linux/meta-virtualization.git, branch scarthgap

podman: Upgrade 5.0.1 -> 5.0.3

2026-04-28T11:43:17+00:00

Upgrade podman to 5.0.3 to include some bugfixes and some security fix such as CVE-2024-3727 [1]. Release notes: Security This release addresses CVE-2024-3727, a vulnerability in the containers/image library which allows attackers to trigger authenticated registry access on behalf of the victim user. Bugfixes Fixed a bug where podman machine start would fail if the machine had a volume with a long target path (#22226). Fixed a bug where podman machine start mounted volumes with paths that included dashes in the wrong location (#22505). Misc Updated Buildah to v1.35.4 Updated the containers/common library to v0.58.3 Updated the containers/image library to v5.30.1 [1] https://github.com/containers/podman/releases/tag/v5.0.3 Signed-off-by: Mingli Yu Signed-off-by: Bruce Ashfield

containerd-opencontainers: align CVE_PRODUCT with NVD CPE naming

2026-04-28T11:41:21+00:00

Update CVE_PRODUCT from containerd to linuxfoundation:containerd in containerd-opencontainers recipe to match the vendor-qualified NVD CPE naming. This aligns with the master update[1] and avoids potential CVE lookup gaps caused by an unqualified product token. Reference: [1] https://git.yoctoproject.org/meta-virtualization/commit/?id=f829fbfda0f14365235d48dbe2055121fbc0718c Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield

cni: Add CVE_PRODUCT to align with NVD CPE

2026-04-28T11:41:21+00:00

`CVE_PRODUCT` has been set to `linuxfoundation:container_network_interface linuxfoundation:cni_network_plugins` to align with the product naming defined in the NVD CPE database for `cni`. The NVD CPE database contains product variants for this project under: `cpe:2.3:a:linuxfoundation:container_network_interface` `cpe:2.3:a:linuxfoundation:cni_network_plugins` The NVD references for these CPEs confirm that they correspond to the source code used in our recipe. Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield (cherry picked from commit 84c856c442e420a8fcaa9498d1f0dc2fe511cc01) Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield

criu: Add CVE_PRODUCT to align with NVD CPE

2026-04-28T11:41:21+00:00

CVE_PRODUCT has been set to criu:checkpoint/restore_in_userspace to align with the product naming used in the NVD CPE database for criu. The slash-containing product token is intentional as NVD references this project under checkpoint/restore_in_userspace. Only a single CPE entry exists in the NVD for this product: cpe:2.3:a:criu:checkpoint/restore_in_userspace Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield (cherry picked from commit 484a57d2df5d02e2cc64a7b7e03be93ffeaff8d4) Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield

go-distribution: Add CVE_PRODUCT to align with NVD CPE

2026-04-28T11:41:21+00:00

CVE_PRODUCT has been set to docker:registry to align with the NVD CPE product namespace for the distribution/registry codebase. Only a single CPE entry exists in the NVD for this product: cpe:2.3:a:docker:registry This ensures CVEs tracked for docker registry are matched for this recipe. Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield (cherry picked from commit f8bbbf1f7d7b5c7ef6b2c9c86a93cb44524bc740) Signed-off-by: Himanshu Jadon Signed-off-by: Bruce Ashfield

image-oci-unmoci: preserve file modes

2026-02-26T18:20:27+00:00

Based on the following patch: Subject: [meta-virtualization][PATCH] image-oci-umoci: preserve file modes in rootfs From: "Florian Wickert" cp does not preserve file modes by default. This will break sudo (among others) which needs the suid flag to do its work. This patch adds the --preserve=mode flag to the cp call to fix this. Signed-off-by: Florian Wickert Signed-off-by: Bruce Ashfield Signed-off-by: Adrian Freihofer Signed-off-by: Bruce Ashfield

