diff --git a/_service b/_service index aeaf081..a4ab6f1 100644 --- a/_service +++ b/_service @@ -3,8 +3,8 @@ https://github.com/docker/docker.git git .git - 1.10.3 - v1.10.3 + 1.11.0 + v1.11.0 docker-*.tar diff --git a/boltdb_bolt_powerpc.patch b/boltdb_bolt_powerpc.patch deleted file mode 100644 index 9858a0b..0000000 --- a/boltdb_bolt_powerpc.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- - vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 9 +++++++++ - 1 file changed, 9 insertions(+) - -Index: docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go -=================================================================== ---- /dev/null -+++ docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go -@@ -0,0 +1,9 @@ -+// +build ppc64 -+ -+package bolt -+ -+// maxMapSize represents the largest mmap size supported by Bolt. -+const maxMapSize = 0xFFFFFFFFFFFF // 256TB -+ -+// maxAllocSize is the size used when creating array pointers. -+const maxAllocSize = 0x7FFFFFFF diff --git a/docker-1.10.3.tar.xz b/docker-1.10.3.tar.xz deleted file mode 100644 index 9004edc..0000000 --- a/docker-1.10.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:981d52320b7936c294d4b433deffe7af9934b715e207d38a7a993a5a74b3862e -size 8307800 diff --git a/docker-1.11.0.tar.xz b/docker-1.11.0.tar.xz new file mode 100644 index 0000000..a5b9921 --- /dev/null +++ b/docker-1.11.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ac135ae993b4967ab1fc590aa9f9d5cca9b1eb806e3ab611d0c8ab715f162739 +size 8788872 diff --git a/docker-mount-secrets.patch b/docker-mount-secrets.patch index 0a5f108..ecda337 100644 --- a/docker-mount-secrets.patch +++ b/docker-mount-secrets.patch 
@@ -1,302 +1,412 @@ -Index: docker-1.10.0/daemon/start.go +From fb84d5a3fbc3f1fad7dfc961b5dace3915eae7f9 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Mon, 11 Apr 2016 22:54:35 +1000 +Subject: [PATCH] SUSE: implement SUSE container secrets + +This allows for us to pass in host credentials to a container, allowing +for SUSEConnect to work with containers. + +THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS +SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT +MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. + +Signed-off-by: Aleksa Sarai +--- + container/container_unix.go | 63 ++++++++++++ + daemon/container_operations_unix.go | 50 ++++++++++ + daemon/daemon_unix.go | 6 +- + daemon/oci_linux.go | 7 ++ + daemon/start.go | 6 ++ + daemon/suse_secrets.go | 184 ++++++++++++++++++++++++++++++++++++ + 6 files changed, 314 insertions(+), 2 deletions(-) + create mode 100644 daemon/suse_secrets.go + +Index: docker-1.11.0/container/container_unix.go =================================================================== ---- docker-1.10.0.orig/daemon/start.go -+++ docker-1.10.0/daemon/start.go -@@ -1,12 +1,17 @@ - package daemon - - import ( -+ "fmt" -+ "os" -+ "path/filepath" - "runtime" -+ "syscall" - - "github.com/Sirupsen/logrus" - "github.com/docker/docker/container" - derr "github.com/docker/docker/errors" - "github.com/docker/docker/runconfig" -+ "github.com/docker/docker/vendor/src/github.com/opencontainers/runc/libcontainer/label" - containertypes "github.com/docker/engine-api/types/container" - ) - -@@ -134,6 +139,10 @@ func (daemon *Daemon) containerStart(con - } - } - -+ if err := daemon.setupSecretFiles(container); err != nil { -+ return err -+ } -+ - mounts, err := daemon.setupMounts(container) - if err != nil { - return err -@@ -142,13 +151,96 @@ func (daemon *Daemon) containerStart(con - mounts = append(mounts, container.TmpfsMounts()...) 
- - container.Command.Mounts = mounts -+ - if err := daemon.waitForStart(container); err != nil { - return err - } -+ -+ // Now the container is running, unmount the secrets on the host -+ if err := daemon.UnmountSecrets(container, false); err != nil { -+ return err -+ } -+ - container.HasBeenStartedBefore = true - return nil +--- docker-1.11.0.orig/container/container_unix.go ++++ docker-1.11.0/container/container_unix.go +@@ -34,6 +34,8 @@ type Container struct { + HostsPath string + ShmPath string + ResolvConfPath string ++ // SUSE:secrets :: We need to add the container-specific secrets path here. ++ SuseSecretsPath string + SeccompProfile string + NoNewPrivileges bool + } +@@ -243,6 +245,67 @@ func (container *Container) IpcMounts() + return mounts } -+// unmount secrets on the host. Performs a lazy unmount by default unless -+// `force` is set to true. -+// No unmount operation is invoked if the secrets mount point has already been -+// unmounted. -+func (daemon *Daemon) UnmountSecrets(container *container.Container, force bool) error { -+ secretsPath, err := daemon.secretsPath(container) -+ if err != nil { -+ return err -+ } ++// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's ++// personal /run/secrets tmpfs. ++func (container *Container) SuseSecretsResourcePath() (string, error) { ++ return container.GetRootResourcePath("suse:secrets") ++} ++ ++// SUSE:secrets :: SuseSecretMounts returns the list of mounts required for the ++// SUSE-specific /run/secrets patch. The container's personal /run/secrets tmpfs ++// has already been set up at this point. 
++func (container *Container) SuseSecretMounts() []Mount { ++ var mounts []Mount + + logrus.WithFields(logrus.Fields{ + "container": container.ID, -+ "path": secretsPath, -+ "force": force, -+ }).Debug("SUSE:secrets -> unmounting container secrets") ++ "path": container.SuseSecretsPath, ++ "hasmount": container.HasMountFor("/run/secrets"), ++ }).Debug("SUSE:secrets :: adding container secrets to mountpoint") + -+ var stat_dot, stat_dot_dot syscall.Stat_t -+ if err := syscall.Stat(secretsPath, &stat_dot); err != nil { -+ return fmt.Errorf("Something went wrong while getting stats for dot: %v", err) -+ } -+ if err := syscall.Stat(filepath.Join(secretsPath, ".."), &stat_dot_dot); err != nil { -+ return fmt.Errorf("Something went wrong while getting stats for dot dot: %v", err) ++ // TODO(SUSE): How do we register for HasMountFor(). ++ if !container.HasMountFor("/run/secrets") { ++ label.SetFileLabel(container.SuseSecretsPath, container.MountLabel) ++ mounts = append(mounts, Mount{ ++ Source: container.SuseSecretsPath, ++ Destination: "/run/secrets", ++ Writable: true, ++ Propagation: volume.DefaultPropagationMode, ++ }) + } + -+ // Compare device IDs for //. and //.. -+ // If the device IDs are different then the secrets directory is actually -+ // mounted. 
Otherwise it has already been unmounted, hence there's nothing -+ // to do (calling unmount would return an error) -+ if stat_dot.Dev != stat_dot_dot.Dev { -+ // By default perform lazy unmount -+ flag := syscall.MNT_DETACH -+ if force { -+ flag = syscall.MNT_FORCE -+ } -+ if err := syscall.Unmount(secretsPath, flag); err != nil { -+ return err -+ } -+ } -+ -+ return nil ++ return mounts +} + -+func (daemon *Daemon) secretsPath(container *container.Container) (string, error) { -+ return container.GetRootResourcePath("secrets") -+} -+ -+func (daemon *Daemon) setupSecretFiles(container *container.Container) error { -+ secretsPath, err := daemon.secretsPath(container) -+ if err != nil { -+ return err -+ } -+ ++// SUSE:secrets :: Unmounts the container's personal /run/secrets tmpfs using the ++// provided function. This is done to clean up the mountpoints properly. ++func (container *Container) UnmountSuseSecretMounts(unmount func(string) error) { + logrus.WithFields(logrus.Fields{ + "container": container.ID, -+ "path": secretsPath, -+ }).Debug("SUSE:secrets -> setting up container secrets") ++ "hasmount": container.HasMountFor("/run/secrets"), ++ }).Debug("SUSE:secrets :: requested to clean up container secrets") + -+ if err := os.MkdirAll(secretsPath, 0700); err != nil { -+ return err -+ } ++ if !container.HasMountFor("/run/secrets") { ++ logrus.Debugf("SUSE:secrets :: cleaning up secrets mount for container") + -+ if err := syscall.Mount("tmpfs", secretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", container.GetMountLabel())); err != nil { -+ return fmt.Errorf("mounting secret tmpfs: %s", err) -+ } -+ -+ data, err := getHostSecretData() -+ if err != nil { -+ return err -+ } -+ for _, s := range data { -+ s.SaveTo(secretsPath) -+ } -+ -+ return nil -+} -+ - func (daemon *Daemon) waitForStart(container *container.Container) error { - return container.StartMonitor(daemon, container.HostConfig.RestartPolicy) - 
} -Index: docker-1.10.0/daemon/delete.go -=================================================================== ---- docker-1.10.0.orig/daemon/delete.go -+++ docker-1.10.0/daemon/delete.go -@@ -122,6 +122,17 @@ func (daemon *Daemon) cleanupContainer(c - } - }() - -+ // Force unmount of the secrets tmpfs storage added by SUSE's Docker daemon. -+ // This is unmounted automatically at container start time, however the unmount -+ // is done with the 'lazy' flag. This can introduce some race conditions, for -+ // example when the container dies immediately (e.g. wrong entry point). In -+ // that case the secrets directory has not been unmounted yet, causing the -+ // removal of the container to fail because the file system is still reported -+ // as in use. See bnc#954797 -+ if err = daemon.UnmountSecrets(container, true); err != nil { -+ logrus.Errorf("SUSE:secrets -> Error unmounting secrets in cleanup: %v", err) -+ } -+ - if err = os.RemoveAll(container.Root); err != nil { - return derr.ErrorCodeRmFS.WithArgs(container.ID, err) - } -Index: docker-1.10.0/daemon/volumes_unix.go -=================================================================== ---- docker-1.10.0.orig/daemon/volumes_unix.go -+++ docker-1.10.0/daemon/volumes_unix.go -@@ -7,6 +7,7 @@ import ( - "sort" - "strconv" - -+ "github.com/Sirupsen/logrus" - "github.com/docker/docker/container" - "github.com/docker/docker/daemon/execdriver" - "github.com/docker/docker/volume" -@@ -18,6 +19,29 @@ import ( - // calls Setup() on each. It also looks to see if is a network mount such as - // /etc/resolv.conf, and if it is not, appends it to the array of mounts. 
- func (daemon *Daemon) setupMounts(container *container.Container) ([]execdriver.Mount, error) { -+ if _, exists := container.MountPoints["/run/secrets"]; !exists { -+ const ( -+ name = "suse:secrets" -+ dest = "/run/secrets" -+ rw = true -+ ) -+ -+ secretsPath, err := daemon.secretsPath(container) ++ suseSecretsPath, err := container.SuseSecretsResourcePath() + if err != nil { -+ return nil, err ++ logrus.Error("SUSE:secrets :: failed to clean up secrets mounts: no secrets resource path found for container %v: %v", container.ID, err) + } + -+ logrus.WithFields(logrus.Fields{ -+ "name": name, -+ "rw": rw, -+ "path": secretsPath, -+ "dest": dest, -+ "container": container.ID, -+ }).Debug("SUSE:secrets -> adding /run/secrets to bind-mount points") ++ if suseSecretsPath != "" { ++ logrus.WithFields(logrus.Fields{ ++ "path": suseSecretsPath, ++ }).Debugf("SUSE:secrets :: actually unmounting conatiner secrets") + -+ container.AddBindMountPoint(name, secretsPath, dest, rw) ++ if err := unmount(suseSecretsPath); err != nil && !os.IsNotExist(err) { ++ // We can't error out here. ++ logrus.Warnf("SUSE:secrets :: failed to clean up secrets mounts: failed to umount %s: %v", suseSecretsPath, err) ++ } ++ } ++ } ++} ++ + // UpdateContainer updates configuration of a container. + func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error { + container.Lock() +Index: docker-1.11.0/daemon/container_operations_unix.go +=================================================================== +--- docker-1.11.0.orig/daemon/container_operations_unix.go ++++ docker-1.11.0/daemon/container_operations_unix.go +@@ -182,6 +182,56 @@ func (daemon *Daemon) getIpcContainer(co + return c, nil + } + ++// SUSE:secrets :: Create a container's personal /run/secrets tmpfs and fill it ++// with the host's credentials. 
++func (daemon *Daemon) setupSuseSecrets(c *container.Container) (err error) { ++ c.SuseSecretsPath, err = c.SuseSecretsResourcePath() ++ if err != nil { ++ return err + } + - var mounts []execdriver.Mount - for _, m := range container.MountPoints { - if err := daemon.lazyInitializeVolume(container.ID, m); err != nil { -Index: docker-1.10.0/daemon/secrets.go ++ if !c.HasMountFor("/run/secrets") { ++ rootUID, rootGID := daemon.GetRemappedUIDGID() ++ if err = idtools.MkdirAllAs(c.SuseSecretsPath, 0700, rootUID, rootGID); err != nil { ++ return fmt.Errorf("SUSE:secrets :: failed to create container secret: %v", err) ++ } ++ if err = syscall.Mount("tmpfs", c.SuseSecretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", c.GetMountLabel())); err != nil { ++ return fmt.Errorf("SUSE:secrets :: mounting secrets tmpfs: %v", err) ++ } ++ // We need to defer a cleanup, to make sure errors that occur before the container ++ // starts don't cause wasted memory due to tmpfs-es that aren't being used. ++ defer func() { ++ if err != nil { ++ logrus.Infof("SUSE::secrets :: cleaning up secrets mount due to failed setup") ++ c.UnmountSuseSecretMounts(detachMounted) ++ } ++ }() ++ if err = os.Chown(c.SuseSecretsPath, rootUID, rootGID); err != nil { ++ return fmt.Errorf("SUSE:secrets :: failed to chown container secret to (uid=%d,gid=%d): %v", rootUID, rootGID, err) ++ } ++ ++ // Now we need to inject the credentials. But in order to play properly with ++ // user namespaces, they must be owned by rootUID:rootGID. 
++ ++ data, err := getHostSuseSecretData() ++ if err != nil { ++ return fmt.Errorf("SUSE:secrets :: failed to get host secret data: %v", err) ++ } ++ ++ uidMap, gidMap := daemon.GetUIDGIDMaps() ++ for _, s := range data { ++ if err := s.SaveTo(c.SuseSecretsPath, uidMap, gidMap); err != nil { ++ logrus.WithFields(logrus.Fields{ ++ "s.path": s.Path, ++ "path": c.SuseSecretsPath, ++ }).Errorf("SUSE:secrets :: failed to save secret data: %v", err) ++ } ++ } ++ } ++ ++ return ++} ++ + func (daemon *Daemon) setupIpcDirs(c *container.Container) error { + var err error + +Index: docker-1.11.0/daemon/daemon_unix.go +=================================================================== +--- docker-1.11.0.orig/daemon/daemon_unix.go ++++ docker-1.11.0/daemon/daemon_unix.go +@@ -786,8 +786,10 @@ func initBridgeDriver(controller libnetw + // the container from unwanted side-effects on the rw layer. + func setupInitLayer(initLayer string, rootUID, rootGID int) error { + for pth, typ := range map[string]string{ +- "/dev/pts": "dir", +- "/dev/shm": "dir", ++ "/dev/pts": "dir", ++ "/dev/shm": "dir", ++ // SUSE:secrets :: We need to add the mountpoint in the init layer. ++ "/run/secrets": "dir", + "/proc": "dir", + "/sys": "dir", + "/.dockerenv": "file", +Index: docker-1.11.0/daemon/oci_linux.go +=================================================================== +--- docker-1.11.0.orig/daemon/oci_linux.go ++++ docker-1.11.0/daemon/oci_linux.go +@@ -634,12 +634,19 @@ func (daemon *Daemon) createSpec(c *cont + return nil, err + } + ++ // SUSE:secrets :: We need to set up the container-specific secrets tmpfs here. ++ if err := daemon.setupSuseSecrets(c); err != nil { ++ return nil, err ++ } ++ + mounts, err := daemon.setupMounts(c) + if err != nil { + return nil, err + } + mounts = append(mounts, c.IpcMounts()...) + mounts = append(mounts, c.TmpfsMounts()...) ++ // SUSE:secrets :: We add the mounts to the OCI config which containerd then uses. 
++ mounts = append(mounts, c.SuseSecretMounts()...) + if err := setMounts(daemon, &s, c, mounts); err != nil { + return nil, fmt.Errorf("linux mounts: %v", err) + } +Index: docker-1.11.0/daemon/start.go +=================================================================== +--- docker-1.11.0.orig/daemon/start.go ++++ docker-1.11.0/daemon/start.go +@@ -164,6 +164,12 @@ func (daemon *Daemon) Cleanup(container + + container.UnmountIpcMounts(detachMounted) + ++ // TODO(SUSE): Make sure this gets called by containerCleanup. Do we need to ++ // port this part of the patch there as well? ++ ++ // SUSE:secrets :: We need to unmount stuff here so that we clean up properly. ++ container.UnmountSuseSecretMounts(detachMounted) ++ + if err := daemon.conditionalUnmountOnCleanup(container); err != nil { + // FIXME: remove once reference counting for graphdrivers has been refactored + // Ensure that all the mounts are gone +Index: docker-1.11.0/daemon/suse_secrets.go =================================================================== 
--- /dev/null -+++ docker-1.10.0/daemon/secrets.go -@@ -0,0 +1,103 @@ ++++ docker-1.11.0/daemon/suse_secrets.go +@@ -0,0 +1,184 @@ +package daemon + ++// SUSE:secrets :: This is a set of functions to copy host credentials into a ++// container's /run/secrets. ++ +import ( + "io/ioutil" + "os" + "path/filepath" ++ "syscall" + -+ log "github.com/Sirupsen/logrus" ++ "github.com/Sirupsen/logrus" ++ "github.com/docker/docker/pkg/idtools" +) + -+type Secret struct { -+ Name string -+ IsDir bool -+ HostBased bool -+} ++// TODO(SUSE): We need to reimplement this to use tar. Immediately. + -+type SecretData struct { -+ Name string ++// Creating a fake file. ++type SuseFakeFile struct { ++ Path string ++ Uid int ++ Gid int ++ Mode os.FileMode + Data []byte +} + -+func (s SecretData) SaveTo(dir string) error { -+ path := filepath.Join(dir, s.Name) -+ if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil && !os.IsExist(err) { ++func (s *SuseFakeFile) SaveTo(dir string, uidMap, gidMap []idtools.IDMap) error { ++ // Create non-existant path components with an owner of root (other FakeFiles ++ // will clean this up if the owner is critical). 
++ rootUid, rootGid, err := idtools.GetRootUIDGID(uidMap, gidMap) ++ ++ path := filepath.Join(dir, s.Path) ++ if err := idtools.MkdirAllNewAs(filepath.Dir(path), 0755, rootUid, rootGid); err != nil && !os.IsExist(err) { + return err + } -+ if err := ioutil.WriteFile(path, s.Data, 0755); err != nil { ++ ++ uid, err := idtools.ToHost(s.Uid, uidMap) ++ if err != nil { + return err + } -+ return nil ++ ++ gid, err := idtools.ToHost(s.Gid, gidMap) ++ if err != nil { ++ return err ++ } ++ ++ if s.Mode.IsDir() { ++ if err := idtools.MkdirAs(path, s.Mode, uid, gid); err != nil { ++ return err ++ } ++ } else { ++ if err := ioutil.WriteFile(path, s.Data, s.Mode); err != nil { ++ return err ++ } ++ } ++ ++ return os.Chown(path, uid, gid) +} + -+func readAll(root, prefix string) ([]SecretData, error) { -+ path := filepath.Join(root, prefix) ++// readDir will recurse into a directory prefix/dir, and return the set of secrets ++// in that directory. The Path attribute of each has the prefix stripped. Symlinks ++// are evaluated. ++func readDir(prefix, dir string) ([]*SuseFakeFile, error) { ++ var suseFiles []*SuseFakeFile + -+ data := []SecretData{} ++ path := filepath.Join(prefix, dir) ++ ++ fi, err := os.Stat(path) ++ if err != nil { ++ // Ignore dangling symlinks. 
++ if os.IsNotExist(err) { ++ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path) ++ return suseFiles, nil ++ } ++ return nil, err ++ } ++ ++ stat, ok := fi.Sys().(*syscall.Stat_t) ++ if !ok { ++ logrus.Warnf("SUSE:secrets :: failed to cast directory stat_t: defaulting to owned by root:root: %s", path) ++ } ++ ++ suseFiles = append(suseFiles, &SuseFakeFile{ ++ Path: dir, ++ Uid: int(stat.Uid), ++ Gid: int(stat.Gid), ++ Mode: fi.Mode(), ++ }) + + files, err := ioutil.ReadDir(path) + if err != nil { -+ if os.IsNotExist(err) { -+ return data, nil -+ } -+ + return nil, err + } + + for _, f := range files { -+ fileData, err := readFile(root, filepath.Join(prefix, f.Name())) -+ if err != nil { -+ // If the file did not exist, might be a dangling symlink -+ // Ignore the error -+ if os.IsNotExist(err) { -+ continue ++ subpath := filepath.Join(dir, f.Name()) ++ ++ if f.IsDir() { ++ secrets, err := readDir(prefix, subpath) ++ if err != nil { ++ return nil, err + } -+ return nil, err ++ suseFiles = append(suseFiles, secrets...) ++ } else { ++ secrets, err := readFile(prefix, subpath) ++ if err != nil { ++ return nil, err ++ } ++ suseFiles = append(suseFiles, secrets...) + } -+ data = append(data, fileData...) + } + -+ return data, nil ++ return suseFiles, nil +} + -+func readFile(root, name string) ([]SecretData, error) { -+ path := filepath.Join(root, name) ++func readFile(prefix, file string) ([]*SuseFakeFile, error) { ++ var suseFiles []*SuseFakeFile + -+ s, err := os.Stat(path) ++ path := filepath.Join(prefix, file) ++ fi, err := os.Stat(path) + if err != nil { ++ // Ignore dangling symlinks. 
++ if os.IsNotExist(err) { ++ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path) ++ return suseFiles, nil ++ } + return nil, err + } + -+ if s.IsDir() { -+ dirData, err := readAll(root, name) ++ stat, ok := fi.Sys().(*syscall.Stat_t) ++ if !ok { ++ logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path) ++ } ++ ++ if fi.IsDir() { ++ secrets, err := readDir(prefix, file) + if err != nil { + return nil, err + } -+ return dirData, nil ++ suseFiles = append(suseFiles, secrets...) + } else { + bytes, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } -+ return []SecretData{{Name: name, Data: bytes}}, nil ++ suseFiles = append(suseFiles, &SuseFakeFile{ ++ Path: file, ++ Uid: int(stat.Uid), ++ Gid: int(stat.Gid), ++ Mode: fi.Mode(), ++ Data: bytes, ++ }) + } ++ ++ return suseFiles, nil +} + -+func getHostSecretData() ([]SecretData, error) { -+ credentials, err := readAll("/etc/zypp/", "credentials.d") ++func getHostSuseSecretData() ([]*SuseFakeFile, error) { ++ secrets := []*SuseFakeFile{} ++ ++ credentials, err := readDir("/etc/zypp", "credentials.d") + if err != nil { -+ log.Errorf("Error while reading zypp credentials: %s", err) -+ return credentials, err ++ if os.IsNotExist(err) { ++ credentials = []*SuseFakeFile{} ++ } else { ++ logrus.Errorf("SUSE:secrets :: error while reading zypp credentials: %s", err) ++ return nil, err ++ } + } ++ secrets = append(secrets, credentials...) + + suseConnect, err := readFile("/etc", "SUSEConnect") + if err != nil { + if os.IsNotExist(err) { -+ suseConnect = []SecretData{} ++ suseConnect = []*SuseFakeFile{} + } else { -+ log.Errorf("Error while reading /etc/SUSEConnect: %s", err) ++ logrus.Errorf("SUSE:secrets :: error while reading /etc/SUSEConnect: %s", err) + return nil, err + } + } -+ return append(credentials, suseConnect...), nil ++ secrets = append(secrets, suseConnect...) ++ ++ return secrets, nil +} 
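Review bot: In SuseFakeFile.SaveTo (daemon/suse_secrets.go) the error returned by `idtools.GetRootUIDGID(uidMap, gidMap)` is never checked — the `err` it declares is simply overwritten by the later `uid, err := idtools.ToHost(s.Uid, uidMap)` — so with an unusable id map the parent directories are still created by MkdirAllNewAs with whatever ids the failed call returned rather than the remapped root, which is what gates access to the credentials under user namespaces; add `if err != nil { return err }` directly after that call. readDir and readFile in the same file log "defaulting to owned by root:root" when the `*syscall.Stat_t` assertion fails but then dereference the nil `stat` regardless; make the default real, e.g. `uid, gid := 0, 0` followed by `if ok { uid, gid = int(stat.Uid), int(stat.Gid) }`, and build the SuseFakeFile literal from those locals. In UnmountSuseSecretMounts (container/container_unix.go) `logrus.Error(...)` is given a format string with `%v` verbs, which that call prints literally; it should be `logrus.Errorf`, and the "conatiner" typo in the Debugf just below it can be fixed at the same time. Since this file is itself a patch, each of these belongs in the corresponding inner hunk of docker-mount-secrets.patch.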
diff --git a/docker.changes b/docker.changes index b676ca2..c054efe 100644 --- a/docker.changes +++ b/docker.changes 
@@ -1,3 +1,158 @@ +------------------------------------------------------------------- +Mon Apr 18 06:19:18 UTC 2016 - asarai@suse.de + +* Removed patches that have been fixed upstream and in gcc-go: + - boltdb_bolt_powerpc.patch + - fix-apparmor.patch + - fix-btrfs-ioctl-structure.patch + - fix-docker-init.patch + - libnetwork_drivers_bridge_powerpc.patch + - ignore-dockerinit-checksum.patch +* Require containerd, as it is the only currently supported Docker execdriver. +* Update docker.socket to require containerd.socket and use --containerd in + docker.service so that the services are self-contained. +* Update to Docker 1.11.0. Changelog from upstream: + + * Builder + - Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033)) + - Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162)) + + * Client + * Usage of the `:` separator for security option has been deprecated. 
`=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232)) + + The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373)) + * Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200)) + * Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128)) + - Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803)) + - Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792)) + * Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587)) + - Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566)) + + Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373)) + + Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107)) + * `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017)) + * `docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986)) + - Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806)) + * Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761)) + * `docker ps` no longer show exported port for 
stopped containers ([#19483](https://github.com/docker/docker/pull/19483)) + - Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849)) + * Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078)) + + * Distribution + - Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222)) + - Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212)) + + All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046)) + + OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970)) + * `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832)) + * `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565)) + * Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241)) + * Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840)) + - Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509)) + - Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382)) + + * Logging + - Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311)) + * Docker syslog driver now uses the RFC-5424 format when emitting logs 
([#20121](https://github.com/docker/docker/pull/20121)) + * Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831)) + * Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794)) + + Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689)) + * Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564)) + + The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439)) + + Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766)) + + * Misc + + When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c)) + + Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325)) + + Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270)) + * The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266)) + - Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258)) + - Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633)) + * Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported 
([#20863](https://github.com/docker/docker/pull/20863)) + * Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388)) + * Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894)) + * `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851)) + + Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013)) + + Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348)) + + * Networking + - Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671)) + - Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671)) + * `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160)) + + Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122)) + * Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383)) + - Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431)) + * `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357)) + + Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). 
This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513)) + * Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396)) + - Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396)) + * Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261)) + - Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019)) + - Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019) + - Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214)) + - Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419)) + - Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419)) + - For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019)) + - Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019)) + 
- Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780)) + - Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914)) + + * Plugins + - Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686)) + - Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602)) + + * Runtime + - Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716)) + - Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692)) + - Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677)) + - Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666)) + Docker 1.9, but was decided to be too much of an backward-incompatible change, so it was decided to keep the feature. 
+ + It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383)) + + `docker inspect ` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370)) + + Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354)) + * Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345)) + * Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097)) + - Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089)) + - Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048)) + - Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045)) + - Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022)) + - Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013)) + - Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002)) + * Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977)) + - Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967) + * The devmapper driver learned the `dm.min_free_space` option. 
If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786)) + + Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727)) + - Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684)) + + Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662)) + - Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604)) + + Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177)) + + Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111)) + - Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679)) + * Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517)) + - Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500)) + * `docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116)) + * `docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. 
one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966)) + + Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697)) + - `docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078)) + - Fix a bug in neighbor discovery for IPv6 peers ([#20842](https://github.com/docker/docker/pull/20842)) + - Fix a panic during cleanup if a container was started with invalid options ([#21802](https://github.com/docker/docker/pull/21802)) + - Fix a situation where a container cannot be stopped if the terminal is closed ([#21840](https://github.com/docker/docker/pull/21840)) + + * Security + * Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370)) + * `restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262)) + * `send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432)) + * Docker Content Trust now requests the server to perform snapshot signing ([#21046](https://github.com/docker/docker/pull/21046)) + * Support for using YubiKeys for Content Trust signing has been moved out of experimental ([#21591](https://github.com/docker/docker/pull/21591)) + + * Volumes + * Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389)) + * Local volumes can now accepts options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262)) + - 
Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106)) + + `docker run -v` now accepts a new flag `nocopy`. This tell the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223)) + ------------------------------------------------------------------- Wed Apr 13 11:16:51 UTC 2016 - jmassaguerpla@suse.com @@ -5,7 +160,7 @@ Wed Apr 13 11:16:51 UTC 2016 - jmassaguerpla@suse.com because gcc5 has been updated there as well. - docker.spec: add a "is_opensuse" check for the mount-secrets patch. - This way we can use this same package for opensuse. + This way we can use this same package for opensuse. ------------------------------------------------------------------- Fri Apr 8 13:27:55 UTC 2016 - dmueller@suse.com @@ -456,13 +611,13 @@ Thu Oct 29 14:17:32 UTC 2015 - jmassaguerpla@suse.com Thu Oct 22 12:11:14 UTC 2015 - jmassaguerpla@suse.com - Exclude libgo as a requirement. The auto requires script was adding - libgo as a requirement when building with gcc-go which was wrong. + libgo as a requirement when building with gcc-go which was wrong. ------------------------------------------------------------------- Fri Oct 16 15:43:46 UTC 2015 - jmassaguerpla@suse.com - Add patch for missing systemcall for s390x. See - + https://github.com/docker/docker/commit/eecf6cd48cf7c48f00aa8261cf431c87084161ae add_missing_syscall_for_s390x.patch: contains the patch @@ -485,11 +640,11 @@ Tue Sep 22 13:20:49 UTC 2015 - jmassaguerpla@suse.com see detailed changelog in - https://github.com/docker/docker/releases/tag/v1.8.2 + https://github.com/docker/docker/releases/tag/v1.8.2 fix bsc#946653 update do docker 1.8.2 -- devicemapper: fix zero-sized field access +- devicemapper: fix zero-sized field access Fix issue #15279: does not build with Go 1.5 tip Due to golang/go@7904946 the devices field is dropped. 
@@ -497,7 +652,7 @@ Tue Sep 22 13:20:49 UTC 2015 - jmassaguerpla@suse.com This solution works on go1.4 and go1.5 See more in https://github.com/docker/docker/pull/15404 - + This fix was not included in v1.8.2. See previous link on why. @@ -524,9 +679,9 @@ Thu Aug 13 09:38:03 UTC 2015 - jmassaguerpla@suse.com - Update to docker 1.8.0: see detailed changelog in - https://github.com/docker/docker/releases/tag/v1.8.0 + https://github.com/docker/docker/releases/tag/v1.8.0 -- remove docker-netns-aarch64.patch: This patch was adding +- remove docker-netns-aarch64.patch: This patch was adding vendor/src/github.com/vishvananda/netns/netns_linux_arm64.go which is now included upstream, so we don't need this patch anymore @@ -535,7 +690,7 @@ Thu Aug 13 09:38:03 UTC 2015 - jmassaguerpla@suse.com Fri Jul 24 14:41:21 UTC 2015 - jmassaguerpla@suse.com - Remove 0002-Stripped-dockerinit-binary.patch because we do not - use it anymore (we got rid of that when updating to 1.7.1) + use it anymore (we got rid of that when updating to 1.7.1) ------------------------------------------------------------------- Fri Jul 24 14:14:38 UTC 2015 - jmassaguerpla@suse.com @@ -543,7 +698,7 @@ Fri Jul 24 14:14:38 UTC 2015 - jmassaguerpla@suse.com - Exclude archs where docker does not build. Otherwise it gets into and infinite loop when building. - We'll fix that later if we want to release for those archs. + We'll fix that later if we want to release for those archs. ------------------------------------------------------------------- Wed Jul 15 08:11:11 UTC 2015 - jmassaguerpla@suse.com 
@@ -571,13 +726,13 @@ Wed Jul 15 08:11:11 UTC 2015 - jmassaguerpla@suse.com ------------------------------------------------------------------- Fri Jul 10 11:22:00 UTC 2015 - jmassaguerpla@suse.com -- Exclude init scripts other than systemd from the test-package +- Exclude init scripts other than systemd from the test-package ------------------------------------------------------------------- Wed Jul 1 12:38:50 UTC 2015 - jmassaguerpla@suse.com - Exclude intel 32 bits arch. Docker does not built on that. Let's - make it explicit. + make it explicit. ------------------------------------------------------------------- Thu Jun 25 16:49:59 UTC 2015 - dmueller@suse.com @@ -629,7 +784,7 @@ Mon Jun 22 08:48:11 UTC 2015 - fcastelli@suse.com ------------------------------------------------------------------- Tue Jun 9 16:35:46 UTC 2015 - jmassaguerpla@suse.com -- Add test subpackage and fix line numbers in patches +- Add test subpackage and fix line numbers in patches ------------------------------------------------------------------- Fri Jun 5 15:29:45 UTC 2015 - fcastelli@suse.com @@ -827,7 +982,7 @@ Fri Dec 12 16:13:30 UTC 2014 - fcastelli@suse.com * Notable Features since 1.3.0: - Set key=value labels to the daemon (displayed in `docker info`), applied with new `-label` daemon flag - - Add support for `ENV` in Dockerfile of the form: + - Add support for `ENV` in Dockerfile of the form: `ENV name=value name2=value2...` - New Overlayfs Storage Driver - `docker info` now returns an `ID` and `Name` field @@ -1305,7 +1460,7 @@ Wed Feb 19 08:35:27 UTC 2014 - fcastelli@suse.com - Fix broken images API for version less than 1.7 - Use the right encoding for all API endpoints which return JSON - Move remote api client to api/ - - Queue calls to the API using generic socket wait + - Queue calls to the API using generic socket wait * Runtime: - Fix the use of custom settings for bridges and custom bridges - Refactor the devicemapper code to avoid many mount/unmount race 
@@ -1428,7 +1583,7 @@ Fri Jan 10 10:44:23 UTC 2014 - fcastelli@suse.com * Do not add hostname when networking is disabled * Return most recent image from the cache by date * Return all errors from docker wait - * Add Content-Type Header "application/json" to GET /version and /info responses + * Add Content-Type Header "application/json" to GET /version and /info responses * Other: - Update DCO to version 1.1 - Update Makefile to use "docker:GIT_BRANCH" as the generated image name @@ -1447,7 +1602,7 @@ Fri Jan 10 10:44:23 UTC 2014 - fcastelli@suse.com - Fix for wrong version warning on master instead of latest * Runtime: - Only get the image's rootfs when we need to calculate the image size - - Correctly handle unmapping UDP ports + - Correctly handle unmapping UDP ports - Make CopyFileWithTar use a pipe instead of a buffer to save memory on docker build - Fix login message to say pull instead of push - Fix "docker load" help by removing "SOURCE" prompt and mentioning STDIN diff --git a/docker.service b/docker.service index c2fc918..ba34b05 100644 --- a/docker.service +++ b/docker.service 
@@ -1,21 +1,15 @@ [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com -After=network.target docker.socket -Requires=docker.socket +After=network.target docker.socket containerd.socket +Requires=docker.socket containerd.socket [Service] -# the default is not to use systemd for cgroups because the delegate issues still -# exists and systemd currently does not support the cgroup feature set required -# for containers run by docker EnvironmentFile=/etc/sysconfig/docker -ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS -MountFlags=slave +ExecStart=/usr/bin/docker daemon -H fd:// --containerd /run/containerd/containerd.sock $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity -# set delegate yes so that systemd does not reset the cgroups of docker containers -Delegate=yes [Install] WantedBy=multi-user.target diff --git a/docker.spec b/docker.spec index 7a366a7..5dbd5c0 100644 --- a/docker.spec +++ b/docker.spec @@ -22,8 +22,10 @@ %define git_version 9e83765 %define go_arches %ix86 x86_64 aarch64 +%define version_unconverted 1.11.0 + Name: docker -Version: 1.10.3 +Version: 1.11.0 Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -46,8 +48,6 @@ Source8: docker-audit.rules # TODO: remove once we figure out what is wrong with iptables on ppc64le Source100: sysconfig.docker.ppc64le Patch1: gcc5_socket_workaround.patch -Patch2: fix-docker-init.patch -Patch3: fix-apparmor.patch %if 0%{?is_opensuse} # nothing %else 
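Review bot: `MountFlags=slave` and `Delegate=yes` are dropped from [Service] together with the comment that explained them, but the commit only describes the move to containerd and gives no reason for removing either directive. The daemon still performs the graphdriver and volume mounts itself, so without `MountFlags=slave` its mounts propagate into the host mount namespace, where they can leak and block unmounts; without `Delegate=yes` systemd may reset the cgroups of running containers, which is exactly what the removed comment warned about. If the intent is that containerd.service now owns the container cgroups, say so in the commit message and confirm that unit carries `Delegate=yes`; otherwise keep `MountFlags=slave` after ExecStart and `Delegate=yes` after LimitCORE. The new `Requires=containerd.socket` also presumes the containerd package ships a socket unit under that name, which is worth confirming against the package the spec now requires.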
@@ -55,19 +55,10 @@ Patch3: fix-apparmor.patch # PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers Patch200: docker-mount-secrets.patch %endif -# TODO: Remove this once we update to Docker 1.11.0. This has been merged in -# https://github.com/docker/docker/pull/21723 -Patch4: fix-btrfs-ioctl-structure.patch # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ -# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time -# We cannot do that, right now a quick and really dirty way to get it running is -# to simply disable this check -Patch100: ignore-dockerinit-checksum.patch Patch101: gcc-go-patches.patch Patch102: netlink_gcc_go.patch Patch103: netlink_netns_powerpc.patch -Patch104: boltdb_bolt_powerpc.patch -Patch105: libnetwork_drivers_bridge_powerpc.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: device-mapper-devel >= 1.2.68 @@ -97,6 +88,8 @@ Requires: lvm2 >= 2.2.89 Requires: procps Requires: tar >= 1.26 Requires: xz >= 4.9 +# Containerd is required as it is the only currently supported execdriver of Docker. +Requires: containerd # Not necessary, but must be installed to have a smooth upgrade. Recommends: docker-image-migrator Conflicts: lxc < 1.0 @@ -174,9 +167,6 @@ Test package for docker. It contains the source code and the tests. %if 0%{?suse_version} >= 1315 %patch1 -p1 %endif -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %if 0%{?is_opensuse} # nothing %else @@ -186,9 +176,6 @@ Test package for docker. It contains the source code and the tests. %patch101 -p1 %patch102 -p1 %patch103 -p1 -%patch104 -p1 -%patch105 -p1 -%patch100 -p1 %endif cp %{SOURCE7} . 
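Review bot: The `Requires: containerd` added in the `@@ -97,6 +88,8 @@` hunk carries no version constraint, while docker.service now hard-codes `containerd.socket` and `/run/containerd/containerd.sock` and the 1.11.0 daemon talks to containerd over a specific gRPC API. An older or newer containerd package would satisfy the dependency yet leave the daemon unable to start, and the package manager cannot detect that. A bound such as `Requires: containerd >= <minimum containerd version required by docker 1.11.0>` records the coupling and lets it be enforced at install time; the comment above it could also name the socket path the unit file depends on so the two files are kept in step.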
@@ -225,10 +212,8 @@ install -d %{buildroot}%{go_contribdir} install -d %{buildroot}%{_bindir} %ifarch %go_arches install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit %else install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit %endif install -d %{buildroot}/%{_prefix}/lib/docker install -Dd -m 0755 \ @@ -363,7 +348,6 @@ groupadd -r docker 2>/dev/null || : %{_bindir}/docker %{_sbindir}/rcdocker %{_prefix}/lib/docker/ -%{_prefix}/lib/docker/dockerinit %{_unitdir}/%{name}.service %{_unitdir}/%{name}.socket %config %{_sysconfdir}/audit/rules.d/%{name}.rules diff --git a/fix-apparmor.patch b/fix-apparmor.patch deleted file mode 100644 index fa463bd..0000000 --- a/fix-apparmor.patch +++ /dev/null 
@@ -1,292 +0,0 @@ -Index: docker-1.10.1/contrib/apparmor/main.go -=================================================================== ---- docker-1.10.1.orig/contrib/apparmor/main.go -+++ docker-1.10.1/contrib/apparmor/main.go -@@ -11,8 +11,7 @@ import ( - ) - - type profileData struct { -- MajorVersion int -- MinorVersion int -+ Version int - } - - func main() { -@@ -23,13 +22,12 @@ func main() { - // parse the arg - apparmorProfilePath := os.Args[1] - -- majorVersion, minorVersion, err := aaparser.GetVersion() -+ version, err := aaparser.GetVersion() - if err != nil { - log.Fatal(err) - } - data := profileData{ -- MajorVersion: majorVersion, -- MinorVersion: minorVersion, -+ Version: version, - } - fmt.Printf("apparmor_parser is of version %+v\n", data) - -Index: docker-1.10.1/daemon/execdriver/native/apparmor.go -=================================================================== ---- docker-1.10.1.orig/daemon/execdriver/native/apparmor.go -+++ docker-1.10.1/daemon/execdriver/native/apparmor.go -@@ -25,8 +25,7 @@ type data struct { - ExecPath string - Imports []string - InnerImports []string -- MajorVersion int -- MinorVersion int -+ Version int - } - - const baseTemplate = ` -@@ -64,14 +63,17 @@ profile {{.Name}} flags=(attach_disconne - deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, - --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}} -+{{if ge .Version 208095}} -+ # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr) -+ # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule -+ # other apparmor-2.8 versions do not support this rule - # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container - ptrace (trace,read) peer=docker-default, --{{end}}{{end}} --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{end}} -+{{if ge .Version 209000}} - # docker daemon confinement requires explict allow rule for signal - signal (receive) set=(kill,term) peer={{.ExecPath}}, --{{end}}{{end}} -+{{end}} - } - 
` - -@@ -91,7 +93,7 @@ func generateProfile(out io.Writer) erro - if abstractionsExists() { - data.InnerImports = append(data.InnerImports, "#include ") - } -- data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion() -+ data.Version, err = aaparser.GetVersion() - if err != nil { - return err - } -Index: docker-1.10.1/pkg/aaparser/aaparser.go -=================================================================== ---- docker-1.10.1.orig/pkg/aaparser/aaparser.go -+++ docker-1.10.1/pkg/aaparser/aaparser.go -@@ -1,45 +1,92 @@ -+// Package aaparser is a convenience package interacting with `apparmor_parser`. - package aaparser - - import ( - "fmt" -- "log" - "os/exec" -+ "path/filepath" - "strconv" - "strings" - ) - --// GetVersion returns the major and minor version of apparmor_parser --func GetVersion() (int, int, error) { -- // get the apparmor_version version -- cmd := exec.Command("apparmor_parser", "--version") -+const ( -+ binary = "apparmor_parser" -+) -+ -+// GetVersion returns the major and minor version of apparmor_parser. -+func GetVersion() (int, error) { -+ output, err := cmd("", "--version") -+ if err != nil { -+ return -1, err -+ } -+ -+ return parseVersion(output) -+} - -- output, err := cmd.CombinedOutput() -+// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to -+// replace and write it to disk. -+func LoadProfile(profilePath string) error { -+ _, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath)) - if err != nil { -- log.Fatalf("getting apparmor_parser version failed: %s (%s)", err, output) -+ return err - } -+ return nil -+} -+ -+// cmd runs `apparmor_parser` with the passed arguments. -+func cmd(dir string, arg ...string) (string, error) { -+ c := exec.Command(binary, arg...) 
-+ c.Dir = dir - -- // parse the version from the output -+ output, err := c.CombinedOutput() -+ if err != nil { -+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), string(output), err) -+ } -+ -+ return string(output), nil -+} -+ -+// parseVersion takes the output from `apparmor_parser --version` and returns -+// a representation of the {major, minor, patch} version as a single number of -+// the form MMmmPPP {major, minor, patch}. -+func parseVersion(output string) (int, error) { - // output is in the form of the following: - // AppArmor parser version 2.9.1 - // Copyright (C) 1999-2008 Novell Inc. - // Copyright 2009-2012 Canonical Ltd. -- lines := strings.SplitN(string(output), "\n", 2) -+ -+ lines := strings.SplitN(output, "\n", 2) - words := strings.Split(lines[0], " ") - version := words[len(words)-1] -+ - // split by major minor version - v := strings.Split(version, ".") -- if len(v) < 2 { -- return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version) -+ if len(v) == 0 || len(v) > 3 { -+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output) - } - -+ // Default the versions to 0. 
-+ var majorVersion, minorVersion, patchLevel int -+ - majorVersion, err := strconv.Atoi(v[0]) - if err != nil { -- return -1, -1, err -+ return -1, err - } -- minorVersion, err := strconv.Atoi(v[1]) -- if err != nil { -- return -1, -1, err -+ -+ if len(v) > 1 { -+ minorVersion, err = strconv.Atoi(v[1]) -+ if err != nil { -+ return -1, err -+ } -+ } -+ if len(v) > 2 { -+ patchLevel, err = strconv.Atoi(v[2]) -+ if err != nil { -+ return -1, err -+ } - } - -- return majorVersion, minorVersion, nil -+ // major*10^5 + minor*10^3 + patch*10^0 -+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel -+ return numericVersion, nil - } -Index: docker-1.10.1/contrib/apparmor/template.go -=================================================================== ---- docker-1.10.1.orig/contrib/apparmor/template.go -+++ docker-1.10.1/contrib/apparmor/template.go -@@ -20,11 +20,11 @@ profile /usr/bin/docker (attach_disconne - - umount, - pivot_root, --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - signal (receive) peer=@{profile_name}, - signal (receive) peer=unconfined, - signal (send), --{{end}}{{end}} -+{{end}} - network, - capability, - owner /** rw, -@@ -46,12 +46,12 @@ profile /usr/bin/docker (attach_disconne - /etc/ld.so.cache r, - /etc/passwd r, - --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - ptrace peer=@{profile_name}, - ptrace (read) peer=docker-default, - deny ptrace (trace) peer=docker-default, - deny ptrace peer=/usr/bin/docker///bin/ps, --{{end}}{{end}} -+{{end}} - - /usr/lib/** rm, - /lib/** rm, -@@ -72,11 +72,11 @@ profile /usr/bin/docker (attach_disconne - /sbin/zfs rCx, - /sbin/apparmor_parser rCx, - --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - # Transitions - change_profile -> docker-*, - change_profile -> unconfined, --{{end}}{{end}} -+{{end}} - - profile /bin/cat (complain) { - /etc/ld.so.cache r, -@@ -98,10 +98,10 @@ profile /usr/bin/docker 
(attach_disconne - /dev/null rw, - /bin/ps mr, - --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - # We don't need ptrace so we'll deny and ignore the error. - deny ptrace (read, trace), --{{end}}{{end}} -+{{end}} - - # Quiet dac_override denials - deny capability dac_override, -@@ -119,15 +119,15 @@ profile /usr/bin/docker (attach_disconne - /proc/tty/drivers r, - } - profile /sbin/iptables (complain) { --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - signal (receive) peer=/usr/bin/docker, --{{end}}{{end}} -+{{end}} - capability net_admin, - } - profile /sbin/auplink flags=(attach_disconnected, complain) { --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - signal (receive) peer=/usr/bin/docker, --{{end}}{{end}} -+{{end}} - capability sys_admin, - capability dac_override, - -@@ -146,9 +146,9 @@ profile /usr/bin/docker (attach_disconne - /proc/[0-9]*/mounts rw, - } - profile /sbin/modprobe /bin/kmod (complain) { --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - signal (receive) peer=/usr/bin/docker, --{{end}}{{end}} -+{{end}} - capability sys_module, - /etc/ld.so.cache r, - /lib/** rm, -@@ -162,9 +162,9 @@ profile /usr/bin/docker (attach_disconne - } - # xz works via pipes, so we do not need access to the filesystem. - profile /usr/bin/xz (complain) { --{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} -+{{if ge .Version 209000}} - signal (receive) peer=/usr/bin/docker, --{{end}}{{end}} -+{{end}} - /etc/ld.so.cache r, - /lib/** rm, - /usr/bin/xz rm, diff --git a/fix-btrfs-ioctl-structure.patch b/fix-btrfs-ioctl-structure.patch deleted file mode 100644 index 37cd6ec..0000000 --- a/fix-btrfs-ioctl-structure.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From a038cccf88998814249a7a40b71a33a680e3f02f Mon Sep 17 00:00:00 2001 -From: Julio Montes -Date: Fri, 1 Apr 2016 08:58:29 -0600 -Subject: [PATCH] Fix compilation errors with btrfs-progs-4.5 - -btrfs-progs-4.5 introduces device delete by devid -for this reason btrfs_ioctl_vol_args_v2's name was encapsulated -in a union - -this patch is for setting btrfs_ioctl_vol_args_v2's name -using a C function in order to preserve compatibility -with all btrfs-progs versions - -Signed-off-by: Julio Montes -Signed-off-by: Aleksa Sarai ---- - daemon/graphdriver/btrfs/btrfs.go | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -Index: docker-1.10.3/daemon/graphdriver/btrfs/btrfs.go -=================================================================== ---- docker-1.10.3.orig/daemon/graphdriver/btrfs/btrfs.go -+++ docker-1.10.3/daemon/graphdriver/btrfs/btrfs.go -@@ -7,6 +7,10 @@ package btrfs - #include - #include - #include -+ -+static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { -+ snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); -+} - */ - import "C" - -@@ -160,9 +164,10 @@ func subvolSnapshot(src, dest, name stri - - var args C.struct_btrfs_ioctl_vol_args_v2 - args.fd = C.__s64(getDirFd(srcDir)) -- for i, c := range []byte(name) { -- args.name[i] = C.char(c) -- } -+ -+ var cs = C.CString(name) -+ C.set_name_btrfs_ioctl_vol_args_v2(&args, cs) -+ C.free(unsafe.Pointer(cs)) - - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, getDirFd(destDir), C.BTRFS_IOC_SNAP_CREATE_V2, - uintptr(unsafe.Pointer(&args))) diff --git a/fix-docker-init.patch b/fix-docker-init.patch deleted file mode 100644 index 718b93d..0000000 --- a/fix-docker-init.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff -Naur a/hack/make/.dockerinit b/hack/make/.dockerinit ---- a/hack/make/.dockerinit 2015-08-11 18:35:27.000000000 +0200 -+++ b/hack/make/.dockerinit 2015-08-12 18:14:25.743452565 +0200 -@@ -29,5 +29,6 @@ - exit 1 - fi - -+/usr/bin/strip -s $DEST/dockerinit-$VERSION - # sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another - export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1) -diff --git a/hack/make/.dockerinit-gccgo b/hack/make/.dockerinit-gccgo -index 3caa526..f272d29 100644 ---- a/hack/make/.dockerinit-gccgo -+++ b/hack/make/.dockerinit-gccgo -@@ -27,5 +27,6 @@ else - exit 1 - fi - -+/usr/bin/strip -s $DEST/dockerinit-$VERSION - # sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another - export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1) diff --git a/gcc5_socket_workaround.patch b/gcc5_socket_workaround.patch index 1f5b9d3..8b7a4df 100644 --- a/gcc5_socket_workaround.patch +++ b/gcc5_socket_workaround.patch 
@@ -1,21 +1,20 @@ -diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go -index 007ccb2..65f638f 100644 ---- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go -+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go -@@ -22,7 +22,7 @@ type ifreqIndex struct { - +Index: docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go +=================================================================== +--- docker-1.11.0.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go ++++ docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go +@@ -24,7 +24,7 @@ type ifreqIndex struct { + type ifreqHwaddr struct { IfrnName [ifNameSize]byte - IfruHwaddr syscall.RawSockaddr + IfruHwaddr patchedRawSockAddr } - + var rnd = rand.New(rand.NewSource(time.Now().UnixNano())) -diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go -new file mode 100644 -index 0000000..118f7bf +Index: docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go +=================================================================== --- /dev/null -+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go ++++ docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go @@ -0,0 +1,11 @@ +// Copyright (c) 2015 SUSE LLC. All rights reserved. + 
@@ -28,11 +27,10 @@ index 0000000..118f7bf + Family uint16 + Data [14]int8 +} -diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go -new file mode 100644 -index 0000000..cdba329 +Index: docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go +=================================================================== --- /dev/null -+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go ++++ docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go @@ -0,0 +1,10 @@ +// Copyright (c) 2015 SUSE LLC. All rights reserved. + diff --git a/ignore-dockerinit-checksum.patch b/ignore-dockerinit-checksum.patch deleted file mode 100644 index 7c033f7..0000000 --- a/ignore-dockerinit-checksum.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/utils/utils.go b/utils/utils.go -index 340b9e4..70a85a6 100644 ---- a/utils/utils.go -+++ b/utils/utils.go -@@ -75,7 +75,7 @@ func isValidDockerInitPath(target string, selfPath string) bool { // target and - } - return os.SameFile(targetFileInfo, selfPathFileInfo) - } -- return dockerversion.InitSHA1 != "" && dockerInitSha1(target) == dockerversion.InitSHA1 -+ return true - } - - // DockerInitPath figures out the path of our dockerinit (which may be SelfPath()) diff --git a/libnetwork_drivers_bridge_powerpc.patch b/libnetwork_drivers_bridge_powerpc.patch deleted file mode 100644 index d1ffbdd..0000000 --- a/libnetwork_drivers_bridge_powerpc.patch +++ /dev/null 
@@ -1,25 +0,0 @@ ---- - vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go | 2 +- - vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go -=================================================================== ---- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go -+++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go -@@ -1,4 +1,4 @@ --// +build arm ppc64 ppc64le -+// +build arm,!ppc64,!ppc64le - - package bridge - -Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go -=================================================================== ---- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go -+++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go -@@ -1,4 +1,4 @@ --// +build !arm,!ppc64,!ppc64le -+// +build !arm ppc64 ppc64le - - package bridge -