From 1ab6c95c8efb6ac5c724072a4d90ff2b7c9ee2ef08ba7b24b74b49b6c047a0a7 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Wed, 15 Aug 2018 07:09:12 +0000 Subject: [PATCH 1/8] Docker v18.06 upgrade. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=258 --- _service | 4 +- ...namically-load-dm_task_deferred_remo.patch | 243 ------------------ ...CL_UNPRIVILEGED-for-user-namespaced-.patch | 95 ------- ...eceiving-of-signals-from-docker-kill.patch | 6 +- ...bber-docker-default-profile-on-start.patch | 14 +- bsc1100727-0001-build-add-buildmode-pie.patch | 3 +- docker-17.09.1_ce.tar.xz | 3 - docker-18.06.0_ce.tar.xz | 3 + docker.changes | 22 ++ docker.service | 5 +- docker.spec | 70 ++--- ...ow-directory-creation-in-run-secrets.patch | 16 +- ...USE-implement-SUSE-container-secrets.patch | 37 ++- 13 files changed, 94 insertions(+), 427 deletions(-) delete mode 100644 bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch delete mode 100644 bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch delete mode 100644 docker-17.09.1_ce.tar.xz create mode 100644 docker-18.06.0_ce.tar.xz diff --git a/_service b/_service index 6c5b887..0458f97 100644 --- a/_service +++ b/_service @@ -3,8 +3,8 @@ https://github.com/docker/docker-ce.git git .git - 17.09.1_ce - v17.09.1-ce + 18.06.0_ce + v18.06.0-ce docker diff --git a/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch b/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch deleted file mode 100644 index 98cf3f0..0000000 --- a/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch +++ /dev/null @@ -1,243 +0,0 @@ -From e57d7270deb50c31ac1f732d8f28812e5b809062 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Thu, 16 Nov 2017 17:09:16 +1100 -Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove - -dm_task_deferred_remove is not supported by all distributions, due to -out-dated versions of devicemapper. However, in the case where the -devicemapper library was updated without rebuilding Docker (which can -happen in some distributions) then we should attempt to dynamically load -the relevant object rather than try to link to it. - -This can only be done if Docker was built dynamically, for obvious -reasons. - -In order to avoid having issues arise when dlsym(3) was unnecessary, -gate the whole dlsym(3) logic behind a buildflag that we disable by -default (libdm_dlsym_deferred_remove). - -SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173 -Signed-off-by: Aleksa Sarai ---- - components/engine/hack/make.sh | 12 +- - ...> devmapper_wrapper_dynamic_deferred_remove.go} | 10 +- - ...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++ - .../devmapper_wrapper_no_deferred_remove.go | 6 +- - 4 files changed, 149 insertions(+), 7 deletions(-) - rename components/engine/pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%) - create mode 100644 components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go - -diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh -index 58e0d8cd628a..3b78ddef30b0 100755 ---- a/components/engine/hack/make.sh -+++ b/components/engine/hack/make.sh -@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then - exit 1 - fi - -+# Adds $1_$2 to DOCKER_BUILDTAGS unless it already -+# contains a word starting from $1_ -+add_buildtag() { -+ [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2" -+} -+ - if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then - DOCKER_BUILDTAGS+=" journald" - elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then -@@ -127,12 +133,14 @@ if \ - fi - - # test whether "libdevmapper.h" is new enough to support deferred remove --# functionality. -+# functionality. We favour libdm_dlsym_deferred_remove over -+# libdm_no_deferred_remove in dynamic cases because the binary could be shipped -+# with a newer libdevmapper than the one it was built wih. - if \ - command -v gcc &> /dev/null \ - && ! ( echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \ - ; then -- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove' -+ add_buildtag libdm dlsym_deferred_remove - fi - - # Use these flags when compiling the tests and final binary -diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go -similarity index 78% -rename from components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go -rename to components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go -index 7f793c270868..bf57371ff4cf 100644 ---- a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go -+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go -@@ -1,11 +1,15 @@ --// +build linux,cgo,!libdm_no_deferred_remove -+// +build linux,cgo,!static_build -+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove - - package devicemapper - --// #include -+/* -+#include -+*/ - import "C" - --// LibraryDeferredRemovalSupport tells if the feature is enabled in the build -+// LibraryDeferredRemovalSupport tells if the feature is supported by the -+// current Docker invocation. - const LibraryDeferredRemovalSupport = true - - func dmTaskDeferredRemoveFct(task *cdmTask) int { -diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go -new file mode 100644 -index 000000000000..5dfb369f1ff8 ---- /dev/null -+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go -@@ -0,0 +1,128 @@ -+// +build linux,cgo,!static_build -+// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove -+ -+package devicemapper -+ -+/* -+#cgo LDFLAGS: -ldl -+#include -+#include -+#include -+ -+// Yes, I know this looks scary. In order to be able to fill our own internal -+// dm_info with deferred_remove we need to have a struct definition that is -+// correct (regardless of the version of libdm that was used to compile it). To -+// this end, we define struct_backport_dm_info. This code comes from lvm2, and -+// I have verified that the structure has only ever had elements *appended* to -+// it (since 2001). -+// -+// It is also important that this structure be _larger_ than the dm_info that -+// libdevmapper expected. Otherwise libdm might try to write to memory it -+// shouldn't (they don't have a "known size" API). -+struct backport_dm_info { -+ int exists; -+ int suspended; -+ int live_table; -+ int inactive_table; -+ int32_t open_count; -+ uint32_t event_nr; -+ uint32_t major; -+ uint32_t minor; -+ int read_only; -+ -+ int32_t target_count; -+ -+ int deferred_remove; -+ int internal_suspend; -+ -+ // Padding, purely for our own safety. This is to avoid cases where libdm -+ // was updated underneath us and we call into dm_task_get_info() with too -+ // small of a buffer. -+ char _[512]; -+}; -+ -+// We have to wrap this in CGo, because Go really doesn't like function pointers. -+int call_dm_task_deferred_remove(void *fn, struct dm_task *task) -+{ -+ int (*_dm_task_deferred_remove)(struct dm_task *task) = fn; -+ return _dm_task_deferred_remove(task); -+} -+*/ -+import "C" -+ -+import ( -+ "unsafe" -+ -+ "github.com/sirupsen/logrus" -+) -+ -+// dm_task_deferred_remove is not supported by all distributions, due to -+// out-dated versions of devicemapper. However, in the case where the -+// devicemapper library was updated without rebuilding Docker (which can happen -+// in some distributions) then we should attempt to dynamically load the -+// relevant object rather than try to link to it. -+ -+// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove. -+// It is nil if dm_task_deferred_remove was not found in the libdevmapper that -+// is currently loaded. -+var dmTaskDeferredRemovePtr unsafe.Pointer -+ -+// LibraryDeferredRemovalSupport tells if the feature is supported by the -+// current Docker invocation. This value is fixed during init. -+var LibraryDeferredRemovalSupport bool -+ -+func init() { -+ // Clear any errors. -+ var err *C.char -+ C.dlerror() -+ -+ // The symbol we want to fetch. -+ symName := C.CString("dm_task_deferred_remove") -+ defer C.free(unsafe.Pointer(symName)) -+ -+ // See if we can find dm_task_deferred_remove. Since we already are linked -+ // to libdevmapper, we can search our own address space (rather than trying -+ // to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT -+ // is not available in CGO (even if you set _GNU_SOURCE for some reason). -+ // The semantics are identical on glibc. -+ sym := C.dlsym(nil, symName) -+ err = C.dlerror() -+ if err != nil { -+ logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err)) -+ return -+ } -+ -+ logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym)) -+ dmTaskDeferredRemovePtr = sym -+ LibraryDeferredRemovalSupport = true -+} -+ -+func dmTaskDeferredRemoveFct(task *cdmTask) int { -+ sym := dmTaskDeferredRemovePtr -+ if sym == nil || !LibraryDeferredRemovalSupport { -+ return -1 -+ } -+ return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task))) -+} -+ -+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int { -+ if !LibraryDeferredRemovalSupport { -+ return -1 -+ } -+ -+ Cinfo := C.struct_backport_dm_info{} -+ defer func() { -+ info.Exists = int(Cinfo.exists) -+ info.Suspended = int(Cinfo.suspended) -+ info.LiveTable = int(Cinfo.live_table) -+ info.InactiveTable = int(Cinfo.inactive_table) -+ info.OpenCount = int32(Cinfo.open_count) -+ info.EventNr = uint32(Cinfo.event_nr) -+ info.Major = uint32(Cinfo.major) -+ info.Minor = uint32(Cinfo.minor) -+ info.ReadOnly = int(Cinfo.read_only) -+ info.TargetCount = int32(Cinfo.target_count) -+ info.DeferredRemove = int(Cinfo.deferred_remove) -+ }() -+ return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo)))) -+} -diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go -index a880fec8c499..80b034b3ff17 100644 ---- a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go -+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go -@@ -1,8 +1,10 @@ --// +build linux,cgo,libdm_no_deferred_remove -+// +build linux,cgo -+// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove - - package devicemapper - --// LibraryDeferredRemovalSupport tells if the feature is enabled in the build -+// LibraryDeferredRemovalSupport tells if the feature is supported by the -+// current Docker invocation. - const LibraryDeferredRemovalSupport = false - - func dmTaskDeferredRemoveFct(task *cdmTask) int { --- -2.16.1 - diff --git a/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch b/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch deleted file mode 100644 index 4823872..0000000 --- a/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch +++ /dev/null @@ -1,95 +0,0 @@ -From ff7b94c76f343931463b5916fb3fbd2610869a1a Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Sun, 15 