Accepting request 595995 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/595995
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=72

bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

@@ -0,0 +1,31 @@
+From c11493737b4a5ffd59d635650f3a0d45f220ad2b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Sun, 8 Apr 2018 20:21:30 +1000
+Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
+
+In newer kernels, AppArmor will reject attempts to send signals to a
+container because the signal originated from outside of that AppArmor
+profile. Correct this by allowing all unconfined signals to be received.
+
+SUSE-Bug: bsc#1073877
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ components/engine/profiles/apparmor/template.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
+index c5ea4584de6b..4830ac440645 100644
+--- a/components/engine/profiles/apparmor/template.go
++++ b/components/engine/profiles/apparmor/template.go
+@@ -17,6 +17,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   capability,
+   file,
+   umount,
++  signal (receive) peer=unconfined,
+ 
+   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
+   # deny write to files not in /proc/<number>/** or /proc/sys/**
+-- 
+2.16.3
+

docker.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Apr 10 09:25:43 UTC 2018 - asarai@suse.com
+
+- Add patch to handle AppArmor changes that make 'docker kill' stop working.
+  bsc#1073877
+  + bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+
+-------------------------------------------------------------------
+Fri Apr  6 04:21:28 UTC 2018 - asarai@suse.com
+
+- Fix manpage generation breaking ppc64le builds due to a missing
+  -buildemode=pie.
+
 -------------------------------------------------------------------
 Wed Apr  4 12:27:29 UTC 2018 - vrothberg@suse.com
 

docker.spec

@@ -66,6 +66,8 @@ Patch201:       secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 Patch400:       bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
 Patch401:       bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
+Patch402:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -194,6 +196,8 @@ Test package for docker. It contains the source code and the tests.
 %patch400 -p1
 # bsc#1021227 bsc#1029320 bsc#1058173
 %patch401 -p1
+# bsc#1073877
+%patch402 -p1
 
 cp %{SOURCE7} .
 cp %{SOURCE9} .
@@ -251,9 +255,8 @@ cd components/cli
 ./scripts/build/dynbinary
 
 mkdir -p ./man/man1
-go build -o gen-manpages github.com/docker/cli/man
+go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
 ./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1"
-rm gen-manpages
 ./man/md2man-all.sh
 cd ../..