Backport the container stack in Impish

This bug was fixed in the package docker.io - 20.10.7-0ubuntu1~20.04.1

---------------
docker.io (20.10.7-0ubuntu1~20.04.1) focal-security; urgency=medium

  * Backport version 20.10.7-0ubuntu1 from Impish (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Wed, 04 Aug 2021 16:07:47 -0300

This bug was fixed in the package docker.io - 20.10.7-0ubuntu1~18.04.1

---------------
docker.io (20.10.7-0ubuntu1~18.04.1) bionic-security; urgency=medium

  * Backport version 20.10.7-0ubuntu1 from Impish (LP: #1938908).
    - d/control: do not b-d on libbtrfs-dev, it is not available in Bionic.

 -- Lucas Kanashiro <email address hidden> Wed, 04 Aug 2021 16:22:59 -0300

This bug was fixed in the package docker.io - 20.10.7-0ubuntu1~21.04.1

---------------
docker.io (20.10.7-0ubuntu1~21.04.1) hirsute-security; urgency=medium

  * Backport version 20.10.7-0ubuntu1 from Impish (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Wed, 04 Aug 2021 09:24:19 -0300

FYI, a possible regression for 20.10.x: https://github.com/moby/moby/issues/41831

https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1939106 is related to this fix

While backporting docker.io/20.10.7-0ubuntu4 to Bionic, I noticed that a new runtime dependency (golang-github-ishidawataru-sctp-dev) was added to the golang-github-docker-docker-dev package and it is not available in Bionic. We have two options here:

1) Add golang-github-ishidawataru-sctp to Bionic. This is the best solution IMO, the package builds fine in Bionic (just need to downgrade debhelper from 12 to 11), there is no impact in the packages in the archive, and it will facilitate the future maintenance when we need to backport newer versions)

2) Roll back the changes introduced in docker.io/20.10.7-0ubuntu2. This would not compromise the quality of docker itself in Bionic because those changes were introduced to properly ship libnetwork component in the library package but it was only needed now in Impish due to the update of others golang packages. However, we would need to keep applying this change (the rollback) every time we need to backport a newer version of docker.io

Hello Lucas, or anyone else affected,

Accepted runc into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.1-0ubuntu2~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted runc into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.1-0ubuntu2~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted containerd into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/1.5.5-0ubuntu2~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted containerd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/1.5.5-0ubuntu2~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted docker.io into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/20.10.7-0ubuntu4~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted docker.io into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/20.10.7-0ubuntu4~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted runc (1.0.1-0ubuntu2~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-storage/1.15.8+dfsg1-1 (armhf, ppc64el, amd64, s390x, arm64)
opengcs/0.3.4+dfsg2-0ubuntu3.20.04.1 (armhf, ppc64el, amd64, s390x, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#runc

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted docker.io (20.10.7-0ubuntu4~21.04.1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-image/5.10.3-1ubuntu1 (ppc64el, arm64, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#docker.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted runc (1.0.1-0ubuntu2~21.04.1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-storage/1.24.8+dfsg1-1ubuntu1 (ppc64el, arm64, s390x, amd64, armhf)
golang-github-docker-go-connections/0.4.0-2 (ppc64el, arm64, s390x, amd64, armhf)
golang-github-containers-common/0.33.4+ds1-1 (amd64)
golang-github-containers-buildah/1.19.6+dfsg1-1 (ppc64el, arm64, s390x, amd64, armhf)
opengcs/0.3.4+dfsg2-0ubuntu6 (arm64, ppc64el, s390x, amd64, armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#runc

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

The uploads of docker.io that are currently in focal-proposed and hirsute-proposed do not include the fix for CVE-2021-41089 and so must not be released to updates.

Same for containerd and CVE-2021-41103. I think runc is probably OK though.

docker.io with the security fixes applied is already uploaded to bionic, focal and hirsute unapproved queues, we need the SRU team to accept them. The containerd package still needs to be updated, I'll be backporting version 1.5.5-0ubuntu3 from Impish which already contains the security fix.

Moreover, we will need to fix some packages in those stable releases because of the libcontainer API change in this new runc version. I'll check them out and add tasks for them in this bug.

I did backport containerd version 1.5.5-0ubuntu3 from Impish containing also the security fix. It is already in the unapproved queue of bionic, focal and hirsute.