Oct 2017 17:06:20 +1100 -Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon - -When runc is bind-mounting a particular path "with options", it has to -do so by first creating a bind-mount and the modifying the options of -said bind-mount via remount. However, in a user namespace, there are -restrictions on which flags you can change with a remount (due to -CL_UNPRIVILEGED being set in this instance). Docker historically has -ignored this, and as a result, internal Docker mounts (such as secrets) -haven't worked with --userns-remap. Fix this by preserving -CL_UNPRIVILEGED mount flags when Docker is spawning containers with user -namespaces enabled. - -SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1055676 -Signed-off-by: Aleksa Sarai ---- - components/engine/daemon/oci_linux.go | 46 +++++++++++++++++++++++++++++++++++ - 1 file changed, 46 insertions(+) - -diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go -index 6917b4841429..936cb8f998ca 100644 ---- a/components/engine/daemon/oci_linux.go -+++ b/components/engine/daemon/oci_linux.go -@@ -27,6 +27,7 @@ import ( - "github.com/opencontainers/runc/libcontainer/user" - specs "github.com/opencontainers/runtime-spec/specs-go" - "github.com/sirupsen/logrus" -+ "golang.org/x/sys/unix" - ) - - var ( -@@ -469,6 +470,38 @@ func ensureSharedOrSlave(path string) error { - return nil - } - -+// Get the set of mount flags that are set on the mount that contains the given -+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that -+// bind-mounting "with options" will not fail with user namespaces, due to -+// kernel restrictions that require user namespace mounts to preserve -+// CL_UNPRIVILEGED locked flags. -+func getUnprivilegedMountFlags(path string) ([]string, error) { -+ var statfs unix.Statfs_t -+ if err := unix.Statfs(path, &statfs); err != nil { -+ return nil, err -+ } -+ -+ // The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048. -+ unprivilegedFlags := map[uint64]string{ -+ unix.MS_RDONLY: "ro", -+ unix.MS_NODEV: "nodev", -+ unix.MS_NOEXEC: "noexec", -+ unix.MS_NOSUID: "nosuid", -+ unix.MS_NOATIME: "noatime", -+ unix.MS_RELATIME: "relatime", -+ unix.MS_NODIRATIME: "nodiratime", -+ } -+ -+ var flags []string -+ for mask, flag := range unprivilegedFlags { -+ if uint64(statfs.Flags)&mask == mask { -+ flags = append(flags, flag) -+ } -+ } -+ -+ return flags, nil -+} -+ - var ( - mountPropagationMap = map[string]int{ - "private": mount.PRIVATE, -@@ -586,6 +619,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c - opts = append(opts, mountPropagationReverseMap[pFlag]) - } - -+ // If we are using user namespaces, then we must make sure that we -+ // don't drop any of the CL_UNPRIVILEGED "locked" flags of the source -+ // "mount" when we bind-mount. The reason for this is that at the point -+ // when runc sets up the root filesystem, it is already inside a user -+ // namespace, and thus cannot change any flags that are locked. -+ if daemon.configStore.RemappedRoot != "" { -+ unprivOpts, err := getUnprivilegedMountFlags(m.Source) -+ if err != nil { -+ return err -+ } -+ opts = append(opts, unprivOpts...) -+ } -+ - mt.Options = opts - s.Mounts = append(s.Mounts, mt) - } --- -2.16.1 - diff --git a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch index 3a6f9e0..12c3bbb 100644 --- a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch +++ b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch @@ -1,4 +1,4 @@ -From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001 +From 690b89f58f34dc03333988577d49bae04a11a27c Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill' @@ -15,7 +15,7 @@ Signed-off-by: Aleksa Sarai 1 file changed, 6 insertions(+) diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go -index c5ea4584de6b..082638e85903 100644 +index c00a3f70e993..772c4a4873f6 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { @@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644 deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc//** or /proc/sys/** -- -2.17.1 +2.18.0 diff --git a/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch index 3ace15b..ca1dc05 100644 --- a/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch +++ b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch @@ -1,4 +1,4 @@ -From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001 +From 45d68c6f85da51dc6e292ce09855e79794fd8984 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start @@ -21,7 +21,7 @@ Signed-off-by: Aleksa Sarai 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go -index 2a418b25c241..c3e271ee4774 100644 +index 461f5c7f96b2..8f21c5c0c566 100644 --- a/components/engine/daemon/apparmor_default.go +++ b/components/engine/daemon/apparmor_default.go @@ -14,6 +14,15 @@ const ( @@ -53,12 +53,12 @@ index 2a418b25c241..c3e271ee4774 100644 return nil } diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go -index cd2dd9702ef2..17584063c711 100644 +index 51f9c526b350..97d7758442ee 100644 --- a/components/engine/daemon/apparmor_default_unsupported.go +++ b/components/engine/daemon/apparmor_default_unsupported.go @@ -2,6 +2,10 @@ - package daemon + package daemon // import "github.com/docker/docker/daemon" +func clobberDefaultAppArmorProfile() error { + return nil @@ -68,10 +68,10 @@ index cd2dd9702ef2..17584063c711 100644 return nil } diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go -index a11a1f8691cc..6f8846b19f57 100644 +index 5e5f586ae085..6ca6a7aaa268 100644 --- a/components/engine/daemon/daemon.go +++ b/components/engine/daemon/daemon.go -@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe +@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe logrus.Warnf("Failed to configure golang's threads limit: %v", err) } @@ -83,5 +83,5 @@ index a11a1f8691cc..6f8846b19f57 100644 } -- -2.17.1 +2.18.0 diff --git a/bsc1100727-0001-build-add-buildmode-pie.patch b/bsc1100727-0001-build-add-buildmode-pie.patch index 61b1505..310059d 100644 --- a/bsc1100727-0001-build-add-buildmode-pie.patch +++ b/bsc1100727-0001-build-add-buildmode-pie.patch @@ -1,4 +1,4 @@ -From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001 +From 6cba061d6d42e2e40267dbf8628480ec0c5d376a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 30 Jul 2018 19:34:01 +1000 Subject: [PATCH] build: add -buildmode=pie @@ -7,6 +7,7 @@ Make all dynbinary builds be position-independent (this adds both security benefits and can help with flaky builds on POWER architectures). +SUSE-Bugs: bsc#1100727 Signed-off-by: Aleksa Sarai --- components/cli/scripts/build/dynbinary | 2 +- diff --git a/docker-17.09.1_ce.tar.xz b/docker-17.09.1_ce.tar.xz deleted file mode 100644 index a659615..0000000 --- a/docker-17.09.1_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9 -size 6237800 diff --git a/docker-18.06.0_ce.tar.xz b/docker-18.06.0_ce.tar.xz new file mode 100644 index 0000000..fe2ff31 --- /dev/null +++ b/docker-18.06.0_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:df4b5d33d8a1d17c4707fe9610a33bd8a1618ae7a7d3a0fa0b8c38ed1d1d53e1 +size 8550432 diff --git a/docker.changes b/docker.changes index 96803d4..cda58be 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Wed Aug 1 09:40:59 UTC 2018 - asarai@suse.com + +- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage + to work with Docker and containerd. fate#325877 + +------------------------------------------------------------------- +Tue Jul 31 09:48:16 UTC 2018 - asarai@suse.com + +- Upgrade to docker-ce v18.06.0-ce. bsc#1102522 +- Remove systemd-service dependency on containerd, which is now being started + by dockerd to align with upstream defaults. +- Removed the following patches as they are merged upstream: + - bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch + - bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch +- Rebased the following patches: + * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch + * bsc1100727-0001-build-add-buildmode-pie.patch + * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + * secrets-0002-SUSE-implement-SUSE-container-secrets.patch + ------------------------------------------------------------------- Mon Jul 30 09:44:47 UTC 2018 - asarai@suse.com diff --git a/docker.service b/docker.service index ead1d5f..18510af 100644 --- a/docker.service +++ b/docker.service @@ -1,8 +1,7 @@ [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com -After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service -Requires=containerd.socket containerd.service +After=network.target lvm2-monitor.service SuSEfirewall2.service [Service] EnvironmentFile=/etc/sysconfig/docker @@ -11,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. Type=notify -ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS +ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID # Having non-zero Limit*s causes performance problems due to accounting overhead diff --git a/docker.spec b/docker.spec index dd6857f..7f98a88 100644 --- a/docker.spec +++ b/docker.spec @@ -36,12 +36,12 @@ # These are the git commits required. We verify them against the source to make # sure we didn't miss anything important when doing upgrades. -%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0 -%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64 -%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e +%define required_containerd d64c661f1d51c48782c9cec8fda7604785f93587 +%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340 +%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b Name: docker -Version: 17.09.1_ce +Version: 18.06.0_ce Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -62,16 +62,12 @@ Source9: tests.sh # branch in http://github.com/suse/docker.mirror. Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676 -Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173 -Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877 -Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch +Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277 -Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch +Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727 -Patch404: bsc1100727-0001-build-add-buildmode-pie.patch +Patch402: bsc1100727-0001-build-add-buildmode-pie.