[21.11] docker: 2.10.9 -> 20.10.14 (for glibc 2.34 compatiblity!)

[blitz]

Description of changes

We've hit an issue on our build servers that run Docker on NixOS 21.11. The problem is that the docker 2.10.9 is incompatible with glibc 2.34. The symptom is that applications using glibc 2.34 will die with EPERM from a clone3 system call.

Ironically, this prevents new Nix binaries from working. We noticed the issue when even nix-shell --version would just die with Permission denied.

Information on the issue can be found here:

• Docker incompatibility with glibc-2.34 actions/runner-images#4193 (for context)
• [20.10 backport] seccomp: add support for "clone3" syscall in default policy moby/moby#42836
• https://github.com/moby/moby/releases/tag/v20.10.10 (see the Runtime section)

I've backported from master:

• 18d0fe9
• b73b403
• 3d25f04
• ae79018

This brings docker to 2.10.14. According to their release notes, this also fixes two security issues:

• CVE-2021-41190
• CVE-2022-24769

Will mark as ready for review when the tests completed.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[blitz]

nix-build -A nixosTests.docker is happy. I'm currently running nixpkgs-review.

[blitz]

nixpkgs-review is also happy:

❯ nixpkgs-review pr 170900
$ git -c fetch.prune=false fetch --no-tags --force https://github.com/NixOS/nixpkgs release-21.11:refs/nixpkgs-review/0 pull/170900/head:refs/nixpkgs-review/1
$ git worktree add /home/julian/.cache/nixpkgs-review/pr-170900-2/nixpkgs 837913deb2a4f21cfa8f2cb2f72ba5fae39b7e40
Preparing worktree (detached HEAD 837913deb2a4)
Updating files: 100% (29051/29051), done.
HEAD is now at 837913deb2a4 Merge pull request #170759 from NixOS/backport-169937-to-release-21.11
$ git merge --no-commit --no-ff 4f66697ff43753b55f68311c0839b6d27c133e62
Automatic merge went well; stopped before committing as requested
$ nix --experimental-features nix-command build --no-link --keep-going --option build-use-sandbox relaxed -f /home/julian/.cache/nixpkgs-review/pr-170900-2/build.nix

Link to currently reviewing PR:
https://github.com/NixOS/nixpkgs/pull/170900

12 packages built:
charliecloud docker docker-client docker-gc fn-cli grype nvidia-docker out-of-tree pipework python38Packages.jupyter-repo2docker python39Packages.jupyter-repo2docker tarsum

$ nix-shell /home/julian/.cache/nixpkgs-review/pr-170900-2/shell.nix