The introduction of a new package golang-github-ishidawataru-sctp in SRU doesn't fall under any of the regular SRU exceptions, it is not a hardware-enablement package and it is not covered by name by any of the other SRU exceptions. It is a requirement for newer docker.io, but we would normally expect new docker dependencies to be vendored, not shipped as new external packages.

The justification given for this as a separate source package is that in addition to being a requirement for docker.io, which has an SRU exception, there are other packages such as podman which need it, so it should be packaged externally rather than embedded in docker.io. Since the introduction of a new package introduces no practical risk of regression, I am accepting this rationale.

Hello Lucas, or anyone else affected,

Accepted golang-github-ishidawataru-sctp into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/golang-github-ishidawataru-sctp/0.0+git20190723.7c296d4-3~ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted docker.io into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/20.10.7-0ubuntu5~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lucas, or anyone else affected,

Accepted docker.io into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/20.10.7-0ubuntu5~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted docker.io (20.10.7-0ubuntu4~21.04.1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-image/5.10.3-1ubuntu1 (ppc64el, s390x, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#docker.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted docker.io (20.10.7-0ubuntu5~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io/20.10.7-0ubuntu5~20.04.1 (arm64, s390x, ppc64el, amd64)
ubuntu-fan/0.12.13 (arm64, s390x, ppc64el, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#docker.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted docker.io (20.10.7-0ubuntu5~21.04.1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io/20.10.7-0ubuntu5~21.04.1 (ppc64el, arm64, s390x, amd64)
golang-github-containers-image/5.10.3-1ubuntu1 (ppc64el, arm64, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#docker.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

There is a golang-github-containers-image/5.10.3-1ubuntu1 regression in hirsute which is not directly caused by docker.io but it is blocking it. The tests are failing only on arm64, ppc64el and s390x due to LTO. The simple fix here is disabling LTO in this package.

The attached debdiff should fix the issue pointed above.

Thanks for the patch, Lucas. LGTM, +1.

Thanks for the review Sergio, package uploaded.

The following packages regressed because of a libcontainer API change in runc:

# Hirsute

- opengcs
- golang-github-containers-storage
- golang-github-containers-common
- golang-github-containers-buildah

# Focal

- opengcs
- golang-github-containers-storage

I'll be adding tasks for each of them.

golang-github-docker-go-connections is also blocking runc in Hirsute but the fix is sitting in proposed for a while but should be fixed once the new version of golang-github-containers-images disabling LTO is accepted. More info here:

https://bugs.launchpad.net/ubuntu/+source/golang-github-docker-go-connections/+bug/1930891

For opengcs in Hirsute, the patch used in Impish applied cleanly. Debdiff attached.

The attached debdiff fixed the API incompatibility in golang-github-containers-storage in Hirsute.

For golang-github-containers-common in Hirsute, I was able to backport an upstream patch to fix the build. However, it depends on golang-github-containers-storage version that I attached in the debdiff above

I was able to use basically the same patch used in Impish to fix the golang-github-containers-buildah build failure in Hirsute, just needed to do some refresh. Debdiff is attached.

To fix the opengcs regression in Focal I was able to reuse the patch applied in Impish and proposed here in this bug to also be applied in Hirsute. Debdiff attached.

For golang-github-containers-storage regression in Focal I needed to apply some very small changes to the upstream patch to backport it and fix the build issue (the codebase is a bit different). Debdiff is attached.

Review for opengcs-hirsute.debdiff:

LGTM, +1. I built it locally without problems. The patch seems correct as well.

Review for golang-github-containers-storage-hirsute.debdiff:

My only comment here (which also applies most of the other debdiffs) is that the "Author" DEP-3 header should reflect the upstream commit author. In this particular case, the author is Daniel J Walsh <email address hidden>.

Otherwise, LGTM. I built the package locally without problems.

All autopkgtests for the newly accepted containerd (1.5.5-0ubuntu3~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io/20.10.7-0ubuntu1~18.04.2 (amd64, i386, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#containerd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Hello Lucas, or anyone else affected,

Accepted docker.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/20.10.7-0ubuntu5~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted containerd (1.5.5-0ubuntu3~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

containerd/1.5.5-0ubuntu3~20.04.1 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#containerd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted docker.io (20.10.7-0ubuntu5~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io/20.10.7-0ubuntu5~18.04.1 (arm64, i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#docker.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

opengcs also needs to be patched in Bionic to support the new runc version. Debdiff applying the same patch used in other releases is attached.

