From ca40a59d67f7ce459bd40c7ab2e0c49376e56475308f36a8195eca202b44ce89 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Mon, 16 May 2016 13:58:14 +0000
Subject: [PATCH 1/3] * Add a patch to fix database soft corruption issues if the Docker dameon dies in a bad state. There is a PR upstream to vendor Docker to have this fix as well, but it probably won't get in until 1.11.2. bnc#964673 (https://github.com/docker/docker/pull/22765) + bnc964673-boltdb-metadata-recovery.patch
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=105
---
 bnc964673-boltdb-metadata-recovery.patch | 95 ++++++++++++++++++++++++
 docker.changes | 10 +++
 docker.spec | 6 ++
 3 files changed, 111 insertions(+)
 create mode 100644 bnc964673-boltdb-metadata-recovery.patch
diff --git a/bnc964673-boltdb-metadata-recovery.patch b/bnc964673-boltdb-metadata-recovery.patch
new file mode 100644
index 0000000..15a4fc3
--- /dev/null
+++ b/bnc964673-boltdb-metadata-recovery.patch
@@ -0,0 +1,95 @@
+From 8f0e47cee034cdc08ca515d98a6733130908fc26 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Mon, 16 May 2016 23:53:46 +1000
+Subject: [PATCH] db: fix recovery from unsynced metadata
+
+Bolt stores the two latest transactions' metadata, but previously did
+not recover from validation failures in the latest by using the second
+latest. Fix this by correctly handling validation failures in db.go, as
+well as returning the metadata with highest txid which is also valid in
+DB.meta().
+
+Signed-off-by: Aleksa Sarai
+---
+ vendor/src/github.com/boltdb/bolt/db.go | 49 +++++++++++++++++++++++++--------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/vendor/src/github.com/boltdb/bolt/db.go b/vendor/src/github.com/boltdb/bolt/db.go
+index 501d36aac24a..f713485ffab6 100644
+--- a/vendor/src/github.com/boltdb/bolt/db.go
++++ b/vendor/src/github.com/boltdb/bolt/db.go
+@@ -200,9 +200,15 @@ func Open(path string, mode os.FileMode, options *Options) (*DB, error) {
+ if _, err := db.file.ReadAt(buf[:], 0); err == nil {
+ m := db.pageInBuffer(buf[:], 0).meta()
+ if err := m.validate(); err != nil {
+- return nil, err
++ // If we can't read the page size, we can assume it's the same
++ // as the OS -- since that's how the page size was chosen in the
++ // first place.
++ // XXX: Does this cause issues with opening a database on a
++ // different OS than the one it was created on?
++ db.pageSize = os.Getpagesize()
++ } else {
++ db.pageSize = int(m.pageSize)
+ }
+- db.pageSize = int(m.pageSize)
+ }
+ }
+
+@@ -262,12 +268,13 @@ func (db *DB) mmap(minsz int) error {
+ db.meta0 = db.page(0).meta()
+ db.meta1 = db.page(1).meta()
+
+- // Validate the meta pages.
+- if err := db.meta0.validate(); err != nil {
+- return err
+- }
+- if err := db.meta1.validate(); err != nil {
+- return err
++ // Validate the meta pages. We only return an error if both meta pages fail
++ // validation, since meta0 failing validation means that it wasn't saved
++ // properly -- but we can recover using meta1. And vice-versa.
++ err0 := db.meta0.validate()
++ err1 := db.meta1.validate()
++ if err0 != nil && err1 != nil {
++ return fmt.Errorf("meta0(%v) meta1(%v)", err0, err1)
+ }
+
+ return nil
+@@ -778,10 +785,30 @@ func (db *DB) pageInBuffer(b []byte, id pgid) *page {
+
+ // meta retrieves the current meta page reference.
+ func (db *DB) meta() *meta {
+- if db.meta0.txid > db.meta1.txid {
+- return db.meta0
++ // We have to return the meta with the highest txid which doesn't fail
++ // validation. Otherwise, we can cause errors when in fact the database is
++ // in a consistent state. metaA is the one with the higher txid.
++ metaA := db.meta0
++ metaB := db.meta1
++ if db.meta1.txid > db.meta0.txid {
++ metaA = db.meta1
++ metaB = db.meta0
+ }
+- return db.meta1
++
++ errA := metaA.validate()
++ errB := metaB.validate()
++
++ if errA == nil {
++ return metaA
++ }
++
++ if errB == nil {
++ return metaB
++ }
++
++ // This should never be reached, because both meta1 and meta0 were validated
++ // on mmap() and we do fsync() on every write.
++ panic("both meta0 and meta1 could not be validated in DB.meta()!")
+ }
+
+ // allocate returns a contiguous block of memory starting at a given page.
+--
+2.8.2
+
diff --git a/docker.changes b/docker.changes
index e747e8d..8a3d67a 100644
--- a/docker.changes
+++ b/docker.changes
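Review bot: In the embedded db.go patch, the mmap() hunk builds a new error with `fmt.Errorf("meta0(%v) meta1(%v)", err0, err1)`, so a caller of Open that compares the returned error against a specific value would stop matching; the old code returned validate()'s error unchanged, and validate() itself is outside the hunk. Returning one of them as-is, `return err0`, keeps that contract. DB.meta() now falls back to the older meta page without any signal, which presumably means a crash can leave the store one transaction behind unnoticed; a comment naming that consequence would help whoever later analyses such a state. The panic at the end of DB.meta() rests on the stated assumption that both pages stay valid after mmap(), which the comment should mark as an invariant the code relies on rather than a guarantee.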
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon May 16 13:55:07 UTC 2016 - asarai@suse.de
+
+* Add a patch to fix database soft corruption issues if the Docker dameon dies
+ in a bad state. There is a PR upstream to vendor Docker to have this fix as
+ well, but it probably won't get in until 1.11.2. bnc#964673
+ (https://github.com/docker/docker/pull/22765)
+
+ + bnc964673-boltdb-metadata-recovery.patch
+
 -------------------------------------------------------------------
 Mon May 2 07:40:22 UTC 2016 - asarai@suse.de
diff --git a/docker.spec b/docker.spec
index 8fa280f..f4e268c 100644
--- a/docker.spec
+++ b/docker.spec
@@ -57,6 +57,10 @@ Patch103: netlink_netns_powerpc.patch
 # This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or
 # Docker 1.11.0. This patch was squashed and cherry-picked from runc#708.
 Patch301: cve-2016-3697-numeric-uid.patch
+# This fixes bnc#964673. This fix is in boltdb upstream, but has yet to be
+# merged into Docker (in a vendor commit). This patch was cherry-picked from
+# bolt#555.
+Patch302: bnc964673-boltdb-metadata-recovery.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel >= 1.2.68
@@ -167,6 +171,8 @@ Test package for docker. It contains the source code and the tests.
 %endif
 # bsc#976777
 %patch301 -p1
+# bnc#964673
+%patch302 -p1
 cp %{SOURCE7} .
 %build
From 22d959a1c73bd2290d1d932dcaa3e79f6a513916ef453dc4d43b525e280d0a22 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Wed, 18 May 2016 14:21:48 +0000
Subject: [PATCH 2/3] * Make sure we *always* build unstripped Go binaries.
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=106
---
 docker.changes | 5 +++++
 docker.spec | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/docker.changes b/docker.changes
index 8a3d67a..b4775e0 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed May 18 14:21:09 UTC 2016 - asarai@suse.de
+
+* Make sure we *always* build unstripped Go binaries.
+
 -------------------------------------------------------------------
 Mon May 16 13:55:07 UTC 2016 - asarai@suse.de
diff --git a/docker.spec b/docker.spec
index f4e268c..43a9eb7 100644
--- a/docker.spec
+++ b/docker.spec
@@ -104,6 +104,13 @@ ExcludeArch: s390x
 %endif
 ExcludeArch: ppc
+# It's a bad idea to strip Go binaries (apart from making debugging impossible,
+# it also is known to cause some interesting runtime bugs). However, rpmbuild
+# will strip your binaries if it is creating debuginfo packages (as well as
+# doing it by default). So we have to manually disable both of these things.
+%undefine _build_create_debug
+%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
+
 %description
 Docker complements LXC with a high-level API which operates at the process level. It runs unix processes with strong guarantees of isolation and
From fd323b7e8017a1fdfca0d32b6ddd4930995ca0180f3ff9c4e571eec904b507a5 Mon Sep 17 00:00:00 2001
From: Jordi Massaguer
Date: Fri, 20 May 2016 10:32:51 +0000
Subject: [PATCH 3/3] Accepting request 396996 from home:jordimassaguerpla:mbranch:VC:2016-05-20:docker - Fix udev files ownership
OBS-URL: https://build.opensuse.org/request/show/396996
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=107
---
 docker.changes | 5 +++++
 docker.spec | 1 +
 2 files changed, 6 insertions(+)
diff --git a/docker.changes b/docker.changes
index b4775e0..30154b9 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri May 20 10:26:39 UTC 2016 - jmassaguerpla@suse.com
+
+- Fix udev files ownership
+
 -------------------------------------------------------------------
 Wed May 18 14:21:09 UTC 2016 - asarai@suse.de
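Review bot: The line `%define __arch_install_post export NO_BRP_STRIP_DEBUG=true` in the docker.spec hunk at -104 replaces the macro's whole value instead of extending it, so any post-install checks the build platform keeps in `__arch_install_post` would stop running for this package; the macro's default value is not visible here. The comment above it explains why stripping is disabled but not that the macro is overridden only to carry an environment variable. A line such as `# NOTE: overrides __arch_install_post only to export NO_BRP_STRIP_DEBUG; re-check if the platform default gains steps` would record that for the next packager.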
diff --git a/docker.spec b/docker.spec
index 43a9eb7..f101c1e 100644
--- a/docker.spec
+++ b/docker.spec
@@ -61,6 +61,7 @@ Patch301: cve-2016-3697-numeric-uid.patch
 # merged into Docker (in a vendor commit). This patch was cherry-picked from
 # bolt#555.
 Patch302: bnc964673-boltdb-metadata-recovery.patch
+Requires(post): udev
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel >= 1.2.68