docker-moby: Update to v25.0.9

2026-02-26T18:20:27+00:00

This is the latest point release of v25.0 that supports Go v1.22 Bumping moby to version v25.0.14, which comprises the following commits: 89a48b65fc Dockerfile: update runc binary to v1.2.5 aae4029600 update to go1.22.12 a2802d0746 update to go1.22.11 (fix CVE-2024-45341, CVE-2024-45336) 9281aea6ce ci: update base container to alpine20 for buildkit workflow b1d6fd957d gha: set arm64 GO_VERSION to 1.22.10 7540f88434 ci: switch from jenkins to gha for arm64 build and tests f8d9617c43 ci(bin-image): fix bake build bec5e8eed1 ci: update bake-action to v6 fcb50183e4 Dockerfile: update runc binary to v1.2.4 20af9f77a6 Dockerfile: update containerd to v1.7.25 7d20eee4fd Dockerfile: update runc binary to v1.2.3 eacc3610f9 libnetwork/drivers/bridge: setupIPChains: fix defer checking wrong err 842024e721 update xx to v1.6.1 for compatibility with alpine 3.21 96b8a34d2b Dockerfile: update xx to v1.5.0 5ed63409a2 Dockerfile: update xx to v1.4.0 03885ae2c0 update to go1.22.10 ddc8a15eb5 Dockerd rootless: make {/etc,/var/run}/cdi available 6648f3a10e c8d/tag: Don't log a warning if the source image is not dangling 6f497b2d51 Dockerfile: update to runc v1.2.2 01c163d4ee Dockerfile: update containerd to v1.7.24 708c8dc304 gha: shorter time limits for smoke, validate f6bcbab7a1 gha: use "ubuntu-24.04" instead of "ubuntu-latest" 2de8143fa6 gha: dco: small tweaks to running the container e0857ef530 gha: dco: update ALPINE_VERSION to 3.20 1b7b596513 gha: build (binary), build (dynbinary): limit to 20 minutes 2e43cd5450 gha: dco: limit to 10 minutes bdb21cd779 integration: add wait 911478fb28 Jenkinsfile: modprobe br_netfilter 2278d180a7 daemon: use OwnCgroupPath in withCgroups a6d1d0693f vendor: github.com/golang-jwt/jwt/v4@v4.5.1 0ed4861f9c update to go1.22.9 2df019330c update runc binary to 1.1.14 e6de0b8f3b update runc binary to v1.1.13 cb56070132 volume: VolumesService.Create: fix log-level for debug logs 480b01a532 volume/mounts: fix anonymous volume not being labeled f7b7ec14b8 volume/service: change some logs to use structured logs 60eece38cd Fix: setup user chains even if there are running containers 54ac8bbe37 cmd/dockerd: Add workaround for OTEL meter leak 6e1af3d5d8 gha: remove stray double empty line 0eae0850ac gha: restrict cross and bin-image to 20 minutes e6a2c9bebb gha: add guardrails timeouts on all jobs 4b98bfd07d gha: buildkit: make sure expected Go version is installed ae548176dc update to go1.22.8 122682205f Dockerfile: update containerd binary to v1.7.22 9f102b3b5b Dockerfile: update containerd binary to v1.7.21 (static binaries and CI only) 75891766e4 man: dockerd: add description for --log-format option 3ec9003a14 Update dlv in the dev-env caef5cc70c Explicitly disable nvidia device injection for --gpus=0 34471d3259 seccomp: add riscv64 mapping to seccomp_linux.go bec84c9c31 update to go1.22.7 d0315c9824 golangci-lint: temporarily disable G115: integer overflow conversion ff546aff14 update golangci-lint to v1.60.2 15db81eeaa update to go1.22.6 23af4b75e9 hack/make/.binary: set CGO_LDFLAGS=-latomic for arm/v5 da8bfd963e hack/make/.binary: set CCGO_CFLAGS=-Wno-atomic-alignment for arm/v5 0ce4415ff2 daemon: fix non-constant format string in call (govet) 14a48ac308 api/types: fix non-constant format string in call (govet) c50e7e6ca2 api/server/router: fix non-constant format string in call (govet) 2a4ea4749d container/stream: fix non-constant format string in call (govet) b536253047 libnetwork/drivers/bridge: fix non-constant format string in call (govet) 3216abd8db volume/testutils: fix non-constant format string in call (govet) dd5a6fdbac builder/dockerfile: parseChownFlag: fix non-constant format string in call (govet) 0c5e131330 layer: ignore G602: slice index out of range (gosec) b50a85d0ed cmd/dockerd: fix non-constant format string in call (govet) 8105391708 libnetwork: fix non-constant format string in call (govet) 6209d5bd68 integration-cli: fix non-constant format string in call (govet) 25cffb9dec integration-cli: DockerSwarmSuite: rm redundant Fprintf, handle errors 21279f652e integration-cli: DockerNetworkSuite: rm redundant Fprintf, handle errors a27066d1ca integration-cli: use erors.New() instead of fmt.Errorf e88d4ea298 libnetwork: TestDNSOptions: remove redundant skip check 613d955d38 integration-cli: remove redundant platform checks e962b3e06e update to go1.21.13 33dbea3c37 vendor: github.com/Microsoft/go-winio v0.6.2 5e46424b29 vendor: golang.org/x/tools v0.16.0 5ca50f5c24 vendor: golang.org/x/mod v0.17.0 a599caf7e9 update golangci-lint to v1.59.1 89903672a7 pkg/archive: reformat code to make #nosec comment work again dbf6db9306 builder/remotecontext: reformat code to make #nosec comment work again 55a4cadaa5 man: create parent directories in install recipe 042dad56d0 man: support bringing your own go-md2man 553d915ef4 man: build dockerd man pages using make c70f626351 Removed all mentions of "please" from docs and messages 5966382473 docs: add default-network-opt daemon option 3edc25412a docs: remove devicemapper 65906e44b0 man/dockerd.8: assorted formatting fixes a298720e8f man/dockerd.8: escape asterisks and underscores 88a3e540c9 docs: update dockerd usage output for new proxy-options 90fc11f69a Fix styling of arguments 182df40d13 Fix the max-concurrent-downloads and max-concurrent-uploads configs documentation 2544c68655 docs: remove documentation about deprecated cluster-store be77069539 Document `--validate` daemon option 0299ca1d73 Update man-page source MarkDown to work with go-md2man v2 aff4659c67 docs: update for cgroup v2 and rootless c47231e5cf docker run: specify cgroup namespace mode with --cgroupns 962f331e76 daemon: document --max-download-attempts option 71f9bfe47f Update document links and title. 017213c2b0 Allow user to specify default address pools for docker networks This is separate commit for CLI files to address PR 36054 210f03082b Update docs and completion-scripts for deprecated features 2f78133a0a Added docs for dockerd 675593bb4f fix a number of minor typos 9c291b1745 Introduce/document new IPC modes a23ff1bb1a docs: add documentation for dm.libdm_log_level c78cecd77f Restore dockerd man page f14cf10618 gha: set permissions to read-only by default 0cd951e4dd api: adjust health start interval on swarm update d151b0f87f vendor: OTEL v0.46.1 / v1.21.0 30f8908102 github/ci: Check if backport is opened against the expected branch 7454d6a2e6 ci: update workflow artifacts retention e8ecb9c76d update containerd binary to v1.7.20 e6cae1f237 update containerd binary to v1.7.19 8ec448db6b update containerd binary to v1.7.18 274310807e integration/TestDiskUsage: Make 4096 also a 'empty' value 886e726984 Dockerfile: update containerd binary to v1.7.17 (static binaries and CI only) a0f0f7e77e update containerd binary to v1.7.15 91903e81ca If url includes scheme, urlPath will drop hostname, which would not match the auth check ccfe0a41d4 Authz plugin security fixes for 0-length content and path validation Signed-off-by: Jameson Hyde d046451b34 update to go1.21.12 [part 2] e16a25e442 update to go1.21.12 b1aac1b134 update to go1.21.11 fffbe84ded Makefile: Pass PAGER/GIT_PAGER variable 9f6600deed builder/mobyexporter: Add missing nil check 70fe516b46 don't depend on containerd platform.Parse