All autopkgtests for the newly accepted golang-github-containers-image (5.10.3-1ubuntu2) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-buildah/1.19.6+dfsg1-1 (s390x, armhf, amd64, ppc64el, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#golang-github-containers-image

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted golang-github-ishidawataru-sctp (0.0+git20190723.7c296d4-3~ubuntu0.18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

docker.io/20.10.7-0ubuntu5~18.04.1 (i386, arm64, amd64)
docker.io/20.10.7-0ubuntu1~18.04.2 (s390x, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#golang-github-ishidawataru-sctp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Review for opengcs-bionic.debdiff:

LGTM, +1. The package builds fine locally with the patch. No need to forward it upstream, indeed.

Thanks, Lucas.

Thank you for the review Sergio, opengcs was already uploaded to bionic-unapproved.

I also needed to upload a new docker.io version targeting Bionic to fix the autopkgtest failure. To let the debootstrap command work we need to remove the debian-archive-keyring dependency from the basic-smoke test.

Hello Lucas, or anyone else affected,

Accepted docker.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/docker.io/20.10.7-0ubuntu5~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted docker.io (20.10.7-0ubuntu5~18.04.2) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-fan/0.12.10 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#docker.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Hello Lucas, or anyone else affected,

Accepted opengcs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opengcs/0.3.4+dfsg2-0ubuntu3.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Now there is no regression reported in any of the proposed-migration pages. All the packages needing changes to support the libcontainer API changes in runc built fine which I think it is enough validation for the SRUs here (we have links for all the builds in launchpad, let me know if I need to add all of them here for completeness).

Now, I'll execute the Test Plan section which is basically running autopkgtest of runc/containerd/docker.io in all releases and report the outcome here.

===== Hirsute =====

# runc

ubuntu@hirsute:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="21.04 (Hirsute Hippo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 21.04"
VERSION_ID="21.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=hirsute
UBUNTU_CODENAME=hirsute
ubuntu@hirsute:~$ sudo autopkgtest --apt-pocket=proposed runc -- null
autopkgtest [16:44:26]: starting date: 2021-10-25
autopkgtest [16:44:26]: version 5.16ubuntu0.1
autopkgtest [16:44:26]: host hirsute; command line: /usr/bin/autopkgtest --apt-pocket=proposed runc -- null
autopkgtest [16:44:26]: @@@@@@@@@@@@@@@@@@@@ test bed setup
Hit:1 http://archive.ubuntu.com/ubuntu hirsute-proposed InRelease
Get:2 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages [59.3 kB]
Get:3 http://archive.ubuntu.com/ubuntu hirsute-proposed/main Translation-en [16.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 c-n-f Metadata [1524 B]
Get:5 http://archive.ubuntu.com/ubuntu hirsute-proposed/restricted amd64 Packages [45.8 kB]
Get:6 http://archive.ubuntu.com/ubuntu hirsute-proposed/restricted Translation-en [6896 B]
Get:7 http://archive.ubuntu.com/ubuntu hirsute-proposed/restricted amd64 c-n-f Metadata [116 B]
Get:8 http://archive.ubuntu.com/ubuntu hirsute-proposed/universe amd64 Packages [27.9 kB]
Get:9 http://archive.ubuntu.com/ubuntu hirsute-proposed/universe Translation-en [15.1 kB]
Get:10 http://archive.ubuntu.com/ubuntu hirsute-proposed/universe amd64 c-n-f Metadata [1624 B]
Get:11 http://archive.ubuntu.com/ubuntu hirsute-proposed/multiverse amd64 Packages [1488 B]
Get:12 http://archive.ubuntu.com/ubuntu hirsute-proposed/multiverse Translation-en [3788 B]
Get:13 http://archive.ubuntu.com/ubuntu hirsute-proposed/multiverse amd64 c-n-f Metadata [116 B]
Fetched 180 kB in 2s (96.6 kB/s)
Reading package lists... Done
autopkgtest [16:44:29]: testbed dpkg architecture: amd64
autopkgtest [16:44:29]: testbed running kernel: Linux 5.11.0-37-generic #41-Ubuntu SMP Mon Sep 20 16:39:20 UTC 2021
autopkgtest [16:44:29]: @@@@@@@@@@@@@@@@@@@@ apt-source runc
Get:1 http://archive.ubuntu.com/ubuntu hirsute-proposed/main runc 1.0.1-0ubuntu2~21.04.1 (dsc) [2454 B]
Get:2 http://archive.ubuntu.com/ubuntu hirsute-proposed/main runc 1.0.1-0ubuntu2~21.04.1 (tar) [1413 kB]
Get:3 http://archive.ubuntu.com/ubuntu hirsute-proposed/main runc 1.0.1-0ubuntu2~21.04.1 (diff) [8836 B]
gpgv: Signature made Wed Sep 22 18:13:43 2021 -03
gpgv: using RSA key 8ED6C3F8BAC9DB7FC130A870F823A2729883C97C
gpgv: issuer "<email address hidden>"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./runc_1.0.1-0ubuntu2~21.04.1.dsc
autopkgtest [16:44:32]: testing package runc version 1.0.1-0ubuntu2~21.04.1
...
autopkgtest [16:44:59]: @@@@@@@@@@@@@@@@@@@@ summary
basic-smoke PASS
command1 PASS

