2 files changed, 114 insertions, 0 deletions
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 0738e2d4..7858bebf 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -56,6 +56,7 @@ SRC_URI = "\
        file://0001-libnetwork-use-GO-instead-of-go.patch \
        file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
        file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
+        file://0001-Allow-for-xattr-copy-failure-for-vfs.patch;patchdir=src/import \
        "
 DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/0001-Allow-for-xattr-copy-failure-for-vfs.patch b/recipes-containers/docker/files/0001-Allow-for-xattr-copy-failure-for-vfs.patch
new file mode 100644
index 00000000..b657cafd
--- /dev/null
+++ b/recipes-containers/docker/files/0001-Allow-for-xattr-copy-failure-for-vfs.patch
@@ -0,0 +1,113 @@
+From f0dbd4eaf1416074bc8845063f4b6fb285bf75bd Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 27 Apr 2023 00:42:19 -0700
+Subject: [PATCH] Allow for xattr copy failure for vfs
+vfs is declared to work with any filesystem, but after
+https://github.com/moby/moby/commit/31f654a704f61768828d5950a13f30bb493d1239
+it's no longer working with NFS.
+As the extended attribute support depends on filesystem and
+if we do copy it in vfs and do not allow failure, that would
+essentially mean that vfs does NOT support all filesystems but
+only those that support xattr.
+So we should just try to copy security.capabilities and allow
+for failure. In this way, vfs come back to the state of
+being able to run on any filesystem as declared in
+https://docs.docker.com/storage/storagedriver/select-storage-driver/.
+Fixes https://github.com/moby/moby/issues/45417
+Upstream-Status: Submitted [https://github.com/moby/moby/pull/45420]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ daemon/graphdriver/copy/copy.go       | 6 ++++--
+ daemon/graphdriver/copy/copy_test.go  | 4 ++--
+ daemon/graphdriver/overlay/overlay.go | 4 ++--
+ daemon/graphdriver/vfs/copy_linux.go  | 2 +-
+ 4 files changed, 9 insertions(+), 7 deletions(-)
+diff --git a/daemon/graphdriver/copy/copy.go b/daemon/graphdriver/copy/copy.go
+index 0fb8a1a9d9..f6a5b74af5 100644
+--- a/daemon/graphdriver/copy/copy.go
+++ b/daemon/graphdriver/copy/copy.go
+@@ -116,7 +116,7 @@ type dirMtimeInfo struct {
+ //
+ // The copyOpaqueXattrs controls if "trusted.overlay.opaque" xattrs are copied.
+ // Passing false disables copying "trusted.overlay.opaque" xattrs.
+-func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool) error {
+func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool, allowXattrFailure bool) error {
+        copyWithFileRange := true
+        copyWithFileClone := true
+ 
+@@ -210,7 +210,9 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool) error
+                }
+ 
+                if err := copyXattr(srcPath, dstPath, "security.capability"); err != nil {
+-                       return err
+                       if !allowXattrFailure {
+                               return err
+                       }
+                }
+ 
+                if copyOpaqueXattrs {
+diff --git a/daemon/graphdriver/copy/copy_test.go b/daemon/graphdriver/copy/copy_test.go
+index 8dcd8d9d56..340c715f5f 100644
+--- a/daemon/graphdriver/copy/copy_test.go
+++ b/daemon/graphdriver/copy/copy_test.go
+@@ -40,7 +40,7 @@ func TestCopyDir(t *testing.T) {
+        assert.NilError(t, err)
+        defer os.RemoveAll(dstDir)
+ 
+-       assert.Check(t, DirCopy(srcDir, dstDir, Content, false))
+       assert.Check(t, DirCopy(srcDir, dstDir, Content, false, true))
+        assert.NilError(t, filepath.Walk(srcDir, func(srcPath string, f os.FileInfo, err error) error {
+                if err != nil {
+                        return err
+@@ -146,7 +146,7 @@ func TestCopyHardlink(t *testing.T) {
+        assert.NilError(t, os.WriteFile(srcFile1, []byte{}, 0777))
+        assert.NilError(t, os.Link(srcFile1, srcFile2))
+ 
+-       assert.Check(t, DirCopy(srcDir, dstDir, Content, false))
+       assert.Check(t, DirCopy(srcDir, dstDir, Content, false, true))
+ 
+        assert.NilError(t, unix.Stat(srcFile1, &srcFile1FileInfo))
+        assert.NilError(t, unix.Stat(srcFile2, &srcFile2FileInfo))
+diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
+index 2ed53d82e9..909478963e 100644
+--- a/daemon/graphdriver/overlay/overlay.go
+++ b/daemon/graphdriver/overlay/overlay.go
+@@ -320,7 +320,7 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr
+                return err
+        }
+ 
+-       return copy.DirCopy(parentUpperDir, upperDir, copy.Content, true)
+       return copy.DirCopy(parentUpperDir, upperDir, copy.Content, true, false)
+ }
+ 
+ func (d *Driver) dir(id string) string {
+@@ -460,7 +460,7 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
+                }
+        }()
+ 
+-       if err = copy.DirCopy(parentRootDir, tmpRootDir, copy.Hardlink, true); err != nil {
+       if err = copy.DirCopy(parentRootDir, tmpRootDir, copy.Hardlink, true, false); err != nil {
+                return 0, err
+        }
+ 
+diff --git a/daemon/graphdriver/vfs/copy_linux.go b/daemon/graphdriver/vfs/copy_linux.go
+index 7276b3837f..592825c1a5 100644
+--- a/daemon/graphdriver/vfs/copy_linux.go
+++ b/daemon/graphdriver/vfs/copy_linux.go
+@@ -3,5 +3,5 @@ package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+ import "github.com/docker/docker/daemon/graphdriver/copy"
+ 
+ func dirCopy(srcDir, dstDir string) error {
+-       return copy.DirCopy(srcDir, dstDir, copy.Content, false)
+       return copy.DirCopy(srcDir, dstDir, copy.Content, false, true)
+ }
+-- 
+2.40.0

diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index 0738e2d4..7858bebf 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb
@@ -56,6 +56,7 @@ SRC_URI = "\
56	file://0001-libnetwork-use-GO-instead-of-go.patch \	56	file://0001-libnetwork-use-GO-instead-of-go.patch \
57	file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \	57	file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
58	file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \	58	file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
		59	file://0001-Allow-for-xattr-copy-failure-for-vfs.patch;patchdir=src/import \
59	"	60	"
60		61
61	DOCKER_COMMIT = "${SRCREV_moby}"	62	DOCKER_COMMIT = "${SRCREV_moby}"


diff --git a/recipes-containers/docker/files/0001-Allow-for-xattr-copy-failure-for-vfs.patch b/recipes-containers/docker/files/0001-Allow-for-xattr-copy-failure-for-vfs.patch new file mode 100644 index 00000000..b657cafd --- /dev/null +++ b/recipes-containers/docker/files/0001-Allow-for-xattr-copy-failure-for-vfs.patch
@@ -0,0 +1,113 @@
		1	From f0dbd4eaf1416074bc8845063f4b6fb285bf75bd Mon Sep 17 00:00:00 2001
		2	From: Chen Qi <Qi.Chen@windriver.com>
		3	Date: Thu, 27 Apr 2023 00:42:19 -0700
		4	Subject: [PATCH] Allow for xattr copy failure for vfs
		5
		6	vfs is declared to work with any filesystem, but after
		7	https://github.com/moby/moby/commit/31f654a704f61768828d5950a13f30bb493d1239
		8	it's no longer working with NFS.
		9
		10	As the extended attribute support depends on filesystem and
		11	if we do copy it in vfs and do not allow failure, that would
		12	essentially mean that vfs does NOT support all filesystems but
		13	only those that support xattr.
		14
		15	So we should just try to copy security.capabilities and allow
		16	for failure. In this way, vfs come back to the state of
		17	being able to run on any filesystem as declared in
		18	https://docs.docker.com/storage/storagedriver/select-storage-driver/.
		19
		20	Fixes https://github.com/moby/moby/issues/45417
		21
		22	Upstream-Status: Submitted [https://github.com/moby/moby/pull/45420]
		23
		24	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		25	---
		26	daemon/graphdriver/copy/copy.go \| 6 ++++--
		27	daemon/graphdriver/copy/copy_test.go \| 4 ++--
		28	daemon/graphdriver/overlay/overlay.go \| 4 ++--
		29	daemon/graphdriver/vfs/copy_linux.go \| 2 +-
		30	4 files changed, 9 insertions(+), 7 deletions(-)
		31
		32	diff --git a/daemon/graphdriver/copy/copy.go b/daemon/graphdriver/copy/copy.go
		33	index 0fb8a1a9d9..f6a5b74af5 100644
		34	--- a/daemon/graphdriver/copy/copy.go
		35	+++ b/daemon/graphdriver/copy/copy.go
		36	@@ -116,7 +116,7 @@ type dirMtimeInfo struct {
		37	//
		38	// The copyOpaqueXattrs controls if "trusted.overlay.opaque" xattrs are copied.
