	verifyNumeric(int64(h.Uid), len(v7.UID()), "Uid", paxUid)
++	verifyNumeric(int64(h.Gid), len(v7.GID()), "Gid", paxGid)
++	verifyNumeric(h.Size, len(v7.Size()), "Size", paxSize)
++	verifyNumeric(h.Devmajor, len(ustar.DevMajor()), "Devmajor", paxNone)
++	verifyNumeric(h.Devminor, len(ustar.DevMinor()), "Devminor", paxNone)
++	verifyTime(h.ModTime, len(v7.ModTime()), "ModTime", paxMtime)
++	verifyTime(h.AccessTime, len(gnu.AccessTime()), "AccessTime", paxAtime)
++	verifyTime(h.ChangeTime, len(gnu.ChangeTime()), "ChangeTime", paxCtime)
+ 
+ 	// Check for header-only types.
+ 	var whyOnlyPAX, whyOnlyGNU string
+@@ -538,7 +538,7 @@ type headerFileInfo struct {
+ func (fi headerFileInfo) Size() int64        { return fi.h.Size }
+ func (fi headerFileInfo) IsDir() bool        { return fi.Mode().IsDir() }
+ func (fi headerFileInfo) ModTime() time.Time { return fi.h.ModTime }
+-func (fi headerFileInfo) Sys() any           { return fi.h }
++func (fi headerFileInfo) Sys() interface{}   { return fi.h }
+ 
+ // Name returns the base name of the file.
+ func (fi headerFileInfo) Name() string {
+diff --git a/vendor/archive/tar/format.go b/vendor/archive/tar/format.go
+index 8898c438b5..6642364de1 100644
+--- a/vendor/archive/tar/format.go
++++ b/vendor/archive/tar/format.go
+@@ -160,28 +160,28 @@ var zeroBlock block
+ type block [blockSize]byte
+ 
+ // Convert block to any number of formats.
+-func (b *block) toV7() *headerV7       { return (*headerV7)(b) }
+-func (b *block) toGNU() *headerGNU     { return (*headerGNU)(b) }
+-func (b *block) toSTAR() *headerSTAR   { return (*headerSTAR)(b) }
+-func (b *block) toUSTAR() *headerUSTAR { return (*headerUSTAR)(b) }
+-func (b *block) toSparse() sparseArray { return sparseArray(b[:]) }
++func (b *block) V7() *headerV7       { return (*headerV7)(b) }
++func (b *block) GNU() *headerGNU     { return (*headerGNU)(b) }
++func (b *block) STAR() *headerSTAR   { return (*headerSTAR)(b) }
++func (b *block) USTAR() *headerUSTAR { return (*headerUSTAR)(b) }
++func (b *block) Sparse() sparseArray { return sparseArray(b[:]) }
+ 
+ // GetFormat checks that the block is a valid tar header based on the checksum.
+ // It then attempts to guess the specific format based on magic values.
+ // If the checksum fails, then FormatUnknown is returned.
+-func (b *block) getFormat() Format {
++func (b *block) GetFormat() Format {
+ 	// Verify checksum.
+ 	var p parser
+-	value := p.parseOctal(b.toV7().chksum())
+-	chksum1, chksum2 := b.computeChecksum()
++	value := p.parseOctal(b.V7().Chksum())
++	chksum1, chksum2 := b.ComputeChecksum()
+ 	if p.err != nil || (value != chksum1 && value != chksum2) {
+ 		return FormatUnknown
+ 	}
+ 
+ 	// Guess the magic values.
+-	magic := string(b.toUSTAR().magic())
+-	version := string(b.toUSTAR().version())
+-	trailer := string(b.toSTAR().trailer())
++	magic := string(b.USTAR().Magic())
++	version := string(b.USTAR().Version())
++	trailer := string(b.STAR().Trailer())
+ 	switch {
+ 	case magic == magicUSTAR && trailer == trailerSTAR:
+ 		return formatSTAR
+@@ -194,23 +194,23 @@ func (b *block) getFormat() Format {
+ 	}
+ }
+ 
+-// setFormat writes the magic values necessary for specified format
++// SetFormat writes the magic values necessary for specified format
+ // and then updates the checksum accordingly.
+-func (b *block) setFormat(format Format) {
++func (b *block) SetFormat(format Format) {
+ 	// Set the magic values.
+ 	switch {
+ 	case format.has(formatV7):
+ 		// Do nothing.
+ 	case format.has(FormatGNU):
+-		copy(b.toGNU().magic(), magicGNU)
+-		copy(b.toGNU().version(), versionGNU)
++		copy(b.GNU().Magic(), magicGNU)
++		copy(b.GNU().Version(), versionGNU)
+ 	case format.has(formatSTAR):
+-		copy(b.toSTAR().magic(), magicUSTAR)
+-		copy(b.toSTAR().version(), versionUSTAR)
+-		copy(b.toSTAR().trailer(), trailerSTAR)
++		copy(b.STAR().Magic(), magicUSTAR)
++		copy(b.STAR().Version(), versionUSTAR)
++		copy(b.STAR().Trailer(), trailerSTAR)
+ 	case format.has(FormatUSTAR | FormatPAX):
+-		copy(b.toUSTAR().magic(), magicUSTAR)
+-		copy(b.toUSTAR().version(), versionUSTAR)
++		copy(b.USTAR().Magic(), magicUSTAR)
++		copy(b.USTAR().Version(), versionUSTAR)
+ 	default:
+ 		panic("invalid format")
+ 	}
+@@ -218,17 +218,17 @@ func (b *block) setFormat(format Format) {
+ 	// Update checksum.
+ 	// This field is special in that it is terminated by a NULL then space.
+ 	var f formatter
+-	field := b.toV7().chksum()
+-	chksum, _ := b.computeChecksum() // Possible values are 256..128776
++	field := b.V7().Chksum()
++	chksum, _ := b.ComputeChecksum() // Possible values are 256..128776
+ 	f.formatOctal(field[:7], chksum) // Never fails since 128776 < 262143
+ 	field[7] = ' '
+ }
+ 
+-// computeChecksum computes the checksum for the header block.
++// ComputeChecksum computes the checksum for the header block.
+ // POSIX specifies a sum of the unsigned byte values, but the Sun tar used
+ // signed byte values.
+ // We compute and return both.
+-func (b *block) computeChecksum() (unsigned, signed int64) {
++func (b *block) ComputeChecksum() (unsigned, signed int64) {
+ 	for i, c := range b {
+ 		if 148 <= i && i < 156 {
+ 			c = ' ' // Treat the checksum field itself as all spaces.
+@@ -240,68 +240,68 @@ func (b *block) computeChecksum() (unsigned, signed int64) {
+ }
+ 
+ // Reset clears the block with all zeros.
+-func (b *block) reset() {
++func (b *block) Reset() {
+ 	*b = block{}
+ }
+ 
+ type headerV7 [blockSize]byte
+ 
+-func (h *headerV7) name() []byte     { return h[000:][:100] }
+-func (h *headerV7) mode() []byte     { return h[100:][:8] }
+-func (h *headerV7) uid() []byte      { return h[108:][:8] }
+-func (h *headerV7) gid() []byte      { return h[116:][:8] }
+-func (h *headerV7) size() []byte     { return h[124:][:12] }
+-func (h *headerV7) modTime() []byte  { return h[136:][:12] }
+-func (h *headerV7) chksum() []byte   { return h[148:][:8] }
+-func (h *headerV7) typeFlag() []byte { return h[156:][:1] }
+-func (h *headerV7) linkName() []byte { return h[157:][:100] }
++func (h *headerV7) Name() []byte     { return h[000:][:100] }
++func (h *headerV7) Mode() []byte     { return h[100:][:8] }
++func (h *headerV7) UID() []byte      { return h[108:][:8] }
++func (h *headerV7) GID() []byte      { return h[116:][:8] }
++func (h *headerV7) Size() []byte     { return h[124:][:12] }
++func (h *headerV7) ModTime() []byte  { return h[136:][:12] }
++func (h *headerV7) Chksum() []byte   { return h[148:][:8] }
++func (h *headerV7) TypeFlag() []byte { return h[156:][:1] }
++func (h *headerV7) LinkName() []byte { return h[157:][:100] }
+ 
+ type headerGNU [blockSize]byte
+ 
+-func (h *headerGNU) v7() *headerV7       { return (*headerV7)(h) }
+-func (h *headerGNU) magic() []byte       { return h[257:][:6] }
+-func (h *headerGNU) version() []byte     { return h[263:][:2] }
+-func (h *headerGNU) userName() []byte    { return h[265:][:32] }
+-func (h *headerGNU) groupName() []byte   { return h[297:][:32] }
+-func (h *headerGNU) devMajor() []byte    { return h[329:][:8] }
+-func (h *headerGNU) devMinor() []byte    { return h[337:][:8] }
+-func (h *headerGNU) accessTime() []byte  { return h[345:][:12] }
+-func (h *headerGNU) changeTime() []byte  { return h[357:][:12] }
+-func (h *headerGNU) sparse() sparseArray { return sparseArray(h[386:][:24*4+1]) }
+-func (h *headerGNU) realSize() []byte    { return h[483:][:12] }
++func (h *headerGNU) V7() *headerV7       { return (*headerV7)(h) }
++func (h *headerGNU) Magic() []byte       { return h[257:][:6] }
++func (h *headerGNU) Version() []byte     { return h[263:][:2] }
++func (h *headerGNU) UserName() []byte    { return h[265:][:32] }
++func (h *headerGNU) GroupName() []byte   { return h[297:][:32] }
++func (h *headerGNU) DevMajor() []byte    { return h[329:][:8] }
++func (h *headerGNU) DevMinor() []byte    { return h[337:][:8] }
++func (h *headerGNU) AccessTime() []byte  { return h[345:][:12] }
++func (h *headerGNU) ChangeTime() []byte  { return h[357:][:12] }
++func (h *headerGNU) Sparse() sparseArray { return sparseArray(h[386:][:24*4+1]) }
++func (h *headerGNU) RealSize() []byte    { return h[483:][:12] }
+ 
+ type headerSTAR [blockSize]byte
+ 
+-func (h *headerSTAR) v7() *headerV7      { return (*headerV7)(h) }
+-func (h *headerSTAR) magic() []byte      { return h[257:][:6] }
+-func (h *headerSTAR) version() []byte    { return h[263:][:2] }
+-func (h *headerSTAR) userName() []byte   { return h[265:][:32] }
+-func (h *headerSTAR) groupName() []byte  { return h[297:][:32] }
+-func (h *headerSTAR) devMajor() []byte   { return h[329:][:8] }
+-func (h *headerSTAR) devMinor() []byte   { return h[337:][:8] }
+-func (h *headerSTAR) prefix() []byte     { return h[345:][:131] }
+-func (h *headerSTAR) accessTime() []byte { return h[476:][:12] }
+-func (h *headerSTAR) changeTime() []byte { return h[488:][:12] }
+-func (h *headerSTAR) trailer() []byte    { return h[508:][:4] }
++func (h *headerSTAR) V7() *headerV7      { return (*headerV7)(h) }
++func (h *headerSTAR) Magic() []byte      { return h[257:][:6] }
++func (h *headerSTAR) Version() []byte    { return h[263:][:2] }
++func (h *headerSTAR) UserName() []byte   { return h[265:][:32] }
++func (h *headerSTAR) GroupName() []byte  { return h[297:][:32] }
++func (h *headerSTAR) DevMajor() []byte   { return h[329:][:8] }
++func (h *headerSTAR) DevMinor() []byte   { return h[337:][:8] }
++func (h *headerSTAR) Prefix() []byte     { return h[345:][:131] }
++func (h *headerSTAR) AccessTime() []byte { return h[476:][:12] }
++func (h *headerSTAR) ChangeTime() []byte { return h[488:][:12] }
++func (h *headerSTAR) Trailer() []byte    { return h[508:][:4] }
+ 
+ type headerUSTAR [blockSize]byte
+ 
+-func (h *headerUSTAR) v7() *headerV7     { return (*headerV7)(h) }
+-func (h *headerUSTAR) magic() []byte     { return h[257:][:6] }
+-func (h *headerUSTAR) version() []byte   { return h[263:][:2] }
+-func (h *headerUSTAR) userName() []byte  { return h[265:][:32] }
+-func (h *headerUSTAR) groupName() []byte { return h[297:][:32] }
+-func (h *headerUSTAR) devMajor() []byte  { return h[329:][:8] }
+-func (h *headerUSTAR) devMinor() []byte  { return h[337:][:8] }
+-func (h *headerUSTAR) prefix() []byte    { return h[345:][:155] }
++func (h *headerUSTAR) V7() *headerV7     { return (*headerV7)(h) }
++func (h *headerUSTAR) Magic() []byte     { return h[257:][:6] }
++func (h *headerUSTAR) Version() []byte   { return h[263:][:2] }
++func (h *headerUSTAR) UserName() []byte  { return h[265:][:32] }
++func (h *headerUSTAR) GroupName() []byte { return h[297:][:32] }
++func (h *headerUSTAR) DevMajor() []byte  { return h[329:][:8] }
++func (h *headerUSTAR) DevMinor() []byte  { return h[337:][:8] }
++func (h *headerUSTAR) Prefix() []byte    { return h[345:][:155] }
+ 
+ type sparseArray []byte
+ 
+-func (s sparseArray) entry(i int) sparseElem { return sparseElem(s[i*24:]) }
+-func (s sparseArray) isExtended() []byte     { return s[24*s.maxEntries():][:1] }
+-func (s sparseArray) maxEntries() int        { return len(s) / 24 }
++func (s sparseArray) Entry(i int) sparseElem { return sparseElem(s[i*24:]) }
++func (s sparseArray) IsExtended() []byte     { return s[24*s.MaxEntries():][:1] }
++func (s sparseArray) MaxEntries() int        { return len(s) / 24 }
+ 
+ type sparseElem []byte
+ 
+-func (s sparseElem) offset() []byte { return s[00:][:12] }
+-func (s sparseElem) length() []byte { return s[12:][:12] }
++func (s sparseElem) Offset() []byte { return s[00:][:12] }
++func (s sparseElem) Length() []byte { return s[12:][:12] }
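Review bot: nothing in this hunk or its comments says why the accessors on the unexported types headerV7, headerGNU, headerSTAR, headerUSTAR, sparseArray and sparseElem are being exported. Only the case of the method names changes; every offset and length is untouched (for example `h[345:][:131]` for the STAR Prefix against `h[345:][:155]` for the USTAR one). Please give the reason for the rename in the patch description, so that whoever next refreshes this vendored copy knows whether it has to be carried forward.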
+diff --git a/vendor/archive/tar/fuzz_test.go b/vendor/archive/tar/fuzz_test.go
+deleted file mode 100644
+index e73e0d2609..0000000000
+--- a/vendor/archive/tar/fuzz_test.go
++++ /dev/null
+@@ -1,80 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package tar
+-
+-import (
+-	"bytes"
+-	"io"
+-	"testing"
+-)
+-
+-func FuzzReader(f *testing.F) {
+-	b := bytes.NewBuffer(nil)
+-	w := NewWriter(b)
+-	inp := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.")
+-	err := w.WriteHeader(&Header{
+-		Name: "lorem.txt",
+-		Mode: 0600,
+-		Size: int64(len(inp)),
+-	})
+-	if err != nil {
+-		f.Fatalf("failed to create writer: %s", err)
+-	}
+-	_, err = w.Write(inp)
+-	if err != nil {
+-		f.Fatalf("failed to write file to archive: %s", err)
+-	}
+-	if err := w.Close(); err != nil {
+-		f.Fatalf("failed to write archive: %s", err)
+-	}
+-	f.Add(b.Bytes())
+-
+-	f.Fuzz(func(t *testing.T, b []byte) {
+-		r := NewReader(bytes.NewReader(b))
+-		type file struct {
+-			header  *Header
+-			content []byte
+-		}
+-		files := []file{}
+-		for {
+-			hdr, err := r.Next()
+-			if err == io.EOF {
+-				break
+-			}
+-			if err != nil {
+-				return
+-			}
+-			buf := bytes.NewBuffer(nil)
+-			if _, err := io.Copy(buf, r); err != nil {
+-				continue
+-			}
+-			files = append(files, file{header: hdr, content: buf.Bytes()})
+-		}
+-
+-		// If we were unable to read anything out of the archive don't
+-		// bother trying to roundtrip it.
+-		if len(files) == 0 {
+-			return
+-		}
+-
+-		out := bytes.NewBuffer(nil)
+-		w := NewWriter(out)
+-		for _, f := range files {
+-			if err := w.WriteHeader(f.header); err != nil {
+-				t.Fatalf("unable to write previously parsed header: %s", err)
+-			}
+-			if _, err := w.Write(f.content); err != nil {
+-				t.Fatalf("unable to write previously parsed content: %s", err)
+-			}
+-		}
+-		if err := w.Close(); err != nil {
+-			t.Fatalf("Unable to write archive: %s", err)
+-		}
+-
+-		// TODO: We may want to check if the archive roundtrips. This would require
+-		// taking into account addition of the two zero trailer blocks that Writer.Close
+-		// appends.
+-	})
+-}
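Review bot: deleting vendor/archive/tar/fuzz_test.go drops FuzzReader, the fuzz target for Reader.Next, in the same patch that rewrites the length and bounds handling in parsePAXRecord. If the file goes because the target toolchain has no testing.F (the `any` and `strings.Cut` replacements elsewhere in this patch point that way), say so in the description. Consider keeping the seed archive built at the top of FuzzReader as an ordinary read-and-rewrite test, so the round trip through Next, WriteHeader and Close stays exercised.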
+diff --git a/vendor/archive/tar/reader.go b/vendor/archive/tar/reader.go
+index e609c15f27..f645af8016 100644
+--- a/vendor/archive/tar/reader.go
++++ b/vendor/archive/tar/reader.go
+@@ -65,7 +65,7 @@ func (tr *Reader) next() (*Header, error) {
+ 	format := FormatUSTAR | FormatPAX | FormatGNU
+ 	for {
+ 		// Discard the remainder of the file and any padding.
+-		if err := discard(tr.r, tr.curr.physicalRemaining()); err != nil {
++		if err := discard(tr.r, tr.curr.PhysicalRemaining()); err != nil {
+ 			return nil, err
+ 		}
+ 		if _, err := tryReadFull(tr.r, tr.blk[:tr.pad]); err != nil {
+@@ -355,7 +355,7 @@ func (tr *Reader) readHeader() (*Header, *block, error) {
+ 	}
+ 
+ 	// Verify the header matches a known format.
+-	format := tr.blk.getFormat()
++	format := tr.blk.GetFormat()
+ 	if format == FormatUnknown {
+ 		return nil, nil, ErrHeader
+ 	}
+@@ -364,30 +364,30 @@ func (tr *Reader) readHeader() (*Header, *block, error) {
+ 	hdr := new(Header)
+ 
+ 	// Unpack the V7 header.
+-	v7 := tr.blk.toV7()
+-	hdr.Typeflag = v7.typeFlag()[0]
+-	hdr.Name = p.parseString(v7.name())
+-	hdr.Linkname = p.parseString(v7.linkName())
+-	hdr.Size = p.parseNumeric(v7.size())
+-	hdr.Mode = p.parseNumeric(v7.mode())
+-	hdr.Uid = int(p.parseNumeric(v7.uid()))
+-	hdr.Gid = int(p.parseNumeric(v7.gid()))
+-	hdr.ModTime = time.Unix(p.parseNumeric(v7.modTime()), 0)
++	v7 := tr.blk.V7()
++	hdr.Typeflag = v7.TypeFlag()[0]
++	hdr.Name = p.parseString(v7.Name())
++	hdr.Linkname = p.parseString(v7.LinkName())
++	hdr.Size = p.parseNumeric(v7.Size())
++	hdr.Mode = p.parseNumeric(v7.Mode())
++	hdr.Uid = int(p.parseNumeric(v7.UID()))
++	hdr.Gid = int(p.parseNumeric(v7.GID()))
++	hdr.ModTime = time.Unix(p.parseNumeric(v7.ModTime()), 0)
+ 
+ 	// Unpack format specific fields.
+ 	if format > formatV7 {
+-		ustar := tr.blk.toUSTAR()
+-		hdr.Uname = p.parseString(ustar.userName())
+-		hdr.Gname = p.parseString(ustar.groupName())
+-		hdr.Devmajor = p.parseNumeric(ustar.devMajor())
+-		hdr.Devminor = p.parseNumeric(ustar.devMinor())
++		ustar := tr.blk.USTAR()
++		hdr.Uname = p.parseString(ustar.UserName())
++		hdr.Gname = p.parseString(ustar.GroupName())
++		hdr.Devmajor = p.parseNumeric(ustar.DevMajor())
++		hdr.Devminor = p.parseNumeric(ustar.DevMinor())
+ 
+ 		var prefix string
+ 		switch {
+ 		case format.has(FormatUSTAR | FormatPAX):
+ 			hdr.Format = format
+-			ustar := tr.blk.toUSTAR()
+-			prefix = p.parseString(ustar.prefix())
++			ustar := tr.blk.USTAR()
++			prefix = p.parseString(ustar.Prefix())
+ 
+ 			// For Format detection, check if block is properly formatted since
+ 			// the parser is more liberal than what USTAR actually permits.
+@@ -396,23 +396,23 @@ func (tr *Reader) readHeader() (*Header, *block, error) {
+ 				hdr.Format = FormatUnknown // Non-ASCII characters in block.
+ 			}
+ 			nul := func(b []byte) bool { return int(b[len(b)-1]) == 0 }
+-			if !(nul(v7.size()) && nul(v7.mode()) && nul(v7.uid()) && nul(v7.gid()) &&
+-				nul(v7.modTime()) && nul(ustar.devMajor()) && nul(ustar.devMinor())) {
++			if !(nul(v7.Size()) && nul(v7.Mode()) && nul(v7.UID()) && nul(v7.GID()) &&
++				nul(v7.ModTime()) && nul(ustar.DevMajor()) && nul(ustar.DevMinor())) {
+ 				hdr.Format = FormatUnknown // Numeric fields must end in NUL
+ 			}
+ 		case format.has(formatSTAR):
+-			star := tr.blk.toSTAR()
+-			prefix = p.parseString(star.prefix())
+-			hdr.AccessTime = time.Unix(p.parseNumeric(star.accessTime()), 0)
+-			hdr.ChangeTime = time.Unix(p.parseNumeric(star.changeTime()), 0)
++			star := tr.blk.STAR()
++			prefix = p.parseString(star.Prefix())
++			hdr.AccessTime = time.Unix(p.parseNumeric(star.AccessTime()), 0)
++			hdr.ChangeTime = time.Unix(p.parseNumeric(star.ChangeTime()), 0)
+ 		case format.has(FormatGNU):
+ 			hdr.Format = format
+ 			var p2 parser
+-			gnu := tr.blk.toGNU()
+-			if b := gnu.accessTime(); b[0] != 0 {
++			gnu := tr.blk.GNU()
++			if b := gnu.AccessTime(); b[0] != 0 {
+ 				hdr.AccessTime = time.Unix(p2.parseNumeric(b), 0)
+ 			}
+-			if b := gnu.changeTime(); b[0] != 0 {
++			if b := gnu.ChangeTime(); b[0] != 0 {
+ 				hdr.ChangeTime = time.Unix(p2.parseNumeric(b), 0)
+ 			}
+ 
+@@ -439,8 +439,8 @@ func (tr *Reader) readHeader() (*Header, *block, error) {
+ 			// See https://golang.org/issues/21005
+ 			if p2.err != nil {
+ 				hdr.AccessTime, hdr.ChangeTime = time.Time{}, time.Time{}
+-				ustar := tr.blk.toUSTAR()
+-				if s := p.parseString(ustar.prefix()); isASCII(s) {
++				ustar := tr.blk.USTAR()
++				if s := p.parseString(ustar.Prefix()); isASCII(s) {
+ 					prefix = s
+ 				}
+ 				hdr.Format = FormatUnknown // Buggy file is not GNU
+@@ -465,38 +465,38 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ 	// Make sure that the input format is GNU.
+ 	// Unfortunately, the STAR format also has a sparse header format that uses
+ 	// the same type flag but has a completely different layout.
+-	if blk.getFormat() != FormatGNU {
++	if blk.GetFormat() != FormatGNU {
+ 		return nil, ErrHeader
+ 	}
+ 	hdr.Format.mayOnlyBe(FormatGNU)
+ 
+ 	var p parser
+-	hdr.Size = p.parseNumeric(blk.toGNU().realSize())
++	hdr.Size = p.parseNumeric(blk.GNU().RealSize())
+ 	if p.err != nil {
+ 		return nil, p.err
+ 	}
+-	s := blk.toGNU().sparse()
+-	spd := make(sparseDatas, 0, s.maxEntries())
++	s := blk.GNU().Sparse()
++	spd := make(sparseDatas, 0, s.MaxEntries())
+ 	for {
+-		for i := 0; i < s.maxEntries(); i++ {
++		for i := 0; i < s.MaxEntries(); i++ {
+ 			// This termination condition is identical to GNU and BSD tar.
+-			if s.entry(i).offset()[0] == 0x00 {
++			if s.Entry(i).Offset()[0] == 0x00 {
+ 				break // Don't return, need to process extended headers (even if empty)
+ 			}
+-			offset := p.parseNumeric(s.entry(i).offset())
+-			length := p.parseNumeric(s.entry(i).length())
++			offset := p.parseNumeric(s.Entry(i).Offset())
++			length := p.parseNumeric(s.Entry(i).Length())
+ 			if p.err != nil {
+ 				return nil, p.err
+ 			}
+ 			spd = append(spd, sparseEntry{Offset: offset, Length: length})
+ 		}
+ 
+-		if s.isExtended()[0] > 0 {
++		if s.IsExtended()[0] > 0 {
+ 			// There are more entries. Read an extension header and parse its entries.
+ 			if _, err := mustReadFull(tr.r, blk[:]); err != nil {
+ 				return nil, err
+ 			}
+-			s = blk.toSparse()
++			s = blk.Sparse()
+ 			continue
+ 		}
+ 		return spd, nil // Done
+@@ -678,13 +678,11 @@ func (fr *regFileReader) WriteTo(w io.Writer) (int64, error) {
+ 	return io.Copy(w, struct{ io.Reader }{fr})
+ }
+ 
+-// logicalRemaining implements fileState.logicalRemaining.
+-func (fr regFileReader) logicalRemaining() int64 {
++func (fr regFileReader) LogicalRemaining() int64 {
+ 	return fr.nb
+ }
+ 
+-// logicalRemaining implements fileState.physicalRemaining.
+-func (fr regFileReader) physicalRemaining() int64 {
++func (fr regFileReader) PhysicalRemaining() int64 {
+ 	return fr.nb
+ }
+ 
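Review bot: LogicalRemaining and PhysicalRemaining on regFileReader lose their doc comments in this hunk. The removed comment on the second method was wrong (it read "logicalRemaining implements fileState.physicalRemaining"), but dropping both leaves the methods undocumented. Keep a corrected one-line comment on each that names the fileState method it implements.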
+@@ -696,9 +694,9 @@ type sparseFileReader struct {
+ }
+ 
+ func (sr *sparseFileReader) Read(b []byte) (n int, err error) {
+-	finished := int64(len(b)) >= sr.logicalRemaining()
++	finished := int64(len(b)) >= sr.LogicalRemaining()
+ 	if finished {
+-		b = b[:sr.logicalRemaining()]
++		b = b[:sr.LogicalRemaining()]
+ 	}
+ 
+ 	b0 := b
+@@ -726,7 +724,7 @@ func (sr *sparseFileReader) Read(b []byte) (n int, err error) {
+ 		return n, errMissData // Less data in dense file than sparse file
+ 	case err != nil:
+ 		return n, err
+-	case sr.logicalRemaining() == 0 && sr.physicalRemaining() > 0:
++	case sr.LogicalRemaining() == 0 && sr.PhysicalRemaining() > 0:
+ 		return n, errUnrefData // More data in dense file than sparse file
+ 	case finished:
+ 		return n, io.EOF
+@@ -748,7 +746,7 @@ func (sr *sparseFileReader) WriteTo(w io.Writer) (n int64, err error) {
+ 
+ 	var writeLastByte bool
+ 	pos0 := sr.pos
+-	for sr.logicalRemaining() > 0 && !writeLastByte && err == nil {
++	for sr.LogicalRemaining() > 0 && !writeLastByte && err == nil {
+ 		var nf int64 // Size of fragment
+ 		holeStart, holeEnd := sr.sp[0].Offset, sr.sp[0].endOffset()
+ 		if sr.pos < holeStart { // In a data fragment
+@@ -756,7 +754,7 @@ func (sr *sparseFileReader) WriteTo(w io.Writer) (n int64, err error) {
+ 			nf, err = io.CopyN(ws, sr.fr, nf)
+ 		} else { // In a hole fragment
+ 			nf = holeEnd - sr.pos
+-			if sr.physicalRemaining() == 0 {
++			if sr.PhysicalRemaining() == 0 {
+ 				writeLastByte = true
+ 				nf--
+ 			}
+@@ -781,18 +779,18 @@ func (sr *sparseFileReader) WriteTo(w io.Writer) (n int64, err error) {
+ 		return n, errMissData // Less data in dense file than sparse file
+ 	case err != nil:
+ 		return n, err
+-	case sr.logicalRemaining() == 0 && sr.physicalRemaining() > 0:
++	case sr.LogicalRemaining() == 0 && sr.PhysicalRemaining() > 0:
+ 		return n, errUnrefData // More data in dense file than sparse file
+ 	default:
+ 		return n, nil
+ 	}
+ }
+ 
+-func (sr sparseFileReader) logicalRemaining() int64 {
++func (sr sparseFileReader) LogicalRemaining() int64 {
+ 	return sr.sp[len(sr.sp)-1].endOffset() - sr.pos
+ }
+-func (sr sparseFileReader) physicalRemaining() int64 {
+-	return sr.fr.physicalRemaining()
++func (sr sparseFileReader) PhysicalRemaining() int64 {
++	return sr.fr.PhysicalRemaining()
+ }
+ 
+ type zeroReader struct{}
+diff --git a/vendor/archive/tar/reader_test.go b/vendor/archive/tar/reader_test.go
+index 140c736429..5a644a43a4 100644
+--- a/vendor/archive/tar/reader_test.go
++++ b/vendor/archive/tar/reader_test.go
+@@ -1030,12 +1030,12 @@ func TestParsePAX(t *testing.T) {
+ 
+ func TestReadOldGNUSparseMap(t *testing.T) {
+ 	populateSparseMap := func(sa sparseArray, sps []string) []string {
+-		for i := 0; len(sps) > 0 && i < sa.maxEntries(); i++ {
+-			copy(sa.entry(i), sps[0])
++		for i := 0; len(sps) > 0 && i < sa.MaxEntries(); i++ {
++			copy(sa.Entry(i), sps[0])
+ 			sps = sps[1:]
+ 		}
+ 		if len(sps) > 0 {
+-			copy(sa.isExtended(), "\x80")
++			copy(sa.IsExtended(), "\x80")
+ 		}
+ 		return sps
+ 	}
+@@ -1043,19 +1043,19 @@ func TestReadOldGNUSparseMap(t *testing.T) {
+ 	makeInput := func(format Format, size string, sps ...string) (out []byte) {
+ 		// Write the initial GNU header.
+ 		var blk block
+-		gnu := blk.toGNU()
+-		sparse := gnu.sparse()
+-		copy(gnu.realSize(), size)
++		gnu := blk.GNU()
++		sparse := gnu.Sparse()
++		copy(gnu.RealSize(), size)
+ 		sps = populateSparseMap(sparse, sps)
+ 		if format != FormatUnknown {
+-			blk.setFormat(format)
++			blk.SetFormat(format)
+ 		}
+ 		out = append(out, blk[:]...)
+ 
+ 		// Write extended sparse blocks.
+ 		for len(sps) > 0 {
+ 			var blk block
+-			sps = populateSparseMap(blk.toSparse(), sps)
++			sps = populateSparseMap(blk.Sparse(), sps)
+ 			out = append(out, blk[:]...)
+ 		}
+ 		return out
+@@ -1368,11 +1368,11 @@ func TestFileReader(t *testing.T) {
+ 			wantCnt int64
+ 			wantErr error
+ 		}
+-		testRemaining struct { // logicalRemaining() == wantLCnt, physicalRemaining() == wantPCnt
++		testRemaining struct { // LogicalRemaining() == wantLCnt, PhysicalRemaining() == wantPCnt
+ 			wantLCnt int64
+ 			wantPCnt int64
+ 		}
+-		testFnc any // testRead | testWriteTo | testRemaining
++		testFnc interface{} // testRead | testWriteTo | testRemaining
+ 	)
+ 
+ 	type (
+@@ -1385,7 +1385,7 @@ func TestFileReader(t *testing.T) {
+ 			spd     sparseDatas
+ 			size    int64
+ 		}
+-		fileMaker any // makeReg | makeSparse
++		fileMaker interface{} // makeReg | makeSparse
+ 	)
+ 
+ 	vectors := []struct {
+@@ -1605,11 +1605,11 @@ func TestFileReader(t *testing.T) {
+ 					t.Errorf("test %d.%d, expected %d more operations", i, j, len(f.ops))
+ 				}
+ 			case testRemaining:
+-				if got := fr.logicalRemaining(); got != tf.wantLCnt {
+-					t.Errorf("test %d.%d, logicalRemaining() = %d, want %d", i, j, got, tf.wantLCnt)
++				if got := fr.LogicalRemaining(); got != tf.wantLCnt {
++					t.Errorf("test %d.%d, LogicalRemaining() = %d, want %d", i, j, got, tf.wantLCnt)
+ 				}
+-				if got := fr.physicalRemaining(); got != tf.wantPCnt {
+-					t.Errorf("test %d.%d, physicalRemaining() = %d, want %d", i, j, got, tf.wantPCnt)
++				if got := fr.PhysicalRemaining(); got != tf.wantPCnt {
++					t.Errorf("test %d.%d, PhysicalRemaining() = %d, want %d", i, j, got, tf.wantPCnt)
+ 				}
+ 			default:
+ 				t.Fatalf("test %d.%d, unknown test operation: %T", i, j, tf)
+diff --git a/vendor/archive/tar/stat_actime1.go b/vendor/archive/tar/stat_actime1.go
+index c4c2480fee..4fdf2a04b3 100644
+--- a/vendor/archive/tar/stat_actime1.go
++++ b/vendor/archive/tar/stat_actime1.go
+@@ -3,6 +3,7 @@
+ // license that can be found in the LICENSE file.
+ 
+ //go:build aix || linux || dragonfly || openbsd || solaris
++// +build aix linux dragonfly openbsd solaris
+ 
+ package tar
+ 
+diff --git a/vendor/archive/tar/stat_actime2.go b/vendor/archive/tar/stat_actime2.go
+index f76d6be220..5a9a35cbb4 100644
+--- a/vendor/archive/tar/stat_actime2.go
++++ b/vendor/archive/tar/stat_actime2.go
+@@ -3,6 +3,7 @@
+ // license that can be found in the LICENSE file.
+ 
+ //go:build darwin || freebsd || netbsd
++// +build darwin freebsd netbsd
+ 
+ package tar
+ 
+diff --git a/vendor/archive/tar/stat_unix.go b/vendor/archive/tar/stat_unix.go
+index b743c76b8c..4a5bca0312 100644
+--- a/vendor/archive/tar/stat_unix.go
++++ b/vendor/archive/tar/stat_unix.go
+@@ -3,6 +3,7 @@
+ // license that can be found in the LICENSE file.
+ 
+ //go:build aix || linux || darwin || dragonfly || freebsd || openbsd || netbsd || solaris
++// +build aix linux darwin dragonfly freebsd openbsd netbsd solaris
+ 
+ package tar
+ 
+diff --git a/vendor/archive/tar/strconv.go b/vendor/archive/tar/strconv.go
+index 275db6f026..f0b61e6dba 100644
+--- a/vendor/archive/tar/strconv.go
++++ b/vendor/archive/tar/strconv.go
+@@ -14,7 +14,7 @@ import (
+ 
+ // hasNUL reports whether the NUL character exists within s.
+ func hasNUL(s string) bool {
+-	return strings.Contains(s, "\x00")
++	return strings.IndexByte(s, 0) >= 0
+ }
+ 
+ // isASCII reports whether the input is an ASCII C-style string.
+@@ -201,7 +201,10 @@ func parsePAXTime(s string) (time.Time, error) {
+ 	const maxNanoSecondDigits = 9
+ 
+ 	// Split string into seconds and sub-seconds parts.
+-	ss, sn, _ := strings.Cut(s, ".")
++	ss, sn := s, ""
++	if pos := strings.IndexByte(s, '.'); pos >= 0 {
++		ss, sn = s[:pos], s[pos+1:]
++	}
+ 
+ 	// Parse the seconds.
+ 	secs, err := strconv.ParseInt(ss, 10, 64)
+@@ -251,32 +254,48 @@ func formatPAXTime(ts time.Time) (s string) {
+ // return the remainder as r.
+ func parsePAXRecord(s string) (k, v, r string, err error) {
+ 	// The size field ends at the first space.
+-	nStr, rest, ok := strings.Cut(s, " ")
+-	if !ok {
++	sp := strings.IndexByte(s, ' ')
++	if sp == -1 {
+ 		return "", "", s, ErrHeader
+ 	}
+ 
+ 	// Parse the first token as a decimal integer.
+-	n, perr := strconv.ParseInt(nStr, 10, 0) // Intentionally parse as native int
+-	if perr != nil || n < 5 || n > int64(len(s)) {
++	n, perr := strconv.ParseInt(s[:sp], 10, 0) // Intentionally parse as native int
++	if perr != nil || n < 5 || int64(len(s)) < n {
+ 		return "", "", s, ErrHeader
+ 	}
+-	n -= int64(len(nStr) + 1) // convert from index in s to index in rest
+-	if n <= 0 {
++
++	afterSpace := int64(sp + 1)
++	beforeLastNewLine := n - 1
++	// In some cases, "length" was perhaps padded/malformed, and
++	// trying to index past where the space supposedly is goes past
++	// the end of the actual record.
++	// For example:
++	//    "0000000000000000000000000000000030 mtime=1432668921.098285006\n30 ctime=2147483649.15163319"
++	//                                  ^     ^
++	//                                  |     |
++	//                                  |  afterSpace=35
++	//                                  |
++	//                          beforeLastNewLine=29
++	// yet indexOf(firstSpace) MUST BE before endOfRecord.
++	//
++	// See https://golang.org/issues/40196.
++	if afterSpace >= beforeLastNewLine {
+ 		return "", "", s, ErrHeader
+ 	}
+ 
+ 	// Extract everything between the space and the final newline.
+-	rec, nl, rem := rest[:n-1], rest[n-1:n], rest[n:]
++	rec, nl, rem := s[afterSpace:beforeLastNewLine], s[beforeLastNewLine:n], s[n:]
+ 	if nl != "\n" {
+ 		return "", "", s, ErrHeader
+ 	}
+ 
+ 	// The first equals separates the key from the value.
+-	k, v, ok = strings.Cut(rec, "=")
+-	if !ok {
++	eq := strings.IndexByte(rec, '=')
++	if eq == -1 {
+ 		return "", "", s, ErrHeader
+ 	}
++	k, v = rec[:eq], rec[eq+1:]
+ 
+ 	if !validPAXRecord(k, v) {
+ 		return "", "", s, ErrHeader
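Review bot: the guard `if afterSpace >= beforeLastNewLine` in parsePAXRecord needs a regression case. It is the check that keeps `s[afterSpace:beforeLastNewLine]` from being sliced with inverted bounds when the length field is zero-padded, as in the example in the comment (afterSpace=35, beforeLastNewLine=29). It also rejects the afterSpace == beforeLastNewLine case, an empty record that would fail the '=' lookup anyway, so the result matches the removed `n <= 0` check. Since FuzzReader is deleted elsewhere in this patch, make sure the padded string from the comment is a table case in the parsePAXRecord tests, expecting ErrHeader.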
+@@ -314,7 +333,7 @@ func formatPAXRecord(k, v string) (string, error) {
+ // for the PAX version of the USTAR string fields.
+ // The key must not contain an '=' character.
+ func validPAXRecord(k, v string) bool {
+-	if k == "" || strings.Contains(k, "=") {
++	if k == "" || strings.IndexByte(k, '=') >= 0 {
+ 		return false
+ 	}
+ 	switch k {
+diff --git a/vendor/archive/tar/tar_test.go b/vendor/archive/tar/tar_test.go
+index a476f5eb01..e9fafc7cc7 100644
+--- a/vendor/archive/tar/tar_test.go
++++ b/vendor/archive/tar/tar_test.go
+@@ -23,7 +23,7 @@ import (
+ 
+ type testError struct{ error }
+ 
+-type fileOps []any // []T where T is (string | int64)
++type fileOps []interface{} // []T where T is (string | int64)
+ 
+ // testFile is an io.ReadWriteSeeker where the IO operations performed
+ // on it must match the list of operations in ops.
+diff --git a/vendor/archive/tar/writer.go b/vendor/archive/tar/writer.go
+index 9b2e3e25d4..893eac00ae 100644
+--- a/vendor/archive/tar/writer.go
++++ b/vendor/archive/tar/writer.go
+@@ -50,7 +50,7 @@ func (tw *Writer) Flush() error {
+ 	if tw.err != nil {
+ 		return tw.err
+ 	}
+-	if nb := tw.curr.logicalRemaining(); nb > 0 {
++	if nb := tw.curr.LogicalRemaining(); nb > 0 {
+ 		return fmt.Errorf("archive/tar: missed writing %d bytes", nb)
+ 	}
+ 	if _, tw.err = tw.w.Write(zeroBlock[:tw.pad]); tw.err != nil {
+@@ -117,8 +117,8 @@ func (tw *Writer) writeUSTARHeader(hdr *Header) error {
+ 	// Pack the main header.
+ 	var f formatter
+ 	blk := tw.templateV7Plus(hdr, f.formatString, f.formatOctal)
+-	f.formatString(blk.toUSTAR().prefix(), namePrefix)
+-	blk.setFormat(FormatUSTAR)
++	f.formatString(blk.USTAR().Prefix(), namePrefix)
++	blk.SetFormat(FormatUSTAR)
+ 	if f.err != nil {
+ 		return f.err // Should never happen since header is validated
+ 	}
+@@ -211,7 +211,7 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error {
+ 	var f formatter // Ignore errors since they are expected
+ 	fmtStr := func(b []byte, s string) { f.formatString(b, toASCII(s)) }
+ 	blk := tw.templateV7Plus(hdr, fmtStr, f.formatOctal)
+-	blk.setFormat(FormatPAX)
++	blk.SetFormat(FormatPAX)
+ 	if err := tw.writeRawHeader(blk, hdr.Size, hdr.Typeflag); err != nil {
+ 		return err
+ 	}
+@@ -253,10 +253,10 @@ func (tw *Writer) writeGNUHeader(hdr *Header) error {
+ 	var spb []byte
+ 	blk := tw.templateV7Plus(hdr, f.formatString, f.formatNumeric)
+ 	if !hdr.AccessTime.IsZero() {
+-		f.formatNumeric(blk.toGNU().accessTime(), hdr.AccessTime.Unix())
++		f.formatNumeric(blk.GNU().AccessTime(), hdr.AccessTime.Unix())
+ 	}
+ 	if !hdr.ChangeTime.IsZero() {
+-		f.formatNumeric(blk.toGNU().changeTime(), hdr.ChangeTime.Unix())
++		f.formatNumeric(blk.GNU().ChangeTime(), hdr.ChangeTime.Unix())
+ 	}
+ 	// TODO(dsnet): Re-enable this when adding sparse support.
+ 	// See https://golang.org/issue/22735
+@@ -296,7 +296,7 @@ func (tw *Writer) writeGNUHeader(hdr *Header) error {
+ 			f.formatNumeric(blk.GNU().RealSize(), realSize)
+ 		}
+ 	*/
+-	blk.setFormat(FormatGNU)
++	blk.SetFormat(FormatGNU)
+ 	if err := tw.writeRawHeader(blk, hdr.Size, hdr.Typeflag); err != nil {
+ 		return err
+ 	}
+@@ -324,28 +324,28 @@ type (
+ // The block returned is only valid until the next call to
+ // templateV7Plus or writeRawFile.
+ func (tw *Writer) templateV7Plus(hdr *Header, fmtStr stringFormatter, fmtNum numberFormatter) *block {
+-	tw.blk.reset()
++	tw.blk.Reset()
+ 
+ 	modTime := hdr.ModTime
+ 	if modTime.IsZero() {
+ 		modTime = time.Unix(0, 0)
+ 	}
+ 
+-	v7 := tw.blk.toV7()
+-	v7.typeFlag()[0] = hdr.Typeflag
+-	fmtStr(v7.name(), hdr.Name)
+-	fmtStr(v7.linkName(), hdr.Linkname)
+-	fmtNum(v7.mode(), hdr.Mode)
+-	fmtNum(v7.uid(), int64(hdr.Uid))
+-	fmtNum(v7.gid(), int64(hdr.Gid))
+-	fmtNum(v7.size(), hdr.Size)
+-	fmtNum(v7.modTime(), modTime.Unix())
++	v7 := tw.blk.V7()
++	v7.TypeFlag()[0] = hdr.Typeflag
++	fmtStr(v7.Name(), hdr.Name)
++	fmtStr(v7.LinkName(), hdr.Linkname)
++	fmtNum(v7.Mode(), hdr.Mode)
++	fmtNum(v7.UID(), int64(hdr.Uid))
++	fmtNum(v7.GID(), int64(hdr.Gid))
++	fmtNum(v7.Size(), hdr.Size)
++	fmtNum(v7.ModTime(), modTime.Unix())
+ 
+-	ustar := tw.blk.toUSTAR()
+-	fmtStr(ustar.userName(), hdr.Uname)
+-	fmtStr(ustar.groupName(), hdr.Gname)
+-	fmtNum(ustar.devMajor(), hdr.Devmajor)
+-	fmtNum(ustar.devMinor(), hdr.Devminor)
++	ustar := tw.blk.USTAR()
++	fmtStr(ustar.UserName(), hdr.Uname)
++	fmtStr(ustar.GroupName(), hdr.Gname)
++	fmtNum(ustar.DevMajor(), hdr.Devmajor)
++	fmtNum(ustar.DevMinor(), hdr.Devminor)
+ 
+ 	return &tw.blk
+ }
+@@ -354,7 +354,7 @@ func (tw *Writer) templateV7Plus(hdr *Header, fmtStr stringFormatter, fmtNum num
+ // It uses format to encode the header format and will write data as the body.
+ // It uses default values for all of the other fields (as BSD and GNU tar does).
+ func (tw *Writer) writeRawFile(name, data string, flag byte, format Format) error {
+-	tw.blk.reset()
++	tw.blk.Reset()
+ 
+ 	// Best effort for the filename.
+ 	name = toASCII(name)
+@@ -364,15 +364,15 @@ func (tw *Writer) writeRawFile(name, data string, flag byte, format Format) erro
+ 	name = strings.TrimRight(name, "/")
+ 
+ 	var f formatter
+-	v7 := tw.blk.toV7()
+-	v7.typeFlag()[0] = flag
+-	f.formatString(v7.name(), name)
+-	f.formatOctal(v7.mode(), 0)
+-	f.formatOctal(v7.uid(), 0)
+-	f.formatOctal(v7.gid(), 0)
+-	f.formatOctal(v7.size(), int64(len(data))) // Must be < 8GiB
+-	f.formatOctal(v7.modTime(), 0)
+-	tw.blk.setFormat(format)
++	v7 := tw.blk.V7()
++	v7.TypeFlag()[0] = flag
++	f.formatString(v7.Name(), name)
++	f.formatOctal(v7.Mode(), 0)
++	f.formatOctal(v7.UID(), 0)
++	f.formatOctal(v7.GID(), 0)
++	f.formatOctal(v7.Size(), int64(len(data))) // Must be < 8GiB
++	f.formatOctal(v7.ModTime(), 0)
++	tw.blk.SetFormat(format)
+ 	if f.err != nil {
+ 		return f.err // Only occurs if size condition is violated
+ 	}
+@@ -514,13 +514,10 @@ func (fw *regFileWriter) ReadFrom(r io.Reader) (int64, error) {
+ 	return io.Copy(struct{ io.Writer }{fw}, r)
+ }
+ 
+-// logicalRemaining implements fileState.logicalRemaining.
+-func (fw regFileWriter) logicalRemaining() int64 {
++func (fw regFileWriter) LogicalRemaining() int64 {
+ 	return fw.nb
+ }
+-
+-// logicalRemaining implements fileState.physicalRemaining.
+-func (fw regFileWriter) physicalRemaining() int64 {
++func (fw regFileWriter) PhysicalRemaining() int64 {
+ 	return fw.nb
+ }
+ 
+@@ -532,9 +529,9 @@ type sparseFileWriter struct {
+ }
+ 
+ func (sw *sparseFileWriter) Write(b []byte) (n int, err error) {
+-	overwrite := int64(len(b)) > sw.logicalRemaining()
++	overwrite := int64(len(b)) > sw.LogicalRemaining()
+ 	if overwrite {
+-		b = b[:sw.logicalRemaining()]
++		b = b[:sw.LogicalRemaining()]
+ 	}
+ 
+ 	b0 := b
+@@ -562,7 +559,7 @@ func (sw *sparseFileWriter) Write(b []byte) (n int, err error) {
+ 		return n, errMissData // Not possible; implies bug in validation logic
+ 	case err != nil:
+ 		return n, err
+-	case sw.logicalRemaining() == 0 && sw.physicalRemaining() > 0:
++	case sw.LogicalRemaining() == 0 && sw.PhysicalRemaining() > 0:
+ 		return n, errUnrefData // Not possible; implies bug in validation logic
+ 	case overwrite:
+ 		return n, ErrWriteTooLong
+@@ -584,12 +581,12 @@ func (sw *sparseFileWriter) ReadFrom(r io.Reader) (n int64, err error) {
+ 
+ 	var readLastByte bool
+ 	pos0 := sw.pos
+-	for sw.logicalRemaining() > 0 && !readLastByte && err == nil {
++	for sw.LogicalRemaining() > 0 && !readLastByte && err == nil {
+ 		var nf int64 // Size of fragment
+ 		dataStart, dataEnd := sw.sp[0].Offset, sw.sp[0].endOffset()
+ 		if sw.pos < dataStart { // In a hole fragment
+ 			nf = dataStart - sw.pos
+-			if sw.physicalRemaining() == 0 {
++			if sw.PhysicalRemaining() == 0 {
+ 				readLastByte = true
+ 				nf--
+ 			}
+@@ -619,18 +616,18 @@ func (sw *sparseFileWriter) ReadFrom(r io.Reader) (n int64, err error) {
+ 		return n, errMissData // Not possible; implies bug in validation logic
+ 	case err != nil:
+ 		return n, err
+-	case sw.logicalRemaining() == 0 && sw.physicalRemaining() > 0:
++	case sw.LogicalRemaining() == 0 && sw.PhysicalRemaining() > 0:
+ 		return n, errUnrefData // Not possible; implies bug in validation logic
+ 	default:
+ 		return n, ensureEOF(rs)
+ 	}
+ }
+ 
+-func (sw sparseFileWriter) logicalRemaining() int64 {
++func (sw sparseFileWriter) LogicalRemaining() int64 {
+ 	return sw.sp[len(sw.sp)-1].endOffset() - sw.pos
+ }
+-func (sw sparseFileWriter) physicalRemaining() int64 {
+-	return sw.fw.physicalRemaining()
++func (sw sparseFileWriter) PhysicalRemaining() int64 {
++	return sw.fw.PhysicalRemaining()
+ }
+ 
+ // zeroWriter may only be written with NULs, otherwise it returns errWriteHole.
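Review bot: LogicalRemaining on sparseFileWriter is now exported but still has no doc comment, and its body indexes `sw.sp[len(sw.sp)-1]` with no length guard. A one-line comment stating that sw.sp must be non-empty would record the precondition that Write and ReadFrom rely on. Both renamed methods also sit on a value receiver while ReadFrom in this hunk uses `*sparseFileWriter`; since these lines are being touched anyway, it is worth noting in the patch whether the mixed receivers are kept only to match the code being reverted to.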
+diff --git a/vendor/archive/tar/writer_test.go b/vendor/archive/tar/writer_test.go
+index 640264984a..4e709e5cac 100644
+--- a/vendor/archive/tar/writer_test.go
++++ b/vendor/archive/tar/writer_test.go
+@@ -67,7 +67,7 @@ func TestWriter(t *testing.T) {
+ 		testClose struct { // Close() == wantErr
+ 			wantErr error
+ 		}
+-		testFnc any // testHeader | testWrite | testReadFrom | testClose
++		testFnc interface{} // testHeader | testWrite | testReadFrom | testClose
+ 	)
+ 
+ 	vectors := []struct {
+@@ -987,9 +987,11 @@ func TestIssue12594(t *testing.T) {
+ 		// The prefix field should never appear in the GNU format.
+ 		var blk block
+ 		copy(blk[:], b.Bytes())
+-		prefix := string(blk.toUSTAR().prefix())
+-		prefix, _, _ = strings.Cut(prefix, "\x00") // Truncate at the NUL terminator
+-		if blk.getFormat() == FormatGNU && len(prefix) > 0 && strings.HasPrefix(name, prefix) {
++		prefix := string(blk.USTAR().Prefix())
++		if i := strings.IndexByte(prefix, 0); i >= 0 {
++			prefix = prefix[:i] // Truncate at the NUL terminator
++		}
++		if blk.GetFormat() == FormatGNU && len(prefix) > 0 && strings.HasPrefix(name, prefix) {
+ 			t.Errorf("test %d, found prefix in GNU format: %s", i, prefix)
+ 		}
+ 
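Review bot: in the replacement for strings.Cut, the `i` declared in `if i := strings.IndexByte(prefix, 0); i >= 0` shadows the test index `i` that the t.Errorf call a few lines later prints as "test %d". The scoping is correct as written, because the inner `i` ends with the if block, but a later edit that moves the Errorf into that block would report the NUL offset as the test number. Naming the inner variable something like `nul` removes the ambiguity at no cost.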
+@@ -1054,11 +1056,11 @@ func TestFileWriter(t *testing.T) {
+ 			wantCnt int64
+ 			wantErr error
+ 		}
+-		testRemaining struct { // logicalRemaining() == wantLCnt, physicalRemaining() == wantPCnt
++		testRemaining struct { // LogicalRemaining() == wantLCnt, PhysicalRemaining() == wantPCnt
+ 			wantLCnt int64
+ 			wantPCnt int64
+ 		}
+-		testFnc any // testWrite | testReadFrom | testRemaining
++		testFnc interface{} // testWrite | testReadFrom | testRemaining
+ 	)
+ 
+ 	type (
+@@ -1071,7 +1073,7 @@ func TestFileWriter(t *testing.T) {
+ 			sph     sparseHoles
+ 			size    int64
+ 		}
+-		fileMaker any // makeReg | makeSparse
++		fileMaker interface{} // makeReg | makeSparse
+ 	)
+ 
+ 	vectors := []struct {
+@@ -1317,11 +1319,11 @@ func TestFileWriter(t *testing.T) {
+ 					t.Errorf("test %d.%d, expected %d more operations", i, j, len(f.ops))
+ 				}
+ 			case testRemaining:
+-				if got := fw.logicalRemaining(); got != tf.wantLCnt {
+-					t.Errorf("test %d.%d, logicalRemaining() = %d, want %d", i, j, got, tf.wantLCnt)
++				if got := fw.LogicalRemaining(); got != tf.wantLCnt {
++					t.Errorf("test %d.%d, LogicalRemaining() = %d, want %d", i, j, got, tf.wantLCnt)
+ 				}
+-				if got := fw.physicalRemaining(); got != tf.wantPCnt {
+-					t.Errorf("test %d.%d, physicalRemaining() = %d, want %d", i, j, got, tf.wantPCnt)
++				if got := fw.PhysicalRemaining(); got != tf.wantPCnt {
++					t.Errorf("test %d.%d, PhysicalRemaining() = %d, want %d", i, j, got, tf.wantPCnt)
+ 				}
+ 			default:
+ 				t.Fatalf("test %d.%d, unknown test operation: %T", i, j, tf)
+-- 
+2.38.1
+
-- 
2.38.1




* Re: [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates
  2022-12-12  7:58 [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates Adrian Freihofer
                   ` (20 preceding siblings ...)
  2022-12-12  7:58 ` [meta-virtualization][kirkstone][PATCHv2 21/21] moby: update to v20.10.21 Adrian Freihofer
@ 2022-12-22 15:30 ` Bruce Ashfield
  21 siblings, 0 replies; 23+ messages in thread
From: Bruce Ashfield @ 2022-12-22 15:30 UTC (permalink / raw)
  To: Adrian Freihofer; +Cc: meta-virtualization, Adrian Freihofer

In message: [meta-virtualization][kirkstone][PATCHv2 00/21] docker updates
on 12/12/2022 Adrian Freihofer wrote:

> This brings docker-ce, docker-moby, containerd-opencontainers,
> runc-opencontainers and runc-docker to almost the same commits
> as they are on the master branch. That's what I did:
> 
>   git cherry-pick ea4c3c3ebac169c3b609476de1cae9bf826e2e50
>   git cherry-pick ade7848788f9b9b1fdf64c2569601ae187e92b1c
>   git cherry-pick 3cf7b710863cbc0d2696700c3eb30f9ee6638953
>   git cherry-pick 3012689f5eb352ac6d35f64cf30fee26e947c980
>   git revert 16e29a7818e2e342960e8ccb38768543f860021c
>     commit e4474ef881401b2f3ed3ba806a288bb986dcac49 of runc does a vendor
>     update which includes the reverted fix again. The commit is after
>     1.2.0 and before 1.3.0 --> the next cherry-pick updates runc to
>     1.3.0 and the fix will be back.
>   git cherry-pick d8ecc12a13ec4da705f4f2597582879ef7889833
>   git cherry-pick 038b48664af66ad4ae1f02e23a2b3fce7f93db6d
>   git cherry-pick dbe9ce60c2628a3b63067e0334491448c8643a0a
>   git cherry-pick bd60f149dceb0a96ce6c2593103738aa8dccfb5a
>   git cherry-pick f6bf30aca6cb16f4fe185965f56e4e59dd7848f8
>   git cherry-pick 19045acf78b48d7c0d08e7d6afe55133fbf544be
>   git cherry-pick 9ef3fa52d049d5c9ffebcbcbd9d2dd7598fd6685
>   git cherry-pick 7cea149bb0b510d2fb7fe71eee28d10399d0ceb4
>   git cherry-pick a61f6ea090891356bdddd3b63fa2fee228fd38af
>   git cherry-pick 2d0f7255a75d24ec3e3b686d70e97d20dc39c259
> 
>   git cherry-pick 6dba10357ce8906c95b81d3256e945c617999aa8
>   git cherry-pick 99e93d3f88ba1ba21c4d9bec01b07a6d68d7e0b2
>   git cherry-pick 6499f37793e691e0ee07e8f7e5dea4960c8c2217
>   git cherry-pick 9d84fcdc6dd6e6f76709e697e37ee352b8a7de6e
>   git cherry-pick 3f45dc8e6944da89c3124871debec9ec5f443bd5
>   git cherry-pick d3acb1a378e644fe2784a8357390b19695640f78
> 
>   Finally the update of moby/ce to v20.10.21 is not straightforward.
>   - moby: There is an update to go 1.8 which needs to be reverted.
>     The commits are not exactly the same as referred by master. That's
>     on purpose. Picking more commits would just add more code which needs
>     go 1.8.
>   - For the cli the update to go 1.8 changed only the docker build files
>     but not the code or the vendor folder. It's still straightforward.
>   - libnetwork does not have such changes. It's still straightforward.
> 
> Testing:
> 
> # docker run -it debian /bin/bash
>   root@e44d34c90b37:/# cat /etc/os-release
>   PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
>   NAME="Debian GNU/Linux"
>   VERSION_ID="11"
>   VERSION="11 (bullseye)"
>   VERSION_CODENAME=bullseye
>   ID=debian
>   HOME_URL="https://www.debian.org/"
>   SUPPORT_URL="https://www.debian.org/support"
>   BUG_REPORT_URL="https://bugs.debian.org/"
>   root@e44d34c90b37:/# exit
> exit
> # docker version
> Client:
>  Version:           20.10.21-ce
>  API version:       1.41
>  Go version:        go1.17.13
>  Git commit:        baeda1f82a
>  Built:             Fri Dec  9 07:20:51 2022
>  OS/Arch:           linux/arm64
>  Context:           default
>  Experimental:      true
> 
> Server:
>  Engine:
>   Version:          20.10.21-ce
>   API version:      1.41 (minimum version 1.12)
>   Go version:       go1.17.13
>   Git commit:       3056208812eb5e792fa99736c9167d1e10f4ab49
>   Built:            Tue Oct 25 11:44:15 2022
>   OS/Arch:          linux/arm64
>   Experimental:     false
>  containerd:
>   Version:          v1.6.9-12-g6c41694da.m
>   GitCommit:        6c41694da9eb09c2f1f49a5a5fbec4e970cfb460.m
>  runc:
>   Version:          1.1.4+dev
>   GitCommit:        v1.1.4-8-g974efd2d-dirty
>  docker-init:
>   Version:          0.19.0
>   GitCommit:        b9f42a0-dirty

Thanks for the excellent summary, cherry picks and test results.
It made reviewing it before merging much easier.

My results match yours, so this is now merged to kirkstone.

Bruce

> 
> 
> Adrian Freihofer (2):
>   runc-opencontainers: drop obsolete patch
>   moby: update to v20.10.21
> 
> Bruce Ashfield (18):
>   docker/moby: update to 20.10.16
>   docker/moby/libnetwork: update to -latest
>   docker-ce: update to 20.10.16
>   runc: update to 1.1.3
>   runc-docker: update to 1.1.3
>   docker-moby: update to 20.10.17
>   docker-ce: update to 20.10.17
>   docker: ensure that sysvinit and systemd are exclusive
>   containerd: update to 1.6.8
>   containerd: improve reproducibility
>   docker: reproducibility add -trimpath to go -> $GO patches
>   containerd: fix final TMDIR references
>   runc: update to 1.1.4-tip
>   runc-docker: update to 1.1.4-tip
>   containerd: update to v1.6.9
>   docker: add mobyproject:moby to CVE_PRODUCT
>   docker: add seccomp to default packageconfig settings
>   docker/moby: use generic DOCKER_COMMIT in do_compile
> 
> Jose Quaresma (1):
>   docker/proxy: don't use -linkshared unconditionally
> 
>  .../0001-Add-build-option-GODEBUG-1.patch     |   32 -
>  ...O_BUILD_FLAGS-to-be-externally-speci.patch |    6 +-
>  ...don-t-use-gcflags-to-define-trimpath.patch |   30 +
>  .../containerd-opencontainers_git.bb          |   62 +-
>  ...1-build-use-oe-provided-GO-and-flags.patch |    6 +-
>  recipes-containers/docker/README              |    7 +
>  recipes-containers/docker/docker-ce_git.bb    |   13 +-
>  recipes-containers/docker/docker-moby_git.bb  |   13 +-
>  recipes-containers/docker/docker.inc          |   18 +-
>  ...ernal-GO111MODULE-and-cross-compiler.patch |   15 +-
>  ...0001-dynbinary-use-go-cross-compiler.patch |    2 +-
>  ...0001-libnetwork-use-GO-instead-of-go.patch |   10 +-
>  .../files/0001-revert-go-1.8-update.patch     | 1218 +++++++++++++++++
>  ...efine-ActKillThread-equal-to-ActKill.patch |   90 --
>  recipes-containers/runc/runc-docker_git.bb    |    4 +-
>  .../runc/runc-opencontainers_git.bb           |    5 +-
>  16 files changed, 1322 insertions(+), 209 deletions(-)
>  delete mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
>  create mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
>  create mode 100644 recipes-containers/docker/README
>  create mode 100644 recipes-containers/docker/files/0001-revert-go-1.8-update.patch
>  delete mode 100644 recipes-containers/runc/files/0002-Define-ActKillThread-equal-to-ActKill.patch
> 
> -- 
> 2.38.1
> 

> 
> 