# containerd

ubuntu@hirsute:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="21.04 (Hirsute Hippo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 21.04"
V...

===== Focal =====

# runc

ubuntu@focal:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
ubuntu@focal:~$ sudo autopkgtest --apt-pocket=proposed runc -- null
autopkgtest [17:08:32]: version 5.11ubuntu1.1
autopkgtest [17:08:32]: host focal; command line: /usr/bin/autopkgtest --apt-pocket=proposed runc -- null
autopkgtest [17:08:32]: @@@@@@@@@@@@@@@@@@@@ test bed setup
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed InRelease [267 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages [87.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-proposed/main Translation-en [23.0 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 c-n-f Metadata [1200 B]
Get:5 http://archive.ubuntu.com/ubuntu focal-proposed/restricted amd64 Packages [75.8 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-proposed/restricted Translation-en [10.9 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-proposed/restricted amd64 c-n-f Metadata [116 B]
Get:8 http://archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages [43.4 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-proposed/universe Translation-en [19.6 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-proposed/universe amd64 c-n-f Metadata [1948 B]
Get:11 http://archive.ubuntu.com/ubuntu focal-proposed/multiverse Translation-en [3404 B]
Get:12 http://archive.ubuntu.com/ubuntu focal-proposed/multiverse amd64 c-n-f Metadata [116 B]
Fetched 534 kB in 2s (259 kB/s)
Reading package lists... Done
autopkgtest [17:08:38]: testbed dpkg architecture: amd64
autopkgtest [17:08:38]: testbed running kernel: Linux 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021
autopkgtest [17:08:38]: @@@@@@@@@@@@@@@@@@@@ apt-source runc
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main runc 1.0.1-0ubuntu2~20.04.1 (dsc) [2454 B]
Get:2 http://archive.ubuntu.com/ubuntu focal-proposed/main runc 1.0.1-0ubuntu2~20.04.1 (tar) [1413 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-proposed/main runc 1.0.1-0ubuntu2~20.04.1 (diff) [8836 B]
gpgv: Signature made Wed Sep 22 18:09:55 2021 -03
gpgv: using RSA key 8ED6C3F8BAC9DB7FC130A870F823A2729883C97C
gpgv: issuer "<email address hidden>"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./runc_1.0.1-0ubuntu2~20.04.1.dsc
autopkgtest [17:08:42]: testing package runc version 1.0.1-0ubuntu2~20.04.1
...
autopkgtest [17:09:13]: @@@@@@@@@@@@@@@@@@@@ summary
basic-smoke PASS
command1 PASS

# containerd

ubuntu@focal:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_P...

===== Bionic =====

# runc

ubuntu@bionic:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
ubuntu@bionic:~$ sudo autopkgtest --apt-pocket=proposed runc -- null
autopkgtest [17:15:55]: version 5.3.1ubuntu1.1
autopkgtest [17:15:55]: host bionic; command line: /usr/bin/autopkgtest --apt-pocket=proposed runc -- null
autopkgtest [17:15:55]: @@@@@@@@@@@@@@@@@@@@ test bed setup
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed InRelease [242 kB]
Fetched 242 kB in 2s (148 kB/s)
Reading package lists... Done
autopkgtest [17:15:59]: testbed dpkg architecture: amd64
autopkgtest [17:15:59]: testbed running kernel: Linux 4.15.0-159-generic #167-Ubuntu SMP Tue Sep 21 08:55:05 UTC 2021
autopkgtest [17:15:59]: @@@@@@@@@@@@@@@@@@@@ apt-source runc
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/universe runc 1.0.1-0ubuntu2~18.04.1 (dsc) [2445 B]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/universe runc 1.0.1-0ubuntu2~18.04.1 (tar) [1413 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-proposed/universe runc 1.0.1-0ubuntu2~18.04.1 (diff) [9000 B]
gpgv: Signature made Wed Sep 22 18:04:05 2021 -03
gpgv: using RSA key 8ED6C3F8BAC9DB7FC130A870F823A2729883C97C
gpgv: issuer "<email address hidden>"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./runc_1.0.1-0ubuntu2~18.04.1.dsc
autopkgtest [17:16:02]: testing package runc version 1.0.1-0ubuntu2~18.04.1
...
autopkgtest [17:16:40]: @@@@@@@@@@@@@@@@@@@@ summary
basic-smoke PASS
command1 PASS

