* Removed patches that have been fixed upstream and in gcc-go:
- boltdb_bolt_powerpc.patch - fix-apparmor.patch - fix-btrfs-ioctl-structure.patch - fix-docker-init.patch - libnetwork_drivers_bridge_powerpc.patch - ignore-dockerinit-checksum.patch * Require containerd, as it is the only currently supported Docker execdriver. * Update docker.socket to require containerd.socket and use --containerd in docker.service so that the services are self-contained. * Update to Docker 1.11.0. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=97
parent
b8a3d24bad
commit
3e758ad610
4
_service
4
_service
@ -3,8 +3,8 @@
|
|||||||
<param name="url">https://github.com/docker/docker.git</param>
|
<param name="url">https://github.com/docker/docker.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">1.10.3</param>
|
<param name="versionformat">1.11.0</param>
|
||||||
<param name="revision">v1.10.3</param>
|
<param name="revision">v1.11.0</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="recompress" mode="disabled">
|
<service name="recompress" mode="disabled">
|
||||||
<param name="file">docker-*.tar</param>
|
<param name="file">docker-*.tar</param>
|
||||||
|
@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
Index: docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
|
|
||||||
@@ -0,0 +1,9 @@
|
|
||||||
+// +build ppc64
|
|
||||||
+
|
|
||||||
+package bolt
|
|
||||||
+
|
|
||||||
+// maxMapSize represents the largest mmap size supported by Bolt.
|
|
||||||
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
|
|
||||||
+
|
|
||||||
+// maxAllocSize is the size used when creating array pointers.
|
|
||||||
+const maxAllocSize = 0x7FFFFFFF
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:981d52320b7936c294d4b433deffe7af9934b715e207d38a7a993a5a74b3862e
|
|
||||||
size 8307800
|
|
3
docker-1.11.0.tar.xz
Normal file
3
docker-1.11.0.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:ac135ae993b4967ab1fc590aa9f9d5cca9b1eb806e3ab611d0c8ab715f162739
|
||||||
|
size 8788872
|
@ -1,302 +1,412 @@
|
|||||||
Index: docker-1.10.0/daemon/start.go
|
From fb84d5a3fbc3f1fad7dfc961b5dace3915eae7f9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
|
Date: Mon, 11 Apr 2016 22:54:35 +1000
|
||||||
|
Subject: [PATCH] SUSE: implement SUSE container secrets
|
||||||
|
|
||||||
|
This allows for us to pass in host credentials to a container, allowing
|
||||||
|
for SUSEConnect to work with containers.
|
||||||
|
|
||||||
|
THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
|
||||||
|
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
|
||||||
|
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
|
||||||
|
|
||||||
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
|
---
|
||||||
|
container/container_unix.go | 63 ++++++++++++
|
||||||
|
daemon/container_operations_unix.go | 50 ++++++++++
|
||||||
|
daemon/daemon_unix.go | 6 +-
|
||||||
|
daemon/oci_linux.go | 7 ++
|
||||||
|
daemon/start.go | 6 ++
|
||||||
|
daemon/suse_secrets.go | 184 ++++++++++++++++++++++++++++++++++++
|
||||||
|
6 files changed, 314 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 daemon/suse_secrets.go
|
||||||
|
|
||||||
|
Index: docker-1.11.0/container/container_unix.go
|
||||||
===================================================================
|
===================================================================
|
||||||
--- docker-1.10.0.orig/daemon/start.go
|
--- docker-1.11.0.orig/container/container_unix.go
|
||||||
+++ docker-1.10.0/daemon/start.go
|
+++ docker-1.11.0/container/container_unix.go
|
||||||
@@ -1,12 +1,17 @@
|
@@ -34,6 +34,8 @@ type Container struct {
|
||||||
package daemon
|
HostsPath string
|
||||||
|
ShmPath string
|
||||||
import (
|
ResolvConfPath string
|
||||||
+ "fmt"
|
+ // SUSE:secrets :: We need to add the container-specific secrets path here.
|
||||||
+ "os"
|
+ SuseSecretsPath string
|
||||||
+ "path/filepath"
|
SeccompProfile string
|
||||||
"runtime"
|
NoNewPrivileges bool
|
||||||
+ "syscall"
|
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
|
||||||
"github.com/docker/docker/container"
|
|
||||||
derr "github.com/docker/docker/errors"
|
|
||||||
"github.com/docker/docker/runconfig"
|
|
||||||
+ "github.com/docker/docker/vendor/src/github.com/opencontainers/runc/libcontainer/label"
|
|
||||||
containertypes "github.com/docker/engine-api/types/container"
|
|
||||||
)
|
|
||||||
|
|
||||||
@@ -134,6 +139,10 @@ func (daemon *Daemon) containerStart(con
|
|
||||||
}
|
}
|
||||||
|
@@ -243,6 +245,67 @@ func (container *Container) IpcMounts()
|
||||||
|
return mounts
|
||||||
}
|
}
|
||||||
|
|
||||||
+ if err := daemon.setupSecretFiles(container); err != nil {
|
+// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's
|
||||||
+ return err
|
+// personal /run/secrets tmpfs.
|
||||||
|
+func (container *Container) SuseSecretsResourcePath() (string, error) {
|
||||||
|
+ return container.GetRootResourcePath("suse:secrets")
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
mounts, err := daemon.setupMounts(container)
|
+// SUSE:secrets :: SuseSecretMounts returns the list of mounts required for the
|
||||||
if err != nil {
|
+// SUSE-specific /run/secrets patch. The container's personal /run/secrets tmpfs
|
||||||
return err
|
+// has already been set up at this point.
|
||||||
@@ -142,13 +151,96 @@ func (daemon *Daemon) containerStart(con
|
+func (container *Container) SuseSecretMounts() []Mount {
|
||||||
mounts = append(mounts, container.TmpfsMounts()...)
|
+ var mounts []Mount
|
||||||
|
|
||||||
container.Command.Mounts = mounts
|
|
||||||
+
|
|
||||||
if err := daemon.waitForStart(container); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ // Now the container is running, unmount the secrets on the host
|
|
||||||
+ if err := daemon.UnmountSecrets(container, false); err != nil {
|
|
||||||
+ return err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
container.HasBeenStartedBefore = true
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
+// unmount secrets on the host. Performs a lazy unmount by default unless
|
|
||||||
+// `force` is set to true.
|
|
||||||
+// No unmount operation is invoked if the secrets mount point has already been
|
|
||||||
+// unmounted.
|
|
||||||
+func (daemon *Daemon) UnmountSecrets(container *container.Container, force bool) error {
|
|
||||||
+ secretsPath, err := daemon.secretsPath(container)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return err
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ logrus.WithFields(logrus.Fields{
|
+ logrus.WithFields(logrus.Fields{
|
||||||
+ "container": container.ID,
|
+ "container": container.ID,
|
||||||
+ "path": secretsPath,
|
+ "path": container.SuseSecretsPath,
|
||||||
+ "force": force,
|
+ "hasmount": container.HasMountFor("/run/secrets"),
|
||||||
+ }).Debug("SUSE:secrets -> unmounting container secrets")
|
+ }).Debug("SUSE:secrets :: adding container secrets to mountpoint")
|
||||||
+
|
+
|
||||||
+ var stat_dot, stat_dot_dot syscall.Stat_t
|
+ // TODO(SUSE): How do we register for HasMountFor().
|
||||||
+ if err := syscall.Stat(secretsPath, &stat_dot); err != nil {
|
+ if !container.HasMountFor("/run/secrets") {
|
||||||
+ return fmt.Errorf("Something went wrong while getting stats for dot: %v", err)
|
+ label.SetFileLabel(container.SuseSecretsPath, container.MountLabel)
|
||||||
+ }
|
+ mounts = append(mounts, Mount{
|
||||||
+ if err := syscall.Stat(filepath.Join(secretsPath, ".."), &stat_dot_dot); err != nil {
|
+ Source: container.SuseSecretsPath,
|
||||||
+ return fmt.Errorf("Something went wrong while getting stats for dot dot: %v", err)
|
+ Destination: "/run/secrets",
|
||||||
|
+ Writable: true,
|
||||||
|
+ Propagation: volume.DefaultPropagationMode,
|
||||||
|
+ })
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ // Compare device IDs for /<secretsPath>/. and /<secretsPath>/..
|
+ return mounts
|
||||||
+ // If the device IDs are different then the secrets directory is actually
|
|
||||||
+ // mounted. Otherwise it has already been unmounted, hence there's nothing
|
|
||||||
+ // to do (calling unmount would return an error)
|
|
||||||
+ if stat_dot.Dev != stat_dot_dot.Dev {
|
|
||||||
+ // By default perform lazy unmount
|
|
||||||
+ flag := syscall.MNT_DETACH
|
|
||||||
+ if force {
|
|
||||||
+ flag = syscall.MNT_FORCE
|
|
||||||
+ }
|
|
||||||
+ if err := syscall.Unmount(secretsPath, flag); err != nil {
|
|
||||||
+ return err
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return nil
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+func (daemon *Daemon) secretsPath(container *container.Container) (string, error) {
|
|
||||||
+ return container.GetRootResourcePath("secrets")
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+func (daemon *Daemon) setupSecretFiles(container *container.Container) error {
|
|
||||||
+ secretsPath, err := daemon.secretsPath(container)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return err
|
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
+// SUSE:secrets :: Unmounts the container's personal /run/secrets tmpfs using the
|
||||||
|
+// provided function. This is done to clean up the mountpoints properly.
|
||||||
|
+func (container *Container) UnmountSuseSecretMounts(unmount func(string) error) {
|
||||||
+ logrus.WithFields(logrus.Fields{
|
+ logrus.WithFields(logrus.Fields{
|
||||||
+ "container": container.ID,
|
+ "container": container.ID,
|
||||||
+ "path": secretsPath,
|
+ "hasmount": container.HasMountFor("/run/secrets"),
|
||||||
+ }).Debug("SUSE:secrets -> setting up container secrets")
|
+ }).Debug("SUSE:secrets :: requested to clean up container secrets")
|
||||||
+
|
+
|
||||||
+ if err := os.MkdirAll(secretsPath, 0700); err != nil {
|
+ if !container.HasMountFor("/run/secrets") {
|
||||||
+ return err
|
+ logrus.Debugf("SUSE:secrets :: cleaning up secrets mount for container")
|
||||||
|
+
|
||||||
|
+ suseSecretsPath, err := container.SuseSecretsResourcePath()
|
||||||
|
+ if err != nil {
|
||||||
|
+ logrus.Error("SUSE:secrets :: failed to clean up secrets mounts: no secrets resource path found for container %v: %v", container.ID, err)
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if err := syscall.Mount("tmpfs", secretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", container.GetMountLabel())); err != nil {
|
+ if suseSecretsPath != "" {
|
||||||
+ return fmt.Errorf("mounting secret tmpfs: %s", err)
|
+ logrus.WithFields(logrus.Fields{
|
||||||
|
+ "path": suseSecretsPath,
|
||||||
|
+ }).Debugf("SUSE:secrets :: actually unmounting conatiner secrets")
|
||||||
|
+
|
||||||
|
+ if err := unmount(suseSecretsPath); err != nil && !os.IsNotExist(err) {
|
||||||
|
+ // We can't error out here.
|
||||||
|
+ logrus.Warnf("SUSE:secrets :: failed to clean up secrets mounts: failed to umount %s: %v", suseSecretsPath, err)
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+ data, err := getHostSecretData()
|
// UpdateContainer updates configuration of a container.
|
||||||
|
func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
|
||||||
|
container.Lock()
|
||||||
|
Index: docker-1.11.0/daemon/container_operations_unix.go
|
||||||
|
===================================================================
|
||||||
|
--- docker-1.11.0.orig/daemon/container_operations_unix.go
|
||||||
|
+++ docker-1.11.0/daemon/container_operations_unix.go
|
||||||
|
@@ -182,6 +182,56 @@ func (daemon *Daemon) getIpcContainer(co
|
||||||
|
return c, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
+// SUSE:secrets :: Create a container's personal /run/secrets tmpfs and fill it
|
||||||
|
+// with the host's credentials.
|
||||||
|
+func (daemon *Daemon) setupSuseSecrets(c *container.Container) (err error) {
|
||||||
|
+ c.SuseSecretsPath, err = c.SuseSecretsResourcePath()
|
||||||
+ if err != nil {
|
+ if err != nil {
|
||||||
+ return err
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
|
+ if !c.HasMountFor("/run/secrets") {
|
||||||
|
+ rootUID, rootGID := daemon.GetRemappedUIDGID()
|
||||||
|
+ if err = idtools.MkdirAllAs(c.SuseSecretsPath, 0700, rootUID, rootGID); err != nil {
|
||||||
|
+ return fmt.Errorf("SUSE:secrets :: failed to create container secret: %v", err)
|
||||||
|
+ }
|
||||||
|
+ if err = syscall.Mount("tmpfs", c.SuseSecretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", c.GetMountLabel())); err != nil {
|
||||||
|
+ return fmt.Errorf("SUSE:secrets :: mounting secrets tmpfs: %v", err)
|
||||||
|
+ }
|
||||||
|
+ // We need to defer a cleanup, to make sure errors that occur before the container
|
||||||
|
+ // starts don't cause wasted memory due to tmpfs-es that aren't being used.
|
||||||
|
+ defer func() {
|
||||||
|
+ if err != nil {
|
||||||
|
+ logrus.Infof("SUSE::secrets :: cleaning up secrets mount due to failed setup")
|
||||||
|
+ c.UnmountSuseSecretMounts(detachMounted)
|
||||||
|
+ }
|
||||||
|
+ }()
|
||||||
|
+ if err = os.Chown(c.SuseSecretsPath, rootUID, rootGID); err != nil {
|
||||||
|
+ return fmt.Errorf("SUSE:secrets :: failed to chown container secret to (uid=%d,gid=%d): %v", rootUID, rootGID, err)
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Now we need to inject the credentials. But in order to play properly with
|
||||||
|
+ // user namespaces, they must be owned by rootUID:rootGID.
|
||||||
|
+
|
||||||
|
+ data, err := getHostSuseSecretData()
|
||||||
|
+ if err != nil {
|
||||||
|
+ return fmt.Errorf("SUSE:secrets :: failed to get host secret data: %v", err)
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ uidMap, gidMap := daemon.GetUIDGIDMaps()
|
||||||
+ for _, s := range data {
|
+ for _, s := range data {
|
||||||
+ s.SaveTo(secretsPath)
|
+ if err := s.SaveTo(c.SuseSecretsPath, uidMap, gidMap); err != nil {
|
||||||
|
+ logrus.WithFields(logrus.Fields{
|
||||||
|
+ "s.path": s.Path,
|
||||||
|
+ "path": c.SuseSecretsPath,
|
||||||
|
+ }).Errorf("SUSE:secrets :: failed to save secret data: %v", err)
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ return nil
|
+ return
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
func (daemon *Daemon) waitForStart(container *container.Container) error {
|
func (daemon *Daemon) setupIpcDirs(c *container.Container) error {
|
||||||
return container.StartMonitor(daemon, container.HostConfig.RestartPolicy)
|
var err error
|
||||||
}
|
|
||||||
Index: docker-1.10.0/daemon/delete.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.0.orig/daemon/delete.go
|
|
||||||
+++ docker-1.10.0/daemon/delete.go
|
|
||||||
@@ -122,6 +122,17 @@ func (daemon *Daemon) cleanupContainer(c
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
|
|
||||||
+ // Force unmount of the secrets tmpfs storage added by SUSE's Docker daemon.
|
Index: docker-1.11.0/daemon/daemon_unix.go
|
||||||
+ // This is unmounted automatically at container start time, however the unmount
|
|
||||||
+ // is done with the 'lazy' flag. This can introduce some race conditions, for
|
|
||||||
+ // example when the container dies immediately (e.g. wrong entry point). In
|
|
||||||
+ // that case the secrets directory has not been unmounted yet, causing the
|
|
||||||
+ // removal of the container to fail because the file system is still reported
|
|
||||||
+ // as in use. See bnc#954797
|
|
||||||
+ if err = daemon.UnmountSecrets(container, true); err != nil {
|
|
||||||
+ logrus.Errorf("SUSE:secrets -> Error unmounting secrets in cleanup: %v", err)
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if err = os.RemoveAll(container.Root); err != nil {
|
|
||||||
return derr.ErrorCodeRmFS.WithArgs(container.ID, err)
|
|
||||||
}
|
|
||||||
Index: docker-1.10.0/daemon/volumes_unix.go
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- docker-1.10.0.orig/daemon/volumes_unix.go
|
--- docker-1.11.0.orig/daemon/daemon_unix.go
|
||||||
+++ docker-1.10.0/daemon/volumes_unix.go
|
+++ docker-1.11.0/daemon/daemon_unix.go
|
||||||
@@ -7,6 +7,7 @@ import (
|
@@ -786,8 +786,10 @@ func initBridgeDriver(controller libnetw
|
||||||
"sort"
|
// the container from unwanted side-effects on the rw layer.
|
||||||
"strconv"
|
func setupInitLayer(initLayer string, rootUID, rootGID int) error {
|
||||||
|
for pth, typ := range map[string]string{
|
||||||
|
- "/dev/pts": "dir",
|
||||||
|
- "/dev/shm": "dir",
|
||||||
|
+ "/dev/pts": "dir",
|
||||||
|
+ "/dev/shm": "dir",
|
||||||
|
+ // SUSE:secrets :: We need to add the mountpoint in the init layer.
|
||||||
|
+ "/run/secrets": "dir",
|
||||||
|
"/proc": "dir",
|
||||||
|
"/sys": "dir",
|
||||||
|
"/.dockerenv": "file",
|
||||||
|
Index: docker-1.11.0/daemon/oci_linux.go
|
||||||
|
===================================================================
|
||||||
|
--- docker-1.11.0.orig/daemon/oci_linux.go
|
||||||
|
+++ docker-1.11.0/daemon/oci_linux.go
|
||||||
|
@@ -634,12 +634,19 @@ func (daemon *Daemon) createSpec(c *cont
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
+ "github.com/Sirupsen/logrus"
|
+ // SUSE:secrets :: We need to set up the container-specific secrets tmpfs here.
|
||||||
"github.com/docker/docker/container"
|
+ if err := daemon.setupSuseSecrets(c); err != nil {
|
||||||
"github.com/docker/docker/daemon/execdriver"
|
|
||||||
"github.com/docker/docker/volume"
|
|
||||||
@@ -18,6 +19,29 @@ import (
|
|
||||||
// calls Setup() on each. It also looks to see if is a network mount such as
|
|
||||||
// /etc/resolv.conf, and if it is not, appends it to the array of mounts.
|
|
||||||
func (daemon *Daemon) setupMounts(container *container.Container) ([]execdriver.Mount, error) {
|
|
||||||
+ if _, exists := container.MountPoints["/run/secrets"]; !exists {
|
|
||||||
+ const (
|
|
||||||
+ name = "suse:secrets"
|
|
||||||
+ dest = "/run/secrets"
|
|
||||||
+ rw = true
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ secretsPath, err := daemon.secretsPath(container)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return nil, err
|
+ return nil, err
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ logrus.WithFields(logrus.Fields{
|
mounts, err := daemon.setupMounts(c)
|
||||||
+ "name": name,
|
if err != nil {
|
||||||
+ "rw": rw,
|
return nil, err
|
||||||
+ "path": secretsPath,
|
}
|
||||||
+ "dest": dest,
|
mounts = append(mounts, c.IpcMounts()...)
|
||||||
+ "container": container.ID,
|
mounts = append(mounts, c.TmpfsMounts()...)
|
||||||
+ }).Debug("SUSE:secrets -> adding /run/secrets to bind-mount points")
|
+ // SUSE:secrets :: We add the mounts to the OCI config which containerd then uses.
|
||||||
|
+ mounts = append(mounts, c.SuseSecretMounts()...)
|
||||||
|
if err := setMounts(daemon, &s, c, mounts); err != nil {
|
||||||
|
return nil, fmt.Errorf("linux mounts: %v", err)
|
||||||
|
}
|
||||||
|
Index: docker-1.11.0/daemon/start.go
|
||||||
|
===================================================================
|
||||||
|
--- docker-1.11.0.orig/daemon/start.go
|
||||||
|
+++ docker-1.11.0/daemon/start.go
|
||||||
|
@@ -164,6 +164,12 @@ func (daemon *Daemon) Cleanup(container
|
||||||
|
|
||||||
|
container.UnmountIpcMounts(detachMounted)
|
||||||
|
|
||||||
|
+ // TODO(SUSE): Make sure this gets called by containerCleanup. Do we need to
|
||||||
|
+ // port this part of the patch there as well?
|
||||||
+
|
+
|
||||||
+ container.AddBindMountPoint(name, secretsPath, dest, rw)
|
+ // SUSE:secrets :: We need to unmount stuff here so that we clean up properly.
|
||||||
+ }
|
+ container.UnmountSuseSecretMounts(detachMounted)
|
||||||
+
|
+
|
||||||
var mounts []execdriver.Mount
|
if err := daemon.conditionalUnmountOnCleanup(container); err != nil {
|
||||||
for _, m := range container.MountPoints {
|
// FIXME: remove once reference counting for graphdrivers has been refactored
|
||||||
if err := daemon.lazyInitializeVolume(container.ID, m); err != nil {
|
// Ensure that all the mounts are gone
|
||||||
Index: docker-1.10.0/daemon/secrets.go
|
Index: docker-1.11.0/daemon/suse_secrets.go
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ docker-1.10.0/daemon/secrets.go
|
+++ docker-1.11.0/daemon/suse_secrets.go
|
||||||
@@ -0,0 +1,103 @@
|
@@ -0,0 +1,184 @@
|
||||||
+package daemon
|
+package daemon
|
||||||
+
|
+
|
||||||
|
+// SUSE:secrets :: This is a set of functions to copy host credentials into a
|
||||||
|
+// container's /run/secrets.
|
||||||
|
+
|
||||||
+import (
|
+import (
|
||||||
+ "io/ioutil"
|
+ "io/ioutil"
|
||||||
+ "os"
|
+ "os"
|
||||||
+ "path/filepath"
|
+ "path/filepath"
|
||||||
|
+ "syscall"
|
||||||
+
|
+
|
||||||
+ log "github.com/Sirupsen/logrus"
|
+ "github.com/Sirupsen/logrus"
|
||||||
|
+ "github.com/docker/docker/pkg/idtools"
|
||||||
+)
|
+)
|
||||||
+
|
+
|
||||||
+type Secret struct {
|
+// TODO(SUSE): We need to reimplement this to use tar. Immediately.
|
||||||
+ Name string
|
|
||||||
+ IsDir bool
|
|
||||||
+ HostBased bool
|
|
||||||
+}
|
|
||||||
+
|
+
|
||||||
+type SecretData struct {
|
+// Creating a fake file.
|
||||||
+ Name string
|
+type SuseFakeFile struct {
|
||||||
|
+ Path string
|
||||||
|
+ Uid int
|
||||||
|
+ Gid int
|
||||||
|
+ Mode os.FileMode
|
||||||
+ Data []byte
|
+ Data []byte
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+func (s SecretData) SaveTo(dir string) error {
|
+func (s *SuseFakeFile) SaveTo(dir string, uidMap, gidMap []idtools.IDMap) error {
|
||||||
+ path := filepath.Join(dir, s.Name)
|
+ // Create non-existant path components with an owner of root (other FakeFiles
|
||||||
+ if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil && !os.IsExist(err) {
|
+ // will clean this up if the owner is critical).
|
||||||
|
+ rootUid, rootGid, err := idtools.GetRootUIDGID(uidMap, gidMap)
|
||||||
|
+
|
||||||
|
+ path := filepath.Join(dir, s.Path)
|
||||||
|
+ if err := idtools.MkdirAllNewAs(filepath.Dir(path), 0755, rootUid, rootGid); err != nil && !os.IsExist(err) {
|
||||||
+ return err
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
+ if err := ioutil.WriteFile(path, s.Data, 0755); err != nil {
|
+
|
||||||
|
+ uid, err := idtools.ToHost(s.Uid, uidMap)
|
||||||
|
+ if err != nil {
|
||||||
+ return err
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
+ return nil
|
+
|
||||||
|
+ gid, err := idtools.ToHost(s.Gid, gidMap)
|
||||||
|
+ if err != nil {
|
||||||
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+func readAll(root, prefix string) ([]SecretData, error) {
|
+ if s.Mode.IsDir() {
|
||||||
+ path := filepath.Join(root, prefix)
|
+ if err := idtools.MkdirAs(path, s.Mode, uid, gid); err != nil {
|
||||||
|
+ return err
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if err := ioutil.WriteFile(path, s.Data, s.Mode); err != nil {
|
||||||
|
+ return err
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ data := []SecretData{}
|
+ return os.Chown(path, uid, gid)
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// readDir will recurse into a directory prefix/dir, and return the set of secrets
|
||||||
|
+// in that directory. The Path attribute of each has the prefix stripped. Symlinks
|
||||||
|
+// are evaluated.
|
||||||
|
+func readDir(prefix, dir string) ([]*SuseFakeFile, error) {
|
||||||
|
+ var suseFiles []*SuseFakeFile
|
||||||
|
+
|
||||||
|
+ path := filepath.Join(prefix, dir)
|
||||||
|
+
|
||||||
|
+ fi, err := os.Stat(path)
|
||||||
|
+ if err != nil {
|
||||||
|
+ // Ignore dangling symlinks.
|
||||||
|
+ if os.IsNotExist(err) {
|
||||||
|
+ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path)
|
||||||
|
+ return suseFiles, nil
|
||||||
|
+ }
|
||||||
|
+ return nil, err
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ stat, ok := fi.Sys().(*syscall.Stat_t)
|
||||||
|
+ if !ok {
|
||||||
|
+ logrus.Warnf("SUSE:secrets :: failed to cast directory stat_t: defaulting to owned by root:root: %s", path)
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ suseFiles = append(suseFiles, &SuseFakeFile{
|
||||||
|
+ Path: dir,
|
||||||
|
+ Uid: int(stat.Uid),
|
||||||
|
+ Gid: int(stat.Gid),
|
||||||
|
+ Mode: fi.Mode(),
|
||||||
|
+ })
|
||||||
+
|
+
|
||||||
+ files, err := ioutil.ReadDir(path)
|
+ files, err := ioutil.ReadDir(path)
|
||||||
+ if err != nil {
|
+ if err != nil {
|
||||||
+ if os.IsNotExist(err) {
|
|
||||||
+ return data, nil
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return nil, err
|
+ return nil, err
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ for _, f := range files {
|
+ for _, f := range files {
|
||||||
+ fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
|
+ subpath := filepath.Join(dir, f.Name())
|
||||||
|
+
|
||||||
|
+ if f.IsDir() {
|
||||||
|
+ secrets, err := readDir(prefix, subpath)
|
||||||
+ if err != nil {
|
+ if err != nil {
|
||||||
+ // If the file did not exist, might be a dangling symlink
|
+ return nil, err
|
||||||
+ // Ignore the error
|
+ }
|
||||||
|
+ suseFiles = append(suseFiles, secrets...)
|
||||||
|
+ } else {
|
||||||
|
+ secrets, err := readFile(prefix, subpath)
|
||||||
|
+ if err != nil {
|
||||||
|
+ return nil, err
|
||||||
|
+ }
|
||||||
|
+ suseFiles = append(suseFiles, secrets...)
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return suseFiles, nil
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+func readFile(prefix, file string) ([]*SuseFakeFile, error) {
|
||||||
|
+ var suseFiles []*SuseFakeFile
|
||||||
|
+
|
||||||
|
+ path := filepath.Join(prefix, file)
|
||||||
|
+ fi, err := os.Stat(path)
|
||||||
|
+ if err != nil {
|
||||||
|
+ // Ignore dangling symlinks.
|
||||||
+ if os.IsNotExist(err) {
|
+ if os.IsNotExist(err) {
|
||||||
+ continue
|
+ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path)
|
||||||
|
+ return suseFiles, nil
|
||||||
+ }
|
+ }
|
||||||
+ return nil, err
|
+ return nil, err
|
||||||
+ }
|
+ }
|
||||||
+ data = append(data, fileData...)
|
+
|
||||||
|
+ stat, ok := fi.Sys().(*syscall.Stat_t)
|
||||||
|
+ if !ok {
|
||||||
|
+ logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path)
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ return data, nil
|
+ if fi.IsDir() {
|
||||||
+}
|
+ secrets, err := readDir(prefix, file)
|
||||||
+
|
|
||||||
+func readFile(root, name string) ([]SecretData, error) {
|
|
||||||
+ path := filepath.Join(root, name)
|
|
||||||
+
|
|
||||||
+ s, err := os.Stat(path)
|
|
||||||
+ if err != nil {
|
+ if err != nil {
|
||||||
+ return nil, err
|
+ return nil, err
|
||||||
+ }
|
+ }
|
||||||
+
|
+ suseFiles = append(suseFiles, secrets...)
|
||||||
+ if s.IsDir() {
|
|
||||||
+ dirData, err := readAll(root, name)
|
|
||||||
+ if err != nil {
|
|
||||||
+ return nil, err
|
|
||||||
+ }
|
|
||||||
+ return dirData, nil
|
|
||||||
+ } else {
|
+ } else {
|
||||||
+ bytes, err := ioutil.ReadFile(path)
|
+ bytes, err := ioutil.ReadFile(path)
|
||||||
+ if err != nil {
|
+ if err != nil {
|
||||||
+ return nil, err
|
+ return nil, err
|
||||||
+ }
|
+ }
|
||||||
+ return []SecretData{{Name: name, Data: bytes}}, nil
|
+ suseFiles = append(suseFiles, &SuseFakeFile{
|
||||||
+ }
|
+ Path: file,
|
||||||
|
+ Uid: int(stat.Uid),
|
||||||
|
+ Gid: int(stat.Gid),
|
||||||
|
+ Mode: fi.Mode(),
|
||||||
|
+ Data: bytes,
|
||||||
|
+ })
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+func getHostSecretData() ([]SecretData, error) {
|
+ return suseFiles, nil
|
||||||
+ credentials, err := readAll("/etc/zypp/", "credentials.d")
|
|
||||||
+ if err != nil {
|
|
||||||
+ log.Errorf("Error while reading zypp credentials: %s", err)
|
|
||||||
+ return credentials, err
|
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
+func getHostSuseSecretData() ([]*SuseFakeFile, error) {
|
||||||
|
+ secrets := []*SuseFakeFile{}
|
||||||
|
+
|
||||||
|
+ credentials, err := readDir("/etc/zypp", "credentials.d")
|
||||||
|
+ if err != nil {
|
||||||
|
+ if os.IsNotExist(err) {
|
||||||
|
+ credentials = []*SuseFakeFile{}
|
||||||
|
+ } else {
|
||||||
|
+ logrus.Errorf("SUSE:secrets :: error while reading zypp credentials: %s", err)
|
||||||
|
+ return nil, err
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ secrets = append(secrets, credentials...)
|
||||||
|
+
|
||||||
+ suseConnect, err := readFile("/etc", "SUSEConnect")
|
+ suseConnect, err := readFile("/etc", "SUSEConnect")
|
||||||
+ if err != nil {
|
+ if err != nil {
|
||||||
+ if os.IsNotExist(err) {
|
+ if os.IsNotExist(err) {
|
||||||
+ suseConnect = []SecretData{}
|
+ suseConnect = []*SuseFakeFile{}
|
||||||
+ } else {
|
+ } else {
|
||||||
+ log.Errorf("Error while reading /etc/SUSEConnect: %s", err)
|
+ logrus.Errorf("SUSE:secrets :: error while reading /etc/SUSEConnect: %s", err)
|
||||||
+ return nil, err
|
+ return nil, err
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ return append(credentials, suseConnect...), nil
|
+ secrets = append(secrets, suseConnect...)
|
||||||
|
+
|
||||||
|
+ return secrets, nil
|
||||||
+}
|
+}
|
||||||
|
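Review bot: In the new `SaveTo` of daemon/suse_secrets.go (the `@@ -0,0 +1,184 @@` hunk) the error returned by `idtools.GetRootUIDGID(uidMap, gidMap)` is never checked — the following `if err := idtools.MkdirAllNewAs(...)` redeclares `err` in its initializer, so whatever made `GetRootUIDGID` fail is dropped and rootUid/rootGid silently fall back to 0, which under user namespaces would presumably leave the credential directories owned by host root instead of the remapped root. The fix is three lines straight after that call: `if err != nil {` / `return err` / `}`. In the same file, `readDir` and `readFile` warn that a failed `*syscall.Stat_t` assertion "defaults to owned by root:root" but then dereference the nil `stat` for `stat.Uid`/`stat.Gid`; assigning `stat = &syscall.Stat_t{}` inside the `!ok` branch would make the code do what its message promises. In `UnmountSuseSecretMounts` (container/container_unix.go hunk) `logrus.Error(...)` is given a format string with `%v` verbs plus arguments, so the verbs are printed literally and go vet will flag it; that call should be `logrus.Errorf`.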
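--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,158 @@
+-------------------------------------------------------------------
+Mon Apr 18 06:19:18 UTC 2016 - asarai@suse.de
+
+* Removed patches that have been fixed upstream and in gcc-go:
+- boltdb_bolt_powerpc.patch
+- fix-apparmor.patch
+- fix-btrfs-ioctl-structure.patch
+- fix-docker-init.patch
+- libnetwork_drivers_bridge_powerpc.patch
+- ignore-dockerinit-checksum.patch
+* Require containerd, as it is the only currently supported Docker execdriver.
+* Update docker.socket to require containerd.socket and use --containerd in
+docker.service so that the services are self-contained.
+* Update to Docker 1.11.0. Changelog from upstream:
+
+* Builder
+- Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033))
+- Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162))
+
+* Client
+* Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232))
++ The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373))
+* Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200))
+* Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128))
+- Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803))
+- Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792))
+* Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587))
+- Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566))
++ Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373))
++ Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107))
+* `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017))
+* `docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986))
+- Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806))
+* Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761))
+* `docker ps` no longer show exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483))
+- Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849))
+* Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078))
+
+* Distribution
+- Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222))
+- Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212))
++ All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046))
++ OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970))
+* `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832))
+* `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565))
+* Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241))
+* Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840))
+- Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509))
+- Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382))
+
+* Logging
+- Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311))
+* Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121))
+* Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831))
+* Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794))
++ Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689))
+* Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564))
++ The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439))
++ Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766))
+
+* Misc
++ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c))
++ Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325))
++ Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270))
+* The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266))
+- Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258))
+- Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633))
+* Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863))
+* Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388))
+* Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894))
+* `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851))
++ Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013))
++ Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348))
+
+* Networking
+- Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671))
+- Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671))
+* `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160))
++ Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122))
+* Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383))
+- Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431))
+* `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357))
++ Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513))
+* Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396))
+- Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396))
+* Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019))
+- Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261))
+- Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019))
+- Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019))
+- Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019))
+- Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019)
+- Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019))
+- Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214))
+- Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419))
+- Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419))
+- For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019))
+- Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019))
+- Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019))
+- Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780))
+- Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914))
+
+* Plugins
+- Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686))
+- Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602))
+
+* Runtime
+- Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716))
+- Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692))
+- Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677))
+- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
+Docker 1.9, but was decided to be too much of an backward-incompatible change, so it was decided to keep the feature.
++ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
++ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
++ Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354))
+* Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345))
+* Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097))
+- Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089))
+- Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048))
+- Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045))
+- Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022))
+- Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013))
+- Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002))
+* Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977))
+- Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967)
+* The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786))
++ Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727))
+- Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684))
++ Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662))
+- Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604))
++ Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177))
++ Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111))
+- Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679))
+* Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517))
+- Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500))
+* `docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116))
+* `docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966))
++ Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697))
+- `docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078))
+- Fix a bug in neighbor discovery for IPv6 peers ([#20842](https://github.com/docker/docker/pull/20842))
+- Fix a panic during cleanup if a container was started with invalid options ([#21802](https://github.com/docker/docker/pull/21802))
+- Fix a situation where a container cannot be stopped if the terminal is closed ([#21840](https://github.com/docker/docker/pull/21840))
+
+* Security
+* Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370))
+* `restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262))
+* `send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432))
+* Docker Content Trust now requests the server to perform snapshot signing ([#21046](https://github.com/docker/docker/pull/21046))
+* Support for using YubiKeys for Content Trust signing has been moved out of experimental ([#21591](https://github.com/docker/docker/pull/21591))
+
+* Volumes
+* Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389))
+* Local volumes can now accepts options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262))
+- Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106))
++ `docker run -v` now accepts a new flag `nocopy`. This tell the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223))
+
 -------------------------------------------------------------------
 Wed Apr 13 11:16:51 UTC 2016 - jmassaguerpla@suse.com
 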
@ -1,21 +1,15 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Docker Application Container Engine
|
Description=Docker Application Container Engine
|
||||||
Documentation=http://docs.docker.com
|
Documentation=http://docs.docker.com
|
||||||
After=network.target docker.socket
|
After=network.target docker.socket containerd.socket
|
||||||
Requires=docker.socket
|
Requires=docker.socket containerd.socket
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
# the default is not to use systemd for cgroups because the delegate issues still
|
|
||||||
# exists and systemd currently does not support the cgroup feature set required
|
|
||||||
# for containers run by docker
|
|
||||||
EnvironmentFile=/etc/sysconfig/docker
|
EnvironmentFile=/etc/sysconfig/docker
|
||||||
ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
|
ExecStart=/usr/bin/docker daemon -H fd:// --containerd /run/containerd/containerd.sock $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
|
||||||
MountFlags=slave
|
|
||||||
LimitNOFILE=1048576
|
LimitNOFILE=1048576
|
||||||
LimitNPROC=1048576
|
LimitNPROC=1048576
|
||||||
LimitCORE=infinity
|
LimitCORE=infinity
|
||||||
# set delegate yes so that systemd does not reset the cgroups of docker containers
|
|
||||||
Delegate=yes
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
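Review bot: The rows for `MountFlags=slave`, `Delegate=yes` and the three cgroup comment lines in the [Service] section have no counterpart on the new side of this hunk, so the unit appears to lose them, yet neither the commit message nor the new docker.changes entry mentions it — both only describe the containerd.socket dependency and the `--containerd` flag. The removed comment itself records why `Delegate=yes` was there (so systemd does not reset the cgroups of docker containers), and `MountFlags=slave` is what keeps mounts created by the daemon from propagating back into the host mount namespace, so dropping either silently changes the daemon's isolation on upgrade. If the removal is deliberate, record it in docker.changes; if not, restore `MountFlags=slave` and `Delegate=yes` in the [Service] section. The file header for this section is not shown on the page, but the content matches the docker.service named in the commit message.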
26
docker.spec
26
docker.spec
@ -22,8 +22,10 @@
|
|||||||
|
|
||||||
%define git_version 9e83765
|
%define git_version 9e83765
|
||||||
%define go_arches %ix86 x86_64 aarch64
|
%define go_arches %ix86 x86_64 aarch64
|
||||||
|
%define version_unconverted 1.11.0
|
||||||
|
|
||||||
Name: docker
|
Name: docker
|
||||||
Version: 1.10.3
|
Version: 1.11.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Linux container runtime
|
Summary: The Linux container runtime
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -46,8 +48,6 @@ Source8: docker-audit.rules
|
|||||||
# TODO: remove once we figure out what is wrong with iptables on ppc64le
|
# TODO: remove once we figure out what is wrong with iptables on ppc64le
|
||||||
Source100: sysconfig.docker.ppc64le
|
Source100: sysconfig.docker.ppc64le
|
||||||
Patch1: gcc5_socket_workaround.patch
|
Patch1: gcc5_socket_workaround.patch
|
||||||
Patch2: fix-docker-init.patch
|
|
||||||
Patch3: fix-apparmor.patch
|
|
||||||
%if 0%{?is_opensuse}
|
%if 0%{?is_opensuse}
|
||||||
# nothing
|
# nothing
|
||||||
%else
|
%else
|
||||||
@ -55,19 +55,10 @@ Patch3: fix-apparmor.patch
|
|||||||
# PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers
|
# PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers
|
||||||
Patch200: docker-mount-secrets.patch
|
Patch200: docker-mount-secrets.patch
|
||||||
%endif
|
%endif
|
||||||
# TODO: Remove this once we update to Docker 1.11.0. This has been merged in
|
|
||||||
# https://github.com/docker/docker/pull/21723
|
|
||||||
Patch4: fix-btrfs-ioctl-structure.patch
|
|
||||||
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
|
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
|
||||||
# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
|
|
||||||
# We cannot do that, right now a quick and really dirty way to get it running is
|
|
||||||
# to simply disable this check
|
|
||||||
Patch100: ignore-dockerinit-checksum.patch
|
|
||||||
Patch101: gcc-go-patches.patch
|
Patch101: gcc-go-patches.patch
|
||||||
Patch102: netlink_gcc_go.patch
|
Patch102: netlink_gcc_go.patch
|
||||||
Patch103: netlink_netns_powerpc.patch
|
Patch103: netlink_netns_powerpc.patch
|
||||||
Patch104: boltdb_bolt_powerpc.patch
|
|
||||||
Patch105: libnetwork_drivers_bridge_powerpc.patch
|
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: device-mapper-devel >= 1.2.68
|
BuildRequires: device-mapper-devel >= 1.2.68
|
||||||
@ -97,6 +88,8 @@ Requires: lvm2 >= 2.2.89
|
|||||||
Requires: procps
|
Requires: procps
|
||||||
Requires: tar >= 1.26
|
Requires: tar >= 1.26
|
||||||
Requires: xz >= 4.9
|
Requires: xz >= 4.9
|
||||||
|
# Containerd is required as it is the only currently supported execdriver of Docker.
|
||||||
|
Requires: containerd
|
||||||
# Not necessary, but must be installed to have a smooth upgrade.
|
# Not necessary, but must be installed to have a smooth upgrade.
|
||||||
Recommends: docker-image-migrator
|
Recommends: docker-image-migrator
|
||||||
Conflicts: lxc < 1.0
|
Conflicts: lxc < 1.0
|
||||||
@ -174,9 +167,6 @@ Test package for docker. It contains the source code and the tests.
|
|||||||
%if 0%{?suse_version} >= 1315
|
%if 0%{?suse_version} >= 1315
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%endif
|
%endif
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
%if 0%{?is_opensuse}
|
%if 0%{?is_opensuse}
|
||||||
# nothing
|
# nothing
|
||||||
%else
|
%else
|
||||||
@ -186,9 +176,6 @@ Test package for docker. It contains the source code and the tests.
|
|||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
%patch102 -p1
|
%patch102 -p1
|
||||||
%patch103 -p1
|
%patch103 -p1
|
||||||
%patch104 -p1
|
|
||||||
%patch105 -p1
|
|
||||||
%patch100 -p1
|
|
||||||
%endif
|
%endif
|
||||||
cp %{SOURCE7} .
|
cp %{SOURCE7} .
|
||||||
|
|
||||||
@ -225,10 +212,8 @@ install -d %{buildroot}%{go_contribdir}
|
|||||||
install -d %{buildroot}%{_bindir}
|
install -d %{buildroot}%{_bindir}
|
||||||
%ifarch %go_arches
|
%ifarch %go_arches
|
||||||
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
|
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
|
||||||
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
|
|
||||||
%else
|
%else
|
||||||
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
|
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
|
||||||
install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
|
|
||||||
%endif
|
%endif
|
||||||
install -d %{buildroot}/%{_prefix}/lib/docker
|
install -d %{buildroot}/%{_prefix}/lib/docker
|
||||||
install -Dd -m 0755 \
|
install -Dd -m 0755 \
|
||||||
@ -363,7 +348,6 @@ groupadd -r docker 2>/dev/null || :
|
|||||||
%{_bindir}/docker
|
%{_bindir}/docker
|
||||||
%{_sbindir}/rcdocker
|
%{_sbindir}/rcdocker
|
||||||
%{_prefix}/lib/docker/
|
%{_prefix}/lib/docker/
|
||||||
%{_prefix}/lib/docker/dockerinit
|
|
||||||
%{_unitdir}/%{name}.service
|
%{_unitdir}/%{name}.service
|
||||||
%{_unitdir}/%{name}.socket
|
%{_unitdir}/%{name}.socket
|
||||||
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
|
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
|
||||||
|
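Review bot: `%define git_version 9e83765` is carried over unchanged in the first hunk while `Version:` moves from 1.10.3 to 1.11.0 and a new `%define version_unconverted 1.11.0` is added; if git_version is what the build stamps into the binary, a value left over from the previous release will misreport the shipped commit, so confirm it matches the 1.11.0 tag or update it together with the version bump. The new `Requires: containerd` in the later hunk carries no version bound, unlike the neighbouring `Requires: tar >= 1.26` and `Requires: xz >= 4.9`; since docker.service now hard-codes `--containerd /run/containerd/containerd.sock`, consider pinning the minimum containerd release this daemon expects, e.g. `Requires: containerd >= <minimum version>`.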
@ -1,292 +0,0 @@
|
|||||||
Index: docker-1.10.1/contrib/apparmor/main.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.1.orig/contrib/apparmor/main.go
|
|
||||||
+++ docker-1.10.1/contrib/apparmor/main.go
|
|
||||||
@@ -11,8 +11,7 @@ import (
|
|
||||||
)
|
|
||||||
|
|
||||||
type profileData struct {
|
|
||||||
- MajorVersion int
|
|
||||||
- MinorVersion int
|
|
||||||
+ Version int
|
|
||||||
}
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
@@ -23,13 +22,12 @@ func main() {
|
|
||||||
// parse the arg
|
|
||||||
apparmorProfilePath := os.Args[1]
|
|
||||||
|
|
||||||
- majorVersion, minorVersion, err := aaparser.GetVersion()
|
|
||||||
+ version, err := aaparser.GetVersion()
|
|
||||||
if err != nil {
|
|
||||||
log.Fatal(err)
|
|
||||||
}
|
|
||||||
data := profileData{
|
|
||||||
- MajorVersion: majorVersion,
|
|
||||||
- MinorVersion: minorVersion,
|
|
||||||
+ Version: version,
|
|
||||||
}
|
|
||||||
fmt.Printf("apparmor_parser is of version %+v\n", data)
|
|
||||||
|
|
||||||
Index: docker-1.10.1/daemon/execdriver/native/apparmor.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.1.orig/daemon/execdriver/native/apparmor.go
|
|
||||||
+++ docker-1.10.1/daemon/execdriver/native/apparmor.go
|
|
||||||
@@ -25,8 +25,7 @@ type data struct {
|
|
||||||
ExecPath string
|
|
||||||
Imports []string
|
|
||||||
InnerImports []string
|
|
||||||
- MajorVersion int
|
|
||||||
- MinorVersion int
|
|
||||||
+ Version int
|
|
||||||
}
|
|
||||||
|
|
||||||
const baseTemplate = `
|
|
||||||
@@ -64,14 +63,17 @@ profile {{.Name}} flags=(attach_disconne
|
|
||||||
deny /sys/firmware/efi/efivars/** rwklx,
|
|
||||||
deny /sys/kernel/security/** rwklx,
|
|
||||||
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
|
|
||||||
+{{if ge .Version 208095}}
|
|
||||||
+ # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr)
|
|
||||||
+ # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule
|
|
||||||
+ # other apparmor-2.8 versions do not support this rule
|
|
||||||
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
|
|
||||||
ptrace (trace,read) peer=docker-default,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{end}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
# docker daemon confinement requires explict allow rule for signal
|
|
||||||
signal (receive) set=(kill,term) peer={{.ExecPath}},
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
}
|
|
||||||
`
|
|
||||||
|
|
||||||
@@ -91,7 +93,7 @@ func generateProfile(out io.Writer) erro
|
|
||||||
if abstractionsExists() {
|
|
||||||
data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
|
|
||||||
}
|
|
||||||
- data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion()
|
|
||||||
+ data.Version, err = aaparser.GetVersion()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
Index: docker-1.10.1/pkg/aaparser/aaparser.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.1.orig/pkg/aaparser/aaparser.go
|
|
||||||
+++ docker-1.10.1/pkg/aaparser/aaparser.go
|
|
||||||
@@ -1,45 +1,92 @@
|
|
||||||
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
|
|
||||||
package aaparser
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
- "log"
|
|
||||||
"os/exec"
|
|
||||||
+ "path/filepath"
|
|
||||||
"strconv"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
-// GetVersion returns the major and minor version of apparmor_parser
|
|
||||||
-func GetVersion() (int, int, error) {
|
|
||||||
- // get the apparmor_version version
|
|
||||||
- cmd := exec.Command("apparmor_parser", "--version")
|
|
||||||
+const (
|
|
||||||
+ binary = "apparmor_parser"
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
+// GetVersion returns the major and minor version of apparmor_parser.
|
|
||||||
+func GetVersion() (int, error) {
|
|
||||||
+ output, err := cmd("", "--version")
|
|
||||||
+ if err != nil {
|
|
||||||
+ return -1, err
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return parseVersion(output)
|
|
||||||
+}
|
|
||||||
|
|
||||||
- output, err := cmd.CombinedOutput()
|
|
||||||
+// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to
|
|
||||||
+// replace and write it to disk.
|
|
||||||
+func LoadProfile(profilePath string) error {
|
|
||||||
+ _, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath))
|
|
||||||
if err != nil {
|
|
||||||
- log.Fatalf("getting apparmor_parser version failed: %s (%s)", err, output)
|
|
||||||
+ return err
|
|
||||||
}
|
|
||||||
+ return nil
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+// cmd runs `apparmor_parser` with the passed arguments.
|
|
||||||
+func cmd(dir string, arg ...string) (string, error) {
|
|
||||||
+ c := exec.Command(binary, arg...)
|
|
||||||
+ c.Dir = dir
|
|
||||||
|
|
||||||
- // parse the version from the output
|
|
||||||
+ output, err := c.CombinedOutput()
|
|
||||||
+ if err != nil {
|
|
||||||
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), string(output), err)
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return string(output), nil
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+// parseVersion takes the output from `apparmor_parser --version` and returns
|
|
||||||
+// a representation of the {major, minor, patch} version as a single number of
|
|
||||||
+// the form MMmmPPP {major, minor, patch}.
|
|
||||||
+func parseVersion(output string) (int, error) {
|
|
||||||
// output is in the form of the following:
|
|
||||||
// AppArmor parser version 2.9.1
|
|
||||||
// Copyright (C) 1999-2008 Novell Inc.
|
|
||||||
// Copyright 2009-2012 Canonical Ltd.
|
|
||||||
- lines := strings.SplitN(string(output), "\n", 2)
|
|
||||||
+
|
|
||||||
+ lines := strings.SplitN(output, "\n", 2)
|
|
||||||
words := strings.Split(lines[0], " ")
|
|
||||||
version := words[len(words)-1]
|
|
||||||
+
|
|
||||||
// split by major minor version
|
|
||||||
v := strings.Split(version, ".")
|
|
||||||
- if len(v) < 2 {
|
|
||||||
- return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version)
|
|
||||||
+ if len(v) == 0 || len(v) > 3 {
|
|
||||||
+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
|
|
||||||
}
|
|
||||||
|
|
||||||
+ // Default the versions to 0.
|
|
||||||
+ var majorVersion, minorVersion, patchLevel int
|
|
||||||
+
|
|
||||||
majorVersion, err := strconv.Atoi(v[0])
|
|
||||||
if err != nil {
|
|
||||||
- return -1, -1, err
|
|
||||||
+ return -1, err
|
|
||||||
}
|
|
||||||
- minorVersion, err := strconv.Atoi(v[1])
|
|
||||||
- if err != nil {
|
|
||||||
- return -1, -1, err
|
|
||||||
+
|
|
||||||
+ if len(v) > 1 {
|
|
||||||
+ minorVersion, err = strconv.Atoi(v[1])
|
|
||||||
+ if err != nil {
|
|
||||||
+ return -1, err
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if len(v) > 2 {
|
|
||||||
+ patchLevel, err = strconv.Atoi(v[2])
|
|
||||||
+ if err != nil {
|
|
||||||
+ return -1, err
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- return majorVersion, minorVersion, nil
|
|
||||||
+ // major*10^5 + minor*10^3 + patch*10^0
|
|
||||||
+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
|
|
||||||
+ return numericVersion, nil
|
|
||||||
}
|
|
||||||
Index: docker-1.10.1/contrib/apparmor/template.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.1.orig/contrib/apparmor/template.go
|
|
||||||
+++ docker-1.10.1/contrib/apparmor/template.go
|
|
||||||
@@ -20,11 +20,11 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
|
|
||||||
umount,
|
|
||||||
pivot_root,
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
signal (receive) peer=@{profile_name},
|
|
||||||
signal (receive) peer=unconfined,
|
|
||||||
signal (send),
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
network,
|
|
||||||
capability,
|
|
||||||
owner /** rw,
|
|
||||||
@@ -46,12 +46,12 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
/etc/ld.so.cache r,
|
|
||||||
/etc/passwd r,
|
|
||||||
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
ptrace peer=@{profile_name},
|
|
||||||
ptrace (read) peer=docker-default,
|
|
||||||
deny ptrace (trace) peer=docker-default,
|
|
||||||
deny ptrace peer=/usr/bin/docker///bin/ps,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
|
|
||||||
/usr/lib/** rm,
|
|
||||||
/lib/** rm,
|
|
||||||
@@ -72,11 +72,11 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
/sbin/zfs rCx,
|
|
||||||
/sbin/apparmor_parser rCx,
|
|
||||||
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
# Transitions
|
|
||||||
change_profile -> docker-*,
|
|
||||||
change_profile -> unconfined,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
|
|
||||||
profile /bin/cat (complain) {
|
|
||||||
/etc/ld.so.cache r,
|
|
||||||
@@ -98,10 +98,10 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
/dev/null rw,
|
|
||||||
/bin/ps mr,
|
|
||||||
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
# We don't need ptrace so we'll deny and ignore the error.
|
|
||||||
deny ptrace (read, trace),
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
|
|
||||||
# Quiet dac_override denials
|
|
||||||
deny capability dac_override,
|
|
||||||
@@ -119,15 +119,15 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
/proc/tty/drivers r,
|
|
||||||
}
|
|
||||||
profile /sbin/iptables (complain) {
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
signal (receive) peer=/usr/bin/docker,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
capability net_admin,
|
|
||||||
}
|
|
||||||
profile /sbin/auplink flags=(attach_disconnected, complain) {
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
signal (receive) peer=/usr/bin/docker,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
capability sys_admin,
|
|
||||||
capability dac_override,
|
|
||||||
|
|
||||||
@@ -146,9 +146,9 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
/proc/[0-9]*/mounts rw,
|
|
||||||
}
|
|
||||||
profile /sbin/modprobe /bin/kmod (complain) {
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
signal (receive) peer=/usr/bin/docker,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
capability sys_module,
|
|
||||||
/etc/ld.so.cache r,
|
|
||||||
/lib/** rm,
|
|
||||||
@@ -162,9 +162,9 @@ profile /usr/bin/docker (attach_disconne
|
|
||||||
}
|
|
||||||
# xz works via pipes, so we do not need access to the filesystem.
|
|
||||||
profile /usr/bin/xz (complain) {
|
|
||||||
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
|
|
||||||
+{{if ge .Version 209000}}
|
|
||||||
signal (receive) peer=/usr/bin/docker,
|
|
||||||
-{{end}}{{end}}
|
|
||||||
+{{end}}
|
|
||||||
/etc/ld.so.cache r,
|
|
||||||
/lib/** rm,
|
|
||||||
/usr/bin/xz rm,
|
|
@ -1,48 +0,0 @@
|
|||||||
From a038cccf88998814249a7a40b71a33a680e3f02f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julio Montes <imc.coder@gmail.com>
|
|
||||||
Date: Fri, 1 Apr 2016 08:58:29 -0600
|
|
||||||
Subject: [PATCH] Fix compilation errors with btrfs-progs-4.5
|
|
||||||
|
|
||||||
btrfs-progs-4.5 introduces device delete by devid
|
|
||||||
for this reason btrfs_ioctl_vol_args_v2's name was encapsulated
|
|
||||||
in a union
|
|
||||||
|
|
||||||
this patch is for setting btrfs_ioctl_vol_args_v2's name
|
|
||||||
using a C function in order to preserve compatibility
|
|
||||||
with all btrfs-progs versions
|
|
||||||
|
|
||||||
Signed-off-by: Julio Montes <imc.coder@gmail.com>
|
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
||||||
---
|
|
||||||
daemon/graphdriver/btrfs/btrfs.go | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
Index: docker-1.10.3/daemon/graphdriver/btrfs/btrfs.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.3.orig/daemon/graphdriver/btrfs/btrfs.go
|
|
||||||
+++ docker-1.10.3/daemon/graphdriver/btrfs/btrfs.go
|
|
||||||
@@ -7,6 +7,10 @@ package btrfs
|
|
||||||
#include <dirent.h>
|
|
||||||
#include <btrfs/ioctl.h>
|
|
||||||
#include <btrfs/ctree.h>
|
|
||||||
+
|
|
||||||
+static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
|
|
||||||
+ snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
|
|
||||||
+}
|
|
||||||
*/
|
|
||||||
import "C"
|
|
||||||
|
|
||||||
@@ -160,9 +164,10 @@ func subvolSnapshot(src, dest, name stri
|
|
||||||
|
|
||||||
var args C.struct_btrfs_ioctl_vol_args_v2
|
|
||||||
args.fd = C.__s64(getDirFd(srcDir))
|
|
||||||
- for i, c := range []byte(name) {
|
|
||||||
- args.name[i] = C.char(c)
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
+ var cs = C.CString(name)
|
|
||||||
+ C.set_name_btrfs_ioctl_vol_args_v2(&args, cs)
|
|
||||||
+ C.free(unsafe.Pointer(cs))
|
|
||||||
|
|
||||||
_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, getDirFd(destDir), C.BTRFS_IOC_SNAP_CREATE_V2,
|
|
||||||
uintptr(unsafe.Pointer(&args)))
|
|
@ -1,21 +0,0 @@
|
|||||||
diff -Naur a/hack/make/.dockerinit b/hack/make/.dockerinit
|
|
||||||
--- a/hack/make/.dockerinit 2015-08-11 18:35:27.000000000 +0200
|
|
||||||
+++ b/hack/make/.dockerinit 2015-08-12 18:14:25.743452565 +0200
|
|
||||||
@@ -29,5 +29,6 @@
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
|
|
||||||
# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
|
|
||||||
export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)
|
|
||||||
diff --git a/hack/make/.dockerinit-gccgo b/hack/make/.dockerinit-gccgo
|
|
||||||
index 3caa526..f272d29 100644
|
|
||||||
--- a/hack/make/.dockerinit-gccgo
|
|
||||||
+++ b/hack/make/.dockerinit-gccgo
|
|
||||||
@@ -27,5 +27,6 @@ else
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
|
|
||||||
# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
|
|
||||||
export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)
|
|
@ -1,8 +1,8 @@
|
|||||||
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
|
Index: docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
|
||||||
index 007ccb2..65f638f 100644
|
===================================================================
|
||||||
--- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
|
--- docker-1.11.0.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
|
||||||
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
|
+++ docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
|
||||||
@@ -22,7 +22,7 @@ type ifreqIndex struct {
|
@@ -24,7 +24,7 @@ type ifreqIndex struct {
|
||||||
|
|
||||||
type ifreqHwaddr struct {
|
type ifreqHwaddr struct {
|
||||||
IfrnName [ifNameSize]byte
|
IfrnName [ifNameSize]byte
|
||||||
@ -11,11 +11,10 @@ index 007ccb2..65f638f 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
var rnd = rand.New(rand.NewSource(time.Now().UnixNano()))
|
var rnd = rand.New(rand.NewSource(time.Now().UnixNano()))
|
||||||
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go
|
Index: docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go
|
||||||
new file mode 100644
|
===================================================================
|
||||||
index 0000000..118f7bf
|
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go
|
+++ docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go
|
||||||
@@ -0,0 +1,11 @@
|
@@ -0,0 +1,11 @@
|
||||||
+// Copyright (c) 2015 SUSE LLC. All rights reserved.
|
+// Copyright (c) 2015 SUSE LLC. All rights reserved.
|
||||||
+
|
+
|
||||||
@ -28,11 +27,10 @@ index 0000000..118f7bf
|
|||||||
+ Family uint16
|
+ Family uint16
|
||||||
+ Data [14]int8
|
+ Data [14]int8
|
||||||
+}
|
+}
|
||||||
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go
|
Index: docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go
|
||||||
new file mode 100644
|
===================================================================
|
||||||
index 0000000..cdba329
|
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go
|
+++ docker-1.11.0/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go
|
||||||
@@ -0,0 +1,10 @@
|
@@ -0,0 +1,10 @@
|
||||||
+// Copyright (c) 2015 SUSE LLC. All rights reserved.
|
+// Copyright (c) 2015 SUSE LLC. All rights reserved.
|
||||||
+
|
+
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
diff --git a/utils/utils.go b/utils/utils.go
|
|
||||||
index 340b9e4..70a85a6 100644
|
|
||||||
--- a/utils/utils.go
|
|
||||||
+++ b/utils/utils.go
|
|
||||||
@@ -75,7 +75,7 @@ func isValidDockerInitPath(target string, selfPath string) bool { // target and
|
|
||||||
}
|
|
||||||
return os.SameFile(targetFileInfo, selfPathFileInfo)
|
|
||||||
}
|
|
||||||
- return dockerversion.InitSHA1 != "" && dockerInitSha1(target) == dockerversion.InitSHA1
|
|
||||||
+ return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// DockerInitPath figures out the path of our dockerinit (which may be SelfPath())
|
|
@ -1,25 +0,0 @@
|
|||||||
---
|
|
||||||
vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go | 2 +-
|
|
||||||
vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
|
|
||||||
+++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
|
|
||||||
@@ -1,4 +1,4 @@
|
|
||||||
-// +build arm ppc64 ppc64le
|
|
||||||
+// +build arm,!ppc64,!ppc64le
|
|
||||||
|
|
||||||
package bridge
|
|
||||||
|
|
||||||
Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
|
|
||||||
===================================================================
|
|
||||||
--- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
|
|
||||||
+++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
|
|
||||||
@@ -1,4 +1,4 @@
|
|
||||||
-// +build !arm,!ppc64,!ppc64le
|
|
||||||
+// +build !arm ppc64 ppc64le
|
|
||||||
|
|
||||||
package bridge
|
|
||||||
|
|