From 4f223337a5da48591119daf51269d77910f00b49 Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Fri, 3 Feb 2017 16:23:37 -0800
Subject: [PATCH 1/3] Update go-connections package

fixes #30450

Signed-off-by: Derek McGowan (github: dmcgowan)
---
vendor.conf | 2 +-
.../go-connections/sockets/unix_socket.go | 56 ++-----------------
.../go-connections/tlsconfig/certpool_go17.go | 2 +-
.../docker/go-connections/tlsconfig/config.go | 2 +-
4 files changed, 7 insertions(+), 55 deletions(-)

diff --git a/vendor.conf b/vendor.conf
index fb52f7bd0d..62e0ee0490 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -16,7 +16,7 @@ github.com/vdemeester/shakers 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
 golang.org/x/net c427ad74c6d7a814201695e9ffde0c5d400a7674
 golang.org/x/sys 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9
 github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
-github.com/docker/go-connections 4ccf312bf1d35e5dbda654e57a9be4c3f3cd0366
+github.com/docker/go-connections 7da10c8c50cad14494ec818dcdfb6506265c0086
 golang.org/x/text f72d8390a633d5dfb0cc84043294db9f6c935756
 github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5
diff --git a/vendor/github.com/docker/go-connections/sockets/unix_socket.go b/vendor/github.com/docker/go-connections/sockets/unix_socket.go
index d1627349f8..a8b5dbb6fd 100644
--- a/vendor/github.com/docker/go-connections/sockets/unix_socket.go
+++ b/vendor/github.com/docker/go-connections/sockets/unix_socket.go
@@ -1,30 +1,26 @@
-// +build linux freebsd solaris
+// +build !windows
 package sockets
 import (
- "fmt"
 "net"
 "os"
- "strconv"
 "syscall"
-
- "github.com/Sirupsen/logrus"
- "github.com/opencontainers/runc/libcontainer/user"
 )
 // NewUnixSocket creates a unix socket with the specified path and group.
-func NewUnixSocket(path, group string) (net.Listener, error) {
+func NewUnixSocket(path string, gid int) (net.Listener, error) {
 if err := syscall.Unlink(path); err != nil && !os.IsNotExist(err) {
 return nil, err
 }
 mask := syscall.Umask(0777)
 defer syscall.Umask(mask)
+
 l, err := net.Listen("unix", path)
 if err != nil {
 return nil, err
 }
- if err := setSocketGroup(path, group); err != nil {
+ if err := os.Chown(path, 0, gid); err != nil {
 l.Close()
 return nil, err
 }
@@ -34,47 +30,3 @@ func NewUnixSocket(path, group string) (net.Listener, error) {
 }
 return l, nil
 }
-
-func setSocketGroup(path, group string) error {
- if group == "" {
- return nil
- }
- if err := changeGroup(path, group); err != nil {
- if group != "docker" {
- return err
- }
- logrus.Debugf("Warning: could not change group %s to docker: %v", path, err)
- }
- return nil
-}
-
-func changeGroup(path string, nameOrGid string) error {
- gid, err := lookupGidByName(nameOrGid)
- if err != nil {
- return err
- }
- logrus.Debugf("%s group found. gid: %d", nameOrGid, gid)
- return os.Chown(path, 0, gid)
-}
-
-func lookupGidByName(nameOrGid string) (int, error) {
- groupFile, err := user.GetGroupPath()
- if err != nil {
- return -1, err
- }
- groups, err := user.ParseGroupFileFilter(groupFile, func(g user.Group) bool {
- return g.Name == nameOrGid || strconv.Itoa(g.Gid) == nameOrGid
- })
- if err != nil {
- return -1, err
- }
- if groups != nil && len(groups) > 0 {
- return groups[0].Gid, nil
- }
- gid, err := strconv.Atoi(nameOrGid)
- if err == nil {
- logrus.Warnf("Could not find GID %d", gid)
- return gid, nil
- }
- return -1, fmt.Errorf("Group %s not found", nameOrGid)
-}
diff --git a/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go b/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
index 352d342a89..1d5fa4c76d 100644
--- a/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
+++ b/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
@@ -14,7 +14,7 @@ import (
 func SystemCertPool() (*x509.CertPool, error) {
 certpool, err := x509.SystemCertPool()
 if err != nil && runtime.GOOS == "windows" {
- logrus.Warnf("Unable to use system certificate pool: %v", err)
+ logrus.Infof("Unable to use system certificate pool: %v", err)
 return x509.NewCertPool(), nil
 }
 return certpool, err
diff --git a/vendor/github.com/docker/go-connections/tlsconfig/config.go b/vendor/github.com/docker/go-connections/tlsconfig/config.go
index 8bbffcfd3f..44733ff506 100644
--- a/vendor/github.com/docker/go-connections/tlsconfig/config.go
+++ b/vendor/github.com/docker/go-connections/tlsconfig/config.go
@@ -118,7 +118,7 @@ func Server(options Options) (*tls.Config, error) {
 return nil, fmt.Errorf("Error reading X509 key pair (cert: %q, key: %q): %v. Make sure the key is not encrypted.", options.CertFile, options.KeyFile, err)
 }
 tlsConfig.Certificates = []tls.Certificate{tlsCert}
- if options.ClientAuth >= tls.VerifyClientCertIfGiven {
+ if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
 CAs, err := certPool(options.CAFile)
 if err != nil {
 return nil, err
From e5d77c64a2030fe4c5c1413b69b45f40a2347358 Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Tue, 7 Feb 2017 11:32:39 -0800
Subject: [PATCH 2/3] Convert socket group to int

Sockets interface has been updated to take in a the group id as an integer rather than a string.

Signed-off-by: Derek McGowan (github: dmcgowan)
---
pkg/listeners/listeners_unix.go | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkg/listeners/listeners_unix.go b/pkg/listeners/listeners_unix.go
index f1246e6b6f..6799b8d6ff 100644
--- a/pkg/listeners/listeners_unix.go
+++ b/pkg/listeners/listeners_unix.go
@@ -31,7 +31,12 @@ func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) ([]net.Listene
 }
 ls = append(ls, l)
 case "unix":
- l, err := sockets.NewUnixSocket(addr, socketGroup)
+
+ gid, err := strconv.Atoi(socketGroup)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse socket group id: should be a number: %v", socketGroup)
+ }
+ l, err := sockets.NewUnixSocket(addr, gid)
 if err != nil {
 return nil, fmt.Errorf("can't create unix socket %s: %v", addr, err)
 }
From bdf4cad1d1af6c6493440074d4007dcca7e7b8ae Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Thu, 9 Feb 2017 16:34:36 -0500
Subject: [PATCH 3/3] Do group lookup in listeners package

This used to be handled by go-connections, but now it only takes a group ID (int).

Signed-off-by: Brian Goff
---
pkg/listeners/group_unix.go | 32 ++++++++++++++++++++++++++++++
pkg/listeners/listeners_solaris.go | 6 +++++-
pkg/listeners/listeners_unix.go | 5 ++---
3 files changed, 39 insertions(+), 4 deletions(-)
create mode 100644 pkg/listeners/group_unix.go

diff --git a/pkg/listeners/group_unix.go b/pkg/listeners/group_unix.go
new file mode 100644
index 0000000000..183a0eb9d3
--- /dev/null
+++ b/pkg/listeners/group_unix.go
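Review bot: The `strconv.Atoi(socketGroup)` added in the listeners_unix.go hunk of patch 2/3 makes `Init` reject every non-numeric group, so a name like `docker`, which the go-connections code removed in patch 1/3 resolved and even special-cased, can no longer be passed, and an empty group, which that code treated as "skip the chown", now fails as well; patch 3/3 restores the name lookup but not the empty case. The error built on the next line also discards the parse error and formats a plain string with `%v`. If this commit is meant to stand on its own, `return nil, fmt.Errorf("can't parse socket group %q as a gid: %v", socketGroup, err)` would keep the detail. The blank line added right after `case "unix":` looks unintentional. Init's body starts and ends outside the hunk.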
@@ -0,0 +1,32 @@
+// +build !windows
+
+package listeners
+
+import (
+ "fmt"
+ "strconv"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/pkg/errors"
+)
+
+func lookupGID(name string) (int, error) {
+ groupFile, err := user.GetGroupPath()
+ if err != nil {
+ return -1, errors.Wrap(err, "error looking up groups")
+ }
+ groups, err := user.ParseGroupFileFilter(groupFile, func(g user.Group) bool {
+ return g.Name == name || strconv.Itoa(g.Gid) == name
+ })
+ if err != nil {
+ return -1, errors.Wrapf(err, "error parsing groups for %s", name)
+ }
+ if groups != nil && len(groups) > 0 {
+ return groups[0].Gid, nil
+ }
+ gid, err := strconv.Atoi(name)
+ if err == nil {
+ return gid, nil
+ }
+ return -1, fmt.Errorf("group %s not found", name)
+}
diff --git a/pkg/listeners/listeners_solaris.go b/pkg/listeners/listeners_solaris.go
index ff833e3741..58e43a0ac2 100644
--- a/pkg/listeners/listeners_solaris.go
+++ b/pkg/listeners/listeners_solaris.go
@@ -18,7 +18,11 @@ func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) (ls []net.List
 }
 ls = append(ls, l)
 case "unix":
- l, err := sockets.NewUnixSocket(addr, socketGroup)
+ gid, err := lookupGID(socketGroup)
+ if err != nil {
+ return nil, err
+ }
+ l, err := sockets.NewUnixSocket(addr, gid)
 if err != nil {
 return nil, fmt.Errorf("can't create unix socket %s: %v", addr, err)
 }
diff --git a/pkg/listeners/listeners_unix.go b/pkg/listeners/listeners_unix.go
index 6799b8d6ff..3e7bfcb1ec 100644
--- a/pkg/listeners/listeners_unix.go
+++ b/pkg/listeners/listeners_unix.go
@@ -31,10 +31,9 @@ func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) ([]net.Listene
 }
 ls = append(ls, l)
 case "unix":
-
- gid, err := strconv.Atoi(socketGroup)
+ gid, err := lookupGID(socketGroup)
 if err != nil {
- return nil, fmt.Errorf("failed to parse socket group id: should be a number: %v", socketGroup)
+ return nil, err
 }
 l, err := sockets.NewUnixSocket(addr, gid)
 if err != nil {
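Review bot: `lookupGID` in the new pkg/listeners/group_unix.go falls back to `strconv.Atoi(name)` and returns that number even when no group-file entry has it, and unlike the `lookupGidByName` it replaces (removed in patch 1/3, which at least logged `Could not find GID`) it does so silently; because both callers hand the result straight to `sockets.NewUnixSocket`, which chowns the socket to that gid, a mistyped numeric group quietly grants socket access to whatever gid that number later denotes, so the warning is worth keeping or the fallback worth turning into an error. An empty name now ends in `group  not found`, where the removed `setSocketGroup` returned nil for `""`, and a missing `docker` group, which the old code only debug-logged, now fails `Init` unless a caller outside this diff handles it — both are behaviour changes worth confirming. The function has no doc comment; `// lookupGID resolves a group name or numeric id string to a gid using the system group file, falling back to the literal number when no entry matches.` would do. `groups != nil && len(groups) > 0` can be just `len(groups) > 0`.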
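Review bot: The `lookupGID` error in the listeners_solaris.go hunk is returned bare while the `NewUnixSocket` failure two lines below is wrapped with the address, and lookupGID's own `error looking up groups` branch names neither the group nor the listener, so a failed daemon start would not say which socket or group was at fault. Wrapping it the same way, `return nil, fmt.Errorf("can't resolve socket group %q for %s: %v", socketGroup, addr, err)`, keeps the two paths consistent; the listeners_unix.go hunk of the same patch has the identical shape. Init's body starts and ends outside the hunk.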