From 39b29090832ea81ffadaa9293bf7b4c2005da9460fa50ff5e493d58b9f56a991 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Sat, 30 Jan 2021 01:14:10 +0000 Subject: [PATCH] - Update to Docker 20.10.2-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1181594 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=352 --- ...-Remove-docker-prefix-for-containerd.patch | 110 ++++++++ ...llow-directory-creation-in-run-secre.patch | 20 +- ...USE-implement-SUSE-container-secrets.patch | 58 ++-- ...-add-private-registry-mirror-support.patch | 265 +++++++++--------- ...mor-clobber-docker-default-profile-o.patch | 53 ++-- _service | 14 +- ...-interfaces-to-firewalld-docker-zone.patch | 230 --------------- ...1-apparmor-allow-readby-and-tracedby.patch | 40 --- ...1-Rename-bin-md2man-to-bin-go-md2man.patch | 59 ++++ docker-19.03.14_ce_5eb3275d4006.tar.xz | 3 - docker-20.10.2_ce_8891c58a433a.tar.xz | 3 + docker-cli-20.10.2_ce.tar.xz | 3 + docker.changes | 24 ++ docker.spec | 157 ++++++----- ...cker-prefix-for-containerd-and-runc-.patch | 126 --------- 15 files changed, 497 insertions(+), 668 deletions(-) create mode 100644 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch rename secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch => 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch (76%) rename secrets-0002-SUSE-implement-SUSE-container-secrets.patch => 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch (92%) rename private-registry-0001-Add-private-registry-mirror-support.patch => 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch (84%) rename bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch => 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch (55%) delete mode 100644 boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch delete mode 100644 bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch create mode 100644 cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch delete mode 100644 
docker-19.03.14_ce_5eb3275d4006.tar.xz create mode 100644 docker-20.10.2_ce_8891c58a433a.tar.xz create mode 100644 docker-cli-20.10.2_ce.tar.xz delete mode 100644 packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch diff --git a/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch b/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch new file mode 100644 index 0000000..28d9dc8 --- /dev/null +++ b/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch 
@@ -0,0 +1,110 @@
+From 9961826453fee3b52244ba920359b9e2f9ad137c Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 29 Nov 2018 20:53:16 +1100
+Subject: [PATCH 1/5] PACKAGING: revert "Remove 'docker-' prefix for containerd
+ and runc binaries"
+
+This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
+would significantly break openSUSE's packaging (as well as causing
+conflicts between the very-outdated runc that Docker uses and the more
+up-to-date one available for Podman).
+
+Signed-off-by: Aleksa Sarai
+---
+ builder/builder-next/executor_unix.go | 2 +-
+ daemon/daemon_unix.go | 8 ++++++--
+ libcontainerd/supervisor/remote_daemon.go | 4 ++--
+ libcontainerd/supervisor/remote_daemon_linux.go | 4 ++--
+ libcontainerd/supervisor/remote_daemon_windows.go | 4 ++--
+ 5 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
+index c052ec707fec..d1caf53f5023 100644
+--- a/builder/builder-next/executor_unix.go
++++ b/builder/builder-next/executor_unix.go
+@@ -32,7 +32,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn
+ }
+ return runcexecutor.New(runcexecutor.Opt{
+ Root: filepath.Join(root, "executor"),
+- CommandCandidates: []string{"runc"},
++ CommandCandidates: []string{"docker-runc", "runc"},
+ DefaultCgroupParent: cgroupParent,
+ Rootless: rootless,
+ NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
+diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
+index 5fa688dff4c7..f610fdb01d27 100644
+--- a/daemon/daemon_unix.go
++++ b/daemon/daemon_unix.go
+@@ -58,11 +58,11 @@ const (
+
+ // DefaultShimBinary is the default shim to be used by containerd if none
+ // is specified
+- DefaultShimBinary = "containerd-shim"
++ DefaultShimBinary = "docker-containerd-shim"
+
+ // DefaultRuntimeBinary is the default runtime to be used by
+ // containerd if none is specified
+- DefaultRuntimeBinary = "runc"
++ DefaultRuntimeBinary = "docker-runc"
+
+ // See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
+ linuxMinCPUShares = 2
+@@ -78,6 +78,10 @@ const (
+ cgroupFsDriver = "cgroupfs"
+ cgroupSystemdDriver = "systemd"
+ cgroupNoneDriver = "none"
++
++ // DefaultRuntimeName is the default runtime to be used by
++ // containerd if none is specified
++ DefaultRuntimeName = "docker-runc"
+ )
+
+ type containerGetter interface {
+diff --git a/libcontainerd/supervisor/remote_daemon.go b/libcontainerd/supervisor/remote_daemon.go
+index 3538612246f4..f17868a7e1f8 100644
+--- a/libcontainerd/supervisor/remote_daemon.go
++++ b/libcontainerd/supervisor/remote_daemon.go
+@@ -27,8 +27,8 @@ const (
+ shutdownTimeout = 15 * time.Second
+ startupTimeout = 15 * time.Second
+ configFile = "containerd.toml"
+- binaryName = "containerd"
+- pidFile = "containerd.pid"
++ binaryName = "docker-containerd"
++ pidFile = "docker-containerd.pid"
+ )
+
+ type pluginConfigs struct {
+diff --git a/libcontainerd/supervisor/remote_daemon_linux.go b/libcontainerd/supervisor/remote_daemon_linux.go
+index d229881a62b3..da93fc45371d 100644
+--- a/libcontainerd/supervisor/remote_daemon_linux.go
++++ b/libcontainerd/supervisor/remote_daemon_linux.go
+@@ -11,8 +11,8 @@ import (
+ )
+
+ const (
+- sockFile = "containerd.sock"
+- debugSockFile = "containerd-debug.sock"
++ sockFile = "docker-containerd.sock"
++ debugSockFile = "docker-containerd-debug.sock"
+ )
+
+ func (r *remote) setDefaults() {
+diff --git a/libcontainerd/supervisor/remote_daemon_windows.go b/libcontainerd/supervisor/remote_daemon_windows.go
+index 9b254ef58a0a..bcdc9529e0f7 100644
+--- a/libcontainerd/supervisor/remote_daemon_windows.go
++++ b/libcontainerd/supervisor/remote_daemon_windows.go
+@@ -7,8 +7,8 @@ import (
+ )
+
+ const (
+- grpcPipeName = `\\.\pipe\containerd-containerd`
+- debugPipeName = `\\.\pipe\containerd-debug`
++ grpcPipeName =
`\\.\pipe\docker-containerd-containerd` ++ debugPipeName = `\\.\pipe\docker-containerd-debug` + ) + + func (r *remote) setDefaults() { +-- +2.30.0 + diff --git a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch b/0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch similarity index 76% rename from secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch rename to 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index 82fb391..f51629e 100644 --- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch +++ b/0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,7 @@ -From 47b241f184e61474957c4ffb8a3dcbaa543eadb9 Mon Sep 17 00:00:00 2001 +From e24062ca12b575bc417fea2f46544ccd18e5f1eb Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets +Subject: [PATCH 2/5] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -10,13 +10,13 @@ useful for creating directories and subdirectories of secrets. Signed-off-by: Antonio Murdaca Signed-off-by: Aleksa Sarai --- - .../daemon/container_operations_unix.go | 24 ++++++++++++++++--- + daemon/container_operations_unix.go | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) -diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go -index 3fcdc1913bed..4920def81a7e 100644 ---- a/components/engine/daemon/container_operations_unix.go -+++ b/components/engine/daemon/container_operations_unix.go +diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go +index f4f1bd2c0b6a..f18f522485ee 100644 +--- a/daemon/container_operations_unix.go ++++ b/daemon/container_operations_unix.go 
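Review bot: In the executor_unix.go part of this new patch, `CommandCandidates: []string{"docker-runc", "runc"}` keeps plain `runc` as a fallback, so when `docker-runc` is absent the builder would presumably run whichever `runc` the daemon's PATH resolves first, which is the mixing of runtimes the patch description says it wants to avoid. If the package always ships `docker-runc`, `CommandCandidates: []string{"docker-runc"},` would fail loudly instead of silently switching binaries. Separately, the added `DefaultRuntimeName` constant in daemon_unix.go repeats the doc comment of `DefaultRuntimeBinary` word for word; its comment should say how the two differ, which is not visible from these hunks.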
@@ -3,6 +3,7 @@ package daemon // import "github.com/docker/docker/daemon" @@ -31,9 +31,9 @@ index 3fcdc1913bed..4920def81a7e 100644 "github.com/docker/docker/errdefs" + "github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/idtools" - "github.com/docker/docker/pkg/mount" "github.com/docker/docker/pkg/stringid" -@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { + "github.com/docker/docker/pkg/system" +@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } @@ -43,7 +43,7 @@ index 3fcdc1913bed..4920def81a7e 100644 uid, err := strconv.Atoi(s.File.UID) if err != nil { -@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } diff --git a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch b/0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch similarity index 92% rename from secrets-0002-SUSE-implement-SUSE-container-secrets.patch rename to 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch index da7c18d..33ef489 100644 --- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch +++ b/0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch @@ -1,7 +1,7 @@ -From 3b3a583ef0704d1a83d172c8a996b1d536e2839b Mon Sep 17 00:00:00 2001 +From 3469fd3b7da0477ba781d95b02bd698c770916f6 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/2] SUSE: implement SUSE container secrets +Subject: [PATCH 3/5] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. 
@@ -13,16 +13,16 @@ MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 Signed-off-by: Aleksa Sarai --- - components/engine/daemon/start.go | 5 + - components/engine/daemon/suse_secrets.go | 406 +++++++++++++++++++++++ - 2 files changed, 411 insertions(+) - create mode 100644 components/engine/daemon/suse_secrets.go + daemon/start.go | 5 + + daemon/suse_secrets.go | 410 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 415 insertions(+) + create mode 100644 daemon/suse_secrets.go -diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go -index 57a7267b7cbb..46c3a603554f 100644 ---- a/components/engine/daemon/start.go -+++ b/components/engine/daemon/start.go -@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint +diff --git a/daemon/start.go b/daemon/start.go +index d9bc082b1078..091dae2ae65e 100644 +--- a/daemon/start.go ++++ b/daemon/start.go +@@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint return err } @@ -34,15 +34,15 @@ index 57a7267b7cbb..46c3a603554f 100644 spec, err := daemon.createSpec(container) if err != nil { return errdefs.System(err) -diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go +diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 -index 000000000000..e8de931cb7ca +index 000000000000..177efcb22295 --- /dev/null -+++ b/components/engine/daemon/suse_secrets.go -@@ -0,0 +1,406 @@ ++++ b/daemon/suse_secrets.go +@@ -0,0 +1,410 @@ +/* + * suse-secrets: patch for Docker to implement SUSE secrets -+ * Copyright (C) 2017 SUSE LLC. ++ * Copyright (C) 2017-2021 SUSE LLC. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. 
@@ -68,17 +68,18 @@ index 000000000000..e8de931cb7ca + "os" + "path/filepath" + "strings" -+ "syscall" + + "github.com/docker/docker/container" + "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/idtools" -+ "github.com/opencontainers/go-digest" -+ "github.com/sirupsen/logrus" + + swarmtypes "github.com/docker/docker/api/types/swarm" + swarmexec "github.com/docker/swarmkit/agent/exec" + swarmapi "github.com/docker/swarmkit/api" ++ ++ "github.com/opencontainers/go-digest" ++ "github.com/sirupsen/logrus" ++ "golang.org/x/sys/unix" +) + +func init() { @@ -148,7 +149,7 @@ index 000000000000..e8de931cb7ca + // Ignore missing files. + if os.IsNotExist(err) { + // If the path itself exists it was a dangling symlink so give a -+ // warning about the dangling symlink. ++ // warning about the symlink dangling. + _, err2 := os.Lstat(path) + if !os.IsNotExist(err2) { + logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path) @@ -158,7 +159,7 @@ index 000000000000..e8de931cb7ca + return nil, err + } else if !fi.IsDir() { + // Just to be safe. -+ logrus.Warnf("SUSE:secrets :: expected %q to be a directory, but was a file", path) ++ logrus.Infof("SUSE:secrets :: expected %q to be a directory, but was a file", path) + return readFile(prefix, dir) + } + path, err = filepath.EvalSymlinks(path) @@ -269,7 +270,7 @@ index 000000000000..e8de931cb7ca + // Ignore missing files. + if os.IsNotExist(err) { + // If the path itself exists it was a dangling symlink so give a -+ // warning about the dangling symlink. ++ // warning about the symlink dangling. + _, err2 := os.Lstat(path) + if !os.IsNotExist(err2) { + logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path) 
@@ -279,13 +280,16 @@ index 000000000000..e8de931cb7ca + return nil, err + } else if fi.IsDir() { + // Just to be safe. -+ logrus.Warnf("SUSE:secrets :: expected %q to be a file, but was a directory", path) ++ logrus.Infof("SUSE:secrets :: expected %q to be a file, but was a directory", path) + return readDir(prefix, file) + } + -+ stat, ok := fi.Sys().(*syscall.Stat_t) -+ if !ok { ++ var uid, gid int ++ if stat, ok := fi.Sys().(*unix.Stat_t); ok { ++ uid, gid = int(stat.Uid), int(stat.Gid) ++ } else { + logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path) ++ uid, gid = 0, 0 + } + + bytes, err := ioutil.ReadFile(path) @@ -296,8 +300,8 @@ index 000000000000..e8de931cb7ca + var suseFiles []*SuseFakeFile + suseFiles = append(suseFiles, &SuseFakeFile{ + Path: file, -+ Uid: int(stat.Uid), -+ Gid: int(stat.Gid), ++ Uid: uid, ++ Gid: gid, + Mode: fi.Mode(), + Data: bytes, + }) diff --git a/private-registry-0001-Add-private-registry-mirror-support.patch b/0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch similarity index 84% rename from private-registry-0001-Add-private-registry-mirror-support.patch rename to 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch index f6ead07..5bdb33f 100644 --- a/private-registry-0001-Add-private-registry-mirror-support.patch +++ b/0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch @@ -1,11 +1,11 @@ -From 69d43a9550cdedf86b0d4b29e9d737af90221109 Mon Sep 17 00:00:00 2001 +From 3e63781e1bf40affdb884ddd83b82fc51c54d88a Mon Sep 17 00:00:00 2001 
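Review bot: The new assertion `fi.Sys().(*unix.Stat_t)` looks like it can never succeed: on Unix the standard library's `os.FileInfo.Sys()` returns `*syscall.Stat_t`, and `golang.org/x/sys/unix` declares its own `Stat_t` type on Linux, so every file would take the else branch, log the cast warning and be recorded with `uid, gid = 0, 0`. That removes the nil dereference the old code had when the cast failed, but it also discards the host file's real ownership for every secret handed to the container. Keeping the `syscall` import and writing `if stat, ok := fi.Sys().(*syscall.Stat_t); ok {` would preserve ownership while retaining the new root:root fallback. The enclosing function starts and ends outside this hunk.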
From: Valentin Rothberg Date: Mon, 2 Jul 2018 13:37:34 +0200 -Subject: [PATCH] Add private-registry mirror support +Subject: [PATCH 4/5] PRIVATE-REGISTRY: add private-registry mirror support NOTE: This is a backport/downstream patch of the upstream pull-request for Moby, which is still subject to changes. Please visit - https://github.com/moby/moby/pull/34319 for the current status. + for the current status. Add support for mirroring private registries. The daemon.json config can now be configured as exemplified below: @@ -65,24 +65,24 @@ Signed-off-by: Flavio Castelli Signed-off-by: Valentin Rothberg 
Signed-off-by: Aleksa Sarai --- - .../engine/api/types/registry/registry.go | 144 ++++++++++++++++++ - components/engine/daemon/config/config.go | 4 + - components/engine/daemon/reload.go | 33 ++++ - components/engine/daemon/reload_test.go | 95 ++++++++++++ - components/engine/distribution/pull.go | 2 +- - components/engine/distribution/pull_v2.go | 2 +- - components/engine/distribution/push.go | 2 +- - components/engine/registry/config.go | 124 ++++++++++++++- - components/engine/registry/config_test.go | 136 +++++++++++++++++ - components/engine/registry/registry_test.go | 91 ++++++++++- - components/engine/registry/service.go | 45 ++++-- - components/engine/registry/service_v2.go | 66 +++++--- - 12 files changed, 697 insertions(+), 47 deletions(-) + api/types/registry/registry.go | 144 +++++++++++++++++++++++++++++++++ + daemon/config/config.go | 4 + + daemon/reload.go | 33 ++++++++ + daemon/reload_test.go | 95 ++++++++++++++++++++++ + distribution/pull.go | 2 +- + distribution/pull_v2.go | 2 +- + distribution/push.go | 2 +- + registry/config.go | 126 ++++++++++++++++++++++++++++- + registry/config_test.go | 142 ++++++++++++++++++++++++++++++++ + registry/registry_test.go | 99 ++++++++++++++++++++--- + registry/service.go | 43 +++++++--- + registry/service_v2.go | 64 +++++++++++---- + 12 files changed, 710 insertions(+), 46 deletions(-) -diff --git a/components/engine/api/types/registry/registry.go b/components/engine/api/types/registry/registry.go -index 8789ad3b3210..c663fec7d881 100644 ---- a/components/engine/api/types/registry/registry.go -+++ b/components/engine/api/types/registry/registry.go +diff --git a/api/types/registry/registry.go b/api/types/registry/registry.go +index 53e47084c8d5..b4bb9ef805d3 100644 +--- a/api/types/registry/registry.go ++++ b/api/types/registry/registry.go @@ -2,7 +2,10 @@ package registry // import "github.com/docker/docker/api/types/registry" import ( 
@@ -92,7 +92,7 @@ index 8789ad3b3210..c663fec7d881 100644 + "net/url" + "strings" - "github.com/opencontainers/image-spec/specs-go/v1" + v1 "github.com/opencontainers/image-spec/specs-go/v1" ) @@ -14,6 +17,147 @@ type ServiceConfig struct { InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"` @@ -242,11 +242,11 @@ index 8789ad3b3210..c663fec7d881 100644 } // NetIPNet is the net.IPNet type, which can be marshalled and -diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go -index 80ecbbd9550d..8ce69714d9bf 100644 ---- a/components/engine/daemon/config/config.go -+++ b/components/engine/daemon/config/config.go -@@ -467,6 +467,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag +diff --git a/daemon/config/config.go b/daemon/config/config.go +index 4990727597c9..f3a53c692d73 100644 +--- a/daemon/config/config.go ++++ b/daemon/config/config.go +@@ -482,6 +482,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag // 1. Search keys from the file that we don't recognize as flags. unknownKeys := make(map[string]interface{}) for key, value := range config { @@ -257,11 +257,11 @@ index 80ecbbd9550d..8ce69714d9bf 100644 if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] { unknownKeys[key] = value } -diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go -index a31dd0cb87c1..99cc4a65a79d 100644 ---- a/components/engine/daemon/reload.go -+++ b/components/engine/daemon/reload.go -@@ -21,8 +21,14 @@ import ( +diff --git a/daemon/reload.go b/daemon/reload.go +index 72379c054ef6..1e4afe9b3b03 100644 +--- a/daemon/reload.go ++++ b/daemon/reload.go +@@ -22,8 +22,14 @@ import ( // - Daemon labels // - Insecure registries // - Registry mirrors 
@@ -276,7 +276,7 @@ index a31dd0cb87c1..99cc4a65a79d 100644 daemon.configStore.Lock() attributes := map[string]string{} -@@ -65,6 +71,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) { +@@ -69,6 +75,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) { if err := daemon.reloadLiveRestore(conf, attributes); err != nil { return err } @@ -286,7 +286,7 @@ index a31dd0cb87c1..99cc4a65a79d 100644 return daemon.reloadNetworkDiagnosticPort(conf, attributes) } -@@ -295,6 +304,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[ +@@ -320,6 +329,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[ return nil } @@ -317,10 +317,10 @@ index a31dd0cb87c1..99cc4a65a79d 100644 // reloadLiveRestore updates configuration with live restore option // and updates the passed attributes func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error { -diff --git a/components/engine/daemon/reload_test.go b/components/engine/daemon/reload_test.go -index ffad297f71b7..21733c3f1e33 100644 ---- a/components/engine/daemon/reload_test.go -+++ b/components/engine/daemon/reload_test.go +diff --git a/daemon/reload_test.go b/daemon/reload_test.go +index 4a8466616dee..46664f4b1eda 100644 +--- a/daemon/reload_test.go ++++ b/daemon/reload_test.go @@ -7,6 +7,7 @@ import ( "testing" "time" @@ -329,7 +329,7 @@ index ffad297f71b7..21733c3f1e33 100644 "github.com/docker/docker/daemon/config" "github.com/docker/docker/daemon/images" "github.com/docker/docker/pkg/discovery" -@@ -201,6 +202,100 @@ func TestDaemonReloadMirrors(t *testing.T) { +@@ -211,6 +212,100 @@ func TestDaemonReloadMirrors(t *testing.T) { } } 
@@ -430,11 +430,11 @@ index ffad297f71b7..21733c3f1e33 100644 func TestDaemonReloadInsecureRegistries(t *testing.T) { daemon := &Daemon{ imageService: images.NewImageService(images.ImageServiceConfig{}), -diff --git a/components/engine/distribution/pull.go b/components/engine/distribution/pull.go -index be366ce4a99b..49e0d0352778 100644 ---- a/components/engine/distribution/pull.go -+++ b/components/engine/distribution/pull.go -@@ -58,7 +58,7 @@ func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullCo +diff --git a/distribution/pull.go b/distribution/pull.go +index c8ddd4c5cfcd..b17e9d25d6c2 100644 +--- a/distribution/pull.go ++++ b/distribution/pull.go +@@ -61,7 +61,7 @@ func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullCo return err } @@ -443,11 +443,11 @@ index be366ce4a99b..49e0d0352778 100644 if err != nil { return err } -diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go -index dd91ff2157b1..2640f6134e5d 100644 ---- a/components/engine/distribution/pull_v2.go -+++ b/components/engine/distribution/pull_v2.go -@@ -379,7 +379,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform +diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go +index 12497ea890e7..926e02f851fd 100644 +--- a/distribution/pull_v2.go ++++ b/distribution/pull_v2.go +@@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform // the other side speaks the v2 protocol. p.confirmedV2 = true 
@@ -456,10 +456,10 @@ index dd91ff2157b1..2640f6134e5d 100644 progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named())) var ( -diff --git a/components/engine/distribution/push.go b/components/engine/distribution/push.go +diff --git a/distribution/push.go b/distribution/push.go index 5617a4c95f49..0a24aebed968 100644 ---- a/components/engine/distribution/push.go -+++ b/components/engine/distribution/push.go +--- a/distribution/push.go ++++ b/distribution/push.go @@ -58,7 +58,7 @@ func Push(ctx context.Context, ref reference.Named, imagePushConfig *ImagePushCo return err } @@ -469,10 +469,10 @@ index 5617a4c95f49..0a24aebed968 100644 if err != nil { return err } -diff --git a/components/engine/registry/config.go b/components/engine/registry/config.go -index 6bb9258c9b6f..f1945237d235 100644 ---- a/components/engine/registry/config.go -+++ b/components/engine/registry/config.go +diff --git a/registry/config.go b/registry/config.go +index 54b83fa40aab..e1ba24b83bdd 100644 +--- a/registry/config.go ++++ b/registry/config.go @@ -14,11 +14,12 @@ import ( "github.com/sirupsen/logrus" ) @@ -490,9 +490,9 @@ index 6bb9258c9b6f..f1945237d235 100644 } // serviceConfig holds daemon configuration for the registry service. -@@ -62,8 +63,21 @@ var ( - // for mocking in unit tests - var lookupIP = net.LookupIP +@@ -59,8 +60,21 @@ var ( + lookupIP = net.LookupIP + ) +// CompatCheck performs some compatibility checks among the config options and +// returns an error in case of conflicts. 
@@ -512,7 +512,7 @@ index 6bb9258c9b6f..f1945237d235 100644 config := &serviceConfig{ ServiceConfig: registrytypes.ServiceConfig{ InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0), -@@ -81,10 +95,104 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { +@@ -78,10 +92,106 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil { return nil, err } @@ -546,7 +546,9 @@ index 6bb9258c9b6f..f1945237d235 100644 + inUse[mirror.URL.Host()] = reg.URL.Host() + // also warnf if seucurity levels differ + if reg.URL.IsSecure() != mirror.URL.IsSecure() { -+ logrus.Warnf("registry '%s' and mirror '%s' have different security levels", reg.URL.URL(), mirror.URL.URL()) ++ regURL := reg.URL.URL() ++ mirrorURL := mirror.URL.URL() ++ logrus.Warnf("registry '%s' and mirror '%s' have different security levels", ®URL, &mirrorURL) + } + } + if reg.URL.IsSecure() && len(reg.Mirrors) == 0 { @@ -617,7 +619,7 @@ index 6bb9258c9b6f..f1945237d235 100644 // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config. func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error { cidrs := map[string]*registrytypes.NetIPNet{} -@@ -125,6 +233,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str +@@ -122,6 +232,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str // LoadMirrors loads mirrors to config, after removing duplicates. // Returns an error if mirrors contains an invalid mirror. func (config *serviceConfig) LoadMirrors(mirrors []string) error { 
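Review bot: A registry and a mirror with different security levels still only produce a `logrus.Warnf` in this block, and configuration loading carries on. The pull path elsewhere in this patch appears to prefer mirrors over the registry itself, so a plain-HTTP mirror attached to an HTTPS registry would let pulls for that registry travel over an unauthenticated transport. Consider returning an error when `reg.URL.IsSecure() && !mirror.URL.IsSecure()`, or add a comment stating that this downgrade is an accepted operator choice. The two `%s` arguments also print the full URL, so it is worth confirming that the registry URL parser rejects embedded userinfo before it can reach the daemon log. The enclosing function starts and ends outside this hunk.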
@@ -628,7 +630,7 @@ index 6bb9258c9b6f..f1945237d235 100644 mMap := map[string]struct{}{} unique := []string{} -@@ -154,6 +266,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error { +@@ -151,6 +265,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error { // LoadInsecureRegistries loads insecure registries to config func (config *serviceConfig) LoadInsecureRegistries(registries []string) error { @@ -639,17 +641,17 @@ index 6bb9258c9b6f..f1945237d235 100644 // Localhost is by default considered as an insecure registry // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker). // -diff --git a/components/engine/registry/config_test.go b/components/engine/registry/config_test.go -index 30a257e32556..78a4fadd733f 100644 ---- a/components/engine/registry/config_test.go -+++ b/components/engine/registry/config_test.go -@@ -6,10 +6,146 @@ import ( +diff --git a/registry/config_test.go b/registry/config_test.go +index ae8cb23f94b6..7f31b1eb2bf4 100644 +--- a/registry/config_test.go ++++ b/registry/config_test.go +@@ -6,10 +6,152 @@ import ( "strings" "testing" + registrytypes "github.com/docker/docker/api/types/registry" - "gotest.tools/assert" - is "gotest.tools/assert/cmp" + "gotest.tools/v3/assert" + is "gotest.tools/v3/assert/cmp" ) +func TestLoadValidRegistries(t *testing.T) { @@ -682,11 +684,14 @@ index 30a257e32556..78a4fadd733f 100644 + officialMirrors := []string{"https://official.mirror1.com", "https://official.mirror2.com"} + + // create serciveConfig -+ config = newServiceConfig( ++ config, err = newServiceConfig( + ServiceOptions{ + Mirrors: officialMirrors, + Registries: []registrytypes.Registry{secReg, insecReg}, + }) ++ if err != nil { ++ t.Fatal(err) ++ } + + // now test if the config looks as expected + getMirrors := func(reg registrytypes.Registry) []string { 
@@ -760,53 +765,56 @@ index 30a257e32556..78a4fadd733f 100644 + } + + // create serciveConfig -+ config = newServiceConfig( ++ config, err = newServiceConfig( + ServiceOptions{ + Registries: []registrytypes.Registry{regA, regB}, + }) ++ if err != nil { ++ t.Fatal(err) ++ } + + // no match -> nil + reg := config.FindRegistry("foo") -+ assert.Nil(t, reg) ++ assert.Assert(t, is.Nil(reg)) + + // prefix match -> registry + reg = config.FindRegistry("registry-a.com/my-prefix/image:latest") -+ assert.NotNil(t, reg) ++ assert.Assert(t, reg != nil) + assert.Equal(t, "registry-a.com", reg.URL.Host()) + // no prefix match -> nil + reg = config.FindRegistry("registry-a.com/not-my-prefix/image:42") -+ assert.Nil(t, reg) ++ assert.Assert(t, is.Nil(reg)) + + // prefix match -> registry + reg = config.FindRegistry("registry-b.com/image:latest") -+ assert.NotNil(t, reg) ++ assert.Assert(t, reg != nil) + assert.Equal(t, "registry-b.com", reg.URL.Host()) + // prefix match -> registry + reg = config.FindRegistry("registry-b.com/also-in-namespaces/image:latest") -+ assert.NotNil(t, reg) ++ assert.Assert(t, reg != nil) + assert.Equal(t, "registry-b.com", reg.URL.Host()) +} + func TestLoadAllowNondistributableArtifacts(t *testing.T) { testCases := []struct { registries []string -diff --git a/components/engine/registry/registry_test.go b/components/engine/registry/registry_test.go -index b7459471b3f6..1e0d53e7dc21 100644 ---- a/components/engine/registry/registry_test.go -+++ b/components/engine/registry/registry_test.go -@@ -665,7 +665,32 @@ func TestNewIndexInfo(t *testing.T) { +diff --git a/registry/registry_test.go b/registry/registry_test.go +index 417c9574bc5d..b3a978474ec1 100644 +--- a/registry/registry_test.go ++++ b/registry/registry_test.go +@@ -507,40 +507,119 @@ func TestNewIndexInfo(t *testing.T) { } func TestMirrorEndpointLookup(t *testing.T) { +- skip.If(t, os.Getuid() != 0, "skipping test that requires root") +- containsMirror := func(endpoints []APIEndpoint) bool { + var 
( ++ registries []registrytypes.Registry + secReg registrytypes.Registry -+ config *serviceConfig + pushAPIEndpoints []APIEndpoint + pullAPIEndpoints []APIEndpoint + err error + ) -+ - skip.If(t, os.Getuid() != 0, "skipping test that requires root") + + // secure with mirrors + secReg, err = registrytypes.NewRegistry("https://secure.registry.com/test-prefix/") @@ -820,19 +828,25 @@ index b7459471b3f6..1e0d53e7dc21 100644 + if err := secReg.AddMirror(secMirrors[1]); err != nil { + t.Fatal(err) + } ++ registries = append(registries, secReg) + + // docker.io mirrors to test backwards compatibility + officialMirrors := []string{"https://official.mirror1.com/", "https://official.mirror2.com/"} + - containsMirror := func(endpoints []APIEndpoint) bool { ++ containsMirror := func(needle string, endpoints []APIEndpoint) bool { for _, pe := range endpoints { - if pe.URL.Host == "my.mirror" { -@@ -674,31 +699,83 @@ func TestMirrorEndpointLookup(t *testing.T) { +- if pe.URL.Host == "my.mirror" { ++ if pe.URL.String() == needle { + return true + } } return false } - cfg, err := makeServiceConfig([]string{"https://my.mirror"}, nil) -+ cfg, err := makeServiceConfig(officialMirrors, nil) ++ cfg, err := newServiceConfig(ServiceOptions{ ++ Mirrors: officialMirrors, ++ Registries: registries, ++ }) if err != nil { t.Fatal(err) } 
@@ -848,20 +862,19 @@ index b7459471b3f6..1e0d53e7dc21 100644 + } + if containsMirror(officialMirrors[0], pushAPIEndpoints) { + t.Fatal("Push endpoint should not contain mirror") - } -- pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName)) ++ } + if containsMirror(officialMirrors[1], pushAPIEndpoints) { + t.Fatal("Push endpoint should not contain mirror") + } + + pullAPIEndpoints, err = s.LookupPullEndpoints(officialRef) - if err != nil { - t.Fatal(err) - } -- if containsMirror(pushAPIEndpoints) { ++ if err != nil { ++ t.Fatal(err) ++ } + if !containsMirror(officialMirrors[0], pullAPIEndpoints) { + t.Fatal("Pull endpoint should contain mirror") -+ } + } +- pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName)) + if !containsMirror(officialMirrors[1], pullAPIEndpoints) { + t.Fatal("Pull endpoint should contain mirror") + } @@ -869,9 +882,10 @@ index b7459471b3f6..1e0d53e7dc21 100644 + // prefix lookups + prefixRef := "secure.registry.com/test-prefix/foo:latest" + pushAPIEndpoints, err = s.LookupPushEndpoints(prefixRef) -+ if err != nil { -+ t.Fatal(err) -+ } + if err != nil { + t.Fatal(err) + } +- if containsMirror(pushAPIEndpoints) { + if containsMirror(secMirrors[0], pushAPIEndpoints) { + t.Fatal("Push endpoint should not contain mirror") + } @@ -917,11 +931,11 @@ index b7459471b3f6..1e0d53e7dc21 100644 + } } - func TestPushRegistryTag(t *testing.T) { -diff --git a/components/engine/registry/service.go b/components/engine/registry/service.go -index 08f5c7a4e12c..ee0c97a8a21b 100644 ---- a/components/engine/registry/service.go -+++ b/components/engine/registry/service.go + func TestSearchRepositories(t *testing.T) { +diff --git a/registry/service.go b/registry/service.go +index 3b08e39da2c2..62556ba1ba70 100644 +--- a/registry/service.go ++++ b/registry/service.go @@ -8,7 +8,7 @@ import ( "strings" "sync" 
@@ -984,7 +998,7 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644 // Auth contacts the public registry with the provided credentials, // and returns OK if authentication was successful. // It can be used to verify the validity of a client's credentials. -@@ -241,7 +255,7 @@ func (s *DefaultService) Search(ctx context.Context, term string, limit int, aut +@@ -230,7 +244,7 @@ func (s *DefaultService) Search(ctx context.Context, term string, limit int, aut // ResolveRepository splits a repository name into its components // and configuration of the associated registry. @@ -993,13 +1007,12 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644 s.mu.Lock() defer s.mu.Unlock() return newRepositoryInfo(s.config, name) -@@ -280,24 +294,25 @@ func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, er +@@ -270,22 +284,25 @@ func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, er return s.tlsConfig(mirrorURL.Host) } --// LookupPullEndpoints creates a list of endpoints to try to pull from, in order of preference. --// It gives preference to v2 endpoints over v1, mirrors over the actual --// registry, and HTTPS over plain HTTP. +-// LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference. +-// It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP. -func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) { +// LookupPullEndpoints creates a list of endpoints based on the provided +// reference to try to pull from, in order of preference. It gives preference 
@@ -1009,13 +1022,12 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644 s.mu.Lock() defer s.mu.Unlock() -- return s.lookupEndpoints(hostname) -+ return s.lookupEndpoints(reference) +- return s.lookupV2Endpoints(hostname) ++ return s.lookupV2Endpoints(reference) } --// LookupPushEndpoints creates a list of endpoints to try to push to, in order of preference. --// It gives preference to v2 endpoints over v1, and HTTPS over plain HTTP. --// Mirrors are not included. +-// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference. +-// It gives preference to HTTPS over plain HTTP. Mirrors are not included. -func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) { +// LookupPushEndpoints creates a list of endpoints based on the provided +// reference to try to push to, in order of preference. It gives preference to @@ -1024,16 +1036,16 @@ index 08f5c7a4e12c..ee0c97a8a21b 100644 s.mu.Lock() defer s.mu.Unlock() -- allEndpoints, err := s.lookupEndpoints(hostname) -+ allEndpoints, err := s.lookupEndpoints(reference) +- allEndpoints, err := s.lookupV2Endpoints(hostname) ++ allEndpoints, err := s.lookupV2Endpoints(reference) if err == nil { for _, endpoint := range allEndpoints { if !endpoint.Mirror { -diff --git a/components/engine/registry/service_v2.go b/components/engine/registry/service_v2.go -index 1a4c9e310547..efebb4f41486 100644 ---- a/components/engine/registry/service_v2.go -+++ b/components/engine/registry/service_v2.go -@@ -1,30 +1,51 @@ +diff --git a/registry/service_v2.go b/registry/service_v2.go +index 3e3a5b41ffbd..451a6f874bc1 100644 +--- a/registry/service_v2.go ++++ b/registry/service_v2.go +@@ -1,39 +1,71 @@ package registry // import "github.com/docker/docker/registry" import ( 
@@ -1049,7 +1061,6 @@ index 1a4c9e310547..efebb4f41486 100644 +func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) { tlsConfig := tlsconfig.ServerDefault() - if hostname == DefaultNamespace || hostname == IndexHostname { -- // v2 mirrors - for _, mirror := range s.config.Mirrors { - if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { - mirror = "https://" + mirror @@ -1094,16 +1105,14 @@ index 1a4c9e310547..efebb4f41486 100644 + return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: %s", err) } endpoints = append(endpoints, APIEndpoint{ -- URL: mirrorURL, -+ URL: &mURL, - // guess mirrors are v2 +- URL: mirrorURL, ++ URL: &mURL, Version: APIVersion2, Mirror: true, -@@ -32,11 +53,20 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp + TrimHostname: true, TLSConfig: mirrorTLSConfig, }) } -- // v2 registry + // add the registry + var endpointURL *url.URL + if official { @@ -1123,7 +1132,7 @@ index 1a4c9e310547..efebb4f41486 100644 TrimHostname: true, TLSConfig: tlsConfig, }) -@@ -48,7 +78,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp +@@ -45,7 +77,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp tlsConfig, err = s.tlsConfig(hostname) if err != nil { @@ -1133,5 +1142,5 @@ index 1a4c9e310547..efebb4f41486 100644 endpoints = []APIEndpoint{ -- -2.22.0 +2.30.0 diff --git a/bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch b/0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch similarity index 55% rename from bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch rename to 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index dd05e01..9763dc0 100644 --- a/bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch +++ b/0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch 
@@ -1,7 +1,8 @@ -From a67925f5d977db2b5a1b0162149cbd0de2b20598 Mon Sep 17 00:00:00 2001 +From 4d134a69323ba490b1f8976394cdd9fe0c278b3d Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH] apparmor: clobber docker-default profile on start +Subject: [PATCH 5/5] bsc1073877: apparmor: clobber docker-default profile on + start In the process of making docker-default reloading far less expensive, 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor @@ -15,23 +16,23 @@ Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles" SUSE-Bugs: bsc#1099277 
Signed-off-by: Aleksa Sarai --- - components/engine/daemon/apparmor_default.go | 14 ++++++++++---- - .../engine/daemon/apparmor_default_unsupported.go | 4 ++++ - components/engine/daemon/daemon.go | 5 +++-- + daemon/apparmor_default.go | 14 ++++++++++---- + daemon/apparmor_default_unsupported.go | 4 ++++ + daemon/daemon.go | 5 +++-- 3 files changed, 17 insertions(+), 6 deletions(-) -diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go -index 461f5c7f96b2..8f21c5c0c566 100644 ---- a/components/engine/daemon/apparmor_default.go -+++ b/components/engine/daemon/apparmor_default.go -@@ -14,6 +14,15 @@ const ( - defaultApparmorProfile = "docker-default" +diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go +index 2045412a7966..0c1fd0f0c940 100644 +--- a/daemon/apparmor_default.go ++++ b/daemon/apparmor_default.go +@@ -15,6 +15,15 @@ const ( + defaultAppArmorProfile = "docker-default" ) +func clobberDefaultAppArmorProfile() error { + if apparmor.IsEnabled() { -+ if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { -+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err) ++ if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil { ++ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err) + } + } + return nil 
@@ -39,23 +40,23 @@ index 461f5c7f96b2..8f21c5c0c566 100644 + func ensureDefaultAppArmorProfile() error { if apparmor.IsEnabled() { - loaded, err := aaprofile.IsLoaded(defaultApparmorProfile) -@@ -27,10 +36,7 @@ func ensureDefaultAppArmorProfile() error { + loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) +@@ -28,10 +37,7 @@ func ensureDefaultAppArmorProfile() error { } // Load the profile. -- if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { -- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err) +- if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil { +- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err) - } + return clobberDefaultAppArmorProfile() } - return nil } -diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go +diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go index 51f9c526b350..97d7758442ee 100644 ---- a/components/engine/daemon/apparmor_default_unsupported.go -+++ b/components/engine/daemon/apparmor_default_unsupported.go +--- a/daemon/apparmor_default_unsupported.go ++++ b/daemon/apparmor_default_unsupported.go @@ -2,6 +2,10 @@ package daemon // import "github.com/docker/docker/daemon" 
@@ -67,11 +68,11 @@ index 51f9c526b350..97d7758442ee 100644 func ensureDefaultAppArmorProfile() error { return nil } -diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go -index f049b0d2a41f..7bd89e76b32f 100644 ---- a/components/engine/daemon/daemon.go -+++ b/components/engine/daemon/daemon.go -@@ -807,8 +807,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S +diff --git a/daemon/daemon.go b/daemon/daemon.go +index 3e86ab5c8721..4a574da030da 100644 +--- a/daemon/daemon.go ++++ b/daemon/daemon.go +@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S logrus.Warnf("Failed to configure golang's threads limit: %v", err) } @@ -84,5 +85,5 @@ index f049b0d2a41f..7bd89e76b32f 100644 } -- -2.22.0 +2.30.0 diff --git a/_service b/_service index 5af57a7..cd48a3f 100644 --- a/_service +++ b/_service @@ -1,12 +1,20 @@ - https://github.com/docker/docker-ce.git + https://github.com/docker/docker.git git .git - 19.03.14_ce_%h - v19.03.14 + 20.10.2_ce_%h + v20.10.2 docker + + https://github.com/docker/cli.git + git + .git + 20.10.2_ce + v20.10.2 + docker-cli + docker-*.tar xz diff --git a/boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch b/boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch deleted file mode 100644 index 176d9a5..0000000 --- a/boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch +++ /dev/null 
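Review bot: The added docker/cli source entry records only the tag `v20.10.2` and the version string `20.10.2_ce`, while the engine entry keeps `%h` in `20.10.2_ce_%h`, so the CLI tarball name does not say which commit was fetched. The service markup is not visible in this view, so the parameter names are inferred. If the second value is the version format, `20.10.2_ce_%h` would make a re-run against a moved tag show up as a changed file name. The same applies to `Source1: %{realname}-cli-%{version}.tar.xz` in the docker.spec hunk at -42,52, which would then need a CLI commit define next to `git_version`.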
@@ -1,230 +0,0 @@ -From ea920fbc29225a71c9e07ffeeba00bc71423d839 Mon Sep 17 00:00:00 2001 -From: Arko Dasgupta -Date: Mon, 4 May 2020 13:51:42 -0700 -Subject: [PATCH] Add docker interfaces to firewalld docker zone - -If firewalld is running, create a new docker zone and -add the docker interfaces to the docker zone to allow -container networking for distros with firewalld enabled - -Fixes: https://github.com/moby/libnetwork/issues/2496 - -Signed-off-by: Arko Dasgupta -(cherry picked from commit 7a7209221542dc99b316748c97608dfc276c40f6) -Signed-off-by: Sebastiaan van Stijn ---- - .../docker/libnetwork/iptables/firewalld.go | 136 ++++++++++++++++-- - .../docker/libnetwork/iptables/iptables.go | 13 ++ - 2 files changed, 139 insertions(+), 10 deletions(-) - -diff --git a/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go b/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go -index 8f13c86448..33eb749ab0 100644 ---- a/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go -+++ b/components/engine/vendor/github.com/docker/libnetwork/iptables/firewalld.go -@@ -19,20 +19,46 @@ const ( - // Ebtables point to bridge table - Ebtables IPV = "eb" - ) -+ - const ( -- dbusInterface = "org.fedoraproject.FirewallD1" -- dbusPath = "/org/fedoraproject/FirewallD1" -+ dbusInterface = "org.fedoraproject.FirewallD1" -+ dbusPath = "/org/fedoraproject/FirewallD1" -+ dbusConfigPath = "/org/fedoraproject/FirewallD1/config" -+ dockerZone = "docker" - ) - - // Conn is a connection to firewalld dbus endpoint. 
- type Conn struct { -- sysconn *dbus.Conn -- sysobj dbus.BusObject -- signal chan *dbus.Signal -+ sysconn *dbus.Conn -+ sysObj dbus.BusObject -+ sysConfObj dbus.BusObject -+ signal chan *dbus.Signal -+} -+ -+// ZoneSettings holds the firewalld zone settings, documented in -+// https://firewalld.org/documentation/man-pages/firewalld.dbus.html -+type ZoneSettings struct { -+ version string -+ name string -+ description string -+ unused bool -+ target string -+ services []string -+ ports [][]interface{} -+ icmpBlocks []string -+ masquerade bool -+ forwardPorts [][]interface{} -+ interfaces []string -+ sourceAddresses []string -+ richRules []string -+ protocols []string -+ sourcePorts [][]interface{} -+ icmpBlockInversion bool - } - - var ( -- connection *Conn -+ connection *Conn -+ - firewalldRunning bool // is Firewalld service running - onReloaded []*func() // callbacks when Firewalld has been reloaded - ) -@@ -51,6 +77,9 @@ func FirewalldInit() error { - } - if connection != nil { - go signalHandler() -+ if err := setupDockerZone(); err != nil { -+ return err -+ } - } - - return nil -@@ -76,8 +105,8 @@ func (c *Conn) initConnection() error { - } - - // This never fails, even if the service is not running atm. 
-- c.sysobj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath)) -- -+ c.sysObj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath)) -+ c.sysConfObj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusConfigPath)) - rule := fmt.Sprintf("type='signal',path='%s',interface='%s',sender='%s',member='Reloaded'", - dbusPath, dbusInterface, dbusInterface) - c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule) -@@ -150,7 +179,7 @@ func checkRunning() bool { - var err error - - if connection != nil { -- err = connection.sysobj.Call(dbusInterface+".getDefaultZone", 0).Store(&zone) -+ err = connection.sysObj.Call(dbusInterface+".getDefaultZone", 0).Store(&zone) - return err == nil - } - return false -@@ -160,8 +189,95 @@ func checkRunning() bool { - func Passthrough(ipv IPV, args ...string) ([]byte, error) { - var output string - logrus.Debugf("Firewalld passthrough: %s, %s", ipv, args) -- if err := connection.sysobj.Call(dbusInterface+".direct.passthrough", 0, ipv, args).Store(&output); err != nil { -+ if err := connection.sysObj.Call(dbusInterface+".direct.passthrough", 0, ipv, args).Store(&output); err != nil { - return nil, err - } - return []byte(output), nil - } -+ -+// getDockerZoneSettings converts the ZoneSettings struct into a interface slice -+func getDockerZoneSettings() map[string]string { -+ return map[string]string{ -+ "version": "1.0", -+ "name": dockerZone, -+ "description": "zone for docker bridge network interfaces", -+ "target": "ACCEPT", -+ } -+} -+ -+// setupDockerZone creates a zone called docker in firewalld which includes docker interfaces to allow -+// container networking -+func setupDockerZone() error { -+ var zones []string -+ // Check if zone exists -+ if err := connection.sysObj.Call(dbusInterface+".zone.getZones", 0).Store(&zones); err != nil { -+ return err -+ } -+ if contains(zones, dockerZone) { -+ logrus.Infof("Firewalld: %s zone already exists, returning", dockerZone) -+ return nil -+ } -+ 
logrus.Debugf("Firewalld: creating %s zone", dockerZone) -+ -+ settings := getDockerZoneSettings() -+ // Permanent -+ if err := connection.sysConfObj.Call(dbusInterface+".config.addZone", 0, dockerZone, settings).Err; err != nil { -+ return err -+ } -+ // Reload for change to take effect -+ if err := connection.sysObj.Call(dbusInterface+".reload", 0).Err; err != nil { -+ return err -+ } -+ -+ return nil -+} -+ -+// AddInterfaceFirewalld adds the interface to the trusted zone -+func AddInterfaceFirewalld(intf string) error { -+ var intfs []string -+ // Check if interface is already added to the zone -+ if err := connection.sysObj.Call(dbusInterface+".zone.getInterfaces", 0, dockerZone).Store(&intfs); err != nil { -+ return err -+ } -+ // Return if interface is already part of the zone -+ if contains(intfs, intf) { -+ logrus.Infof("Firewalld: interface %s already part of %s zone, returning", intf, dockerZone) -+ return nil -+ } -+ -+ logrus.Debugf("Firewalld: adding %s interface to %s zone", intf, dockerZone) -+ // Runtime -+ if err := connection.sysObj.Call(dbusInterface+".zone.addInterface", 0, dockerZone, intf).Err; err != nil { -+ return err -+ } -+ return nil -+} -+ -+// DelInterfaceFirewalld removes the interface from the trusted zone -+func DelInterfaceFirewalld(intf string) error { -+ var intfs []string -+ // Check if interface is part of the zone -+ if err := connection.sysObj.Call(dbusInterface+".zone.getInterfaces", 0, dockerZone).Store(&intfs); err != nil { -+ return err -+ } -+ // Remove interface if it exists -+ if !contains(intfs, intf) { -+ return fmt.Errorf("Firewalld: unable to find interface %s in %s zone", intf, dockerZone) -+ } -+ -+ logrus.Debugf("Firewalld: removing %s interface from %s zone", intf, dockerZone) -+ // Runtime -+ if err := connection.sysObj.Call(dbusInterface+".zone.removeInterface", 0, dockerZone, intf).Err; err != nil { -+ return err -+ } -+ return nil -+} -+ -+func contains(list []string, val string) bool { -+ for _, v := 
range list { -+ if v == val { -+ return true -+ } -+ } -+ return false -+} -diff --git a/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go b/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go -index 5523c4858c..bd262eb86c 100644 ---- a/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go -+++ b/components/engine/vendor/github.com/docker/libnetwork/iptables/iptables.go -@@ -146,6 +146,19 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err - return errors.New("Could not program chain, missing chain name") - } - -+ // Either add or remove the interface from the firewalld zone -+ if firewalldRunning { -+ if enable { -+ if err := AddInterfaceFirewalld(bridgeName); err != nil { -+ return err -+ } -+ } else { -+ if err := DelInterfaceFirewalld(bridgeName); err != nil { -+ return err -+ } -+ } -+ } -+ - switch c.Table { - case Nat: - preroute := []string{ --- -2.29.2 - diff --git a/bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch b/bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch deleted file mode 100644 index 03349db..0000000 --- a/bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From cb676052272ed4f6f3b901dbc21510fabf742860 Mon Sep 17 00:00:00 2001 -From: Goldwyn Rodrigues -Date: Mon, 22 Apr 2019 09:08:28 -0500 -Subject: [PATCH] apparmor: allow readby and tracedby - -Fixes audit errors such as: - -type=AVC msg=audit(1550236803.810:143): -apparmor="DENIED" operation="ptrace" profile="docker-default" -pid=3181 comm="ps" requested_mask="readby" denied_mask="readby" -peer="docker-default" - -audit(1550236375.918:3): apparmor="DENIED" operation="ptrace" -profile="docker-default" pid=2267 comm="ps" -requested_mask="tracedby" denied_mask="tracedby" -peer="docker-default" - -SUSE-Bugs: bsc#1122469 -Signed-off-by: Goldwyn Rodrigues -Signed-off-by: Aleksa Sarai ---- - components/engine/profiles/apparmor/template.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go -index 400b3bd50a11..d8db0ee2fb36 100644 ---- a/components/engine/profiles/apparmor/template.go -+++ b/components/engine/profiles/apparmor/template.go -@@ -44,7 +44,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { - - {{if ge .Version 208095}} - # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container -- ptrace (trace,read) peer={{.Name}}, -+ ptrace (trace,read,tracedby,readby) peer={{.Name}}, - {{end}} - } - ` --- -2.24.0 - diff --git a/cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch b/cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch new file mode 100644 index 0000000..0ccfab2 --- /dev/null +++ b/cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch 
@@ -0,0 +1,59 @@ +From 6e2607c6a68ecf1a7378133f22cb7192e2eb9d5b Mon Sep 17 00:00:00 2001 +From: Arnaud Rebillout +Date: Wed, 16 Dec 2020 10:19:43 +0700 +Subject: [PATCH] Rename bin/md2man to bin/go-md2man + +In the recent PR !2877, some code was added to check if md2man is +already installed in the build environment. This is to cater to the +needs of Linux distributions. + +However it turns out that Linux distributions install md2man as +bin/go-md2man instead of bin/md2man, hence the PR !2877 doesn't help +much. + +This commit fixes it by settling on using the binary name go-md2man. + +For reference, here the file list of the package go-md2man in several +distributions: + +- Debian: +- Ubuntu: +- Fedora: +- ArchLinux: + +Signed-off-by: Arnaud Rebillout +--- + man/md2man-all.sh | 2 +- + scripts/docs/generate-man.sh | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/md2man-all.sh b/man/md2man-all.sh +index eb0bc6366a27..46c7b8f08eae 100755 +--- a/man/md2man-all.sh ++++ b/man/md2man-all.sh +@@ -18,5 +18,5 @@ for FILE in *.md; do + continue + fi + mkdir -p "./man${num}" +- md2man -in "$FILE" -out "./man${num}/${name}" ++ go-md2man -in "$FILE" -out "./man${num}/${name}" + done +diff --git a/scripts/docs/generate-man.sh b/scripts/docs/generate-man.sh +index 136ed1e00094..e312c87dd321 100755 +--- a/scripts/docs/generate-man.sh ++++ b/scripts/docs/generate-man.sh +@@ -4,9 +4,9 @@ set -eu -o pipefail + + mkdir -p ./man/man1 + +-if ! command -v md2man &> /dev/null; then ++if ! command -v go-md2man &> /dev/null; then + # yay, go install creates a binary named "v2" ¯\_(ツ)_/¯ +- go build -o "/go/bin/md2man" ./vendor/github.com/cpuguy83/go-md2man/v2 ++ go build -o "/go/bin/go-md2man" ./vendor/github.com/cpuguy83/go-md2man/v2 + fi + + # Generate man pages from cobra commands +-- +2.30.0 + diff --git a/docker-19.03.14_ce_5eb3275d4006.tar.xz b/docker-19.03.14_ce_5eb3275d4006.tar.xz deleted file mode 100644 index 6392dee..0000000 
--- a/docker-19.03.14_ce_5eb3275d4006.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5bf99fd416c9a282dc97ac3568da541d378ea1c003a5680c07f11f91115d984d -size 10421676 diff --git a/docker-20.10.2_ce_8891c58a433a.tar.xz b/docker-20.10.2_ce_8891c58a433a.tar.xz new file mode 100644 index 0000000..a7b3bb6 --- /dev/null +++ b/docker-20.10.2_ce_8891c58a433a.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8f38527e3b117ca42b0b702a3a8a2a3d73cb629d170730d7d741115e72da8171 +size 6463700 diff --git a/docker-cli-20.10.2_ce.tar.xz b/docker-cli-20.10.2_ce.tar.xz new file mode 100644 index 0000000..211bd68 --- /dev/null +++ b/docker-cli-20.10.2_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83f9812b3d0fda73d6645d82577b0e3c7d603c042be6ee80119d0d5a48d73866 +size 4432320 diff --git a/docker.changes b/docker.changes index db89647..a900884 100644 --- a/docker.changes +++ b/docker.changes 
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai + +- Update to Docker 20.10.2-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1181594 +- Remove upstreamed patches: + - bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch + - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch +- Add patches to fix build: + + cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch +- Since upstream has changed their source repo (again) we have to rebase all of + our patches. While doing this, I've collapsed all patches into one branch + per-release and thus all the patches are now just one series: + - packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch + + 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch + - secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + - secrets-0002-SUSE-implement-SUSE-container-secrets.patch + + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + - private-registry-0001-Add-private-registry-mirror-support.patch + + 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + - bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch + + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + ------------------------------------------------------------------- Fri Jan 29 11:54:53 UTC 2021 - Aleksa Sarai diff --git a/docker.spec b/docker.spec index f647c92..477c69c 100644 --- a/docker.spec +++ b/docker.spec @@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -42,52 +42,55 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 5eb3275d4006 -%define git_commit_epoch 1606849828 +%define git_version 8891c58a433a +%define git_commit_epoch 1608908869 # These are the git commits required. We verify them against the source to make # sure we didn't miss anything important when doing upgrades. -%define required_containerd ea765aba0d05254012b0b9e595e995c09186427f -%define required_dockerrunc dc9208a3303feef5b3839f4323d9beb36df0a9dd -%define required_libnetwork 55e924b8a84231a065879156c0de95aefc5f5435 +%define required_containerd 269548fa27e0089a8b8278fc4fc781d7f65a939b +%define required_dockerrunc ff819c7e9184c13b7c2607fe6c30ae19403a7aff +%define required_libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7 Name: %{realname}%{name_suffix} -Version: 19.03.14_ce +Version: 20.10.2_ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 Group: System/Management URL: http://www.docker.io -# TODO(VR): check those SOURCE files below Source: %{realname}-%{version}_%{git_version}.tar.xz -Source1: docker.service +Source1: %{realname}-cli-%{version}.tar.xz +Source2: docker-rpmlintrc +# TODO: Move these source files to somewhere nicer. +Source100: docker.service +Source101: 80-docker.rules +Source102: sysconfig.docker +Source103: README_SUSE.md +Source104: docker-audit.rules +Source105: tests.sh +Source106: docker-daemon.json +# Kubelet-specific sources. # bsc#1086185 -- but we only apply this on Kubic. 
-Source2: docker-kubic-service.conf -Source3: 80-docker.rules -Source4: sysconfig.docker -Source5: kubelet.env -Source6: docker-rpmlintrc -Source7: README_SUSE.md -Source8: docker-audit.rules -Source9: tests.sh -Source10: docker-daemon.json +Source900: docker-kubic-service.conf +Source901: kubelet.env +# NOTE: All of these patches are maintained in +# in the suse- branch. Make sure you update the patches in that +# branch and then git-format-patch the patch here. # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers # which is not snapshotted when images are committed. Note that if you modify # this patch, please also modify the patch in the suse-secrets-v -# branch in http://github.com/suse/docker.mirror. -Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch -Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch -# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907. -Patch300: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277 -Patch401: bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/39121. bsc#1122469 -Patch402: bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/libnetwork/pull/2548. boo#1178801, SLE-16460 -Patch403: boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch +# branch in . +Patch100: 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +Patch101: 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch # SUSE-FEATURE: Add support to mirror inofficial/private registries -# (https://github.com/docker/docker/pull/34319) -Patch500: private-registry-0001-Add-private-registry-mirror-support.patch +# . +Patch200: 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch +# SUSE-ISSUE: Revert of . 
+Patch300: 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277 +Patch301: 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888. +Patch302: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -273,34 +276,41 @@ docker container runtime configuration for kubeadm %prep %setup -q -n %{realname}-%{version}_%{git_version} + %if 0%{?is_opensuse} # nothing %else # PATCH-SUSE: Secrets patches. -%patch200 -p1 -%patch201 -p1 +%patch100 -p1 +%patch101 -p1 %endif -# revert upstream -%patch300 -p1 -# bsc#1099277 -%patch401 -p1 -# bsc#1122469 -%patch402 -p1 -# boo#1178801, SLE-16460 -%patch403 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. -%patch500 -p1 +%patch200 -p1 %endif +# packaging +%patch300 -p1 +# bsc#1099277 +%patch301 -p1 -cp %{SOURCE7} . +# README_SUSE.md for documentation. +cp %{SOURCE103} . + +# Fill the CLI sources in a subdir. +mkdir -p dist-suse/cli +pushd dist-suse/cli/ +xz -dc %{SOURCE1} | tar -xof - --strip-components=1 +# https://github.com/docker/cli/pull/2888 +%patch302 -p1 +popd %build BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" %if 0%{?sle_version} == 120000 - # Provided by patch406, to allow us to build with older distros but still - # have deferred removal support at runtime. We only use this when building - # on SLE12. + # Allow us to build with older distros but still have deferred removal + # support at runtime. We only use this when building on SLE12, because + # later openSUSE/SLE versions have a new enough libdevicemapper to not + # require the runtime checking. BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS" %endif 
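Review bot: In the added CLI unpack step, `xz -dc %{SOURCE1} | tar -xof - --strip-components=1` reports only tar's exit status, so a failed or interrupted decompression can leave a partial tree in `dist-suse/cli` unless the shell runs with pipefail, which is not visible here. Letting tar read the archive itself avoids the pipe: `tar -xJof %{SOURCE1} --strip-components=1`. Separately, the renumbered series is applied as 0002, 0003, 0004, 0001, 0005, with two of the groups conditional. A comment such as `# NOTE: applied out of series order; every patch must apply on its own` above `%patch300` would record that constraint.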
@@ -326,14 +336,13 @@ EOF # Preparing GOPATH so that the client is visible to the compiler mkdir -p src/github.com/docker/ -ln -s $(pwd)/components/cli $(pwd)/src/github.com/docker/cli +ln -s $(pwd)/dist-suse/cli $(pwd)/src/github.com/docker/cli export GOPATH=$GOPATH:$(pwd) ################### ## DOCKER ENGINE ## ################### -pushd components/engine/ # Ignore the warning that we compile outside a Docker container. ./hack/make.sh dynbinary @@ -343,18 +352,17 @@ pushd components/engine/ for testdir in {integration-cli,integration/*/} do ( find "$testdir" -name '*_test.go' | grep -q '.' ) || continue - GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \ - -buildmode=pie \ - -tags "$DOCKER_BUILDTAGS daemon autogen" \ - -c "github.com/docker/docker/$testdir" -o "$testdir/tests.main" + GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test -c \ + -o "$testdir/tests.main" -buildmode=pie \ + -tags "$DOCKER_BUILDTAGS daemon" \ + "github.com/docker/docker/$testdir" done -popd ################### ## DOCKER CLIENT ## ################### -pushd components/cli/ +pushd dist-suse/cli/ ./scripts/build/dynbinary mkdir -p ./man/man1 
@@ -373,30 +381,29 @@ popd # We verify that all of our -git requires are correct, and match the contents # of the upstream vendoring scripts. This is done on-build to make sure that # someone doing an update didn't miss anything. -cd components/engine grep 'RUNC_COMMIT:=%{required_dockerrunc}' hack/dockerfile/install/runc.installer grep 'CONTAINERD_COMMIT:=%{required_containerd}' hack/dockerfile/install/containerd.installer grep 'LIBNETWORK_COMMIT:=%{required_libnetwork}' hack/dockerfile/install/proxy.installer %install install -d %{buildroot}%{_bindir} -install -D -m755 components/cli/build/docker %{buildroot}/%{_bindir}/docker -install -D -m755 components/engine/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd +install -D -m755 dist-suse/cli/build/docker %{buildroot}/%{_bindir}/docker +install -D -m755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd install -d %{buildroot}/%{_localstatedir}/lib/docker install -Dd -m 0755 \ %{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sbindir} -install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" -install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" -install -D -m0644 components/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" +install -D -m0644 dist-suse/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" +install -D -m0644 dist-suse/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" +install -D -m0644 dist-suse/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" # # systemd service # -install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service +install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service 
%if "%flavour" == "kubic" -install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf +install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf %endif ln -sf service %{buildroot}%{_sbindir}/rcdocker 
@@ -404,30 +411,30 @@ ln -sf service %{buildroot}%{_sbindir}/rcdocker # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # -install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules +install -D -m 0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules # audit rules -install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules +install -D -m 0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules # sysconfig file -install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker +install -D -m 644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker # install docker config file -install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/docker/daemon.json +install -D -m 644 %{SOURCE106} %{buildroot}%{_sysconfdir}/docker/daemon.json # install manpages (using the ones from the engine) install -d %{buildroot}%{_mandir}/man1 -install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 +install -p -m 644 dist-suse/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 install -d %{buildroot}%{_mandir}/man5 -install -p -m 644 components/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 +install -p -m 644 dist-suse/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 install -d %{buildroot}%{_mandir}/man8 -install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 +install -p -m 644 dist-suse/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 # install docker-test files -- we want to avoid installing the entire source tree. install -d %{buildroot}%{_prefix}/src/docker/ -install -D -m0755 %{SOURCE9} %{buildroot}%{_prefix}/src/docker/tests.sh +install -D -m0755 %{SOURCE105} %{buildroot}%{_prefix}/src/docker/tests.sh # We need hack/, contrib/, profiles/, and the integration*/ trees. 
-cp -a components/engine/{hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/ +cp -a {hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/ echo "%{version}" > %{buildroot}%{_prefix}/src/docker/VERSION # And now we can remove all *_test.go files -- since we already have test # binaries. Due to a lot of hacks within the Docker integration tests, we can't @@ -437,8 +444,8 @@ find %{buildroot}%{_prefix}/src/docker \ %if "%flavour" == "kubic" # place kubelet.env in fillupdir (for kubeadm-criconfig) -sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE5} -install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet +sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901} +install -D -m 0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet %endif %fdupes %{buildroot} @@ -485,8 +492,8 @@ grep -q '^dockremap:' /etc/subgid || \ %files %defattr(-,root,root) -%doc components/engine/README.md README_SUSE.md CHANGELOG.md -%license components/engine/LICENSE +%doc README.md README_SUSE.md CHANGELOG.md +%license LICENSE %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker diff --git a/packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch b/packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch deleted file mode 100644 index 9d25662..0000000 --- a/packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch +++ /dev/null 
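Review bot: The comment above the manpage installs still reads "using the ones from the engine", but the new lines copy from `dist-suse/cli/man/man1`, `man5` and `man8`, which is the CLI tree. I would update it to `# install manpages (generated in the CLI tree, dist-suse/cli/man)` so the next person changing the source layout looks in the right place.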
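Review bot: In the kubic block, `sed ... -i %{SOURCE901}` still rewrites the packaged source file in place during `%install`; the renumbering keeps that pattern. It changes the contents of the source directory as a side effect of building, and it fails if that directory is read-only. Writing the substituted copy into the build tree avoids both: `sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' %{SOURCE901} > sysconfig.kubelet`, followed by `install -D -m 0644 sysconfig.kubelet %{buildroot}%{_fillupdir}/sysconfig.kubelet`.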
@@ -1,126 +0,0 @@ -From 33d18d20a806e2541292acb55338dea2065d2501 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Thu, 29 Nov 2018 20:53:16 +1100 -Subject: [PATCH] revert "Remove 'docker-' prefix for containerd and runc - binaries" - -This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it -would significantly break openSUSE's packaging (as well as causing -conflicts between the very-outdated runc that Docker uses and the more -up-to-date one available for Podman). - -Signed-off-by: Aleksa Sarai ---- - components/engine/api/swagger.yaml | 4 ++-- - components/engine/builder/builder-next/executor_unix.go | 2 +- - components/engine/daemon/daemon_unix.go | 6 +++--- - components/engine/libcontainerd/supervisor/remote_daemon.go | 4 ++-- - .../engine/libcontainerd/supervisor/remote_daemon_linux.go | 4 ++-- - .../libcontainerd/supervisor/remote_daemon_windows.go | 4 ++-- - 6 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/components/engine/api/swagger.yaml b/components/engine/api/swagger.yaml -index 6e0bc25b52d6..58f860d22a49 100644 ---- a/components/engine/api/swagger.yaml -+++ b/components/engine/api/swagger.yaml -@@ -3980,10 +3980,10 @@ definitions: - $ref: "#/definitions/Runtime" - default: - runc: -- path: "runc" -+ path: "docker-runc" - example: - runc: -- path: "runc" -+ path: "docker-runc" - runc-master: - path: "/go/bin/runc" - custom: -diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go -index 620ffb401de7..dd63779a27d2 100644 ---- a/components/engine/builder/builder-next/executor_unix.go -+++ b/components/engine/builder/builder-next/executor_unix.go -@@ -28,7 +28,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, ro - } - return runcexecutor.New(runcexecutor.Opt{ - Root: filepath.Join(root, "executor"), -- CommandCandidates: []string{"runc"}, -+ CommandCandidates: []string{"docker-runc", "runc"}, - DefaultCgroupParent: 
cgroupParent, - Rootless: rootless, - NoPivot: os.Getenv("DOCKER_RAMDISK") != "", -diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go -index df64de6edf13..fa9bfb528414 100644 ---- a/components/engine/daemon/daemon_unix.go -+++ b/components/engine/daemon/daemon_unix.go -@@ -54,11 +54,11 @@ import ( - const ( - // DefaultShimBinary is the default shim to be used by containerd if none - // is specified -- DefaultShimBinary = "containerd-shim" -+ DefaultShimBinary = "docker-containerd-shim" - - // DefaultRuntimeBinary is the default runtime to be used by - // containerd if none is specified -- DefaultRuntimeBinary = "runc" -+ DefaultRuntimeBinary = "docker-runc" - - // See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269 - linuxMinCPUShares = 2 -@@ -77,7 +77,7 @@ const ( - - // DefaultRuntimeName is the default runtime to be used by - // containerd if none is specified -- DefaultRuntimeName = "runc" -+ DefaultRuntimeName = "docker-runc" - ) - - type containerGetter interface { -diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go -index 31b93f11f0b1..5fba7f29eff9 100644 ---- a/components/engine/libcontainerd/supervisor/remote_daemon.go -+++ b/components/engine/libcontainerd/supervisor/remote_daemon.go -@@ -27,8 +27,8 @@ const ( - shutdownTimeout = 15 * time.Second - startupTimeout = 15 * time.Second - configFile = "containerd.toml" -- binaryName = "containerd" -- pidFile = "containerd.pid" -+ binaryName = "docker-containerd" -+ pidFile = "docker-containerd.pid" - ) - - type pluginConfigs struct { -diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go -index 799399c07bc5..1ea91d2b5d0b 100644 ---- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go -+++ 
b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go -@@ -11,8 +11,8 @@ import ( - ) - - const ( -- sockFile = "containerd.sock" -- debugSockFile = "containerd-debug.sock" -+ sockFile = "docker-containerd.sock" -+ debugSockFile = "docker-containerd-debug.sock" - ) - - func (r *remote) setDefaults() { -diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go -index 9b254ef58a0a..bcdc9529e0f7 100644 ---- a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go -+++ b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go -@@ -7,8 +7,8 @@ import ( - ) - - const ( -- grpcPipeName = `\\.\pipe\containerd-containerd` -- debugPipeName = `\\.\pipe\containerd-debug` -+ grpcPipeName = `\\.\pipe\docker-containerd-containerd` -+ debugPipeName = `\\.\pipe\docker-containerd-debug` - ) - - func (r *remote) setDefaults() { --- -2.22.0 -