# containerd

ubuntu@bionic:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
ubuntu@bionic:~$ sudo autopkgtest --apt-pocket=proposed containerd -- null
autopkgtest [17:16:59]: version 5.3.1ubuntu1.1
autopkgtest [17:16:59]: host bionic; command line: /usr/bin/autopkgtest --apt-pocket=proposed containerd -- null
autopkgtest [17:16:59]: @@@@@@@@@@@@@@@@@@@@ test bed setup
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed InRelease [242 kB]
Fetched 242 kB in 2s (152 kB/s)
Reading package lists... Done
autopkgtest [17:17:02]: testbed dpkg architecture: amd64
autopkgtest [17:17:02]: testbed running kernel: Linux 4.15.0-159-generic #167-Ubuntu SMP Tue Sep 21 08:55:05 UTC 2021
autopkgtest [17:17:02]: @@@@@@@@@@@@@@@@@@@@ apt-source containerd
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/universe containerd 1.5.5-0ubuntu3~18.04.1 (dsc) [2429 B]
Get:2 http://archive.ubuntu.com/ubuntu bioni...

Hi,

I'm seeing a problem with docker.io 20.10.7-0ubuntu5~20.04.1 when running autotest-client-test/ubuntu_performance_deep_learning

https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1948361

Please let me know if I can provide any further information or any potential solutions

Thanks,
Ian

This works for me:
docker.io/focal-proposed,now 20.10.7-0ubuntu5~20.04.1 amd64 [installed]

The original error I had during a 'docker build' was:

Errors during downloading metadata for repository 'fedora':
  - Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-35&arch=x86_64 [getaddrinfo() thread failed to start]
The command '/bin/sh -c dnf install --assumeyes git make valgrind diffutils which findutils langpacks-en && dnf clean all' returned a non-zero code: 1

tags: added: verification-done-focal
removed: verification-needed-focal

All autopkgtests for the newly accepted golang-github-containers-common (0.33.4+ds1-1ubuntu1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-buildah/1.19.6+dfsg1-1 (arm64, armhf, amd64, s390x, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#golang-github-containers-common

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted golang-github-containers-buildah (1.19.6+dfsg1-1ubuntu1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

golang-github-containers-buildah/1.19.6+dfsg1-1ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#golang-github-containers-buildah

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

This bug was fixed in the package containerd - 1.5.5-0ubuntu3~21.04.1

---------------
containerd (1.5.5-0ubuntu3~21.04.1) hirsute; urgency=medium

  * Backport version 1.5.5-0ubuntu3 from Impish (LP: #1938908).

containerd (1.5.5-0ubuntu3) impish; urgency=medium

  * SECURITY UPDATE: insufficiently restricted directory permissions
    - debian/patches/1.5-reduce-directory-permissions.patch: reduce
      permissions for bundle dir in runtime/v1/linux/bundle.go,
      runtime/v1/linux/bundle_test.go, runtime/v2/bundle.go,
      runtime/v2/bundle_default.go, runtime/v2/bundle_linux.go,
      runtime/v2/bundle_linux_test.go, runtime/v2/bundle_test.go,
      snapshots/btrfs/btrfs.go.
    - CVE-2021-41103

containerd (1.5.5-0ubuntu2) impish; urgency=medium

  * d/p/seccomp-support-clone3-syscall.patch: clone3 is explicitly requested
    to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
    (LP: #1943049).