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -79,21 +75,7 @@ BuildRequires: device-mapper-devel >= 1.2.68 BuildRequires: glibc-devel-static BuildRequires: libapparmor-devel BuildRequires: libbtrfs-devel >= 3.8 -# enable libseccomp for sle >= sle12sp2 -%if 0%{?sle_version} >= 120200 -%define with_libseccomp 1 -%endif -# enable libseccomp for leap >= 42.2 -%if 0%{?leap_version} >= 420200 -%define with_libseccomp 1 -%endif -# enable libseccomp for Factory -%if 0%{?suse_version} > 1320 -%define with_libseccomp 1 -%endif -%if 0%{?with_libseccomp} -BuildRequires: libseccomp-devel -%endif +BuildRequires: libseccomp-devel >= 2.2 BuildRequires: libtool BuildRequires: procps BuildRequires: sqlite3-devel @@ -136,9 +118,9 @@ Recommends: lvm2 >= 2.2.89 Conflicts: lxc < 1.0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ExcludeArch: s390 ppc -# Make sure we build with go 1.8 +# Make sure we build with go 1.10 BuildRequires: go-go-md2man -BuildRequires: golang(API) = 1.8 +BuildRequires: golang(API) = 1.10 %description Docker complements LXC with a high-level API which operates at the process @@ -196,25 +178,18 @@ Test package for docker. It contains the source code and the tests. %patch200 -p1 %patch201 -p1 %endif -# bsc#1055676 -%patch400 -p1 -# bsc#1021227 bsc#1029320 bsc#1058173 -%patch401 -p1 # bsc#1073877 -%patch402 -p1 +%patch400 -p1 # bsc#1099277 -%patch403 -p1 +%patch401 -p1 # bsc#1100727 -%patch404 -p1 +%patch402 -p1 cp %{SOURCE7} . cp %{SOURCE9} . %build -BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11" -%if 0%{?with_libseccomp} -BUILDTAGS="seccomp $BUILDTAGS" -%endif +BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" %if 0%{?sle_version} == 120000 # Provided by patch406, to allow us to build with older distros but still # have deferred removal support at runtime. We only use this when building @@ -279,9 +254,9 @@ cd ../.. # of the upstream vendoring scripts. This is done on-build to make sure that # someone doing an update didn't miss anything. cd components/engine -grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits -grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits -grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits +grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/install/runc.installer +grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer +grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer %install install -d %{buildroot}%{go_contribdir} @@ -336,6 +311,17 @@ getent group docker >/dev/null || groupadd -r docker %service_add_post %{name}.service %{fillup_only -n docker} +# NOTE: This is a pretty hacky way of getting around the fact we've removed +# containerd.service and now everything is spawned underneath Docker. In +# order to force containerd.service to be stopped on the upgrade we need +# to trick the systemd macros into thinking that this is an "uninstall". +# Hopefully we can remove this soon. +( + FIRST_ARG=0 + %service_del_preun containerd.service containerd.socket + %service_del_postun containerd.service containerd.socket +) + %preun %service_del_preun %{name}.service diff --git a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch index 6d98e58..e11a185 100644 --- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch +++ b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch @@ -1,4 +1,4 @@ -From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001 +From 72ca29ce89146ac0c9a47881ebfc10883ed8ed39 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets @@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go -index 954c194ea836..3ef1e0262edc 100644 +index bc7ee452332b..d34129dfd80b 100644 --- a/components/engine/daemon/container_operations_unix.go +++ b/components/engine/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ - package daemon + package daemon // import "github.com/docker/docker/daemon" import ( + "bytes" "context" "fmt" "io/ioutil" -@@ -13,6 +14,7 @@ import ( - +@@ -14,6 +15,7 @@ import ( "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" + "github.com/docker/docker/errdefs" + "github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/mount" "github.com/docker/docker/pkg/stringid" -@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } @@ -43,7 +43,7 @@ index 954c194ea836..3ef1e0262edc 100644 uid, err := strconv.Atoi(s.File.UID) if err != nil { -@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } @@ -70,5 +70,5 @@ index 954c194ea836..3ef1e0262edc 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.17.0 +2.18.0 diff --git a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch index 606689e..2ac6325 100644 --- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch +++ b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch @@ -1,4 +1,4 @@ -From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001 +From 4b300d3fabe2c8fa7292967c63a83eb82a30925a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets @@ -10,36 +10,36 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. -SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 +SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702 Signed-off-by: Aleksa Sarai --- components/engine/daemon/start.go | 5 + - components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++ - 2 files changed, 404 insertions(+) + components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++ + 2 files changed, 401 insertions(+) create mode 100644 components/engine/daemon/suse_secrets.go diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go -index 55438cf2c45f..7dfa6cd1d055 100644 +index c00bd9ceb22b..aa705888df39 100644 --- a/components/engine/daemon/start.go +++ b/components/engine/daemon/start.go -@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint +@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint return err } + // SUSE:secrets -- inject the SUSE secret store + if err := daemon.injectSuseSecretStore(container); err != nil { -+ return err ++ return errdefs.System(err) + } + spec, err := daemon.createSpec(container) if err != nil { - return systemError{err} + return errdefs.System(err) diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go new file mode 100644 -index 000000000000..00e485368b47 +index 000000000000..817cd5561023 --- /dev/null +++ b/components/engine/daemon/suse_secrets.go -@@ -0,0 +1,399 @@ +@@ -0,0 +1,396 @@ +/* + * suse-secrets: patch for Docker to implement SUSE secrets + * Copyright (C) 2017 SUSE LLC. @@ -143,10 +143,6 @@ index 000000000000..00e485368b47 + var suseFiles []*SuseFakeFile + + path := filepath.Join(prefix, dir) -+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) { -+ // If the path doesn't exist at all we don't inject anything. -+ return nil, nil -+ } + fi, err := os.Stat(path) + if err != nil { + // Ignore dangling symlinks. @@ -263,10 +259,6 @@ index 000000000000..00e485368b47 +// readFile returns a secret given a file under a given prefix. +func readFile(prefix, file string) ([]*SuseFakeFile, error) { + path := filepath.Join(prefix, file) -+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) { -+ // If the path doesn't exist at all we don't inject anything. -+ return nil, nil -+ } + fi, err := os.Stat(path) + if err != nil { + // Ignore dangling symlinks. @@ -430,7 +422,12 @@ index 000000000000..00e485368b47 + // to the mount list. This causes clashes because of duplicate namespaces. + // If we see an existing mount that will clash with the in-built secrets + // mount we assume it's our fault. -+ for _, intendedMount := range c.SecretMounts() { ++ intendedMounts, err := c.SecretMounts() ++ if err != nil { ++ logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err) ++ return err ++ } ++ for _, intendedMount := range intendedMounts { + mountPath := intendedMount.Destination + if volume, ok := c.MountPoints[mountPath]; ok { + logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume) @@ -440,5 +437,5 @@ index 000000000000..00e485368b47 + return nil +} -- -2.17.0 +2.18.0 From cc1fefc9bf4646a2432e8a492b44066b6529d6c67997787cb6787ba30f5471ca Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 20 Aug 2018 08:55:46 +0000 Subject: [PATCH 2/8] - Merge -kubic packages back into the main Virtualization:containers packages. This is done using _multibuild to add a "kubic" flavour, which is then used to conditionally compile patches and other kubic-specific features. bsc#1105000 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=259 --- _multibuild | 3 + docker-kubic-service.conf | 4 + docker-rpmlintrc | 16 +- docker.changes | 69 +- docker.spec | 117 +- ...-Add-private-registry-mirror-support.patch | 1163 +++++++++++++++++ 6 files changed, 1337 insertions(+), 35 deletions(-) create mode 100644 _multibuild create mode 100644 docker-kubic-service.conf create mode 100644 private-registry-0001-Add-private-registry-mirror-support.patch diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..ef76501 --- /dev/null +++ b/_multibuild @@ -0,0 +1,3 @@ + + kubic + diff --git a/docker-kubic-service.conf b/docker-kubic-service.conf new file mode 100644 index 0000000..8b60aa1 --- /dev/null +++ b/docker-kubic-service.conf @@ -0,0 +1,4 @@ +[Service] +# Put docker under the podruntime slice. This the recommended +# deployment to allow fine resource control on Kubernetes. +Slice=podruntime.slice diff --git a/docker-rpmlintrc b/docker-rpmlintrc index 62838b9..ec2474b 100644 --- a/docker-rpmlintrc +++ b/docker-rpmlintrc @@ -1,7 +1,9 @@ -addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib64/docker/dockerinit") -addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") -addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib/docker/dockerinit") -addFilter ("^docker.x86_64: W: unstripped-binary-or-object /usr/lib/docker/dockerinit") -addFilter ("^docker.x86_64: W: no-manual-page-for-binary docker") -addFilter ("^docker.x86_64: W: no-manual-page-for-binary nsinit") -addFilter ("^docker-test.*") +# This is intentional, since we use _multibuild for the flavours. +addFilter ("^docker-kubic.src: W: invalid-spec-name") + +# The #! comes from upstream. +addFilter ("^docker(-kubic)?-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") +addFilter ("^docker(-kubic)?-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh") + +# -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package. +addFilter ("^docker(-kubic)?-test.