to return a typed error f7ce828e9e Fix issue where node promotion could fail 98ddccbbfe apparmor: Allow confined runc to kill containers 637205391b update to go1.21.10 3d56d734db vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 0a2f5085ee vendor: cloud.google.com/go/logging v1.8.1 3141ea5c8b vendor: golang.org/x/mod v0.13.0, golang.org/x/tools v0.13.0 4f25076181 vendor: golang.org/x/sync v0.5.0 d93cc7edc0 nil dereference fix on image history Created value ee5909c2d0 vendor: golang.org/x/net v0.23.0 f37d6f5f48 vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0 fd828b6766 go.mod: golang.org/x/sys v0.18.0 584a30c772 awslogs: Replace depreacted WithEndpointResolver usage 60605eb1da vendor: bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs to v1.32.0 71b8e0339c vendor: bump github.com/aws/aws-sdk-go-v2 to v1.24.1 08e8912d7c ci/validate-pr: Use `::error::` command to print errors e2e670299f Fix cases where we are wrapping a nil error 935787c19c save: Remove platform from config descriptor bd19301d9e ci: Require changelog description 50bd133ad3 update to go1.21.9 a987bc5ad0 libnet: Don't forward to upstream resolvers on internal nw 20c205fd3a Environment variable to override resolv.conf path. 4be97233cc daemon: move getUnprivilegedMountFlags to internal package 7ed7e6caf6 plugin: fix mounting /etc/hosts when running in UserNS 81ad7062f0 rootless: fix `open /etc/docker/plugins: permission denied` 02d4ee3f9a Makefile: generate-files: fix check for empty TMP_OUT 478f6b097d volume: Don't decrement refcount below 0 d250e13945 builder-next: fix missing lock in ensurelayer d0d85f6438 daemon: overlay2: remove world writable permission from the lower file 0451b287dc Don't create endpoint config for MAC addr config migration d27fe2558d dockerd-rootless-setuptool.sh: check RootlessKit functionality 77de535364 Dockerfile: update RootlessKit to v2.0.2 2d347024d1 update to go1.21.8 f66b5f642e Test DNS on Windows 'nat' networks fa4ea308f0 c8d/windows: Temporarily skip two failing tests d66e0fb7b1 Set up DNS names for Windows default network 7a4abb8c77 ci: set codecov token 81a83f0544 Simplify macvlan/ipvlan integration test structure abcd6f8a46 Run the macvlan/ipvlan integration tests f7be6dcba6 integration: Reset `OTEL_EXPORTER_OTLP_ENDPOINT` for sub-daemons 10609544e5 update to go1.21.7 be59afce2d c8d/pull: Output truncated id for `Pulling fs layer` 97951c39fb c8d/pull: Don't emit `Downloading` with 0 progress 2001813571 c8d/pull: Emit `Pulling fs layer` 8e3bcf1974 pkg/streamformatter: Make `progressOutput` concurrency safe 27f36f42a4 builder/dockerfile: ADD with best-effort xattrs 1ae019fca2 Don't enforce new validation rules for existing networks c761353e7c Make 'internal' bridge networks accessible from host 10bc347b03 ci: Update `teststat` to v0.1.25 94137f6df5 client: fix connection-errors being shadowed by API version mismatch errors dd5faa9d4f ci: Make `find` for test reports more specific 012bfd33e5 client: doRequest: make sure we return a connection-error 3ec1946ce1 client: NegotiateAPIVersion: do not ignore (connection) errors from Ping 200a2c3576 client: fix TestPingWithError 70c05fe10c libcontainerd: change the digest used when restoring e85cef89fa api/pre-1.44: Default `ReadOnlyNonRecursive` to true a72294a668 mounts/validate: Don't check source exists with CreateMountpoint 9ee331235a integration: Add container.Output utility 5d9e13bc84 api: omit missing Created field from ImageInspect response bb66c3ca04 api/history: Mention empty `Created` fa3a64f2bc Set `Created` to `0001-01-01T00:00:00Z` on older API versions Signed-off-by: Félix Piédallu Signed-off-by: Bruce Ashfield