 -- Lucas Kanashiro <email address hidden> Fri, 08 Oct 2021 11:37:00 -0300

This bug was fixed in the package opengcs - 0.3.4+dfsg2-0ubuntu6.21.04.1

---------------
opengcs (0.3.4+dfsg2-0ubuntu6.21.04.1) hirsute; urgency=medium

  * d/p/0003-Add-support-for-runc-1.0.x.patch: Comply with the libcontainer
    API changes introduced in runc 1.0.x (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Fri, 15 Oct 2021 17:12:23 -0300

This bug was fixed in the package golang-github-containers-common - 0.33.4+ds1-1ubuntu1

---------------
golang-github-containers-common (0.33.4+ds1-1ubuntu1) hirsute; urgency=medium

  * d/p/support-runc-1.x.patch: Add patch to comply with API changes in
    libcontainer inside runc (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Fri, 15 Oct 2021 18:12:13 -0300

This bug was fixed in the package golang-github-containers-storage - 1.24.8+dfsg1-1ubuntu2

---------------
golang-github-containers-storage (1.24.8+dfsg1-1ubuntu2) hirsute; urgency=medium

  * d/p/support-runc-1.0.1.patch: Add patch to comply with API changes in
    libcontainer inside runc (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Fri, 15 Oct 2021 17:49:47 -0300

This bug was fixed in the package golang-github-containers-buildah - 1.19.6+dfsg1-1ubuntu1

---------------
golang-github-containers-buildah (1.19.6+dfsg1-1ubuntu1) hirsute; urgency=medium

  * d/p/support-runc-1.0.1.patch: Add patch to comply with API changes in
    libcontainer inside runc (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Fri, 15 Oct 2021 18:29:47 -0300

This bug was fixed in the package golang-github-containers-image - 5.10.3-1ubuntu2

---------------
golang-github-containers-image (5.10.3-1ubuntu2) hirsute; urgency=medium

  * d/rules: disable LTO, this is blocking docker.io migration (LP: #1938908)

 -- Lucas Kanashiro <email address hidden> Fri, 15 Oct 2021 16:20:47 -0300

This bug was fixed in the package docker.io - 20.10.7-0ubuntu5~21.04.1

---------------
docker.io (20.10.7-0ubuntu5~21.04.1) hirsute; urgency=medium

  * Backport version 20.10.7-0ubuntu5 from Impish (LP: #1938908).

docker.io (20.10.7-0ubuntu5) impish; urgency=medium

  [ Sergio Durigan Junior ]
  * d/t/docker-in-lxd:
    Improve dep8 test. Make it run a more complex test against an
    ubuntu:devel docker container, especially because glibc updates might
    break docker.io. Improve test reliability when running autopkgtest
    locally.

  [ Steve Beattie ]
  * SECURITY UPDATE: insufficiently restricted directory permissions
    - d/p/CVE-2021-41091.patch: Lock down docker root dir perms.
    - CVE-2021-41091
  * SECURITY UPDATE: permissions modifications outside of install directory
    - d/p/CVE-2021-41089.patch: chrootarchive: don't create parent dirs
      outside of chroot.
    - CVE-2021-41089

docker.io (20.10.7-0ubuntu4) impish; urgency=medium

  * d/p/seccomp-add-support-for-clone3-syscall-in-default-policy.patch: Fix
    failure with new glibc clone3 syscall adding it to the default seccomp
    policy (LP: #1943049).

 -- Lucas Kanashiro <email address hidden> Wed, 06 Oct 2021 10:41:32 -0300

This bug was fixed in the package runc - 1.0.1-0ubuntu2~21.04.1

---------------
runc (1.0.1-0ubuntu2~21.04.1) hirsute; urgency=medium

  * Backport version 1.0.1-0ubuntu2 from Impish (LP: #1938908).

runc (1.0.1-0ubuntu2) impish; urgency=medium

  * d/p/test--skip-fs-related-cgroups-tests.patch: skip a new cgroups related
    test. It requires permission to write in /sys/fs/cgroup/memory during its
    execution.

 -- Lucas Kanashiro <email address hidden> Tue, 21 Sep 2021 17:55:39 -0300

The verification of the Stable Release Update for containerd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package containerd - 1.5.5-0ubuntu3~20.04.1

---------------
containerd (1.5.5-0ubuntu3~20.04.1) focal; urgency=medium

  * Backport version 1.5.5-0ubuntu3 from Impish (LP: #1938908).
    - d/rules: set GO111MODULE to off, this avoid Internet connection during
      the build.

containerd (1.5.5-0ubuntu3) impish; urgency=medium

  * SECURITY UPDATE: insufficiently restricted directory permissions
    - debian/patches/1.5-reduce-directory-permissions.patch: reduce
      permissions for bundle dir in runtime/v1/linux/bundle.go,
      runtime/v1/linux/bundle_test.go, runtime/v2/bundle.go,
      runtime/v2/bundle_default.go, runtime/v2/bundle_linux.go,
      runtime/v2/bundle_linux_test.go, runtime/v2/bundle_test.go,
      snapshots/btrfs/btrfs.go.
    - CVE-2021-41103

containerd (1.5.5-0ubuntu2) impish; urgency=medium

  * d/p/seccomp-support-clone3-syscall.patch: clone3 is explicitly requested
    to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
    (LP: #1943049).

