Docker v18.06 upgrade.
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=258
This commit is contained in:
parent
bac0493c26
commit
1ab6c95c8e
4
_service
4
_service
@ -3,8 +3,8 @@
|
||||
<param name="url">https://github.com/docker/docker-ce.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">17.09.1_ce</param>
|
||||
<param name="revision">v17.09.1-ce</param>
|
||||
<param name="versionformat">18.06.0_ce</param>
|
||||
<param name="revision">v18.06.0-ce</param>
|
||||
<param name="filename">docker</param>
|
||||
</service>
|
||||
<service name="recompress" mode="disabled">
|
||||
|
@ -1,243 +0,0 @@
|
||||
From e57d7270deb50c31ac1f732d8f28812e5b809062 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Thu, 16 Nov 2017 17:09:16 +1100
|
||||
Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
|
||||
|
||||
dm_task_deferred_remove is not supported by all distributions, due to
|
||||
out-dated versions of devicemapper. However, in the case where the
|
||||
devicemapper library was updated without rebuilding Docker (which can
|
||||
happen in some distributions) then we should attempt to dynamically load
|
||||
the relevant object rather than try to link to it.
|
||||
|
||||
This can only be done if Docker was built dynamically, for obvious
|
||||
reasons.
|
||||
|
||||
In order to avoid having issues arise when dlsym(3) was unnecessary,
|
||||
gate the whole dlsym(3) logic behind a buildflag that we disable by
|
||||
default (libdm_dlsym_deferred_remove).
|
||||
|
||||
SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/engine/hack/make.sh | 12 +-
|
||||
...> devmapper_wrapper_dynamic_deferred_remove.go} | 10 +-
|
||||
...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++
|
||||
.../devmapper_wrapper_no_deferred_remove.go | 6 +-
|
||||
4 files changed, 149 insertions(+), 7 deletions(-)
|
||||
rename components/engine/pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%)
|
||||
create mode 100644 components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
|
||||
|
||||
diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
|
||||
index 58e0d8cd628a..3b78ddef30b0 100755
|
||||
--- a/components/engine/hack/make.sh
|
||||
+++ b/components/engine/hack/make.sh
|
||||
@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
|
||||
+# contains a word starting from $1_
|
||||
+add_buildtag() {
|
||||
+ [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
|
||||
+}
|
||||
+
|
||||
if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
|
||||
DOCKER_BUILDTAGS+=" journald"
|
||||
elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
|
||||
@@ -127,12 +133,14 @@ if \
|
||||
fi
|
||||
|
||||
# test whether "libdevmapper.h" is new enough to support deferred remove
|
||||
-# functionality.
|
||||
+# functionality. We favour libdm_dlsym_deferred_remove over
|
||||
+# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
|
||||
+# with a newer libdevmapper than the one it was built wih.
|
||||
if \
|
||||
command -v gcc &> /dev/null \
|
||||
&& ! ( echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
|
||||
; then
|
||||
- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
|
||||
+ add_buildtag libdm dlsym_deferred_remove
|
||||
fi
|
||||
|
||||
# Use these flags when compiling the tests and final binary
|
||||
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
|
||||
similarity index 78%
|
||||
rename from components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
|
||||
rename to components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
|
||||
index 7f793c270868..bf57371ff4cf 100644
|
||||
--- a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
|
||||
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
|
||||
@@ -1,11 +1,15 @@
|
||||
-// +build linux,cgo,!libdm_no_deferred_remove
|
||||
+// +build linux,cgo,!static_build
|
||||
+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
|
||||
|
||||
package devicemapper
|
||||
|
||||
-// #include <libdevmapper.h>
|
||||
+/*
|
||||
+#include <libdevmapper.h>
|
||||
+*/
|
||||
import "C"
|
||||
|
||||
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
|
||||
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
|
||||
+// current Docker invocation.
|
||||
const LibraryDeferredRemovalSupport = true
|
||||
|
||||
func dmTaskDeferredRemoveFct(task *cdmTask) int {
|
||||
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
|
||||
new file mode 100644
|
||||
index 000000000000..5dfb369f1ff8
|
||||
--- /dev/null
|
||||
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
|
||||
@@ -0,0 +1,128 @@
|
||||
+// +build linux,cgo,!static_build
|
||||
+// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
|
||||
+
|
||||
+package devicemapper
|
||||
+
|
||||
+/*
|
||||
+#cgo LDFLAGS: -ldl
|
||||
+#include <stdlib.h>
|
||||
+#include <dlfcn.h>
|
||||
+#include <libdevmapper.h>
|
||||
+
|
||||
+// Yes, I know this looks scary. In order to be able to fill our own internal
|
||||
+// dm_info with deferred_remove we need to have a struct definition that is
|
||||
+// correct (regardless of the version of libdm that was used to compile it). To
|
||||
+// this end, we define struct_backport_dm_info. This code comes from lvm2, and
|
||||
+// I have verified that the structure has only ever had elements *appended* to
|
||||
+// it (since 2001).
|
||||
+//
|
||||
+// It is also important that this structure be _larger_ than the dm_info that
|
||||
+// libdevmapper expected. Otherwise libdm might try to write to memory it
|
||||
+// shouldn't (they don't have a "known size" API).
|
||||
+struct backport_dm_info {
|
||||
+ int exists;
|
||||
+ int suspended;
|
||||
+ int live_table;
|
||||
+ int inactive_table;
|
||||
+ int32_t open_count;
|
||||
+ uint32_t event_nr;
|
||||
+ uint32_t major;
|
||||
+ uint32_t minor;
|
||||
+ int read_only;
|
||||
+
|
||||
+ int32_t target_count;
|
||||
+
|
||||
+ int deferred_remove;
|
||||
+ int internal_suspend;
|
||||
+
|
||||
+ // Padding, purely for our own safety. This is to avoid cases where libdm
|
||||
+ // was updated underneath us and we call into dm_task_get_info() with too
|
||||
+ // small of a buffer.
|
||||
+ char _[512];
|
||||
+};
|
||||
+
|
||||
+// We have to wrap this in CGo, because Go really doesn't like function pointers.
|
||||
+int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
|
||||
+{
|
||||
+ int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
|
||||
+ return _dm_task_deferred_remove(task);
|
||||
+}
|
||||
+*/
|
||||
+import "C"
|
||||
+
|
||||
+import (
|
||||
+ "unsafe"
|
||||
+
|
||||
+ "github.com/sirupsen/logrus"
|
||||
+)
|
||||
+
|
||||
+// dm_task_deferred_remove is not supported by all distributions, due to
|
||||
+// out-dated versions of devicemapper. However, in the case where the
|
||||
+// devicemapper library was updated without rebuilding Docker (which can happen
|
||||
+// in some distributions) then we should attempt to dynamically load the
|
||||
+// relevant object rather than try to link to it.
|
||||
+
|
||||
+// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
|
||||
+// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
|
||||
+// is currently loaded.
|
||||
+var dmTaskDeferredRemovePtr unsafe.Pointer
|
||||
+
|
||||
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
|
||||
+// current Docker invocation. This value is fixed during init.
|
||||
+var LibraryDeferredRemovalSupport bool
|
||||
+
|
||||
+func init() {
|
||||
+ // Clear any errors.
|
||||
+ var err *C.char
|
||||
+ C.dlerror()
|
||||
+
|
||||
+ // The symbol we want to fetch.
|
||||
+ symName := C.CString("dm_task_deferred_remove")
|
||||
+ defer C.free(unsafe.Pointer(symName))
|
||||
+
|
||||
+ // See if we can find dm_task_deferred_remove. Since we already are linked
|
||||
+ // to libdevmapper, we can search our own address space (rather than trying
|
||||
+ // to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
|
||||
+ // is not available in CGO (even if you set _GNU_SOURCE for some reason).
|
||||
+ // The semantics are identical on glibc.
|
||||
+ sym := C.dlsym(nil, symName)
|
||||
+ err = C.dlerror()
|
||||
+ if err != nil {
|
||||
+ logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
|
||||
+ return
|
||||
+ }
|
||||
+
|
||||
+ logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
|
||||
+ dmTaskDeferredRemovePtr = sym
|
||||
+ LibraryDeferredRemovalSupport = true
|
||||
+}
|
||||
+
|
||||
+func dmTaskDeferredRemoveFct(task *cdmTask) int {
|
||||
+ sym := dmTaskDeferredRemovePtr
|
||||
+ if sym == nil || !LibraryDeferredRemovalSupport {
|
||||
+ return -1
|
||||
+ }
|
||||
+ return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
|
||||
+}
|
||||
+
|
||||
+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
|
||||
+ if !LibraryDeferredRemovalSupport {
|
||||
+ return -1
|
||||
+ }
|
||||
+
|
||||
+ Cinfo := C.struct_backport_dm_info{}
|
||||
+ defer func() {
|
||||
+ info.Exists = int(Cinfo.exists)
|
||||
+ info.Suspended = int(Cinfo.suspended)
|
||||
+ info.LiveTable = int(Cinfo.live_table)
|
||||
+ info.InactiveTable = int(Cinfo.inactive_table)
|
||||
+ info.OpenCount = int32(Cinfo.open_count)
|
||||
+ info.EventNr = uint32(Cinfo.event_nr)
|
||||
+ info.Major = uint32(Cinfo.major)
|
||||
+ info.Minor = uint32(Cinfo.minor)
|
||||
+ info.ReadOnly = int(Cinfo.read_only)
|
||||
+ info.TargetCount = int32(Cinfo.target_count)
|
||||
+ info.DeferredRemove = int(Cinfo.deferred_remove)
|
||||
+ }()
|
||||
+ return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
|
||||
+}
|
||||
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
|
||||
index a880fec8c499..80b034b3ff17 100644
|
||||
--- a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
|
||||
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
|
||||
@@ -1,8 +1,10 @@
|
||||
-// +build linux,cgo,libdm_no_deferred_remove
|
||||
+// +build linux,cgo
|
||||
+// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
|
||||
|
||||
package devicemapper
|
||||
|
||||
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
|
||||
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
|
||||
+// current Docker invocation.
|
||||
const LibraryDeferredRemovalSupport = false
|
||||
|
||||
func dmTaskDeferredRemoveFct(task *cdmTask) int {
|
||||
--
|
||||
2.16.1
|
||||
|
@ -1,95 +0,0 @@
|
||||
From ff7b94c76f343931463b5916fb3fbd2610869a1a Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Sun, 15 Oct 2017 17:06:20 +1100
|
||||
Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
|
||||
|
||||
When runc is bind-mounting a particular path "with options", it has to
|
||||
do so by first creating a bind-mount and the modifying the options of
|
||||
said bind-mount via remount. However, in a user namespace, there are
|
||||
restrictions on which flags you can change with a remount (due to
|
||||
CL_UNPRIVILEGED being set in this instance). Docker historically has
|
||||
ignored this, and as a result, internal Docker mounts (such as secrets)
|
||||
haven't worked with --userns-remap. Fix this by preserving
|
||||
CL_UNPRIVILEGED mount flags when Docker is spawning containers with user
|
||||
namespaces enabled.
|
||||
|
||||
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1055676
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/engine/daemon/oci_linux.go | 46 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 46 insertions(+)
|
||||
|
||||
diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
|
||||
index 6917b4841429..936cb8f998ca 100644
|
||||
--- a/components/engine/daemon/oci_linux.go
|
||||
+++ b/components/engine/daemon/oci_linux.go
|
||||
@@ -27,6 +27,7 @@ import (
|
||||
"github.com/opencontainers/runc/libcontainer/user"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/sirupsen/logrus"
|
||||
+ "golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -469,6 +470,38 @@ func ensureSharedOrSlave(path string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
+// Get the set of mount flags that are set on the mount that contains the given
|
||||
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
|
||||
+// bind-mounting "with options" will not fail with user namespaces, due to
|
||||
+// kernel restrictions that require user namespace mounts to preserve
|
||||
+// CL_UNPRIVILEGED locked flags.
|
||||
+func getUnprivilegedMountFlags(path string) ([]string, error) {
|
||||
+ var statfs unix.Statfs_t
|
||||
+ if err := unix.Statfs(path, &statfs); err != nil {
|
||||
+ return nil, err
|
||||
+ }
|
||||
+
|
||||
+ // The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
|
||||
+ unprivilegedFlags := map[uint64]string{
|
||||
+ unix.MS_RDONLY: "ro",
|
||||
+ unix.MS_NODEV: "nodev",
|
||||
+ unix.MS_NOEXEC: "noexec",
|
||||
+ unix.MS_NOSUID: "nosuid",
|
||||
+ unix.MS_NOATIME: "noatime",
|
||||
+ unix.MS_RELATIME: "relatime",
|
||||
+ unix.MS_NODIRATIME: "nodiratime",
|
||||
+ }
|
||||
+
|
||||
+ var flags []string
|
||||
+ for mask, flag := range unprivilegedFlags {
|
||||
+ if uint64(statfs.Flags)&mask == mask {
|
||||
+ flags = append(flags, flag)
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return flags, nil
|
||||
+}
|
||||
+
|
||||
var (
|
||||
mountPropagationMap = map[string]int{
|
||||
"private": mount.PRIVATE,
|
||||
@@ -586,6 +619,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
|
||||
opts = append(opts, mountPropagationReverseMap[pFlag])
|
||||
}
|
||||
|
||||
+ // If we are using user namespaces, then we must make sure that we
|
||||
+ // don't drop any of the CL_UNPRIVILEGED "locked" flags of the source
|
||||
+ // "mount" when we bind-mount. The reason for this is that at the point
|
||||
+ // when runc sets up the root filesystem, it is already inside a user
|
||||
+ // namespace, and thus cannot change any flags that are locked.
|
||||
+ if daemon.configStore.RemappedRoot != "" {
|
||||
+ unprivOpts, err := getUnprivilegedMountFlags(m.Source)
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
+ opts = append(opts, unprivOpts...)
|
||||
+ }
|
||||
+
|
||||
mt.Options = opts
|
||||
s.Mounts = append(s.Mounts, mt)
|
||||
}
|
||||
--
|
||||
2.16.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
|
||||
From 690b89f58f34dc03333988577d49bae04a11a27c Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Sun, 8 Apr 2018 20:21:30 +1000
|
||||
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
|
||||
@ -15,7 +15,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
|
||||
index c5ea4584de6b..082638e85903 100644
|
||||
index c00a3f70e993..772c4a4873f6 100644
|
||||
--- a/components/engine/profiles/apparmor/template.go
|
||||
+++ b/components/engine/profiles/apparmor/template.go
|
||||
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644
|
||||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
||||
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
||||
--
|
||||
2.17.1
|
||||
2.18.0
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
|
||||
From 45d68c6f85da51dc6e292ce09855e79794fd8984 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
|
||||
@ -21,7 +21,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
3 files changed, 17 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
|
||||
index 2a418b25c241..c3e271ee4774 100644
|
||||
index 461f5c7f96b2..8f21c5c0c566 100644
|
||||
--- a/components/engine/daemon/apparmor_default.go
|
||||
+++ b/components/engine/daemon/apparmor_default.go
|
||||
@@ -14,6 +14,15 @@ const (
|
||||
@ -53,12 +53,12 @@ index 2a418b25c241..c3e271ee4774 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
|
||||
index cd2dd9702ef2..17584063c711 100644
|
||||
index 51f9c526b350..97d7758442ee 100644
|
||||
--- a/components/engine/daemon/apparmor_default_unsupported.go
|
||||
+++ b/components/engine/daemon/apparmor_default_unsupported.go
|
||||
@@ -2,6 +2,10 @@
|
||||
|
||||
package daemon
|
||||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
+func clobberDefaultAppArmorProfile() error {
|
||||
+ return nil
|
||||
@ -68,10 +68,10 @@ index cd2dd9702ef2..17584063c711 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
|
||||
index a11a1f8691cc..6f8846b19f57 100644
|
||||
index 5e5f586ae085..6ca6a7aaa268 100644
|
||||
--- a/components/engine/daemon/daemon.go
|
||||
+++ b/components/engine/daemon/daemon.go
|
||||
@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
|
||||
@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
|
||||
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
||||
}
|
||||
|
||||
@ -83,5 +83,5 @@ index a11a1f8691cc..6f8846b19f57 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.17.1
|
||||
2.18.0
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001
|
||||
From 6cba061d6d42e2e40267dbf8628480ec0c5d376a Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Mon, 30 Jul 2018 19:34:01 +1000
|
||||
Subject: [PATCH] build: add -buildmode=pie
|
||||
@ -7,6 +7,7 @@ Make all dynbinary builds be position-independent (this adds both
|
||||
security benefits and can help with flaky builds on POWER
|
||||
architectures).
|
||||
|
||||
SUSE-Bugs: bsc#1100727
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/cli/scripts/build/dynbinary | 2 +-
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
|
||||
size 6237800
|
3
docker-18.06.0_ce.tar.xz
Normal file
3
docker-18.06.0_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:df4b5d33d8a1d17c4707fe9610a33bd8a1618ae7a7d3a0fa0b8c38ed1d1d53e1
|
||||
size 8550432
|
@ -1,3 +1,25 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 1 09:40:59 UTC 2018 - asarai@suse.com
|
||||
|
||||
- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage
|
||||
to work with Docker and containerd. fate#325877
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 31 09:48:16 UTC 2018 - asarai@suse.com
|
||||
|
||||
- Upgrade to docker-ce v18.06.0-ce. bsc#1102522
|
||||
- Remove systemd-service dependency on containerd, which is now being started
|
||||
by dockerd to align with upstream defaults.
|
||||
- Removed the following patches as they are merged upstream:
|
||||
- bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
|
||||
- bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
|
||||
- Rebased the following patches:
|
||||
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||
* bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||
* bsc1100727-0001-build-add-buildmode-pie.patch
|
||||
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 30 09:44:47 UTC 2018 - asarai@suse.com
|
||||
|
||||
|
@ -1,8 +1,7 @@
|
||||
[Unit]
|
||||
Description=Docker Application Container Engine
|
||||
Documentation=http://docs.docker.com
|
||||
After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service
|
||||
Requires=containerd.socket containerd.service
|
||||
After=network.target lvm2-monitor.service SuSEfirewall2.service
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=/etc/sysconfig/docker
|
||||
@ -11,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker
|
||||
# enabled by default because enabling socket activation means that on boot your
|
||||
# containers won't start until someone tries to administer the Docker daemon.
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
|
||||
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
|
||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||
|
70
docker.spec
70
docker.spec
@ -36,12 +36,12 @@
|
||||
|
||||
# These are the git commits required. We verify them against the source to make
|
||||
# sure we didn't miss anything important when doing upgrades.
|
||||
%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
|
||||
%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
|
||||
%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
|
||||
%define required_containerd d64c661f1d51c48782c9cec8fda7604785f93587
|
||||
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
|
||||
%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
|
||||
|
||||
Name: docker
|
||||
Version: 17.09.1_ce
|
||||
Version: 18.06.0_ce
|
||||
Release: 0
|
||||
Summary: The Linux container runtime
|
||||
License: Apache-2.0
|
||||
@ -62,16 +62,12 @@ Source9: tests.sh
|
||||
# branch in http://github.com/suse/docker.mirror.
|
||||
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
|
||||
Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
|
||||
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
|
||||
Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
|
||||
Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
|
||||
Patch404: bsc1100727-0001-build-add-buildmode-pie.patch
|
||||
Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
|
||||
BuildRequires: audit
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: ca-certificates
|
||||
@ -79,21 +75,7 @@ BuildRequires: device-mapper-devel >= 1.2.68
|
||||
BuildRequires: glibc-devel-static
|
||||
BuildRequires: libapparmor-devel
|
||||
BuildRequires: libbtrfs-devel >= 3.8
|
||||
# enable libseccomp for sle >= sle12sp2
|
||||
%if 0%{?sle_version} >= 120200
|
||||
%define with_libseccomp 1
|
||||
%endif
|
||||
# enable libseccomp for leap >= 42.2
|
||||
%if 0%{?leap_version} >= 420200
|
||||
%define with_libseccomp 1
|
||||
%endif
|
||||
# enable libseccomp for Factory
|
||||
%if 0%{?suse_version} > 1320
|
||||
%define with_libseccomp 1
|
||||
%endif
|
||||
%if 0%{?with_libseccomp}
|
||||
BuildRequires: libseccomp-devel
|
||||
%endif
|
||||
BuildRequires: libseccomp-devel >= 2.2
|
||||
BuildRequires: libtool
|
||||
BuildRequires: procps
|
||||
BuildRequires: sqlite3-devel
|
||||
@ -136,9 +118,9 @@ Recommends: lvm2 >= 2.2.89
|
||||
Conflicts: lxc < 1.0
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
ExcludeArch: s390 ppc
|
||||
# Make sure we build with go 1.8
|
||||
# Make sure we build with go 1.10
|
||||
BuildRequires: go-go-md2man
|
||||
BuildRequires: golang(API) = 1.8
|
||||
BuildRequires: golang(API) = 1.10
|
||||
|
||||
%description
|
||||
Docker complements LXC with a high-level API which operates at the process
|
||||
@ -196,25 +178,18 @@ Test package for docker. It contains the source code and the tests.
|
||||
%patch200 -p1
|
||||
%patch201 -p1
|
||||
%endif
|
||||
# bsc#1055676
|
||||
%patch400 -p1
|
||||
# bsc#1021227 bsc#1029320 bsc#1058173
|
||||
%patch401 -p1
|
||||
# bsc#1073877
|
||||
%patch402 -p1
|
||||
%patch400 -p1
|
||||
# bsc#1099277
|
||||
%patch403 -p1
|
||||
%patch401 -p1
|
||||
# bsc#1100727
|
||||
%patch404 -p1
|
||||
%patch402 -p1
|
||||
|
||||
cp %{SOURCE7} .
|
||||
cp %{SOURCE9} .
|
||||
|
||||
%build
|
||||
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
|
||||
%if 0%{?with_libseccomp}
|
||||
BUILDTAGS="seccomp $BUILDTAGS"
|
||||
%endif
|
||||
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
|
||||
%if 0%{?sle_version} == 120000
|
||||
# Provided by patch406, to allow us to build with older distros but still
|
||||
# have deferred removal support at runtime. We only use this when building
|
||||
@ -279,9 +254,9 @@ cd ../..
|
||||
# of the upstream vendoring scripts. This is done on-build to make sure that
|
||||
# someone doing an update didn't miss anything.
|
||||
cd components/engine
|
||||
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits
|
||||
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
|
||||
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
|
||||
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/install/runc.installer
|
||||
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer
|
||||
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer
|
||||
|
||||
%install
|
||||
install -d %{buildroot}%{go_contribdir}
|
||||
@ -336,6 +311,17 @@ getent group docker >/dev/null || groupadd -r docker
|
||||
%service_add_post %{name}.service
|
||||
%{fillup_only -n docker}
|
||||
|
||||
# NOTE: This is a pretty hacky way of getting around the fact we've removed
|
||||
# containerd.service and now everything is spawned underneath Docker. In
|
||||
# order to force containerd.service to be stopped on the upgrade we need
|
||||
# to trick the systemd macros into thinking that this is an "uninstall".
|
||||
# Hopefully we can remove this soon.
|
||||
(
|
||||
FIRST_ARG=0
|
||||
%service_del_preun containerd.service containerd.socket
|
||||
%service_del_postun containerd.service containerd.socket
|
||||
)
|
||||
|
||||
%preun
|
||||
%service_del_preun %{name}.service
|
||||
|
||||
|
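Review bot: The containerd cleanup block added to %post (the parenthesised subshell with `FIRST_ARG=0` followed by `%service_del_preun` and `%service_del_postun` for containerd.service and containerd.socket) runs on fresh installs as well as on upgrades, so the macros are invoked for units that no earlier package on the system ever shipped. Wrapping it as `if [ "$1" -gt 1 ]; then ( FIRST_ARG=0; ... ) fi` limits the hack to the upgrade path it was written for, and the NOTE comment should name the last package version that shipped containerd.service so the block can be removed once upgrades from that version are no longer supported. If I read the SUSE systemd macros correctly, `FIRST_ARG=0` makes them take their uninstall branch (disable and stop the units), which will also stop a containerd still running from the previous package and therefore the containers under it; that is worth stating in the comment since it is a visible side effect of the upgrade. Separately, the retained %build comment `# Provided by patch406, to allow us to build with older distros but still` refers to a patch number that does not exist after this commit's renumbering (the spec now declares Patch200/201 and Patch400–402, and the deferred-remove backport was dropped as merged upstream), so it should be corrected or removed; that %if block continues past the end of the hunk.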
@ -1,4 +1,4 @@
|
||||
From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001
|
||||
From 72ca29ce89146ac0c9a47881ebfc10883ed8ed39 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
|
||||
@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 21 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
|
||||
index 954c194ea836..3ef1e0262edc 100644
|
||||
index bc7ee452332b..d34129dfd80b 100644
|
||||
--- a/components/engine/daemon/container_operations_unix.go
|
||||
+++ b/components/engine/daemon/container_operations_unix.go
|
||||
@@ -3,6 +3,7 @@
|
||||
package daemon
|
||||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
+ "bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
@@ -13,6 +14,7 @@ import (
|
||||
|
||||
@@ -14,6 +15,7 @@ import (
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/daemon/links"
|
||||
"github.com/docker/docker/errdefs"
|
||||
+ "github.com/docker/docker/pkg/archive"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/mount"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "unable to get secret from secret store")
|
||||
}
|
||||
@ -43,7 +43,7 @@ index 954c194ea836..3ef1e0262edc 100644
|
||||
|
||||
uid, err := strconv.Atoi(s.File.UID)
|
||||
if err != nil {
|
||||
@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
return err
|
||||
}
|
||||
|
||||
@ -70,5 +70,5 @@ index 954c194ea836..3ef1e0262edc 100644
|
||||
return errors.Wrap(err, "error setting ownership for secret")
|
||||
}
|
||||
--
|
||||
2.17.0
|
||||
2.18.0
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001
|
||||
From 4b300d3fabe2c8fa7292967c63a83eb82a30925a Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
|
||||
@ -10,36 +10,36 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
|
||||
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
|
||||
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
|
||||
|
||||
SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
|
||||
SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/engine/daemon/start.go | 5 +
|
||||
components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++
|
||||
2 files changed, 404 insertions(+)
|
||||
components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++
|
||||
2 files changed, 401 insertions(+)
|
||||
create mode 100644 components/engine/daemon/suse_secrets.go
|
||||
|
||||
diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go
|
||||
index 55438cf2c45f..7dfa6cd1d055 100644
|
||||
index c00bd9ceb22b..aa705888df39 100644
|
||||
--- a/components/engine/daemon/start.go
|
||||
+++ b/components/engine/daemon/start.go
|
||||
@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
|
||||
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
|
||||
return err
|
||||
}
|
||||
|
||||
+ // SUSE:secrets -- inject the SUSE secret store
|
||||
+ if err := daemon.injectSuseSecretStore(container); err != nil {
|
||||
+ return err
|
||||
+ return errdefs.System(err)
|
||||
+ }
|
||||
+
|
||||
spec, err := daemon.createSpec(container)
|
||||
if err != nil {
|
||||
return systemError{err}
|
||||
return errdefs.System(err)
|
||||
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
|
||||
new file mode 100644
|
||||
index 000000000000..00e485368b47
|
||||
index 000000000000..817cd5561023
|
||||
--- /dev/null
|
||||
+++ b/components/engine/daemon/suse_secrets.go
|
||||
@@ -0,0 +1,399 @@
|
||||
@@ -0,0 +1,396 @@
|
||||
+/*
|
||||
+ * suse-secrets: patch for Docker to implement SUSE secrets
|
||||
+ * Copyright (C) 2017 SUSE LLC.
|
||||
@ -143,10 +143,6 @@ index 000000000000..00e485368b47
|
||||
+ var suseFiles []*SuseFakeFile
|
||||
+
|
||||
+ path := filepath.Join(prefix, dir)
|
||||
+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
|
||||
+ // If the path doesn't exist at all we don't inject anything.
|
||||
+ return nil, nil
|
||||
+ }
|
||||
+ fi, err := os.Stat(path)
|
||||
+ if err != nil {
|
||||
+ // Ignore dangling symlinks.
|
||||
@ -263,10 +259,6 @@ index 000000000000..00e485368b47
|
||||
+// readFile returns a secret given a file under a given prefix.
|
||||
+func readFile(prefix, file string) ([]*SuseFakeFile, error) {
|
||||
+ path := filepath.Join(prefix, file)
|
||||
+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
|
||||
+ // If the path doesn't exist at all we don't inject anything.
|
||||
+ return nil, nil
|
||||
+ }
|
||||
+ fi, err := os.Stat(path)
|
||||
+ if err != nil {
|
||||
+ // Ignore dangling symlinks.
|
||||
@ -430,7 +422,12 @@ index 000000000000..00e485368b47
|
||||
+ // to the mount list. This causes clashes because of duplicate namespaces.
|
||||
+ // If we see an existing mount that will clash with the in-built secrets
|
||||
+ // mount we assume it's our fault.
|
||||
+ for _, intendedMount := range c.SecretMounts() {
|
||||
+ intendedMounts, err := c.SecretMounts()
|
||||
+ if err != nil {
|
||||
+ logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err)
|
||||
+ return err
|
||||
+ }
|
||||
+ for _, intendedMount := range intendedMounts {
|
||||
+ mountPath := intendedMount.Destination
|
||||
+ if volume, ok := c.MountPoints[mountPath]; ok {
|
||||
+ logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume)
|
||||
@ -440,5 +437,5 @@ index 000000000000..00e485368b47
|
||||
+ return nil
|
||||
+}
|
||||
--
|
||||
2.17.0
|
||||
2.18.0
|
||||
|
||||
|