docker-moby: Update docker cli

2026-02-26T18:20:27+00:00

Bumping docker-cli to version v25.0.7-10-g43987fca48, which comprises the following commits: cdbfdc6025 update xx to v1.6.1 for compatibility with alpine 3.21 4b0e7ba9db Dockerfile: update xx to v1.5.0 d661d0449f Dockerfile: update to xx 1.4.0 190ebb5036 update to go1.22.10 0a98cba34b gha: update to macOS 13, add macOS 14 arm64 (Apple Silicon M1) 8b446aa5d0 update to go1.22.9 a0f4097740 docs: dockerd: add documentation for --log-format option 11634426e8 man: dockerd: add description for --log-format option 024b3c1e9b volume/update: require 1 argument/fix panic 718cd79a8a ci: update to go1.22.8 24c47bad80 gha: update codeql workflow to go1.22.7 52037f602b update to go1.22.7 b26009a92b update to go1.22.6 8a604b18a3 update to go1.21.13 06e1305fd7 scripts/build/plugins: don't override CGO_ENABLED set by .variables a73610dc4f run: fix GetList return empty issue for throttledevice 1924acea45 gha: set permissions to read-only by default 6fb9a5b264 tests: fix other flaky `connhelper` tests 956c112f16 tests: fix flaxy `TestCloseRunningCommand` test 02b482013c vendor: golang.org/x/net v0.23.0 e2dad1bd3f vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0 df5d652d99 vendor: golang.org/x/term v0.18.0 82a04c86b3 vendor: golang.org/x/sys v0.18.0 26850c6a89 ci/validate-pr: Use `::error::` command to print errors 73b9f1c0fb github/ci: Check if backport is opened against the expected branch de7a473c43 ci: Require changelog description ef3b190da3 ci: set DISABLE_WARN_OUTSIDE_CONTAINER=1 for CodeQL action 7e4a7b5477 ci: fix CodeQL 2.16.4 autobuild 0dd60b064f update to go1.21.12 a90d08534b Dockerfile: update ALPINE_VERSION to 3.20 1fbc90faf7 update to go1.21.11 c5aee98be7 update to go1.21.10 d379797cec gha: update to actions/upload-artifact@v4 f2918727a6 update to go1.21.9 c2be159764 vendor: github.com/docker/docker e63daec8672d (v25.0.5-dev) 690b1565fb bake: Add `windows/arm64` target to bin-image-cross 833128bce5 vendor: github.com/docker/docker 061aa95809be396a6 ce113a74af vendor: github.com/docker/docker 9e526bc3943c a3b6c9ea7e update to go1.21.8 956d15c723 Cleanup of dockerfiles, compose files and env vars 5a942fadcf Update gha runners and engines used in e2e tests 592c146cca testenv: Add DaemonAPIVersion helper 0735e78cc9 vendor: github.com/docker/docker 25.0.4-51e876cd96 e0dab5ce1e Dockerfile: update docker compose to v2.24.3 a25a9100f3 Minor test fixes necessary for eventually upgrading ci runners and engine version c87c4c96ec update to go1.21.7 c270556d44 Fixed typo in bash completion functions 1cddb2b03d docker stack: allow '=' separator in extra_hosts 8715d9a33a Avoid keeping @docker_cli_[UUID] files 9142b58351 docs: regenerate markdown 08eba2246c docs: update url scheme for reference docs 4fd2cf5f2d deps: update cli-docs-tool version (v0.7.0) e456704864 vendor: github.com/docker/docker v25.0.3 5428301e3f build(deps): Bump codecov/codecov-action from 3 to 4 1cbc218c05 tests: add plugin-socket-compatibility tests 2f6b5ada71 scripts: don't hardcode architecture in e2e script d8e07c9c47 tests: add tests for `cli-plugins/socket` 62b2963b80 vendor: github.com/docker/docker v25.0.2 71f2b0d109 vendor: github.com/docker/docker v25.0.1 617bc98c8d Add Linode docker volume plugin 4caf4de039 docs: update host-gateway-ip to use daemon.json instead of cli flag 6ab4781bd0 Dockerfile: update docker compose to v2.24.2 4e097c643d socket: return from loop after EOF Signed-off-by: Félix Piédallu Signed-off-by: Bruce Ashfield

docker-moby: Update libnetwork

2026-02-26T18:20:27+00:00

Bumping libnetwork to version v0.7.0-dev.3-1876-g3797618f, which comprises the following commits: 9a98d9c9 libnetwork: processEndpointDelete: Fix deadlock between getSvcRecords and processEndpointDelete Signed-off-by: Félix Piédallu Signed-off-by: Bruce Ashfield

Revert "docker-moby: Security fix for CVE-2024-41110"

2026-02-26T18:20:26+00:00

This reverts commit 78abd77b8695705e6e55266745c838bb665486de. Security fixes are backported in v25.0.9. Signed-off-by: Bruce Ashfield