 -- Lucas Kanashiro <email address hidden> Fri, 08 Oct 2021 11:45:38 -0300

This bug was fixed in the package golang-github-containers-storage - 1.15.8+dfsg1-1ubuntu1

---------------
golang-github-containers-storage (1.15.8+dfsg1-1ubuntu1) focal; urgency=medium

  * d/p/support-runc-1.x.patch: Add patch to comply with API changes in
    libcontainer inside runc (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Mon, 18 Oct 2021 09:29:32 -0300

This bug was fixed in the package opengcs - 0.3.4+dfsg2-0ubuntu3.20.04.2

---------------
opengcs (0.3.4+dfsg2-0ubuntu3.20.04.2) focal; urgency=medium

  * d/p/0003-Add-support-for-runc-1.0.x.patch: Comply with the libcontainer
    API changes introduced in runc 1.0.x (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Mon, 18 Oct 2021 09:06:05 -0300

This bug was fixed in the package docker.io - 20.10.7-0ubuntu5~20.04.1

---------------
docker.io (20.10.7-0ubuntu5~20.04.1) focal; urgency=medium

  * Backport version 20.10.7-0ubuntu5 from Impish (LP: #1938908).

docker.io (20.10.7-0ubuntu5) impish; urgency=medium

  [ Sergio Durigan Junior ]
  * d/t/docker-in-lxd:
    Improve dep8 test. Make it run a more complex test against an
    ubuntu:devel docker container, especially because glibc updates might
    break docker.io. Improve test reliability when running autopkgtest
    locally.

  [ Steve Beattie ]
  * SECURITY UPDATE: insufficiently restricted directory permissions
    - d/p/CVE-2021-41091.patch: Lock down docker root dir perms.
    - CVE-2021-41091
  * SECURITY UPDATE: permissions modifications outside of install directory
    - d/p/CVE-2021-41089.patch: chrootarchive: don't create parent dirs
      outside of chroot.
    - CVE-2021-41089

docker.io (20.10.7-0ubuntu4) impish; urgency=medium

  * d/p/seccomp-add-support-for-clone3-syscall-in-default-policy.patch: Fix
    failure with new glibc clone3 syscall adding it to the default seccomp
    policy (LP: #1943049).

 -- Lucas Kanashiro <email address hidden> Wed, 06 Oct 2021 10:53:57 -0300

This bug was fixed in the package runc - 1.0.1-0ubuntu2~20.04.1

---------------
runc (1.0.1-0ubuntu2~20.04.1) focal; urgency=medium

  * Backport version 1.0.1-0ubuntu2 from Impish (LP: #1938908).

runc (1.0.1-0ubuntu2) impish; urgency=medium

  * d/p/test--skip-fs-related-cgroups-tests.patch: skip a new cgroups related
    test. It requires permission to write in /sys/fs/cgroup/memory during its
    execution.

 -- Lucas Kanashiro <email address hidden> Tue, 21 Sep 2021 18:00:11 -0300

This bug was fixed in the package containerd - 1.5.5-0ubuntu3~18.04.1

---------------
containerd (1.5.5-0ubuntu3~18.04.1) bionic; urgency=medium

  * Backport version 1.5.5-0ubuntu3 from Impish (LP: #1938908).
    - d/control: do not b-d on libbtrfs-dev, it is not available in Bionic.
    - d/control: b-d on golang-1.13-go instead of golang-go.
    - d/rules: set GO111MODULE to off, to avoid Internet connection during the
      build.

containerd (1.5.5-0ubuntu3) impish; urgency=medium

  * SECURITY UPDATE: insufficiently restricted directory permissions
    - debian/patches/1.5-reduce-directory-permissions.patch: reduce
      permissions for bundle dir in runtime/v1/linux/bundle.go,
      runtime/v1/linux/bundle_test.go, runtime/v2/bundle.go,
      runtime/v2/bundle_default.go, runtime/v2/bundle_linux.go,
      runtime/v2/bundle_linux_test.go, runtime/v2/bundle_test.go,
      snapshots/btrfs/btrfs.go.
    - CVE-2021-41103

containerd (1.5.5-0ubuntu2) impish; urgency=medium

  * d/p/seccomp-support-clone3-syscall.patch: clone3 is explicitly requested
    to give ENOSYS instead of the default EPERM, when CAP_SYS_ADMIN is unset.
    (LP: #1943049).

