Accepting request 1082884 from home:cyphar:docker
- Update to Docker 23.0.4-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Renumbered patches: - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Remove upstreamed patches: - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch - Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be built without internet access in OBS. + cli-0001-docs-include-required-tools-in-source-tree.patch OBS-URL: https://build.opensuse.org/request/show/1082884 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=384
parent
fd8d986a59
commit
31e1155fb8
@ -1,7 +1,7 @@
|
|||||||
From 823bedd07fac6778a3d94b6f949ac16e6bd12638 Mon Sep 17 00:00:00 2001
|
From 5c6812a104e161599fc8569d0b4af04224ef3b5a Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||||
Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
|
Subject: [PATCH 1/3] SECRETS: daemon: allow directory creation in /run/secrets
|
||||||
|
|
||||||
Since FileMode can have the directory bit set, allow a SecretStore
|
Since FileMode can have the directory bit set, allow a SecretStore
|
||||||
implementation to return secrets that are actually directories. This is
|
implementation to return secrets that are actually directories. This is
|
||||||
@ -10,11 +10,11 @@ useful for creating directories and subdirectories of secrets.
|
|||||||
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
|
daemon/container_operations_unix.go | 23 ++++++++++++++++++++---
|
||||||
1 file changed, 21 insertions(+), 3 deletions(-)
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
||||||
index 75b4b09b8dc4..583db20aa459 100644
|
index 561077b66b60..0b70825dd2ff 100644
|
||||||
--- a/daemon/container_operations_unix.go
|
--- a/daemon/container_operations_unix.go
|
||||||
+++ b/daemon/container_operations_unix.go
|
+++ b/daemon/container_operations_unix.go
|
||||||
@@ -4,6 +4,7 @@
|
@@ -4,6 +4,7 @@
|
||||||
@ -23,12 +23,12 @@ index 75b4b09b8dc4..583db20aa459 100644
|
|||||||
import (
|
import (
|
||||||
+ "bytes"
|
+ "bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
|
||||||
"os"
|
"os"
|
||||||
@@ -13,6 +14,7 @@ import (
|
"path/filepath"
|
||||||
"github.com/docker/docker/container"
|
@@ -14,6 +15,7 @@ import (
|
||||||
"github.com/docker/docker/daemon/links"
|
"github.com/docker/docker/daemon/links"
|
||||||
"github.com/docker/docker/errdefs"
|
"github.com/docker/docker/errdefs"
|
||||||
|
"github.com/docker/docker/libnetwork"
|
||||||
+ "github.com/docker/docker/pkg/archive"
|
+ "github.com/docker/docker/pkg/archive"
|
||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
"github.com/docker/docker/pkg/stringid"
|
"github.com/docker/docker/pkg/stringid"
|
||||||
@ -37,13 +37,13 @@ index 75b4b09b8dc4..583db20aa459 100644
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "unable to get secret from secret store")
|
return errors.Wrap(err, "unable to get secret from secret store")
|
||||||
}
|
}
|
||||||
- if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
- if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
||||||
- return errors.Wrap(err, "error injecting secret")
|
- return errors.Wrap(err, "error injecting secret")
|
||||||
- }
|
- }
|
||||||
|
|
||||||
uid, err := strconv.Atoi(s.File.UID)
|
uid, err := strconv.Atoi(s.File.UID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -55,14 +55,13 @@ index 75b4b09b8dc4..583db20aa459 100644
|
|||||||
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
||||||
+ // archive of the directory. So we just do a tar extraction here.
|
+ // archive of the directory. So we just do a tar extraction here.
|
||||||
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
||||||
+ UIDMaps: daemon.idMapping.UIDs(),
|
+ IDMap: daemon.idMapping,
|
||||||
+ GIDMaps: daemon.idMapping.GIDs(),
|
|
||||||
+ }); err != nil {
|
+ }); err != nil {
|
||||||
+ return errors.Wrap(err, "error injecting secretdir")
|
+ return errors.Wrap(err, "error injecting secretdir")
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ } else {
|
+ } else {
|
||||||
+ if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
+ if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
|
||||||
+ return errors.Wrap(err, "error injecting secret")
|
+ return errors.Wrap(err, "error injecting secret")
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
@ -70,5 +69,5 @@ index 75b4b09b8dc4..583db20aa459 100644
|
|||||||
return errors.Wrap(err, "error setting ownership for secret")
|
return errors.Wrap(err, "error setting ownership for secret")
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.0
|
||||||
|
|
||||||
|
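Review bot: In the directory branch added to setupSecretDir, `archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, ...)` wraps the secret bytes in a read-write buffer although they are only read; `bytes.NewReader(secret.Spec.Data)` states that intent. The branch also deserves a comment on permissions: as far as the visible lines show, `s.File.Mode` is passed only to `os.WriteFile` in the file branch, so the modes of extracted entries presumably come from the tar headers, e.g. `// entry modes come from the archive; s.File.Mode is not applied to extracted entries`. The condition that selects this branch and the ownership code after it are elided on this page, so confirm this against the full function.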
@ -1,7 +1,7 @@
|
|||||||
From fa24396cbecbb6cdc7c734559389486849c2268c Mon Sep 17 00:00:00 2001
|
From 4138c02a19fbd3d3ff50f0b364bf4b99adc47298 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||||
Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
|
Subject: [PATCH 2/3] SECRETS: SUSE: implement SUSE container secrets
|
||||||
|
|
||||||
This allows for us to pass in host credentials to a container, allowing
|
This allows for us to pass in host credentials to a container, allowing
|
||||||
for SUSEConnect to work with containers.
|
for SUSEConnect to work with containers.
|
||||||
@ -14,12 +14,12 @@ SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
|
|||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
daemon/start.go | 5 +
|
daemon/start.go | 5 +
|
||||||
daemon/suse_secrets.go | 410 +++++++++++++++++++++++++++++++++++++++++
|
daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++
|
||||||
2 files changed, 415 insertions(+)
|
2 files changed, 420 insertions(+)
|
||||||
create mode 100644 daemon/suse_secrets.go
|
create mode 100644 daemon/suse_secrets.go
|
||||||
|
|
||||||
diff --git a/daemon/start.go b/daemon/start.go
|
diff --git a/daemon/start.go b/daemon/start.go
|
||||||
index d9bc082b1078..091dae2ae65e 100644
|
index 9d6f7812b67c..53c42082c5bf 100644
|
||||||
--- a/daemon/start.go
|
--- a/daemon/start.go
|
||||||
+++ b/daemon/start.go
|
+++ b/daemon/start.go
|
||||||
@@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
|
@@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
|
||||||
@ -36,10 +36,10 @@ index d9bc082b1078..091dae2ae65e 100644
|
|||||||
return errdefs.System(err)
|
return errdefs.System(err)
|
||||||
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000000..9ee33adf7497
|
index 000000000000..32b0ece91b59
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/daemon/suse_secrets.go
|
+++ b/daemon/suse_secrets.go
|
||||||
@@ -0,0 +1,410 @@
|
@@ -0,0 +1,415 @@
|
||||||
+/*
|
+/*
|
||||||
+ * suse-secrets: patch for Docker to implement SUSE secrets
|
+ * suse-secrets: patch for Docker to implement SUSE secrets
|
||||||
+ * Copyright (C) 2017-2021 SUSE LLC.
|
+ * Copyright (C) 2017-2021 SUSE LLC.
|
||||||
@ -75,8 +75,8 @@ index 000000000000..9ee33adf7497
|
|||||||
+ "github.com/docker/docker/pkg/idtools"
|
+ "github.com/docker/docker/pkg/idtools"
|
||||||
+
|
+
|
||||||
+ swarmtypes "github.com/docker/docker/api/types/swarm"
|
+ swarmtypes "github.com/docker/docker/api/types/swarm"
|
||||||
+ swarmexec "github.com/docker/swarmkit/agent/exec"
|
+ swarmexec "github.com/moby/swarmkit/v2/agent/exec"
|
||||||
+ swarmapi "github.com/docker/swarmkit/api"
|
+ swarmapi "github.com/moby/swarmkit/v2/api"
|
||||||
+
|
+
|
||||||
+ "github.com/opencontainers/go-digest"
|
+ "github.com/opencontainers/go-digest"
|
||||||
+ "github.com/sirupsen/logrus"
|
+ "github.com/sirupsen/logrus"
|
||||||
@ -113,7 +113,7 @@ index 000000000000..9ee33adf7497
|
|||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference {
|
+func (s SuseFakeFile) toSecretReference(idMaps idtools.IdentityMapping) *swarmtypes.SecretReference {
|
||||||
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
|
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
|
||||||
+ // back to root if the UID/GID don't match (we are guaranteed that root is
|
+ // back to root if the UID/GID don't match (we are guaranteed that root is
|
||||||
+ // mapped).
|
+ // mapped).
|
||||||
@ -345,6 +345,7 @@ index 000000000000..9ee33adf7497
|
|||||||
+ suseEmptyStore struct{}
|
+ suseEmptyStore struct{}
|
||||||
+ suseEmptySecret struct{}
|
+ suseEmptySecret struct{}
|
||||||
+ suseEmptyConfig struct{}
|
+ suseEmptyConfig struct{}
|
||||||
|
+ suseEmptyVolume struct{}
|
||||||
+)
|
+)
|
||||||
+
|
+
|
||||||
+// In order to reduce the amount of code touched outside of this file, we
|
+// In order to reduce the amount of code touched outside of this file, we
|
||||||
@ -356,14 +357,17 @@ index 000000000000..9ee33adf7497
|
|||||||
+ emptyStore swarmexec.DependencyGetter = suseEmptyStore{}
|
+ emptyStore swarmexec.DependencyGetter = suseEmptyStore{}
|
||||||
+ emptySecret swarmexec.SecretGetter = suseEmptySecret{}
|
+ emptySecret swarmexec.SecretGetter = suseEmptySecret{}
|
||||||
+ emptyConfig swarmexec.ConfigGetter = suseEmptyConfig{}
|
+ emptyConfig swarmexec.ConfigGetter = suseEmptyConfig{}
|
||||||
|
+ emptyVolume swarmexec.VolumeGetter = suseEmptyVolume{}
|
||||||
+)
|
+)
|
||||||
+
|
+
|
||||||
+var errSuseEmptyStore = fmt.Errorf("SUSE:secrets :: tried to get a resource from empty store [this is a bug]")
|
+var errSuseEmptyStore = fmt.Errorf("SUSE:secrets :: tried to get a resource from empty store [this is a bug]")
|
||||||
+
|
+
|
||||||
+func (_ suseEmptyConfig) Get(_ string) (*swarmapi.Config, error) { return nil, errSuseEmptyStore }
|
+func (_ suseEmptyConfig) Get(_ string) (*swarmapi.Config, error) { return nil, errSuseEmptyStore }
|
||||||
+func (_ suseEmptySecret) Get(_ string) (*swarmapi.Secret, error) { return nil, errSuseEmptyStore }
|
+func (_ suseEmptySecret) Get(_ string) (*swarmapi.Secret, error) { return nil, errSuseEmptyStore }
|
||||||
|
+func (_ suseEmptyVolume) Get(_ string) (string, error) { return "", errSuseEmptyStore }
|
||||||
+func (_ suseEmptyStore) Secrets() swarmexec.SecretGetter { return emptySecret }
|
+func (_ suseEmptyStore) Secrets() swarmexec.SecretGetter { return emptySecret }
|
||||||
+func (_ suseEmptyStore) Configs() swarmexec.ConfigGetter { return emptyConfig }
|
+func (_ suseEmptyStore) Configs() swarmexec.ConfigGetter { return emptyConfig }
|
||||||
|
+func (_ suseEmptyStore) Volumes() swarmexec.VolumeGetter { return emptyVolume }
|
||||||
+
|
+
|
||||||
+type suseDependencyStore struct {
|
+type suseDependencyStore struct {
|
||||||
+ dfl swarmexec.DependencyGetter
|
+ dfl swarmexec.DependencyGetter
|
||||||
@ -373,6 +377,7 @@ index 000000000000..9ee33adf7497
|
|||||||
+// The following are effectively dumb wrappers that return ourselves, or the
|
+// The following are effectively dumb wrappers that return ourselves, or the
|
||||||
+// default.
|
+// default.
|
||||||
+func (s *suseDependencyStore) Secrets() swarmexec.SecretGetter { return s }
|
+func (s *suseDependencyStore) Secrets() swarmexec.SecretGetter { return s }
|
||||||
|
+func (s *suseDependencyStore) Volumes() swarmexec.VolumeGetter { return emptyVolume }
|
||||||
+func (s *suseDependencyStore) Configs() swarmexec.ConfigGetter { return s.dfl.Configs() }
|
+func (s *suseDependencyStore) Configs() swarmexec.ConfigGetter { return s.dfl.Configs() }
|
||||||
+
|
+
|
||||||
+// Get overrides the underlying DependencyGetter with our own secrets (falling
|
+// Get overrides the underlying DependencyGetter with our own secrets (falling
|
||||||
@ -451,5 +456,5 @@ index 000000000000..9ee33adf7497
|
|||||||
+ return nil
|
+ return nil
|
||||||
+}
|
+}
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.0
|
||||||
|
|
||||||
|
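Review bot: `suseDependencyStore.Volumes()` returns `emptyVolume` unconditionally, while the neighbouring `Configs()` delegates to `s.dfl.Configs()` and the comment above both describes them as wrappers that return "ourselves, or the default". Every volume lookup made through this store will therefore fail with `errSuseEmptyStore` ("[this is a bug]"), even when the wrapped getter could have answered it. If that is intended, a comment on the method should say so; otherwise `func (s *suseDependencyStore) Volumes() swarmexec.VolumeGetter { return s.dfl.Volumes() }` keeps the wrapper transparent and still yields `emptyVolume` when `s.dfl` is the empty store. Most of suse_secrets.go is elided on this page, so whether `s.dfl` can be a real swarm store here needs checking against the full file.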
@ -1,7 +1,7 @@
|
|||||||
From bc52d15141402d94eeaee618f1df0b540f527b98 Mon Sep 17 00:00:00 2001
|
From 3e37bbad6f0a0c2576ad0b9dfe7a4a9290aa2aa0 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||||
Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
|
Subject: [PATCH 3/3] bsc1073877: apparmor: clobber docker-default profile on
|
||||||
start
|
start
|
||||||
|
|
||||||
In the process of making docker-default reloading far less expensive,
|
In the process of making docker-default reloading far less expensive,
|
||||||
@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|||||||
3 files changed, 17 insertions(+), 6 deletions(-)
|
3 files changed, 17 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
|
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
|
||||||
index 21813ec14f8f..0de75b32b7fa 100644
|
index 6376001613f7..5fde21a4af8a 100644
|
||||||
--- a/daemon/apparmor_default.go
|
--- a/daemon/apparmor_default.go
|
||||||
+++ b/daemon/apparmor_default.go
|
+++ b/daemon/apparmor_default.go
|
||||||
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
|
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
|
||||||
@ -30,7 +30,7 @@ index 21813ec14f8f..0de75b32b7fa 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
+func clobberDefaultAppArmorProfile() error {
|
+func clobberDefaultAppArmorProfile() error {
|
||||||
+ if apparmor.IsEnabled() {
|
+ if apparmor.HostSupports() {
|
||||||
+ if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
|
+ if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
|
||||||
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
|
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
|
||||||
+ }
|
+ }
|
||||||
@ -39,7 +39,7 @@ index 21813ec14f8f..0de75b32b7fa 100644
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
func ensureDefaultAppArmorProfile() error {
|
func ensureDefaultAppArmorProfile() error {
|
||||||
if apparmor.IsEnabled() {
|
if apparmor.HostSupports() {
|
||||||
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
|
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
|
||||||
@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
|
@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
|
||||||
}
|
}
|
||||||
@ -69,10 +69,10 @@ index e3dc18b32b5e..9c7723056268 100644
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
||||||
index f15a4b038498..2f0c23bc62c9 100644
|
index 40abbe8cc19c..05c6db818c30 100644
|
||||||
--- a/daemon/daemon.go
|
--- a/daemon/daemon.go
|
||||||
+++ b/daemon/daemon.go
|
+++ b/daemon/daemon.go
|
||||||
@@ -857,8 +857,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
@@ -807,8 +807,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -85,5 +85,5 @@ index f15a4b038498..2f0c23bc62c9 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
--
|
--
|
||||||
2.38.1
|
2.40.0
|
||||||
|
|
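Review bot: `clobberDefaultAppArmorProfile` formats the failure from `aaprofile.InstallDefault` with `%s`, which flattens it to text so callers cannot inspect it with errors.Is or errors.As; `fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %w", defaultAppArmorProfile, err)` keeps the chain. The guard is now `apparmor.HostSupports()` while the message still says "AppArmor enabled on system", so a doc comment on the function stating the actual precondition would keep the two from drifting, e.g. `// clobberDefaultAppArmorProfile (re)installs docker-default when the host supports AppArmor.` Part of the function body and the NewDaemon call site are elided on this page.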
@ -1,144 +0,0 @@
|
|||||||
From 57673ad5455b1b27e41716e33b67c9cd8099b580 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michal Rostecki <mrostecki@opensuse.org>
|
|
||||||
Date: Thu, 8 Apr 2021 14:42:02 +0100
|
|
||||||
Subject: [PATCH 5/7] bsc1183855: btrfs: Do not disable quota on cleanup
|
|
||||||
|
|
||||||
Before this change, cleanup of the btrfs driver (occuring on each daemon
|
|
||||||
shutdown) resulted in disabling quotas. It was done with an assumption
|
|
||||||
that quotas can be enabled or disabled on a subvolume level, which is
|
|
||||||
not true - enabling or disabling quota is always done on a filesystem
|
|
||||||
level.
|
|
||||||
|
|
||||||
That was leading to disabling quota on btrfs filesystems on each daemon
|
|
||||||
shutdown.
|
|
||||||
|
|
||||||
This change fixes that behavior and removes misleading `subvol` prefix
|
|
||||||
from functions and methods which set up quota (on a filesystem level).
|
|
||||||
|
|
||||||
SUSE-Bugs: bsc#1175081 bsc#1183855
|
|
||||||
SUSE-Upstream-Commit: 1ec689c4c2ecda24ed8495451c53072bb0497871
|
|
||||||
Fixes: 401c8d176743 ("Add disk quota support for btrfs")
|
|
||||||
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
|
|
||||||
---
|
|
||||||
daemon/graphdriver/btrfs/btrfs.go | 50 +++++--------------------------
|
|
||||||
1 file changed, 8 insertions(+), 42 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
|
|
||||||
index fa0cdf8666b1..02bbb5da1088 100644
|
|
||||||
--- a/daemon/graphdriver/btrfs/btrfs.go
|
|
||||||
+++ b/daemon/graphdriver/btrfs/btrfs.go
|
|
||||||
@@ -104,7 +104,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
|
||||||
}
|
|
||||||
|
|
||||||
if userDiskQuota {
|
|
||||||
- if err := driver.subvolEnableQuota(); err != nil {
|
|
||||||
+ if err := driver.enableQuota(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -173,18 +173,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
|
|
||||||
|
|
||||||
// Cleanup unmounts the home directory.
|
|
||||||
func (d *Driver) Cleanup() error {
|
|
||||||
- err := d.subvolDisableQuota()
|
|
||||||
- umountErr := mount.Unmount(d.home)
|
|
||||||
-
|
|
||||||
- // in case we have two errors, prefer the one from disableQuota()
|
|
||||||
- if err != nil {
|
|
||||||
+ if err := mount.Unmount(d.home); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
- if umountErr != nil {
|
|
||||||
- return umountErr
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -342,7 +334,7 @@ func (d *Driver) updateQuotaStatus() {
|
|
||||||
d.once.Do(func() {
|
|
||||||
if !d.quotaEnabled {
|
|
||||||
// In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed
|
|
||||||
- if err := subvolQgroupStatus(d.home); err != nil {
|
|
||||||
+ if err := qgroupStatus(d.home); err != nil {
|
|
||||||
// quota is still not enabled
|
|
||||||
return
|
|
||||||
}
|
|
||||||
@@ -351,7 +343,7 @@ func (d *Driver) updateQuotaStatus() {
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
-func (d *Driver) subvolEnableQuota() error {
|
|
||||||
+func (d *Driver) enableQuota() error {
|
|
||||||
d.updateQuotaStatus()
|
|
||||||
|
|
||||||
if d.quotaEnabled {
|
|
||||||
@@ -377,32 +369,6 @@ func (d *Driver) subvolEnableQuota() error {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
-func (d *Driver) subvolDisableQuota() error {
|
|
||||||
- d.updateQuotaStatus()
|
|
||||||
-
|
|
||||||
- if !d.quotaEnabled {
|
|
||||||
- return nil
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- dir, err := openDir(d.home)
|
|
||||||
- if err != nil {
|
|
||||||
- return err
|
|
||||||
- }
|
|
||||||
- defer closeDir(dir)
|
|
||||||
-
|
|
||||||
- var args C.struct_btrfs_ioctl_quota_ctl_args
|
|
||||||
- args.cmd = C.BTRFS_QUOTA_CTL_DISABLE
|
|
||||||
- _, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QUOTA_CTL,
|
|
||||||
- uintptr(unsafe.Pointer(&args)))
|
|
||||||
- if errno != 0 {
|
|
||||||
- return fmt.Errorf("Failed to disable btrfs quota for %s: %v", dir, errno.Error())
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- d.quotaEnabled = false
|
|
||||||
-
|
|
||||||
- return nil
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
func (d *Driver) subvolRescanQuota() error {
|
|
||||||
d.updateQuotaStatus()
|
|
||||||
|
|
||||||
@@ -445,11 +411,11 @@ func subvolLimitQgroup(path string, size uint64) error {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
-// subvolQgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
|
|
||||||
+// qgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
|
|
||||||
// with search key of BTRFS_QGROUP_STATUS_KEY.
|
|
||||||
// In case qgroup is enabled, the retuned key type will match BTRFS_QGROUP_STATUS_KEY.
|
|
||||||
// For more details please see https://github.com/kdave/btrfs-progs/blob/v4.9/qgroup.c#L1035
|
|
||||||
-func subvolQgroupStatus(path string) error {
|
|
||||||
+func qgroupStatus(path string) error {
|
|
||||||
dir, err := openDir(path)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
@@ -623,7 +589,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
|
|
||||||
if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
|
|
||||||
return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace)))
|
|
||||||
}
|
|
||||||
- if err := d.subvolEnableQuota(); err != nil {
|
|
||||||
+ if err := d.enableQuota(); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return subvolLimitQgroup(dir, driver.options.size)
|
|
||||||
@@ -677,7 +643,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
|
|
||||||
|
|
||||||
if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
|
|
||||||
if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace {
|
|
||||||
- if err := d.subvolEnableQuota(); err != nil {
|
|
||||||
+ if err := d.enableQuota(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if err := subvolLimitQgroup(dir, size); err != nil {
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
File diff suppressed because it is too large
@ -1,56 +0,0 @@
|
|||||||
From 6451aa1559ce5a135f599682ab33721e116925bd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sebastiaan van Stijn <github@gone.nl>
|
|
||||||
Date: Fri, 29 Jan 2021 14:55:08 +0100
|
|
||||||
Subject: [PATCH 7/7] bsc1200022: fifo.Close(): prevent possible panic if fifo
|
|
||||||
is nil
|
|
||||||
|
|
||||||
I'm not sure if this is the right approach, and synchronisation should probably
|
|
||||||
be added elsewhere to fix the underlying issue.
|
|
||||||
|
|
||||||
Trying to prevent a panic that was seen on container restore in th docker daemon:
|
|
||||||
|
|
||||||
panic: runtime error: invalid memory address or nil pointer dereference
|
|
||||||
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x5586c892a7a4]
|
|
||||||
|
|
||||||
goroutine 420 [running]:
|
|
||||||
github.com/docker/docker/vendor/github.com/containerd/fifo.(*fifo).Close(0x0, 0x0, 0x0)
|
|
||||||
/go/src/github.com/docker/docker/vendor/github.com/containerd/fifo/fifo.go:208 +0x44
|
|
||||||
github.com/docker/docker/vendor/github.com/containerd/containerd/cio.(*cio).Close(0xc000d06f60, 0x5586cb5654d0, 0xc000d8e9e8)
|
|
||||||
/go/src/github.com/docker/docker/vendor/github.com/containerd/containerd/cio/io.go:203 +0x90
|
|
||||||
github.com/docker/docker/libcontainerd/remote.(*client).Restore.func1(0xc0008bf820, 0xc0008a2040)
|
|
||||||
/go/src/github.com/docker/docker/libcontainerd/remote/client.go:86 +0x5a
|
|
||||||
github.com/docker/docker/libcontainerd/remote.(*client).Restore(0xc00098e5b0, 0x5586cb61c7c0, 0xc000052088, 0xc0011b6500, 0x40, 0xc0008bf810, 0x5586cb05cf00, 0xffffffffffffffff, 0x0, 0x0, ...)
|
|
||||||
/go/src/github.com/docker/docker/libcontainerd/remote/client.go:107 +0x923
|
|
||||||
github.com/docker/docker/daemon.(*Daemon).restore.func3(0xc00079d9e0, 0xc000a38230, 0xc00000c1e0, 0xc00079d9a8, 0xc000d84f00, 0xc000d84ed0, 0xc000d84ea0, 0xc00128a280)
|
|
||||||
/go/src/github.com/docker/docker/daemon/daemon.go:351 +0x48a
|
|
||||||
created by github.com/docker/docker/daemon.(*Daemon).restore
|
|
||||||
/go/src/github.com/docker/docker/daemon/daemon.go:319 +0x4b3
|
|
||||||
|
|
||||||
If the fifo is nil, there's nothing to be done in Close(), so returning early
|
|
||||||
in that situation.
|
|
||||||
|
|
||||||
Backport: <https://github.com/containerd/fifo/pull/32>
|
|
||||||
SUSE-Bugs: bsc#1200022
|
|
||||||
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
|
|
||||||
---
|
|
||||||
vendor/github.com/containerd/fifo/fifo.go | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/vendor/github.com/containerd/fifo/fifo.go b/vendor/github.com/containerd/fifo/fifo.go
|
|
||||||
index 96c214f270bf..c3eec295b578 100644
|
|
||||||
--- a/vendor/github.com/containerd/fifo/fifo.go
|
|
||||||
+++ b/vendor/github.com/containerd/fifo/fifo.go
|
|
||||||
@@ -204,6 +204,10 @@ func (f *fifo) Write(b []byte) (int, error) {
|
|
||||||
// before open(2) has returned and fifo was never opened.
|
|
||||||
func (f *fifo) Close() (retErr error) {
|
|
||||||
for {
|
|
||||||
+ if f == nil {
|
|
||||||
+ return
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
select {
|
|
||||||
case <-f.closed:
|
|
||||||
f.handle.Close()
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
16
_service
@ -3,26 +3,18 @@
|
|||||||
<param name="url">https://github.com/moby/moby.git</param>
|
<param name="url">https://github.com/moby/moby.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">20.10.23_ce_%h</param>
|
<param name="versionformat">23.0.4_ce_%h</param>
|
||||||
<param name="revision">v20.10.23</param>
|
<param name="revision">v23.0.4</param>
|
||||||
<param name="filename">docker</param>
|
<param name="filename">docker</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="tar_scm" mode="disabled">
|
<service name="tar_scm" mode="disabled">
|
||||||
<param name="url">https://github.com/docker/cli.git</param>
|
<param name="url">https://github.com/docker/cli.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">20.10.23_ce</param>
|
<param name="versionformat">23.0.4_ce</param>
|
||||||
<param name="revision">v20.10.23</param>
|
<param name="revision">v23.0.4</param>
|
||||||
<param name="filename">docker-cli</param>
|
<param name="filename">docker-cli</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="tar_scm" mode="disabled">
|
|
||||||
<param name="url">https://github.com/docker/libnetwork.git</param>
|
|
||||||
<param name="scm">git</param>
|
|
||||||
<param name="exclude">.git</param>
|
|
||||||
<param name="versionformat">%H</param>
|
|
||||||
<param name="revision">05b93e0d3a95952f70c113b0bc5bdb538d7afdd7</param>
|
|
||||||
<param name="filename">docker-libnetwork</param>
|
|
||||||
</service>
|
|
||||||
<service name="recompress" mode="disabled">
|
<service name="recompress" mode="disabled">
|
||||||
<param name="file">docker-*.tar</param>
|
<param name="file">docker-*.tar</param>
|
||||||
<param name="compression">xz</param>
|
<param name="compression">xz</param>
|
||||||
|
23756
cli-0001-docs-include-required-tools-in-source-tree.patch
Normal file
File diff suppressed because it is too large
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:0d6b832806f3144a4b917657f615d9388081e7c7b3f77db3b4b7c6c01b931686
|
|
||||||
size 6589992
|
|
3
docker-23.0.4_ce_cbce3319305c.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:5a4b5308b55bf785e97acf5dca70866a362b71b8d314ce4762fb0bc7be59d611
|
||||||
|
size 8261820
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:c2a96dd55814fc22ccfe054b78438963fc139b292696bc3ba7667abd399d7c70
|
|
||||||
size 4320480
|
|
3
docker-cli-23.0.4_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:5d870ff012fbf1abc1dd7d01188894940ad7a9fc1d829ebb95377b298f1cbee7
|
||||||
|
size 3497948
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:44fa1530b22f18434174b03895c8933b356f254b718855fd7487888afbb10e91
|
|
||||||
size 1983112
|
|
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 26 00:31:54 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Update to Docker 23.0.4-ce. See upstream changelog online at
|
||||||
|
<https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
|
||||||
|
- Rebase patches:
|
||||||
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||||
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||||
|
* 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
|
- Renumbered patches:
|
||||||
|
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
|
||||||
|
- 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
|
||||||
|
- 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
|
||||||
|
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
|
||||||
|
built without internet access in OBS.
|
||||||
|
+ cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Feb 1 14:33:19 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
Wed Feb 1 14:33:19 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
184
docker.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package docker
|
# spec file for package docker
|
||||||
#
|
#
|
||||||
# Copyright (c) 2021 SUSE LLC
|
# Copyright (c) 2023 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -26,37 +26,16 @@
|
|||||||
%define _fillupdir /var/adm/fillup-templates
|
%define _fillupdir /var/adm/fillup-templates
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Handle _multibuild magic.
|
|
||||||
%define flavour @BUILD_FLAVOR@%{nil}
|
|
||||||
|
|
||||||
# We split the Name: into "realname" and "name_suffix".
|
|
||||||
%define realname docker
|
|
||||||
%if "%flavour" == ""
|
|
||||||
%define name_suffix %{nil}
|
|
||||||
%else
|
|
||||||
%define name_suffix -%{flavour}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Used when generating the "build" information for Docker version. The value of
|
# Used when generating the "build" information for Docker version. The value of
|
||||||
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
|
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
|
||||||
# helpfully injects into our build environment from the changelog). If you want
|
# helpfully injects into our build environment from the changelog). If you want
|
||||||
# to generate a new git_commit_epoch, use this:
|
# to generate a new git_commit_epoch, use this:
|
||||||
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
||||||
%define real_version 20.10.23
|
%define real_version 23.0.4
|
||||||
%define git_version 6051f1429
|
%define git_version cbce3319305c
|
||||||
%define git_commit_epoch 1674059068
|
%define git_commit_epoch 1681433958
|
||||||
|
|
||||||
# We require a specific pin of libnetwork because it doesn't really do
|
Name: docker
|
||||||
# versioning and minor version mismatches in libnetwork can break Docker
|
|
||||||
# networking. All other key runtime dependencies (containerd, runc) are stable
|
|
||||||
# enough that this isn't necessary.
|
|
||||||
%define libnetwork_version 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7
|
|
||||||
|
|
||||||
%define dist_builddir %{_builddir}/dist-suse
|
|
||||||
%define cli_builddir %{dist_builddir}/src/github.com/docker/cli
|
|
||||||
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
|
|
||||||
|
|
||||||
Name: %{realname}%{name_suffix}
|
|
||||||
Version: %{real_version}_ce
|
Version: %{real_version}_ce
|
||||||
# This "nice version" is so that docker --version gives a result that can be
|
# This "nice version" is so that docker --version gives a result that can be
|
||||||
# parsed by other people. boo#1182476
|
# parsed by other people. boo#1182476
|
||||||
@ -66,9 +45,8 @@ Summary: The Moby-project Linux container runtime
|
|||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
Group: System/Management
|
Group: System/Management
|
||||||
URL: http://www.docker.io
|
URL: http://www.docker.io
|
||||||
Source: %{realname}-%{version}_%{git_version}.tar.xz
|
Source: %{name}-%{version}_%{git_version}.tar.xz
|
||||||
Source1: %{realname}-cli-%{version}.tar.xz
|
Source1: %{name}-cli-%{version}.tar.xz
|
||||||
Source2: %{realname}-libnetwork-%{libnetwork_version}.tar.xz
|
|
||||||
Source3: docker-rpmlintrc
|
Source3: docker-rpmlintrc
|
||||||
# TODO: Move these source files to somewhere nicer.
|
# TODO: Move these source files to somewhere nicer.
|
||||||
Source100: docker.service
|
Source100: docker.service
|
||||||
@ -87,14 +65,9 @@ Patch100: 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
|||||||
Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||||
# SUSE-FEATURE: Add support to mirror unofficial/private registries
|
# SUSE-FEATURE: Add support to mirror unofficial/private registries
|
||||||
# <https://github.com/docker/docker/pull/34319>.
|
# <https://github.com/docker/docker/pull/34319>.
|
||||||
Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
Patch300: 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
|
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
|
||||||
Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
|
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||||
# SUSE-BACKPORT: Backport of several golang.org/x/crypto updates.
|
|
||||||
# bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191
|
|
||||||
Patch302: 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
|
|
||||||
# SUSE-BACKPORT: Backport of <https://github.com/containerd/fifo/pull/32>. bsc#1200022
|
|
||||||
Patch303: 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
|
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: ca-certificates
|
BuildRequires: ca-certificates
|
||||||
@ -111,17 +84,17 @@ BuildRequires: fish
|
|||||||
BuildRequires: go-go-md2man
|
BuildRequires: go-go-md2man
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
BuildRequires: pkgconfig(libsystemd)
|
||||||
BuildRequires: sysuser-tools
|
BuildRequires: sysuser-tools
|
||||||
BuildRequires: golang(API) = 1.18
|
BuildRequires: golang(API) = 1.19
|
||||||
Requires: (apparmor-parser or container-selinux)
|
Requires: (apparmor-parser or container-selinux)
|
||||||
Requires: ca-certificates-mozilla
|
Requires: ca-certificates-mozilla
|
||||||
# The docker-proxy binary used to be in a separate package. We obsolete it,
|
# The docker-proxy binary used to be in a separate package. We obsolete it,
|
||||||
# since now docker-proxy is maintained as part of this package.
|
# since now docker-proxy is maintained as part of this package.
|
||||||
Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2
|
Obsoletes: docker-libnetwork < 0.7.0.2
|
||||||
Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
|
Provides: docker-libnetwork = 0.7.0.2.%{version}
|
||||||
# Required to actually run containers. We require the minimum version that is
|
# Required to actually run containers. We require the minimum version that is
|
||||||
# pinned by Docker, but in order to avoid headaches we allow for updates.
|
# pinned by Docker, but in order to avoid headaches we allow for updates.
|
||||||
Requires: runc >= 1.1.2
|
Requires: runc >= 1.1.5
|
||||||
Requires: containerd >= 1.6.9
|
Requires: containerd >= 1.6.20
|
||||||
# Needed for --init support. We don't use "tini", we use our own implementation
|
# Needed for --init support. We don't use "tini", we use our own implementation
|
||||||
# which handles edge-cases better.
|
# which handles edge-cases better.
|
||||||
Requires: catatonit
|
Requires: catatonit
|
||||||
@ -149,7 +122,6 @@ Recommends: lvm2 >= 2.2.89
|
|||||||
Recommends: git-core >= 1.7
|
Recommends: git-core >= 1.7
|
||||||
ExcludeArch: s390 ppc
|
ExcludeArch: s390 ppc
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Docker complements LXC with a high-level API which operates at the process
|
Docker complements LXC with a high-level API which operates at the process
|
||||||
level. It runs unix processes with strong guarantees of isolation and
|
level. It runs unix processes with strong guarantees of isolation and
|
||||||
@ -193,38 +165,27 @@ BuildArch: noarch
|
|||||||
Fish command line completion support for %{name}.
|
Fish command line completion support for %{name}.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{realname}-%{version}_%{git_version}
|
# docker-cli
|
||||||
|
%define cli_builddir %{_builddir}/%{name}-cli-%{version}
|
||||||
|
%setup -q -T -b 1 -n %{name}-cli-%{version}
|
||||||
|
[ "%{cli_builddir}" = "$PWD" ]
|
||||||
|
# offline manpages
|
||||||
|
%patch900 -p1
|
||||||
|
|
||||||
%if 0%{?is_opensuse}
|
# docker
|
||||||
# nothing
|
%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version}
|
||||||
%else
|
%setup -q -n %{name}-%{version}_%{git_version}
|
||||||
|
[ "%{docker_builddir}" = "$PWD" ]
|
||||||
|
# README_SUSE.md for documentation.
|
||||||
|
cp %{SOURCE103} .
|
||||||
|
|
||||||
|
%if 0%{?is_opensuse} == 0
|
||||||
# PATCH-SUSE: Secrets patches.
|
# PATCH-SUSE: Secrets patches.
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
%endif
|
%endif
|
||||||
# bsc#1099277
|
# bsc#1099277
|
||||||
%patch300 -p1
|
%patch300 -p1
|
||||||
# bsc#1183855 bsc#1175081
|
|
||||||
%patch301 -p1
|
|
||||||
# bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191
|
|
||||||
%patch302 -p1
|
|
||||||
# bsc#1200022
|
|
||||||
%patch303 -p1
|
|
||||||
|
|
||||||
# README_SUSE.md for documentation.
|
|
||||||
cp %{SOURCE103} .
|
|
||||||
|
|
||||||
# Extract the docker-cli source in a subdir.
|
|
||||||
mkdir -p %{cli_builddir}
|
|
||||||
pushd %{cli_builddir}
|
|
||||||
xz -dc %{SOURCE1} | tar -xof - --strip-components=1
|
|
||||||
popd
|
|
||||||
|
|
||||||
# Extract the docker-libnetwork source in a subdir.
|
|
||||||
mkdir -p %{proxy_builddir}
|
|
||||||
pushd %{proxy_builddir}
|
|
||||||
xz -dc %{SOURCE2} | tar -xof - --strip-components=1
|
|
||||||
popd
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%sysusers_generate_pre %{SOURCE106} %{name} %{name}.conf
|
%sysusers_generate_pre %{SOURCE106} %{name} %{name}.conf
|
||||||
@ -239,12 +200,7 @@ BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
|
|||||||
BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
|
BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
(cat <<EOF
|
|
||||||
export AUTO_GOPATH=1
|
export AUTO_GOPATH=1
|
||||||
export DOCKER_BUILDTAGS="$BUILDTAGS"
|
|
||||||
# Until boo#1038493 is fixed properly we need to do this hack to get the
|
|
||||||
# compiled-into-the-binary GOROOT.
|
|
||||||
export GOROOT="$(GOROOT= go env GOROOT)"
|
|
||||||
# Make sure we always build PIC code. bsc#1048046
|
# Make sure we always build PIC code. bsc#1048046
|
||||||
export BUILDFLAGS="-buildmode=pie"
|
export BUILDFLAGS="-buildmode=pie"
|
||||||
# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
|
# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
|
||||||
@ -255,50 +211,29 @@ export DOCKER_GITCOMMIT="%{git_version}"
|
|||||||
export GITCOMMIT="%{git_version}"
|
export GITCOMMIT="%{git_version}"
|
||||||
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
|
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
|
||||||
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
|
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
|
||||||
# NOTE: This will have to be removed with the next major Docker bump.
|
|
||||||
export GO111MODULE=off
|
|
||||||
EOF
|
|
||||||
) > docker_build_env
|
|
||||||
. ./docker_build_env
|
|
||||||
|
|
||||||
# Preparing GOPATH so that the client is visible to the compiler
|
|
||||||
mkdir -p src/github.com/docker/
|
|
||||||
ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli"
|
|
||||||
export GOPATH="$GOPATH:$PWD"
|
|
||||||
|
|
||||||
###################
|
###################
|
||||||
## DOCKER ENGINE ##
|
## DOCKER ENGINE ##
|
||||||
###################
|
###################
|
||||||
|
|
||||||
# Ignore the warning that we compile outside a Docker container.
|
pushd "%{docker_builddir}"
|
||||||
|
# use go module for build
|
||||||
|
ln -s {vendor,go}.mod
|
||||||
|
ln -s {vendor,go}.sum
|
||||||
./hack/make.sh dynbinary
|
./hack/make.sh dynbinary
|
||||||
|
popd
|
||||||
|
|
||||||
###################
|
###################
|
||||||
## DOCKER CLIENT ##
|
## DOCKER CLIENT ##
|
||||||
###################
|
###################
|
||||||
|
|
||||||
pushd %{cli_builddir}
|
pushd "%{cli_builddir}"
|
||||||
make dynbinary
|
# use go module for build
|
||||||
|
ln -s {vendor,go}.mod
|
||||||
mkdir -p ./man/man1
|
ln -s {vendor,go}.sum
|
||||||
go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
|
make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages
|
||||||
./gen-manpages --root "$PWD" --target "$PWD/man/man1"
|
|
||||||
./man/md2man-all.sh
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
##################
|
|
||||||
## DOCKER PROXY ##
|
|
||||||
##################
|
|
||||||
|
|
||||||
pushd %{proxy_builddir}
|
|
||||||
GOPATH="%{dist_builddir}" \
|
|
||||||
go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy
|
|
||||||
popd
|
|
||||||
|
|
||||||
# We verify that our libnetwork source is the correct version. This is done
|
|
||||||
# on-build to make sure that someone doing an update didn't miss anything.
|
|
||||||
grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
install -Dd -m0755 \
|
install -Dd -m0755 \
|
||||||
%{buildroot}%{_sysconfdir}/init.d \
|
%{buildroot}%{_sysconfdir}/init.d \
|
||||||
@ -306,30 +241,31 @@ install -Dd -m0755 \
|
|||||||
%{buildroot}%{_sbindir}
|
%{buildroot}%{_sbindir}
|
||||||
|
|
||||||
# docker daemon
|
# docker daemon
|
||||||
install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
|
install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
|
||||||
|
# docker proxy
|
||||||
|
install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
|
||||||
|
|
||||||
|
# /var/lib/docker
|
||||||
install -d %{buildroot}/%{_localstatedir}/lib/docker
|
install -d %{buildroot}/%{_localstatedir}/lib/docker
|
||||||
# daemon.json config file
|
# daemon.json config file
|
||||||
install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
|
install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
|
||||||
|
|
||||||
# docker cli
|
# docker cli
|
||||||
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
|
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
|
||||||
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}"
|
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}"
|
||||||
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}"
|
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}"
|
||||||
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish"
|
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish"
|
||||||
|
|
||||||
# docker proxy
|
|
||||||
install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
|
|
||||||
|
|
||||||
# systemd service
|
# systemd service
|
||||||
install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service
|
install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service
|
||||||
ln -sf service %{buildroot}%{_sbindir}/rcdocker
|
ln -sf service %{buildroot}%{_sbindir}/rcdocker
|
||||||
|
|
||||||
# udev rules that prevents dolphin to show all docker devices and slows down
|
# udev rules that prevents dolphin to show all docker devices and slows down
|
||||||
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
|
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
|
||||||
install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
|
install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
|
||||||
|
|
||||||
# audit rules
|
# audit rules
|
||||||
install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
|
install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
|
||||||
|
|
||||||
# sysconfig file
|
# sysconfig file
|
||||||
install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
|
install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
|
||||||
@ -363,17 +299,17 @@ grep -q '^dockremap:' /etc/subgid || \
|
|||||||
usermod -w 100000000-200000000 dockremap &>/dev/null || \
|
usermod -w 100000000-200000000 dockremap &>/dev/null || \
|
||||||
echo "dockremap:100000000:100000001" >>/etc/subgid ||:
|
echo "dockremap:100000000:100000001" >>/etc/subgid ||:
|
||||||
|
|
||||||
%service_add_pre %{realname}.service
|
%service_add_pre %{name}.service
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post %{realname}.service
|
%service_add_post %{name}.service
|
||||||
%{fillup_only -n docker}
|
%{fillup_only -n docker}
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun %{realname}.service
|
%service_del_preun %{name}.service
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
%service_del_postun %{realname}.service
|
%service_del_postun %{name}.service
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -385,15 +321,15 @@ grep -q '^dockremap:' /etc/subgid || \
|
|||||||
%{_sbindir}/rcdocker
|
%{_sbindir}/rcdocker
|
||||||
%dir %{_localstatedir}/lib/docker/
|
%dir %{_localstatedir}/lib/docker/
|
||||||
|
|
||||||
%{_unitdir}/%{realname}.service
|
%{_unitdir}/%{name}.service
|
||||||
%{_sysusersdir}/%{name}.conf
|
%{_sysusersdir}/%{name}.conf
|
||||||
|
|
||||||
%dir %{_sysconfdir}/docker
|
%dir %{_sysconfdir}/docker
|
||||||
%config(noreplace) %{_sysconfdir}/docker/daemon.json
|
%config(noreplace) %{_sysconfdir}/docker/daemon.json
|
||||||
%{_fillupdir}/sysconfig.docker
|
%{_fillupdir}/sysconfig.docker
|
||||||
|
|
||||||
%config %{_sysconfdir}/audit/rules.d/%{realname}.rules
|
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
|
||||||
%{_udevrulesdir}/80-%{realname}.rules
|
%{_udevrulesdir}/80-%{name}.rules
|
||||||
|
|
||||||
%{_mandir}/man1/docker-*.1%{ext_man}
|
%{_mandir}/man1/docker-*.1%{ext_man}
|
||||||
%{_mandir}/man1/docker.1%{ext_man}
|
%{_mandir}/man1/docker.1%{ext_man}
|
||||||
@ -402,14 +338,14 @@ grep -q '^dockremap:' /etc/subgid || \
|
|||||||
|
|
||||||
%files bash-completion
|
%files bash-completion
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{_datarootdir}/bash-completion/completions/%{realname}
|
%{_datarootdir}/bash-completion/completions/%{name}
|
||||||
|
|
||||||
%files zsh-completion
|
%files zsh-completion
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{_sysconfdir}/zsh_completion.d/_%{realname}
|
%{_sysconfdir}/zsh_completion.d/_%{name}
|
||||||
|
|
||||||
%files fish-completion
|
%files fish-completion
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%{_datadir}/fish/vendor_completions.d/%{realname}.fish
|
%{_datadir}/fish/vendor_completions.d/%{name}.fish
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
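Review bot: In the `%build` hunk at `@ -239,12 +200,7 @`, the new side keeps the `BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"` assignment but drops `export DOCKER_BUILDTAGS="$BUILDTAGS"` together with the `docker_build_env` heredoc, so as far as the visible lines show the tag list never reaches `./hack/make.sh dynbinary`. If the 23.0.4 engine build still reads `DOCKER_BUILDTAGS` for any of these tags (not verifiable from this page), the daemon would be built without them while the build still succeeds, which is an easy regression to miss for the AppArmor/SELinux/seccomp set. I would restore `export DOCKER_BUILDTAGS="$BUILDTAGS"` next to `export BUILDFLAGS="-buildmode=pie"`, or remove the now-unused `BUILDTAGS` assignment and leave a comment stating that the tags are no longer needed. The `%build` section begins before this hunk, so an export in lines the page does not show cannot be ruled out.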