		39	// Passing false disables copying "trusted.overlay.opaque" xattrs.
		40	-func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool) error {
		41	+func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool, allowXattrFailure bool) error {
		42	copyWithFileRange := true
		43	copyWithFileClone := true
		44
		45	@@ -210,7 +210,9 @@ func DirCopy(srcDir, dstDir string, copyMode Mode, copyOpaqueXattrs bool) error
		46	}
		47
		48	if err := copyXattr(srcPath, dstPath, "security.capability"); err != nil {
		49	- return err
		50	+ if !allowXattrFailure {
		51	+ return err
		52	+ }
		53	}
		54
		55	if copyOpaqueXattrs {
		56	diff --git a/daemon/graphdriver/copy/copy_test.go b/daemon/graphdriver/copy/copy_test.go
		57	index 8dcd8d9d56..340c715f5f 100644
		58	--- a/daemon/graphdriver/copy/copy_test.go
		59	+++ b/daemon/graphdriver/copy/copy_test.go
		60	@@ -40,7 +40,7 @@ func TestCopyDir(t *testing.T) {
		61	assert.NilError(t, err)
		62	defer os.RemoveAll(dstDir)
		63
		64	- assert.Check(t, DirCopy(srcDir, dstDir, Content, false))
		65	+ assert.Check(t, DirCopy(srcDir, dstDir, Content, false, true))
		66	assert.NilError(t, filepath.Walk(srcDir, func(srcPath string, f os.FileInfo, err error) error {
		67	if err != nil {
		68	return err
		69	@@ -146,7 +146,7 @@ func TestCopyHardlink(t *testing.T) {
		70	assert.NilError(t, os.WriteFile(srcFile1, []byte{}, 0777))
		71	assert.NilError(t, os.Link(srcFile1, srcFile2))
		72
		73	- assert.Check(t, DirCopy(srcDir, dstDir, Content, false))
		74	+ assert.Check(t, DirCopy(srcDir, dstDir, Content, false, true))
		75
		76	assert.NilError(t, unix.Stat(srcFile1, &srcFile1FileInfo))
		77	assert.NilError(t, unix.Stat(srcFile2, &srcFile2FileInfo))
		78	diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
		79	index 2ed53d82e9..909478963e 100644
		80	--- a/daemon/graphdriver/overlay/overlay.go
		81	+++ b/daemon/graphdriver/overlay/overlay.go
		82	@@ -320,7 +320,7 @@ func (d Driver) Create(id, parent string, opts graphdriver.CreateOpts) (retErr
		83	return err
		84	}
		85
		86	- return copy.DirCopy(parentUpperDir, upperDir, copy.Content, true)
		87	+ return copy.DirCopy(parentUpperDir, upperDir, copy.Content, true, false)
		88	}
		89
		90	func (d *Driver) dir(id string) string {
		91	@@ -460,7 +460,7 @@ func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64
		92	}
		93	}()
		94
		95	- if err = copy.DirCopy(parentRootDir, tmpRootDir, copy.Hardlink, true); err != nil {
		96	+ if err = copy.DirCopy(parentRootDir, tmpRootDir, copy.Hardlink, true, false); err != nil {
		97	return 0, err
		98	}
		99
		100	diff --git a/daemon/graphdriver/vfs/copy_linux.go b/daemon/graphdriver/vfs/copy_linux.go
		101	index 7276b3837f..592825c1a5 100644
		102	--- a/daemon/graphdriver/vfs/copy_linux.go
		103	+++ b/daemon/graphdriver/vfs/copy_linux.go
		104	@@ -3,5 +3,5 @@ package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
		105	import "github.com/docker/docker/daemon/graphdriver/copy"
		106
		107	func dirCopy(srcDir, dstDir string) error {
		108	- return copy.DirCopy(srcDir, dstDir, copy.Content, false)
		109	+ return copy.DirCopy(srcDir, dstDir, copy.Content, false, true)
		110	}
		111	--
		112	2.40.0
		113