 -- Lucas Kanashiro <email address hidden> Fri, 08 Oct 2021 11:55:12 -0300

This bug was fixed in the package golang-github-ishidawataru-sctp - 0.0+git20190723.7c296d4-3~ubuntu0.18.04.1

---------------
golang-github-ishidawataru-sctp (0.0+git20190723.7c296d4-3~ubuntu0.18.04.1) bionic; urgency=medium

  * Backport to Bionic. This is needed by the docker.io package (LP: #1938908).
    - Downgrade debhelper compatibility level to 11.

golang-github-ishidawataru-sctp (0.0+git20190723.7c296d4-3) unstable; urgency=medium

  * Ignore test failures, test fail on buildd.

 -- Lucas Kanashiro <email address hidden> Wed, 22 Sep 2021 11:04:30 -0300

This bug was fixed in the package opengcs - 0.3.4+dfsg2-0ubuntu3.18.04.2

---------------
opengcs (0.3.4+dfsg2-0ubuntu3.18.04.2) bionic; urgency=medium

  * d/p/0003-Add-support-for-runc-1.0.x.patch: Comply with the libcontainer
    API changes introduced in runc 1.0.x (LP: #1938908).

 -- Lucas Kanashiro <email address hidden> Wed, 20 Oct 2021 11:54:32 -0300

This bug was fixed in the package runc - 1.0.1-0ubuntu2~18.04.1

---------------
runc (1.0.1-0ubuntu2~18.04.1) bionic; urgency=medium

  * Backport version 1.0.1-0ubuntu2 from Impish (LP: #1938908).
    - Build with Golang 1.13
      + d/control: b-d on golang-1.13-go instead of golang-any.
      + d/rules: add Golang 1.13 to $PATH.
    - d/rules: set GOPATH to a temporary directory.
    - d/rules: set GO111MODULE to off, to avoid Internet connection during the
      build.

runc (1.0.1-0ubuntu2) impish; urgency=medium

  * d/p/test--skip-fs-related-cgroups-tests.patch: skip a new cgroups related
    test. It requires permission to write in /sys/fs/cgroup/memory during its
    execution.

 -- Lucas Kanashiro <email address hidden> Tue, 21 Sep 2021 18:04:02 -0300

This bug was fixed in the package docker.io - 20.10.7-0ubuntu5~18.04.2

---------------
docker.io (20.10.7-0ubuntu5~18.04.2) bionic; urgency=medium

  * d/t/control: make basic-smoke do not depend on debian-archive-keyring.
    In Bionic, when debian-archive-keyring is installed we are not able to
    debootstrap a Debian stable chroot. Removing this dependency make it
    work again.

docker.io (20.10.7-0ubuntu5~18.04.1) bionic; urgency=medium

  * Backport version 20.10.7-0ubuntu5 from Impish (LP: #1938908).
    - d/control: do not b-d on libbtrfs-dev, it is not available in Bionic.

docker.io (20.10.7-0ubuntu5) impish; urgency=medium

  [ Sergio Durigan Junior ]
  * d/t/docker-in-lxd:
    Improve dep8 test. Make it run a more complex test against an
    ubuntu:devel docker container, especially because glibc updates might
    break docker.io. Improve test reliability when running autopkgtest
    locally.

  [ Steve Beattie ]
  * SECURITY UPDATE: insufficiently restricted directory permissions
    - d/p/CVE-2021-41091.patch: Lock down docker root dir perms.
    - CVE-2021-41091
  * SECURITY UPDATE: permissions modifications outside of install directory
    - d/p/CVE-2021-41089.patch: chrootarchive: don't create parent dirs
      outside of chroot.
    - CVE-2021-41089

docker.io (20.10.7-0ubuntu4) impish; urgency=medium

  * d/p/seccomp-add-support-for-clone3-syscall-in-default-policy.patch: Fix
    failure with new glibc clone3 syscall adding it to the default seccomp
    policy (LP: #1943049).

 -- Lucas Kanashiro <email address hidden> Thu, 21 Oct 2021 16:55:00 -0300