Valentin Rothberg 2018-08-15 07:09:12 +00:00 committed by Git OBS Bridge
parent bac0493c26
commit 1ab6c95c8e
13 changed files with 94 additions and 427 deletions


@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker-ce.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">17.09.1_ce</param>
<param name="revision">v17.09.1-ce</param>
<param name="versionformat">18.06.0_ce</param>
<param name="revision">v18.06.0-ce</param>
<param name="filename">docker</param>
</service>
<service name="recompress" mode="disabled">


@ -1,243 +0,0 @@
From e57d7270deb50c31ac1f732d8f28812e5b809062 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 16 Nov 2017 17:09:16 +1100
Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
dm_task_deferred_remove is not supported by all distributions, due to
out-dated versions of devicemapper. However, in the case where the
devicemapper library was updated without rebuilding Docker (which can
happen in some distributions) then we should attempt to dynamically load
the relevant object rather than try to link to it.
This can only be done if Docker was built dynamically, for obvious
reasons.
In order to avoid having issues arise when dlsym(3) was unnecessary,
gate the whole dlsym(3) logic behind a buildflag that we disable by
default (libdm_dlsym_deferred_remove).
SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/hack/make.sh | 12 +-
...> devmapper_wrapper_dynamic_deferred_remove.go} | 10 +-
...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++
.../devmapper_wrapper_no_deferred_remove.go | 6 +-
4 files changed, 149 insertions(+), 7 deletions(-)
rename components/engine/pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%)
create mode 100644 components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
index 58e0d8cd628a..3b78ddef30b0 100755
--- a/components/engine/hack/make.sh
+++ b/components/engine/hack/make.sh
@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
exit 1
fi
+# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
+# contains a word starting from $1_
+add_buildtag() {
+ [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
+}
+
if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
DOCKER_BUILDTAGS+=" journald"
elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
@@ -127,12 +133,14 @@ if \
fi
# test whether "libdevmapper.h" is new enough to support deferred remove
-# functionality.
+# functionality. We favour libdm_dlsym_deferred_remove over
+# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
+# with a newer libdevmapper than the one it was built wih.
if \
command -v gcc &> /dev/null \
&& ! ( echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
; then
- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
+ add_buildtag libdm dlsym_deferred_remove
fi
# Use these flags when compiling the tests and final binary
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
similarity index 78%
rename from components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
rename to components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
index 7f793c270868..bf57371ff4cf 100644
--- a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
@@ -1,11 +1,15 @@
-// +build linux,cgo,!libdm_no_deferred_remove
+// +build linux,cgo,!static_build
+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
package devicemapper
-// #include <libdevmapper.h>
+/*
+#include <libdevmapper.h>
+*/
import "C"
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
const LibraryDeferredRemovalSupport = true
func dmTaskDeferredRemoveFct(task *cdmTask) int {
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
new file mode 100644
index 000000000000..5dfb369f1ff8
--- /dev/null
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
@@ -0,0 +1,128 @@
+// +build linux,cgo,!static_build
+// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
+
+package devicemapper
+
+/*
+#cgo LDFLAGS: -ldl
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <libdevmapper.h>
+
+// Yes, I know this looks scary. In order to be able to fill our own internal
+// dm_info with deferred_remove we need to have a struct definition that is
+// correct (regardless of the version of libdm that was used to compile it). To
+// this end, we define struct_backport_dm_info. This code comes from lvm2, and
+// I have verified that the structure has only ever had elements *appended* to
+// it (since 2001).
+//
+// It is also important that this structure be _larger_ than the dm_info that
+// libdevmapper expected. Otherwise libdm might try to write to memory it
+// shouldn't (they don't have a "known size" API).
+struct backport_dm_info {
+ int exists;
+ int suspended;
+ int live_table;
+ int inactive_table;
+ int32_t open_count;
+ uint32_t event_nr;
+ uint32_t major;
+ uint32_t minor;
+ int read_only;
+
+ int32_t target_count;
+
+ int deferred_remove;
+ int internal_suspend;
+
+ // Padding, purely for our own safety. This is to avoid cases where libdm
+ // was updated underneath us and we call into dm_task_get_info() with too
+ // small of a buffer.
+ char _[512];
+};
+
+// We have to wrap this in CGo, because Go really doesn't like function pointers.
+int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
+{
+ int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
+ return _dm_task_deferred_remove(task);
+}
+*/
+import "C"
+
+import (
+ "unsafe"
+
+ "github.com/sirupsen/logrus"
+)
+
+// dm_task_deferred_remove is not supported by all distributions, due to
+// out-dated versions of devicemapper. However, in the case where the
+// devicemapper library was updated without rebuilding Docker (which can happen
+// in some distributions) then we should attempt to dynamically load the
+// relevant object rather than try to link to it.
+
+// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
+// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
+// is currently loaded.
+var dmTaskDeferredRemovePtr unsafe.Pointer
+
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation. This value is fixed during init.
+var LibraryDeferredRemovalSupport bool
+
+func init() {
+ // Clear any errors.
+ var err *C.char
+ C.dlerror()
+
+ // The symbol we want to fetch.
+ symName := C.CString("dm_task_deferred_remove")
+ defer C.free(unsafe.Pointer(symName))
+
+ // See if we can find dm_task_deferred_remove. Since we already are linked
+ // to libdevmapper, we can search our own address space (rather than trying
+ // to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
+ // is not available in CGO (even if you set _GNU_SOURCE for some reason).
+ // The semantics are identical on glibc.
+ sym := C.dlsym(nil, symName)
+ err = C.dlerror()
+ if err != nil {
+ logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
+ return
+ }
+
+ logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
+ dmTaskDeferredRemovePtr = sym
+ LibraryDeferredRemovalSupport = true
+}
+
+func dmTaskDeferredRemoveFct(task *cdmTask) int {
+ sym := dmTaskDeferredRemovePtr
+ if sym == nil || !LibraryDeferredRemovalSupport {
+ return -1
+ }
+ return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
+}
+
+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
+ if !LibraryDeferredRemovalSupport {
+ return -1
+ }
+
+ Cinfo := C.struct_backport_dm_info{}
+ defer func() {
+ info.Exists = int(Cinfo.exists)
+ info.Suspended = int(Cinfo.suspended)
+ info.LiveTable = int(Cinfo.live_table)
+ info.InactiveTable = int(Cinfo.inactive_table)
+ info.OpenCount = int32(Cinfo.open_count)
+ info.EventNr = uint32(Cinfo.event_nr)
+ info.Major = uint32(Cinfo.major)
+ info.Minor = uint32(Cinfo.minor)
+ info.ReadOnly = int(Cinfo.read_only)
+ info.TargetCount = int32(Cinfo.target_count)
+ info.DeferredRemove = int(Cinfo.deferred_remove)
+ }()
+ return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
+}
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
index a880fec8c499..80b034b3ff17 100644
--- a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
@@ -1,8 +1,10 @@
-// +build linux,cgo,libdm_no_deferred_remove
+// +build linux,cgo
+// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
package devicemapper
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
const LibraryDeferredRemovalSupport = false
func dmTaskDeferredRemoveFct(task *cdmTask) int {
--
2.16.1


@ -1,95 +0,0 @@
From ff7b94c76f343931463b5916fb3fbd2610869a1a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 15 Oct 2017 17:06:20 +1100
Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
When runc is bind-mounting a particular path "with options", it has to
do so by first creating a bind-mount and the modifying the options of
said bind-mount via remount. However, in a user namespace, there are
restrictions on which flags you can change with a remount (due to
CL_UNPRIVILEGED being set in this instance). Docker historically has
ignored this, and as a result, internal Docker mounts (such as secrets)
haven't worked with --userns-remap. Fix this by preserving
CL_UNPRIVILEGED mount flags when Docker is spawning containers with user
namespaces enabled.
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1055676
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/daemon/oci_linux.go | 46 +++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
index 6917b4841429..936cb8f998ca 100644
--- a/components/engine/daemon/oci_linux.go
+++ b/components/engine/daemon/oci_linux.go
@@ -27,6 +27,7 @@ import (
"github.com/opencontainers/runc/libcontainer/user"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
var (
@@ -469,6 +470,38 @@ func ensureSharedOrSlave(path string) error {
return nil
}
+// Get the set of mount flags that are set on the mount that contains the given
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
+// bind-mounting "with options" will not fail with user namespaces, due to
+// kernel restrictions that require user namespace mounts to preserve
+// CL_UNPRIVILEGED locked flags.
+func getUnprivilegedMountFlags(path string) ([]string, error) {
+ var statfs unix.Statfs_t
+ if err := unix.Statfs(path, &statfs); err != nil {
+ return nil, err
+ }
+
+ // The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
+ unprivilegedFlags := map[uint64]string{
+ unix.MS_RDONLY: "ro",
+ unix.MS_NODEV: "nodev",
+ unix.MS_NOEXEC: "noexec",
+ unix.MS_NOSUID: "nosuid",
+ unix.MS_NOATIME: "noatime",
+ unix.MS_RELATIME: "relatime",
+ unix.MS_NODIRATIME: "nodiratime",
+ }
+
+ var flags []string
+ for mask, flag := range unprivilegedFlags {
+ if uint64(statfs.Flags)&mask == mask {
+ flags = append(flags, flag)
+ }
+ }
+
+ return flags, nil
+}
+
var (
mountPropagationMap = map[string]int{
"private": mount.PRIVATE,
@@ -586,6 +619,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
opts = append(opts, mountPropagationReverseMap[pFlag])
}
+ // If we are using user namespaces, then we must make sure that we
+ // don't drop any of the CL_UNPRIVILEGED "locked" flags of the source
+ // "mount" when we bind-mount. The reason for this is that at the point
+ // when runc sets up the root filesystem, it is already inside a user
+ // namespace, and thus cannot change any flags that are locked.
+ if daemon.configStore.RemappedRoot != "" {
+ unprivOpts, err := getUnprivilegedMountFlags(m.Source)
+ if err != nil {
+ return err
+ }
+ opts = append(opts, unprivOpts...)
+ }
+
mt.Options = opts
s.Mounts = append(s.Mounts, mt)
}
--
2.16.1


@ -1,4 +1,4 @@
From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
From 690b89f58f34dc03333988577d49bae04a11a27c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
@ -15,7 +15,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 6 insertions(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..082638e85903 100644
index c00a3f70e993..772c4a4873f6 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
--
2.17.1
2.18.0


@ -1,4 +1,4 @@
From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
From 45d68c6f85da51dc6e292ce09855e79794fd8984 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
@ -21,7 +21,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
index 2a418b25c241..c3e271ee4774 100644
index 461f5c7f96b2..8f21c5c0c566 100644
--- a/components/engine/daemon/apparmor_default.go
+++ b/components/engine/daemon/apparmor_default.go
@@ -14,6 +14,15 @@ const (
@ -53,12 +53,12 @@ index 2a418b25c241..c3e271ee4774 100644
return nil
}
diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
index cd2dd9702ef2..17584063c711 100644
index 51f9c526b350..97d7758442ee 100644
--- a/components/engine/daemon/apparmor_default_unsupported.go
+++ b/components/engine/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
package daemon
package daemon // import "github.com/docker/docker/daemon"
+func clobberDefaultAppArmorProfile() error {
+ return nil
@ -68,10 +68,10 @@ index cd2dd9702ef2..17584063c711 100644
return nil
}
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index a11a1f8691cc..6f8846b19f57 100644
index 5e5f586ae085..6ca6a7aaa268 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
}
@ -83,5 +83,5 @@ index a11a1f8691cc..6f8846b19f57 100644
}
--
2.17.1
2.18.0


@ -1,4 +1,4 @@
From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001
From 6cba061d6d42e2e40267dbf8628480ec0c5d376a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 30 Jul 2018 19:34:01 +1000
Subject: [PATCH] build: add -buildmode=pie
@ -7,6 +7,7 @@ Make all dynbinary builds be position-independent (this adds both
security benefits and can help with flaky builds on POWER
architectures).
SUSE-Bugs: bsc#1100727
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/cli/scripts/build/dynbinary | 2 +-


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
size 6237800

docker-18.06.0_ce.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:df4b5d33d8a1d17c4707fe9610a33bd8a1618ae7a7d3a0fa0b8c38ed1d1d53e1
size 8550432


@ -1,3 +1,25 @@
-------------------------------------------------------------------
Wed Aug 1 09:40:59 UTC 2018 - asarai@suse.com
- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage
to work with Docker and containerd. fate#325877
-------------------------------------------------------------------
Tue Jul 31 09:48:16 UTC 2018 - asarai@suse.com
- Upgrade to docker-ce v18.06.0-ce. bsc#1102522
- Remove systemd-service dependency on containerd, which is now being started
by dockerd to align with upstream defaults.
- Removed the following patches as they are merged upstream:
- bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
- bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
- Rebased the following patches:
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
* bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
* bsc1100727-0001-build-add-buildmode-pie.patch
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
-------------------------------------------------------------------
Mon Jul 30 09:44:47 UTC 2018 - asarai@suse.com


@ -1,8 +1,7 @@
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service
Requires=containerd.socket containerd.service
After=network.target lvm2-monitor.service SuSEfirewall2.service
[Service]
EnvironmentFile=/etc/sysconfig/docker
@ -11,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker
# enabled by default because enabling socket activation means that on boot your
# containers won't start until someone tries to administer the Docker daemon.
Type=notify
ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
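Review bot: The unit drops `Requires=containerd.socket containerd.service` and the `--containerd /run/containerd/containerd.sock` argument from `ExecStart=` without recording why, so a later maintainer may well re-add the dependency and end up running a second containerd next to the one dockerd now spawns itself. A one-line comment next to the new `ExecStart=` would pin the intent, e.g. `# containerd is started by dockerd itself since 18.06.0; do not add a Requires=/After= on containerd.service or pass --containerd`. The changelog hunk on this page states the reason, but the unit file is where the next reader will look. This is a documentation-only suggestion.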


@ -36,12 +36,12 @@
# These are the git commits required. We verify them against the source to make
# sure we didn't miss anything important when doing upgrades.
%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
%define required_containerd d64c661f1d51c48782c9cec8fda7604785f93587
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
Name: docker
Version: 17.09.1_ce
Version: 18.06.0_ce
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
@ -62,16 +62,12 @@ Source9: tests.sh
# branch in http://github.com/suse/docker.mirror.
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
Patch404: bsc1100727-0001-build-add-buildmode-pie.patch
Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@ -79,21 +75,7 @@ BuildRequires: device-mapper-devel >= 1.2.68
BuildRequires: glibc-devel-static
BuildRequires: libapparmor-devel
BuildRequires: libbtrfs-devel >= 3.8
# enable libseccomp for sle >= sle12sp2
%if 0%{?sle_version} >= 120200
%define with_libseccomp 1
%endif
# enable libseccomp for leap >= 42.2
%if 0%{?leap_version} >= 420200
%define with_libseccomp 1
%endif
# enable libseccomp for Factory
%if 0%{?suse_version} > 1320
%define with_libseccomp 1
%endif
%if 0%{?with_libseccomp}
BuildRequires: libseccomp-devel
%endif
BuildRequires: libseccomp-devel >= 2.2
BuildRequires: libtool
BuildRequires: procps
BuildRequires: sqlite3-devel
@ -136,9 +118,9 @@ Recommends: lvm2 >= 2.2.89
Conflicts: lxc < 1.0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExcludeArch: s390 ppc
# Make sure we build with go 1.8
# Make sure we build with go 1.10
BuildRequires: go-go-md2man
BuildRequires: golang(API) = 1.8
BuildRequires: golang(API) = 1.10
%description
Docker complements LXC with a high-level API which operates at the process
@ -196,25 +178,18 @@ Test package for docker. It contains the source code and the tests.
%patch200 -p1
%patch201 -p1
%endif
# bsc#1055676
%patch400 -p1
# bsc#1021227 bsc#1029320 bsc#1058173
%patch401 -p1
# bsc#1073877
%patch402 -p1
%patch400 -p1
# bsc#1099277
%patch403 -p1
%patch401 -p1
# bsc#1100727
%patch404 -p1
%patch402 -p1
cp %{SOURCE7} .
cp %{SOURCE9} .
%build
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
%if 0%{?with_libseccomp}
BUILDTAGS="seccomp $BUILDTAGS"
%endif
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
%if 0%{?sle_version} == 120000
# Provided by patch406, to allow us to build with older distros but still
# have deferred removal support at runtime. We only use this when building
@ -279,9 +254,9 @@ cd ../..
# of the upstream vendoring scripts. This is done on-build to make sure that
# someone doing an update didn't miss anything.
cd components/engine
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/install/runc.installer
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer
%install
install -d %{buildroot}%{go_contribdir}
@ -336,6 +311,17 @@ getent group docker >/dev/null || groupadd -r docker
%service_add_post %{name}.service
%{fillup_only -n docker}
# NOTE: This is a pretty hacky way of getting around the fact we've removed
# containerd.service and now everything is spawned underneath Docker. In
# order to force containerd.service to be stopped on the upgrade we need
# to trick the systemd macros into thinking that this is an "uninstall".
# Hopefully we can remove this soon.
(
FIRST_ARG=0
%service_del_preun containerd.service containerd.socket
%service_del_postun containerd.service containerd.socket
)
%preun
%service_del_preun %{name}.service
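Review bot: The new `%post` subshell with `FIRST_ARG=0` stops and disables `containerd.service`/`containerd.socket` unconditionally, so a fresh install of this package would also disable a containerd unit that another package on the host may provide and still need, not only the one a previous docker version shipped. Since the comment says the goal is to force the old unit down on upgrade, gate it on the RPM upgrade argument, `if [ "$1" -gt 1 ]; then ( FIRST_ARG=0 ... ) fi`, and replace `# Hopefully we can remove this soon.` with a reference to the bug or changelog entry that tracks its removal. Separately, the `# Provided by patch406, to allow us to build with older distros` comment in `%build` is now stale: this commit drops `bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch` as merged upstream and renumbers the remaining patches to 400-402, so the comment should say the dlsym deferred-remove support comes from upstream v18.06.0-ce rather than a local patch. Both the `%post` and `%build` hunks continue outside the visible section.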


@ -1,4 +1,4 @@
From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001
From 72ca29ce89146ac0c9a47881ebfc10883ed8ed39 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
index 954c194ea836..3ef1e0262edc 100644
index bc7ee452332b..d34129dfd80b 100644
--- a/components/engine/daemon/container_operations_unix.go
+++ b/components/engine/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
package daemon
package daemon // import "github.com/docker/docker/daemon"
import (
+ "bytes"
"context"
"fmt"
"io/ioutil"
@@ -13,6 +14,7 @@ import (
@@ -14,6 +15,7 @@ import (
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/links"
"github.com/docker/docker/errdefs"
+ "github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/mount"
"github.com/docker/docker/pkg/stringid"
@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil {
return errors.Wrap(err, "unable to get secret from secret store")
}
@ -43,7 +43,7 @@ index 954c194ea836..3ef1e0262edc 100644
uid, err := strconv.Atoi(s.File.UID)
if err != nil {
@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err
}
@ -70,5 +70,5 @@ index 954c194ea836..3ef1e0262edc 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.17.0
2.18.0


@ -1,4 +1,4 @@
From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001
From 4b300d3fabe2c8fa7292967c63a83eb82a30925a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@ -10,36 +10,36 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/daemon/start.go | 5 +
components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++
2 files changed, 404 insertions(+)
components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++
2 files changed, 401 insertions(+)
create mode 100644 components/engine/daemon/suse_secrets.go
diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go
index 55438cf2c45f..7dfa6cd1d055 100644
index c00bd9ceb22b..aa705888df39 100644
--- a/components/engine/daemon/start.go
+++ b/components/engine/daemon/start.go
@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
return err
}
+ // SUSE:secrets -- inject the SUSE secret store
+ if err := daemon.injectSuseSecretStore(container); err != nil {
+ return err
+ return errdefs.System(err)
+ }
+
spec, err := daemon.createSpec(container)
if err != nil {
return systemError{err}
return errdefs.System(err)
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
new file mode 100644
index 000000000000..00e485368b47
index 000000000000..817cd5561023
--- /dev/null
+++ b/components/engine/daemon/suse_secrets.go
@@ -0,0 +1,399 @@
@@ -0,0 +1,396 @@
+/*
+ * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017 SUSE LLC.
@ -143,10 +143,6 @@ index 000000000000..00e485368b47
+ var suseFiles []*SuseFakeFile
+
+ path := filepath.Join(prefix, dir)
+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
+ // If the path doesn't exist at all we don't inject anything.
+ return nil, nil
+ }
+ fi, err := os.Stat(path)
+ if err != nil {
+ // Ignore dangling symlinks.
@ -263,10 +259,6 @@ index 000000000000..00e485368b47
+// readFile returns a secret given a file under a given prefix.
+func readFile(prefix, file string) ([]*SuseFakeFile, error) {
+ path := filepath.Join(prefix, file)
+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
+ // If the path doesn't exist at all we don't inject anything.
+ return nil, nil
+ }
+ fi, err := os.Stat(path)
+ if err != nil {
+ // Ignore dangling symlinks.
@ -430,7 +422,12 @@ index 000000000000..00e485368b47
+ // to the mount list. This causes clashes because of duplicate namespaces.
+ // If we see an existing mount that will clash with the in-built secrets
+ // mount we assume it's our fault.
+ for _, intendedMount := range c.SecretMounts() {
+ intendedMounts, err := c.SecretMounts()
+ if err != nil {
+ logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err)
+ return err
+ }
+ for _, intendedMount := range intendedMounts {
+ mountPath := intendedMount.Destination
+ if volume, ok := c.MountPoints[mountPath]; ok {
+ logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume)
@ -440,5 +437,5 @@ index 000000000000..00e485368b47
+ return nil
+}
--
2.17.0
2.18.0
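Review bot: Removing the `os.Lstat` guards in `readFile` and in the function containing `path := filepath.Join(prefix, dir)` means a missing `path` now reaches `os.Stat`, and whether that error branch still returns `nil, nil` for a non-existent path depends on lines outside the hunk — the visible `// Ignore dangling symlinks.` comment suggests it targets a different case. If a missing secrets path now yields an error, `injectSuseSecretStore` fails container start through the new `return errdefs.System(err)` in start.go, which would be a behavior change from the previous silent skip; confirm that branch checks `os.IsNotExist(err)` or keep the guard. In the new `c.SecretMounts()` error path the error is both logged with `logrus.Warnf` and returned, so it is reported twice up the stack; either fold the context into the returned error or drop the log line. The enclosing functions start and end outside the rebased hunks.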