*") diff --git a/docker.changes b/docker.changes index cda58be..727147e 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Aug 16 02:00:31 UTC 2018 - asarai@suse.com + +- Merge -kubic packages back into the main Virtualization:containers packages. + This is done using _multibuild to add a "kubic" flavour, which is then used + to conditionally compile patches and other kubic-specific features. + bsc#1105000 +- Rework docker-rpmlintrc with the new _multibuild setup. + ------------------------------------------------------------------- Wed Aug 1 09:40:59 UTC 2018 - asarai@suse.com @@ -36,11 +45,6 @@ Fri Jun 29 08:35:56 UTC 2018 - asarai@suse.com * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch -------------------------------------------------------------------- -Wed Jun 13 10:19:23 UTC 2018 - dcassany@suse.com - -- Make use of %license macro - ------------------------------------------------------------------- Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com @@ -48,6 +52,11 @@ Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com between in-container processes. bsc#1073877 * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch +------------------------------------------------------------------- +Tue Jun 5 08:41:07 UTC 2018 - dcassany@suse.com + +- Make use of %license macro + ------------------------------------------------------------------- Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com @@ -63,6 +72,18 @@ Tue May 29 08:10:48 UTC 2018 - asarai@suse.com * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +------------------------------------------------------------------- +Wed May 16 10:12:56 UTC 2018 - jmassaguerpla@suse.com + +- Review Obsoletes to fix bsc#1080978 + +------------------------------------------------------------------- +Thu Apr 12 12:49:25 UTC 2018 - fcastelli@suse.com + +- Put docker under the podruntime slice. This the recommended + deployment to allow fine resource control on Kubernetes. + bsc#1086185 + ------------------------------------------------------------------- Tue Apr 10 09:25:43 UTC 2018 - mmeister@suse.com @@ -88,6 +109,13 @@ Tue Mar 27 10:13:41 UTC 2018 - asarai@suse.com - Add requirement for catatonit, which provides a docker-init implementation. fate#324652 bsc#1085380 +------------------------------------------------------------------- +Thu Mar 8 13:14:54 UTC 2018 - vrothberg@suse.com + +- Fix private-registry-0001-Add-private-registry-mirror-support.patch to + deal corretly with TLS configs of 3rd party registries. + fix bsc#1084533 + ------------------------------------------------------------------- Tue Feb 13 10:45:58 UTC 2018 - asarai@suse.com @@ -97,9 +125,40 @@ Tue Feb 13 10:45:58 UTC 2018 - asarai@suse.com patch maintenance is much simpler. * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch + * private-registry-0001-Add-private-registry-mirror-support.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +------------------------------------------------------------------- +Mon Feb 12 10:52:33 UTC 2018 - rbrown@suse.com + +- Add ${version} to equivalent non-kubic package provides + +------------------------------------------------------------------- +Thu Feb 8 12:34:51 UTC 2018 - rbrown@suse.com + +- Add Provides for equivalent non-kubic packages + +------------------------------------------------------------------- +Tue Jan 30 12:27:44 UTC 2018 - vrothberg@suse.com + +- Disable all tests for docker/client and docker/pkg/discovery. The unit tests + of those packages broke reproducibly the builds in IBS. + +------------------------------------------------------------------- +Mon Jan 29 14:39:02 UTC 2018 - vrothberg@suse.com + +- Disable flaky tests github.com/docker/docker/pkg/discovery/kv. + +------------------------------------------------------------------- +Fri Jan 26 07:15:53 UTC 2018 - vrothberg@suse.com + +- Add patch to support mirroring of private/non-upstream registries. As soon as + the upstream PR (https://github.com/moby/moby/pull/34319) is merged, this + patch will be replaced by the backported one from upstream. + + private-registry-0001-Add-private-registry-mirror-support.patch + fix bsc#1074971 + ------------------------------------------------------------------- Fri Jan 19 14:12:32 UTC 2018 - asarai@suse.com diff --git a/docker.spec b/docker.spec index 7f98a88..a007cd9 100644 --- a/docker.spec +++ b/docker.spec @@ -26,6 +26,17 @@ %define _fillupdir /var/adm/fillup-templates %endif +# Handle _multibuild magic. +%define flavour @BUILD_FLAVOR@%{nil} + +# We split the Name: into "realname" and "name_suffix". +%define realname docker +%if "%flavour" == "" +%define name_suffix %{nil} +%else +%define name_suffix -%{flavour} +%endif + # Used when generating the "build" information for Docker version. The value of # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm # helpfully injects into our build environment from the changelog). If you want @@ -40,7 +51,7 @@ %define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340 %define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b -Name: docker +Name: %{realname}%{name_suffix} Version: 18.06.0_ce Release: 0 Summary: The Linux container runtime @@ -48,8 +59,10 @@ License: Apache-2.0 Group: System/Management Url: http://www.docker.io # TODO(VR): check those SOURCE files below -Source: %{name}-%{version}.tar.xz +Source: %{realname}-%{version}.tar.xz Source1: docker.service +# bsc#1086185 -- but we only apply this on Kubic. +Source2: docker-kubic-service.conf Source3: 80-docker.rules Source4: sysconfig.docker Source6: docker-rpmlintrc @@ -68,6 +81,9 @@ Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker- Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727 Patch402: bsc1100727-0001-build-add-buildmode-pie.patch +# SUSE-FEATURE: Add support to mirror inofficial/private registries +# (https://github.com/moby/moby/pull/34319) +Patch500: private-registry-0001-Add-private-registry-mirror-support.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -86,14 +102,14 @@ Requires: ca-certificates-mozilla # Required in order for networking to work. fix_bsc_1057743 is a work-around # for some old packaging issues (where rpm would delete a binary that was # installed by docker-libnetwork). See bsc#1057743 for more details. -Requires: docker-libnetwork-git = %{required_libnetwork} +Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of # runC or containerd (which would be bad). -Requires: containerd-git = %{required_containerd} -Requires: docker-runc-git = %{required_dockerrunc} +Requires: containerd%{name_suffix}-git = %{required_containerd} +Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc} # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit @@ -116,11 +132,22 @@ Obsoletes: docker-image-migrator # different storage-driver than devicemapper Recommends: lvm2 >= 2.2.89 Conflicts: lxc < 1.0 -BuildRoot: %{_tmppath}/%{name}-%{version}-build ExcludeArch: s390 ppc # Make sure we build with go 1.10 BuildRequires: go-go-md2man BuildRequires: golang(API) = 1.10 +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname} = 1.12.6 +Obsoletes: %{realname}_1_12_6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname} +Provides: %{realname} = %{version} +%endif %description Docker complements LXC with a high-level API which operates at the process @@ -135,8 +162,19 @@ service-oriented architectures, etc. Summary: Bash Completion for %{name} Group: System/Management Requires: %{name} = %{version} -Supplements: packageand(docker:bash-completion) +Supplements: packageand(%{name}:bash-completion) BuildArch: noarch +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname}-bash-completion = 1.12.6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname}-bash-completion > 1.12.6 +Provides: %{realname}-bash-completion = %{version} +%endif %description bash-completion Bash command line completion support for %{name}. @@ -145,8 +183,19 @@ Bash command line completion support for %{name}. Summary: Zsh Completion for %{name} Group: System/Management Requires: %{name} = %{version} -Supplements: packageand(docker:zsh) +Supplements: packageand(%{name}:zsh) BuildArch: noarch +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname}-zsh-completion = 1.12.6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname}-zsh-completion > 1.12.6 +Provides: %{realname}-zsh-completion = %{version} +%endif %description zsh-completion Zsh command line completion support for %{name}. @@ -165,12 +214,23 @@ Requires: libbtrfs-devel >= 3.8 Requires: procps Requires: sqlite3-devel Requires: golang(API) = 1.8 +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname}-test = 1.12.6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname}-test > 1.12.6 +Provides: %{realname}-test = %{version} +%endif %description test Test package for docker. It contains the source code and the tests. %prep -%setup -q +%setup -q -n %{realname}-%{version} %if 0%{?is_opensuse} # nothing %else @@ -184,6 +244,10 @@ Test package for docker. It contains the source code and the tests. %patch401 -p1 # bsc#1100727 %patch402 -p1 +%if "%flavour" == "kubic" +# PATCH-SUSE: Mirror patch. +%patch500 -p1 +%endif cp %{SOURCE7} . cp %{SOURCE9} . @@ -268,8 +332,8 @@ install -Dd -m 0755 \ %{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sbindir} -install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{name}" -install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{name}" +install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{realname}" +install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{realname}" # copy all for the test package install -d %{buildroot}%{_prefix}/src/docker/ cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine @@ -278,17 +342,20 @@ cp -a components/cli/. %{buildroot}%{_prefix}/src/docker/cli # # systemd service # -install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service +install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service +%if "%flavour" == "kubic" +install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf +%endif ln -sf service %{buildroot}%{_sbindir}/rcdocker # # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # -install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{name}.rules +install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules # audit rules -install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules +install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules # sysconfig file install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker @@ -305,10 +372,10 @@ install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 %pre getent group docker >/dev/null || groupadd -r docker -%service_add_pre %{name}.service +%service_add_pre %{realname}.service %post -%service_add_post %{name}.service +%service_add_post %{realname}.service %{fillup_only -n docker} # NOTE: This is a pretty hacky way of getting around the fact we've removed @@ -323,10 +390,10 @@ getent group docker >/dev/null || groupadd -r docker ) %preun -%service_del_preun %{name}.service +%service_del_preun %{realname}.service %postun -%service_del_postun %{name}.service +%service_del_postun %{realname}.service %files %defattr(-,root,root) @@ -335,9 +402,13 @@ getent group docker >/dev/null || groupadd -r docker %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker -%{_unitdir}/%{name}.service -%config %{_sysconfdir}/audit/rules.d/%{name}.rules -%{_udevrulesdir}/80-%{name}.rules +%{_unitdir}/%{realname}.service +%if "%flavour" == "kubic" +%dir %{_unitdir}/%{realname}.service.d/ +%{_unitdir}/%{realname}.service.d/90-kubic.conf +%endif +%config %{_sysconfdir}/audit/rules.d/%{realname}.rules +%{_udevrulesdir}/80-%{realname}.rules %{_fillupdir}/sysconfig.docker %dir %{_localstatedir}/lib/docker/ %{_mandir}/man1/docker-*.1%{ext_man} @@ -347,11 +418,11 @@ getent group docker >/dev/null || groupadd -r docker %files bash-completion %defattr(-,root,root) -%config %{_sysconfdir}/bash_completion.d/%{name} +%config %{_sysconfdir}/bash_completion.d/%{realname} %files zsh-completion %defattr(-,root,root) -%config %{_sysconfdir}/zsh_completion.d/%{name} +%config %{_sysconfdir}/zsh_completion.d/%{realname} %files test %defattr(-,root,root) diff --git a/private-registry-0001-Add-private-registry-mirror-support.patch b/private-registry-0001-Add-private-registry-mirror-support.patch new file mode 100644 index 0000000..5a88ed4 --- /dev/null +++ b/private-registry-0001-Add-private-registry-mirror-support.patch @@ -0,0 +1,1163 @@ +From a709df0266457218086de2747c70a1b001fe745f Mon Sep 17 00:00:00 2001 +From: Valentin Rothberg +Date: Mon, 2 Jul 2018 13:37:34 +0200 +Subject: [PATCH] Add private-registry mirror support + +NOTE: This is a backport/downstream patch of the upstream pull-request + for Moby, which is still subject to changes. Please visit + https://github.com/moby/moby/pull/34319 for the current status. + +Add support for mirroring private registries. The daemon.json config +can now be configured as exemplified below: + +```json +{ +"registries": [ + { + "Prefix": "docker.io/library/alpine", + "Mirrors": [ + { + "URL": "http://local-alpine-mirror.lan" + } + ] + }, + { + "Prefix": "registry.suse.com", + "Mirrors": [ + { + "URL": "https://remote.suse.mirror.com" + } + ] + }, + { + "Prefix": "http://insecure.registry.org:5000" + } +], +"registry-mirrors": ["https://deprecated-mirror.com"] +} +``` + +With the new semantics, a mirror will be selected as an endpoint if the +specified prefix matches the prefix of the requested resource (e.g., an +image reference). In the upper example, "local-alpine-mirror" will only +serve as a mirror for docker.io if the requested resource matches the +"alpine" prefix, such as "alpine:latest" or "alpine-foo/bar". + +Furthermore, private registries can now be mirrored as well. In the +example above, "remote.suse.mirror.com" will serve as a mirror for all +requests to "registry.suse.com". Notice that if no http{s,} scheme is +specified, the URI will always default to https without fallback to +http. An insecure registry can now be specified by adding the "http://" +scheme to the corresponding prefix. + +Note that the configuration is sanity checked, so that a given mirror +can serve multiple prefixes if they all point to the same registry, +while a registry cannot simultaneously serve as a mirror. The daemon +will warn in case the URI schemes of a registry and one of its mirrors +do not correspond. + +This change deprecates the "insecure-regestries" and "registry-mirrors" +options, while the "insecure-registries" cannot be used simultaneously +with the new "registries", which doesn't allow a fallback from https to +http for security reasons. + +Signed-off-by: Flavio Castelli +Signed-off-by: Valentin Rothberg +--- + .../engine/api/types/registry/registry.go | 144 ++++++++++++++++++ + components/engine/daemon/config/config.go | 4 + + components/engine/daemon/reload.go | 33 ++++ + components/engine/daemon/reload_test.go | 95 ++++++++++++ + components/engine/distribution/pull.go | 2 +- + components/engine/distribution/pull_v2.go | 2 +- + components/engine/distribution/push.go | 2 +- + components/engine/registry/config.go | 120 ++++++++++++++- + components/engine/registry/config_test.go | 136 +++++++++++++++++ + components/engine/registry/registry_test.go | 91 ++++++++++- + components/engine/registry/service.go | 56 ++++--- + components/engine/registry/service_v2.go | 66 +++++--- + 12 files changed, 705 insertions(+), 46 deletions(-) + +diff --git a/components/engine/api/types/registry/registry.go b/components/engine/api/types/registry/registry.go +index 8789ad3b3210..c663fec7d881 100644 +--- a/components/engine/api/types/registry/registry.go ++++ b/components/engine/api/types/registry/registry.go +@@ -2,7 +2,10 @@ package registry // import "github.com/docker/docker/api/types/registry" + + import ( + "encoding/json" ++ "fmt" + "net" ++ "net/url" ++ "strings" + + "github.com/opencontainers/image-spec/specs-go/v1" + ) +@@ -14,6 +17,147 @@ type ServiceConfig struct { + InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"` + IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"` + Mirrors []string ++ Registries map[string]Registry ++} ++ ++// Registry holds information for a registry and its mirrors. ++type Registry struct { ++ // Prefix is used for the lookup of endpoints, where the given registry ++ // is selected when its Prefix is a prefix of the passed reference, for ++ // instance, Prefix:"docker.io/opensuse" will match a `docker pull ++ // opensuse:tumleweed`. ++ URL RegURL `json:"Prefix"` ++ // The mirrors will be selected prior to the registry during lookup of ++ // endpoints. ++ Mirrors []Mirror `json:"Mirrors,omitempty"` ++} ++ ++// NewRegistry returns a Registry and interprets input as a URL. ++func NewRegistry(input string) (Registry, error) { ++ reg := Registry{} ++ err := reg.URL.Parse(input) ++ return reg, err ++} ++ ++// AddMirror interprets input as a URL and adds it as a new mirror. ++func (r *Registry) AddMirror(input string) error { ++ mir, err := NewMirror(input) ++ if err != nil { ++ return err ++ } ++ r.Mirrors = append(r.Mirrors, mir) ++ return nil ++} ++ ++// ContainsMirror returns true if the URL of any mirror equals input. ++func (r *Registry) ContainsMirror(input string) bool { ++ for _, m := range r.Mirrors { ++ if m.URL.String() == input { ++ return true ++ } ++ } ++ return false ++} ++ ++// Mirror holds information for a given registry mirror. ++type Mirror struct { ++ // The URL of the mirror. ++ URL RegURL `json:"URL,omitempty"` ++} ++ ++// NewMirror returns a Registry and interprets input as a URL. ++func NewMirror(input string) (Mirror, error) { ++ mir := Mirror{} ++ err := mir.URL.Parse(input) ++ return mir, err ++} ++ ++// RegURL is a wrapper for url.URL to unmarshal it from the JSON config and to ++// make it an embedded type for its users. ++type RegURL struct { ++ // rURL is a simple url.URL. Notice it is no pointer to avoid potential ++ // null pointer dereferences. ++ rURL url.URL ++} ++ ++// UnmarshalJSON unmarshals the byte array into the RegURL pointer. ++func (r *RegURL) UnmarshalJSON(b []byte) error { ++ var input string ++ if err := json.Unmarshal(b, &input); err != nil { ++ return err ++ } ++ return r.Parse(input) ++} ++ ++// MarshalJSON marshals the RegURL. ++func (r *RegURL) MarshalJSON() ([]byte, error) { ++ return json.Marshal(r.String()) ++} ++ ++// Parse parses input as a URL. ++func (r *RegURL) Parse(input string) error { ++ input = strings.ToLower(input) ++ uri, err := url.Parse(input) ++ if err == nil { ++ r.rURL = *uri ++ } else { ++ return err ++ } ++ // default to https if no URI scheme is specified ++ if uri.Scheme == "" { ++ // we have to parse again to update all associated data ++ return r.Parse("https://" + input) ++ } ++ ++ // sanity checks ++ if uri.Scheme != "http" && uri.Scheme != "https" { ++ return fmt.Errorf("invalid url: unsupported scheme %q in %q", uri.Scheme, uri) ++ } ++ if uri.Host == "" { ++ return fmt.Errorf("invalid url: unspecified hostname in %s", uri) ++ } ++ if uri.User != nil { ++ // strip password from output ++ uri.User = url.UserPassword(uri.User.Username(), "xxxxx") ++ return fmt.Errorf("invalid url: username/password not allowed in URI %q", uri) ++ } ++ ++ return nil ++} ++ ++// Host returns the host:port of the URL. ++func (r *RegURL) Host() string { ++ return r.rURL.Host ++} ++ ++// Prefix returns the host:port/path of the URL. ++func (r *RegURL) Prefix() string { ++ return r.rURL.Host + r.rURL.Path ++} ++ ++// IsOfficial returns true if the URL points to an official "docker.io" host. ++func (r *RegURL) IsOfficial() bool { ++ return r.rURL.Hostname() == "docker.io" ++} ++ ++// IsSecure returns true if the URI scheme of the URL is "https". ++func (r *RegURL) IsSecure() bool { ++ return r.Scheme() == "https" ++} ++ ++// Scheme returns the URI scheme. ++func (r *RegURL) Scheme() string { ++ return r.rURL.Scheme ++} ++ ++// URL return URL of the RegURL. ++func (r *RegURL) URL() url.URL { ++ return r.rURL ++} ++ ++// String return URL as a string. ++func (r *RegURL) String() string { ++ return r.rURL.String() + } + + // NetIPNet is the net.IPNet type, which can be marshalled and +diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go +index 6cda223a1181..308eb83f2116 100644 +--- a/components/engine/daemon/config/config.go ++++ b/components/engine/daemon/config/config.go +@@ -439,6 +439,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag + // 1. Search keys from the file that we don't recognize as flags. + unknownKeys := make(map[string]interface{}) + for key, value := range config { ++ // skip complex config-only options (daemon.json) ++ if key == "registries" { ++ continue ++ } + if flag := flags.Lookup(key); flag == nil { + unknownKeys[key] = value + } +diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go +index 210864ff879d..5e744c5dcf8d 100644 +--- a/components/engine/daemon/reload.go ++++ b/components/engine/daemon/reload.go +@@ -21,8 +21,14 @@ import ( + // - Daemon labels + // - Insecure registries + // - Registry mirrors ++// - Registries + // - Daemon live restore + func (daemon *Daemon) Reload(conf *config.Config) (err error) { ++ // check for incompatible options ++ if err := conf.ServiceOptions.CompatCheck(); err != nil { ++ return err ++ } ++ + daemon.configStore.Lock() + attributes := map[string]string{} + +@@ -64,6 +70,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) { + if err := daemon.reloadLiveRestore(conf, attributes); err != nil { + return err + } ++ if err := daemon.reloadRegistries(conf, attributes); err != nil { ++ return err ++ } + return daemon.reloadNetworkDiagnosticPort(conf, attributes) + } + +@@ -293,6 +302,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[ + return nil + } + ++// reloadRegistries updates the registries configuration and the passed attributes ++func (daemon *Daemon) reloadRegistries(conf *config.Config, attributes map[string]string) error { ++ // update corresponding configuration ++ if conf.IsValueSet("registries") { ++ daemon.configStore.Registries = conf.Registries ++ if err := daemon.RegistryService.LoadRegistries(conf.Registries); err != nil { ++ return err ++ } ++ } ++ ++ // prepare reload event attributes with updatable configurations ++ if daemon.configStore.Registries != nil { ++ registries, err := json.Marshal(daemon.configStore.Registries) ++ if err != nil { ++ return err ++ } ++ attributes["registries"] = string(registries) ++ } else { ++ attributes["registries"] = "[]" ++ } ++ ++ return nil ++} ++ + // reloadLiveRestore updates configuration with live retore option + // and updates the passed attributes + func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error { +diff --git a/components/engine/daemon/reload_test.go b/components/engine/daemon/reload_test.go +index ffad297f71b7..21733c3f1e33 100644 +--- a/components/engine/daemon/reload_test.go ++++ b/components/engine/daemon/reload_test.go +@@ -7,6 +7,7 @@ import ( + "testing" + "time" + ++ registrytypes "github.com/docker/docker/api/types/registry" + "github.com/docker/docker/daemon/config" + "github.com/docker/docker/daemon/images" + "github.com/docker/docker/pkg/discovery" +@@ -201,6 +202,100 @@ func TestDaemonReloadMirrors(t *testing.T) { + } + } + ++func TestDaemonReloadRegistries(t *testing.T) { ++ daemon := &Daemon{ ++ imageService: images.NewImageService(images.ImageServiceConfig{}), ++ } ++ ++ // create registries: note that this is done implicitly when loading ++ // daemon.json file. ++ var ( ++ err error ++ regA registrytypes.Registry // no change ++ regB registrytypes.Registry // will be changed ++ regC registrytypes.Registry // will be added ++ ) ++ ++ regA, err = registrytypes.NewRegistry("https://registry-a.com") ++ if err != nil { ++ t.Fatal(err) ++ } ++ if err := regA.AddMirror("https://mirror-a.com"); err != nil { ++ t.Fatal(err) ++ } ++ ++ // we'll add a 2nd mirror before reloading ++ regB, err = registrytypes.NewRegistry("https://registry-b.com") ++ if err != nil { ++ t.Fatal(err) ++ } ++ if err := regB.AddMirror("https://mirror1-b.com"); err != nil { ++ t.Fatal(err) ++ } ++ ++ // insecure regC will be added before reloading ++ regC, err = registrytypes.NewRegistry("http://registry-c.com") ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ daemon.RegistryService, err = registry.NewService(registry.ServiceOptions{ ++ Registries: []registrytypes.Registry{regA, regB}, ++ }) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ daemon.configStore = &config.Config{} ++ ++ if err := regB.AddMirror("https://mirror2-b.com"); err != nil { ++ t.Fatal(err) ++ } ++ ++ registries := []registrytypes.Registry{regA, regB, regC} ++ ++ valuesSets := make(map[string]interface{}) ++ valuesSets["registries"] = registries ++ ++ newConfig := &config.Config{ ++ CommonConfig: config.CommonConfig{ ++ ServiceOptions: registry.ServiceOptions{ ++ Registries: registries, ++ }, ++ ValuesSet: valuesSets, ++ }, ++ } ++ ++ if err := daemon.Reload(newConfig); err != nil { ++ t.Fatal(err) ++ } ++ ++ registryService := daemon.RegistryService.ServiceConfig() ++ ++ if reg, exists := registryService.Registries["registry-a.com"]; !exists { ++ t.Fatal("registry should exist but doesn't") ++ } else { ++ if !reg.ContainsMirror("https://mirror-a.com") { ++ t.Fatal("registry should contain mirror but doesn't") ++ } ++ } ++ ++ if reg, exists := registryService.Registries["registry-b.com"]; !exists { ++ t.Fatal("registry should exist but doesn't") ++ } else { ++ if !reg.ContainsMirror("https://mirror1-b.com") { ++ t.Fatal("registry should contain mirror but doesn't") ++ } ++ if !reg.ContainsMirror("https://mirror2-b.com") { ++ t.Fatal("registry should contain mirror but doesn't") ++ } ++ } ++ ++ if _, exists := registryService.Registries["registry-c.com"]; !exists { ++ t.Fatal("registry should exist but doesn't") ++ } ++} ++ + func TestDaemonReloadInsecureRegistries(t *testing.T) { + daemon := &Daemon{ + imageService: images.NewImageService(images.ImageServiceConfig{}), +diff --git a/components/engine/distribution/pull.go b/components/engine/distribution/pull.go +index 5de73ae99ac3..8e78c49273dd 100644 +--- a/components/engine/distribution/pull.go ++++ b/components/engine/distribution/pull.go +@@ -63,7 +63,7 @@ func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullCo + return err + } + +- endpoints, err := imagePullConfig.RegistryService.LookupPullEndpoints(reference.Domain(repoInfo.Name)) ++ endpoints, err := imagePullConfig.RegistryService.LookupPullEndpoints(ref.Name()) + if err != nil { + return err + } +diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go +index 8f05cfa0b289..a562477ea6cd 100644 +--- a/components/engine/distribution/pull_v2.go ++++ b/components/engine/distribution/pull_v2.go +@@ -379,7 +379,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform + // the other side speaks the v2 protocol. + p.confirmedV2 = true + +- logrus.Debugf("Pulling ref from V2 registry: %s", reference.FamiliarString(ref)) ++ logrus.Infof("Pulling ref %s from V2 registry %s", reference.FamiliarString(ref), p.endpoint.URL) + progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named())) + + var ( +diff --git a/components/engine/distribution/push.go b/components/engine/distribution/push.go +index eb3bc5597462..a4624dee9482 100644 +--- a/components/engine/distribution/push.go ++++ b/components/engine/distribution/push.go +@@ -64,7 +64,7 @@ func Push(ctx context.Context, ref reference.Named, imagePushConfig *ImagePushCo + return err + } + +- endpoints, err := imagePushConfig.RegistryService.LookupPushEndpoints(reference.Domain(repoInfo.Name)) ++ endpoints, err := imagePushConfig.RegistryService.LookupPushEndpoints(ref.Name()) + if err != nil { + return err + } +diff --git a/components/engine/registry/config.go b/components/engine/registry/config.go +index de5a526b694d..cf90abb8be04 100644 +--- a/components/engine/registry/config.go ++++ b/components/engine/registry/config.go +@@ -14,7 +14,7 @@ import ( + "github.com/sirupsen/logrus" + ) + +-// ServiceOptions holds command line options. ++// ServiceOptions holds the user-specified configuration options. + type ServiceOptions struct { + AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"` + Mirrors []string `json:"registry-mirrors,omitempty"` +@@ -23,6 +23,9 @@ type ServiceOptions struct { + // V2Only controls access to legacy registries. If it is set to true via the + // command line flag the daemon will not attempt to contact v1 legacy registries + V2Only bool `json:"disable-legacy-registry,omitempty"` ++ ++ // Registries holds information associated with the specified registries. ++ Registries []registrytypes.Registry `json:"registries,omitempty"` + } + + // serviceConfig holds daemon configuration for the registry service. +@@ -67,8 +70,21 @@ var ( + // for mocking in unit tests + var lookupIP = net.LookupIP + ++// CompatCheck performs some compatibility checks among the config options and ++// returns an error in case of conflicts. ++func (options *ServiceOptions) CompatCheck() error { ++ if len(options.InsecureRegistries) > 0 && len(options.Registries) > 0 { ++ return fmt.Errorf("usage of \"registries\" with deprecated option \"insecure-registries\" is not supported") ++ } ++ return nil ++} ++ + // newServiceConfig returns a new instance of ServiceConfig + func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { ++ if err := options.CompatCheck(); err != nil { ++ panic(fmt.Sprintf("error loading config: %v", err)) ++ } ++ + config := &serviceConfig{ + ServiceConfig: registrytypes.ServiceConfig{ + InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0), +@@ -87,10 +103,104 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { + if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil { + return nil, err + } ++ if err := config.LoadRegistries(options.Registries); err != nil { ++ return nil, fmt.Errorf("error loading registries: %v", err) ++ } + + return config, nil + } + ++// checkRegistries makes sure that no mirror serves more than one registry and ++// that no host is used as a registry and as a mirror simultaneously. Notice ++// that different registry prefixes can share a mirror as long as they point to ++// the same registry. It also warns if the URI schemes of a given registry and ++// one of its mirrors differ. ++func (config *serviceConfig) checkRegistries() error { ++ inUse := make(map[string]string) // key: host, value: user ++ ++ // make sure that each mirror serves only one registry ++ for _, reg := range config.Registries { ++ for _, mirror := range reg.Mirrors { ++ if used, conflict := inUse[mirror.URL.Host()]; conflict { ++ if used != reg.URL.Host() { ++ return fmt.Errorf("mirror '%s' can only serve one registry host", mirror.URL.Host()) ++ } ++ } ++ // docker.io etc. is reserved ++ if mirror.URL.IsOfficial() { ++ return fmt.Errorf("mirror '%s' cannot be used (reserved host)", mirror.URL.Host()) ++ } ++ inUse[mirror.URL.Host()] = reg.URL.Host() ++ // also warnf if seucurity levels differ ++ if reg.URL.IsSecure() != mirror.URL.IsSecure() { ++ logrus.Warnf("registry '%s' and mirror '%s' have different security levels", reg.URL.URL(), mirror.URL.URL()) ++ } ++ } ++ if reg.URL.IsSecure() && len(reg.Mirrors) == 0 { ++ logrus.Warnf("specifying secure registry '%s' without mirrors has no effect", reg.URL.Prefix()) ++ } ++ } ++ ++ // make sure that no registry host is used as a mirror ++ for _, reg := range config.Registries { ++ if _, conflict := inUse[reg.URL.Host()]; conflict { ++ return fmt.Errorf("registry '%s' cannot simultaneously serve as a mirror for '%s'", reg.URL.Host(), inUse[reg.URL.Host()]) ++ } ++ } ++ return nil ++} ++ ++// FindRegistry returns a Registry pointer based on the passed reference. If ++// more than one index-prefix match the reference, the longest index is ++// returned. In case of no match, nil is returned. ++func (config *serviceConfig) FindRegistry(reference string) *registrytypes.Registry { ++ prefixStr := "" ++ prefixLen := 0 ++ for _, reg := range config.Registries { ++ if strings.HasPrefix(reference, reg.URL.Prefix()) { ++ length := len(reg.URL.Prefix()) ++ if length > prefixLen { ++ prefixStr = reg.URL.Prefix() ++ prefixLen = length ++ } ++ } ++ } ++ if prefixLen > 0 { ++ reg := config.Registries[prefixStr] ++ return ® ++ } ++ return nil ++} ++ ++// LoadRegistries loads the user-specified configuration options for registries. ++func (config *serviceConfig) LoadRegistries(registries []registrytypes.Registry) error { ++ config.Registries = make(map[string]registrytypes.Registry) ++ ++ for _, reg := range registries { ++ config.Registries[reg.URL.Prefix()] = reg ++ } ++ ++ // backwards compatability to the "registry-mirrors" config ++ if len(config.Mirrors) > 0 { ++ reg := registrytypes.Registry{} ++ if officialReg, exists := config.Registries[IndexName]; exists { ++ reg = officialReg ++ } else { ++ var err error ++ reg, err = registrytypes.NewRegistry(IndexName) ++ if err != nil { ++ return err ++ } ++ } ++ for _, mirrorStr := range config.Mirrors { ++ reg.AddMirror(mirrorStr) ++ } ++ config.Registries[IndexName] = reg ++ } ++ ++ return config.checkRegistries() ++} ++ + // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config. + func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error { + cidrs := map[string]*registrytypes.NetIPNet{} +@@ -131,6 +241,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str + // LoadMirrors loads mirrors to config, after removing duplicates. + // Returns an error if mirrors contains an invalid mirror. + func (config *serviceConfig) LoadMirrors(mirrors []string) error { ++ if len(mirrors) > 0 { ++ logrus.Infof("usage of deprecated 'registry-mirrors' option: please use 'registries' instead") ++ } ++ + mMap := map[string]struct{}{} + unique := []string{} + +@@ -160,6 +274,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error { + + // LoadInsecureRegistries loads insecure registries to config + func (config *serviceConfig) LoadInsecureRegistries(registries []string) error { ++ if len(registries) > 0 { ++ logrus.Info("usage of deprecated 'insecure-registries' option: please use 'registries' instead") ++ } ++ + // Localhost is by default considered as an insecure registry + // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker). + // +diff --git a/components/engine/registry/config_test.go b/components/engine/registry/config_test.go +index 30a257e32556..78a4fadd733f 100644 +--- a/components/engine/registry/config_test.go ++++ b/components/engine/registry/config_test.go +@@ -6,10 +6,146 @@ import ( + "strings" + "testing" + ++ registrytypes "github.com/docker/docker/api/types/registry" + "gotest.tools/assert" + is "gotest.tools/assert/cmp" + ) + ++func TestLoadValidRegistries(t *testing.T) { ++ var ( ++ secReg registrytypes.Registry ++ insecReg registrytypes.Registry ++ config *serviceConfig ++ err error ++ ) ++ // secure with mirrors ++ secReg, err = registrytypes.NewRegistry("https://secure.registry.com") ++ secMirrors := []string{"https://secure.mirror1.com", "https://secure.mirror2.com"} ++ if err != nil { ++ t.Fatal(err) ++ } ++ if err := secReg.AddMirror(secMirrors[0]); err != nil { ++ t.Fatal(err) ++ } ++ if err := secReg.AddMirror(secMirrors[1]); err != nil { ++ t.Fatal(err) ++ } ++ ++ // insecure without mirrors ++ insecReg, err = registrytypes.NewRegistry("http://insecure.registry.com") ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ // docker.io mirrors to test backwards compatibility ++ officialMirrors := []string{"https://official.mirror1.com", "https://official.mirror2.com"} ++ ++ // create serciveConfig ++ config = newServiceConfig( ++ ServiceOptions{ ++ Mirrors: officialMirrors, ++ Registries: []registrytypes.Registry{secReg, insecReg}, ++ }) ++ ++ // now test if the config looks as expected ++ getMirrors := func(reg registrytypes.Registry) []string { ++ mirrors := []string{} ++ for _, mir := range reg.Mirrors { ++ mirrors = append(mirrors, mir.URL.String()) ++ } ++ return mirrors ++ } ++ ++ if reg, loaded := config.Registries["secure.registry.com"]; !loaded { ++ t.Fatalf("registry not loaded") ++ } else { ++ assert.Equal(t, true, reg.URL.IsSecure()) ++ assert.Equal(t, false, reg.URL.IsOfficial()) ++ mirrors := getMirrors(reg) ++ assert.Equal(t, len(secMirrors), len(mirrors)) ++ sort.Strings(mirrors) ++ sort.Strings(secMirrors) ++ assert.Equal(t, secMirrors[0], mirrors[0]) ++ assert.Equal(t, secMirrors[1], mirrors[1]) ++ } ++ ++ if reg, loaded := config.Registries["insecure.registry.com"]; !loaded { ++ t.Fatalf("registry not loaded") ++ } else { ++ assert.Equal(t, false, reg.URL.IsSecure()) ++ assert.Equal(t, false, reg.URL.IsOfficial()) ++ mirrors := getMirrors(reg) ++ assert.Equal(t, 0, len(mirrors)) ++ } ++ ++ // backwards compatibility: "docker.io" will be loaded due to the config.Mirrors ++ if reg, loaded := config.Registries["docker.io"]; !loaded { ++ t.Fatalf("registry not loaded") ++ } else { ++ assert.Equal(t, true, reg.URL.IsSecure()) ++ assert.Equal(t, true, reg.URL.IsOfficial()) ++ mirrors := getMirrors(reg) ++ assert.Equal(t, len(officialMirrors), len(mirrors)) ++ sort.Strings(mirrors) ++ sort.Strings(officialMirrors) ++ // append '/' (see ValidateMirror()) ++ assert.Equal(t, officialMirrors[0]+"/", mirrors[0]) ++ assert.Equal(t, officialMirrors[1]+"/", mirrors[1]) ++ } ++} ++ ++//func TestLoadInvalidRegistries(t *testing.T) { ++// XXX: this has to be tested manually as the v17.09.X doesn't have a proper ++// error handling for service configs (errors are silently ignored), so ++// the backported patch panics() instead. ++//} ++ ++func TestFindRegistry(t *testing.T) { ++ var ( ++ regA registrytypes.Registry ++ regB registrytypes.Registry ++ config *serviceConfig ++ err error ++ ) ++ ++ regA, err = registrytypes.NewRegistry("https://registry-a.com/my-prefix") ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ regB, err = registrytypes.NewRegistry("http://registry-b.com") ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ // create serciveConfig ++ config = newServiceConfig( ++ ServiceOptions{ ++ Registries: []registrytypes.Registry{regA, regB}, ++ }) ++ ++ // no match -> nil ++ reg := config.FindRegistry("foo") ++ assert.Nil(t, reg) ++ ++ // prefix match -> registry ++ reg = config.FindRegistry("registry-a.com/my-prefix/image:latest") ++ assert.NotNil(t, reg) ++ assert.Equal(t, "registry-a.com", reg.URL.Host()) ++ // no prefix match -> nil ++ reg = config.FindRegistry("registry-a.com/not-my-prefix/image:42") ++ assert.Nil(t, reg) ++ ++ // prefix match -> registry ++ reg = config.FindRegistry("registry-b.com/image:latest") ++ assert.NotNil(t, reg) ++ assert.Equal(t, "registry-b.com", reg.URL.Host()) ++ // prefix match -> registry ++ reg = config.FindRegistry("registry-b.com/also-in-namespaces/image:latest") ++ assert.NotNil(t, reg) ++ assert.Equal(t, "registry-b.com", reg.URL.Host()) ++} ++ + func TestLoadAllowNondistributableArtifacts(t *testing.T) { + testCases := []struct { + registries []string +diff --git a/components/engine/registry/registry_test.go b/components/engine/registry/registry_test.go +index b7459471b3f6..1e0d53e7dc21 100644 +--- a/components/engine/registry/registry_test.go ++++ b/components/engine/registry/registry_test.go +@@ -665,7 +665,32 @@ func TestNewIndexInfo(t *testing.T) { + } + + func TestMirrorEndpointLookup(t *testing.T) { ++ var ( ++ secReg registrytypes.Registry ++ config *serviceConfig ++ pushAPIEndpoints []APIEndpoint ++ pullAPIEndpoints []APIEndpoint ++ err error ++ ) ++ + skip.If(t, os.Getuid() != 0, "skipping test that requires root") ++ ++ // secure with mirrors ++ secReg, err = registrytypes.NewRegistry("https://secure.registry.com/test-prefix/") ++ secMirrors := []string{"https://secure.mirror1.com/", "https://secure.mirror2.com/"} ++ if err != nil { ++ t.Fatal(err) ++ } ++ if err := secReg.AddMirror(secMirrors[0]); err != nil { ++ t.Fatal(err) ++ } ++ if err := secReg.AddMirror(secMirrors[1]); err != nil { ++ t.Fatal(err) ++ } ++ ++ // docker.io mirrors to test backwards compatibility ++ officialMirrors := []string{"https://official.mirror1.com/", "https://official.mirror2.com/"} ++ + containsMirror := func(endpoints []APIEndpoint) bool { + for _, pe := range endpoints { + if pe.URL.Host == "my.mirror" { +@@ -674,31 +699,83 @@ func TestMirrorEndpointLookup(t *testing.T) { + } + return false + } +- cfg, err := makeServiceConfig([]string{"https://my.mirror"}, nil) ++ cfg, err := makeServiceConfig(officialMirrors, nil) + if err != nil { + t.Fatal(err) + } + s := DefaultService{config: cfg} + +- imageName, err := reference.WithName(IndexName + "/test/image") ++ // lookups for "docker.io" ++ officialRef := "docker.io/test/image:latest" ++ pushAPIEndpoints, err = s.LookupPushEndpoints(officialRef) + if err != nil { +- t.Error(err) ++ t.Fatal(err) ++ } ++ if containsMirror(officialMirrors[0], pushAPIEndpoints) { ++ t.Fatal("Push endpoint should not contain mirror") + } +- pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName)) ++ if containsMirror(officialMirrors[1], pushAPIEndpoints) { ++ t.Fatal("Push endpoint should not contain mirror") ++ } ++ ++ pullAPIEndpoints, err = s.LookupPullEndpoints(officialRef) + if err != nil { + t.Fatal(err) + } +- if containsMirror(pushAPIEndpoints) { ++ if !containsMirror(officialMirrors[0], pullAPIEndpoints) { ++ t.Fatal("Pull endpoint should contain mirror") ++ } ++ if !containsMirror(officialMirrors[1], pullAPIEndpoints) { ++ t.Fatal("Pull endpoint should contain mirror") ++ } ++ ++ // prefix lookups ++ prefixRef := "secure.registry.com/test-prefix/foo:latest" ++ pushAPIEndpoints, err = s.LookupPushEndpoints(prefixRef) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if containsMirror(secMirrors[0], pushAPIEndpoints) { ++ t.Fatal("Push endpoint should not contain mirror") ++ } ++ if containsMirror(secMirrors[1], pushAPIEndpoints) { + t.Fatal("Push endpoint should not contain mirror") + } + +- pullAPIEndpoints, err := s.LookupPullEndpoints(reference.Domain(imageName)) ++ pullAPIEndpoints, err = s.LookupPullEndpoints(prefixRef) + if err != nil { + t.Fatal(err) + } +- if !containsMirror(pullAPIEndpoints) { ++ if !containsMirror(secMirrors[0], pullAPIEndpoints) { + t.Fatal("Pull endpoint should contain mirror") + } ++ if !containsMirror(secMirrors[1], pullAPIEndpoints) { ++ t.Fatal("Pull endpoint should contain mirror") ++ } ++ ++ // lookups without matching prefix -> no mirrors ++ noPrefixRef := "secure.registry.com/no-matching-prefix/foo:latest" ++ pushAPIEndpoints, err = s.LookupPushEndpoints(noPrefixRef) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if containsMirror(secMirrors[0], pushAPIEndpoints) { ++ t.Fatal("Push endpoint should not contain mirror") ++ } ++ if containsMirror(secMirrors[1], pushAPIEndpoints) { ++ t.Fatal("Push endpoint should not contain mirror") ++ } ++ ++ pullAPIEndpoints, err = s.LookupPullEndpoints(noPrefixRef) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if containsMirror(secMirrors[0], pullAPIEndpoints) { ++ t.Fatal("Pull endpoint should not contain mirror") ++ } ++ if containsMirror(secMirrors[1], pullAPIEndpoints) { ++ t.Fatal("Pull endpoint should not contain mirror") ++ } + } + + func TestPushRegistryTag(t *testing.T) { +diff --git a/components/engine/registry/service.go b/components/engine/registry/service.go +index b441970ff170..b3c1ee21f383 100644 +--- a/components/engine/registry/service.go ++++ b/components/engine/registry/service.go +@@ -8,7 +8,7 @@ import ( + "strings" + "sync" + +- "github.com/docker/distribution/reference" ++ dref "github.com/docker/distribution/reference" + "github.com/docker/distribution/registry/client/auth" + "github.com/docker/docker/api/types" + registrytypes "github.com/docker/docker/api/types/registry" +@@ -25,14 +25,15 @@ const ( + // Service is the interface defining what a registry service should implement. + type Service interface { + Auth(ctx context.Context, authConfig *types.AuthConfig, userAgent string) (status, token string, err error) +- LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) +- LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) +- ResolveRepository(name reference.Named) (*RepositoryInfo, error) ++ LookupPullEndpoints(reference string) (endpoints []APIEndpoint, err error) ++ LookupPushEndpoints(reference string) (endpoints []APIEndpoint, err error) ++ ResolveRepository(name dref.Named) (*RepositoryInfo, error) + Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error) + ServiceConfig() *registrytypes.ServiceConfig + TLSConfig(hostname string) (*tls.Config, error) + LoadAllowNondistributableArtifacts([]string) error + LoadMirrors([]string) error ++ LoadRegistries([]registrytypes.Registry) error + LoadInsecureRegistries([]string) error + } + +@@ -61,6 +62,7 @@ func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig { + AllowNondistributableArtifactsHostnames: make([]string, 0), + InsecureRegistryCIDRs: make([]*(registrytypes.NetIPNet), 0), + IndexConfigs: make(map[string]*(registrytypes.IndexInfo)), ++ Registries: make(map[string]registrytypes.Registry), + Mirrors: make([]string, 0), + } + +@@ -76,6 +78,10 @@ func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig { + + servConfig.Mirrors = append(servConfig.Mirrors, s.config.ServiceConfig.Mirrors...) + ++ for key, value := range s.config.ServiceConfig.Registries { ++ servConfig.Registries[key] = value ++ } ++ + return &servConfig + } + +@@ -103,6 +109,14 @@ func (s *DefaultService) LoadInsecureRegistries(registries []string) error { + return s.config.LoadInsecureRegistries(registries) + } + ++// LoadRegistries loads registries for Service ++func (s *DefaultService) LoadRegistries(registries []registrytypes.Registry) error { ++ s.mu.Lock() ++ defer s.mu.Unlock() ++ ++ return s.config.LoadRegistries(registries) ++} ++ + // Auth contacts the public registry with the provided credentials, + // and returns OK if authentication was successful. + // It can be used to verify the validity of a client's credentials. +@@ -241,7 +255,7 @@ func (s *DefaultService) Search(ctx context.Context, term string, limit int, aut + + // ResolveRepository splits a repository name into its components + // and configuration of the associated registry. +-func (s *DefaultService) ResolveRepository(name reference.Named) (*RepositoryInfo, error) { ++func (s *DefaultService) ResolveRepository(name dref.Named) (*RepositoryInfo, error) { + s.mu.Lock() + defer s.mu.Unlock() + return newRepositoryInfo(s.config, name) +@@ -280,24 +294,25 @@ func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, er + return s.tlsConfig(mirrorURL.Host) + } + +-// LookupPullEndpoints creates a list of endpoints to try to pull from, in order of preference. +-// It gives preference to v2 endpoints over v1, mirrors over the actual +-// registry, and HTTPS over plain HTTP. +-func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) { ++// LookupPullEndpoints creates a list of endpoints based on the provided ++// reference to try to pull from, in order of preference. It gives preference ++// to v2 endpoints over v1, mirrors over the actual registry, and HTTPS over ++// plain HTTP. ++func (s *DefaultService) LookupPullEndpoints(reference string) (endpoints []APIEndpoint, err error) { + s.mu.Lock() + defer s.mu.Unlock() + +- return s.lookupEndpoints(hostname) ++ return s.lookupEndpoints(reference) + } + +-// LookupPushEndpoints creates a list of endpoints to try to push to, in order of preference. +-// It gives preference to v2 endpoints over v1, and HTTPS over plain HTTP. +-// Mirrors are not included. +-func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) { ++// LookupPushEndpoints creates a list of endpoints based on the provided ++// reference to try to push to, in order of preference. It gives preference to ++// v2 endpoints over v1, and HTTPS over plain HTTP. Mirrors are not included. ++func (s *DefaultService) LookupPushEndpoints(reference string) (endpoints []APIEndpoint, err error) { + s.mu.Lock() + defer s.mu.Unlock() + +- allEndpoints, err := s.lookupEndpoints(hostname) ++ allEndpoints, err := s.lookupEndpoints(reference) + if err == nil { + for _, endpoint := range allEndpoints { + if !endpoint.Mirror { +@@ -308,8 +323,8 @@ func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEn + return endpoints, err + } + +-func (s *DefaultService) lookupEndpoints(hostname string) (endpoints []APIEndpoint, err error) { +- endpoints, err = s.lookupV2Endpoints(hostname) ++func (s *DefaultService) lookupEndpoints(reference string) (endpoints []APIEndpoint, err error) { ++ endpoints, err = s.lookupV2Endpoints(reference) + if err != nil { + return nil, err + } +@@ -318,6 +333,13 @@ func (s *DefaultService) lookupEndpoints(hostname string) (endpoints []APIEndpoi + return endpoints, nil + } + ++ // When falling back to V1 endpoints, switch to the hostname ++ ref, err := dref.ParseNamed(reference) ++ if err != nil { ++ return nil, err ++ } ++ hostname := dref.Domain(ref) ++ + legacyEndpoints, err := s.lookupV1Endpoints(hostname) + if err != nil { + return nil, err +diff --git a/components/engine/registry/service_v2.go b/components/engine/registry/service_v2.go +index 3a56dc91145a..9de221cf2aa0 100644 +--- a/components/engine/registry/service_v2.go ++++ b/components/engine/registry/service_v2.go +@@ -1,30 +1,51 @@ + package registry // import "github.com/docker/docker/registry" + + import ( ++ "fmt" + "net/url" + "strings" + ++ registrytypes "github.com/docker/docker/api/types/registry" + "github.com/docker/go-connections/tlsconfig" + ) + +-func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) { ++func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) { + tlsConfig := tlsconfig.ServerDefault() +- if hostname == DefaultNamespace || hostname == IndexHostname { +- // v2 mirrors +- for _, mirror := range s.config.Mirrors { +- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { +- mirror = "https://" + mirror +- } +- mirrorURL, err := url.Parse(mirror) +- if err != nil { +- return nil, err +- } +- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL) ++ ++ // extraxt the hostname from the reference ++ refURL := reference ++ if !strings.HasPrefix(refURL, "http://") && !strings.HasPrefix(refURL, "https://") { ++ refURL = "https://" + refURL ++ } ++ u, err := url.Parse(refURL) ++ if err != nil { ++ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: error parsing reference %s: %s", reference, err) ++ } ++ hostname := u.Host // hostname + port (if present) ++ if hostname == "" { ++ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: cannot determine hostname of reference %s", reference) ++ } ++ ++ // create endpoints for official and configured registries ++ official := false ++ if hostname == "docker.io" { ++ official = true ++ } ++ reg := s.config.FindRegistry(reference) ++ ++ if reg != nil || official { ++ if reg == nil { ++ reg = ®istrytypes.Registry{} ++ } ++ // if present, add mirrors prior to the registry ++ for _, mirror := range reg.Mirrors { ++ mURL := mirror.URL.URL() ++ mirrorTLSConfig, err := s.tlsConfigForMirror(&mURL) + if err != nil { +- return nil, err ++ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: %s", err) + } + endpoints = append(endpoints, APIEndpoint{ +- URL: mirrorURL, ++ URL: &mURL, + // guess mirrors are v2 + Version: APIVersion2, + Mirror: true, +@@ -32,11 +53,20 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp + TLSConfig: mirrorTLSConfig, + }) + } +- // v2 registry ++ // add the registry ++ var endpointURL *url.URL ++ if official { ++ endpointURL = DefaultV2Registry ++ } else { ++ endpointURL = &url.URL{ ++ Scheme: reg.URL.Scheme(), ++ Host: reg.URL.Host(), ++ } ++ } + endpoints = append(endpoints, APIEndpoint{ +- URL: DefaultV2Registry, ++ URL: endpointURL, + Version: APIVersion2, +- Official: true, ++ Official: official, + TrimHostname: true, + TLSConfig: tlsConfig, + }) +@@ -48,7 +78,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp + + tlsConfig, err = s.tlsConfig(hostname) + if err != nil { +- return nil, err ++ return nil, fmt.Errorf("SUSE PATCH [lookupV2Enpoints]: %s", err) + } + + endpoints = []APIEndpoint{ +-- +2.18.0 + From b184f95d9f50abf786fe5da4f09d4f4a9246fb065938733e66bd54dcdf759f86 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 21 Aug 2018 10:12:51 +0000 Subject: [PATCH 3/8] Accepting request 630733 from home:RBrownSUSE:branches:Virtualization:containers Please stage with incoming cri-o, kubernetes, skelcd-control-kubic and patterns-caasp OBS-URL: https://build.opensuse.org/request/show/630733 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=260 --- docker.changes | 8 ++++++++ docker.spec | 33 +++++++++++++++++++++++++++++++++ kubelet.env | 1 + 3 files changed, 42 insertions(+) create mode 100644 kubelet.env diff --git a/docker.changes b/docker.changes index 727147e..db8d4ea 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Aug 21 09:39:57 UTC 2018 - rbrown@suse.com + +- Kubic: Make crio default, docker as alternative runtime + (boo#1104821) +- Provide kubernetes CRI config with docker-kubic-kubeadm-criconfig + subpackage + ------------------------------------------------------------------- Thu Aug 16 02:00:31 UTC 2018 - asarai@suse.com diff --git a/docker.spec b/docker.spec index a007cd9..a0fb187 100644 --- a/docker.spec +++ b/docker.spec @@ -65,6 +65,7 @@ Source1: docker.service Source2: docker-kubic-service.conf Source3: 80-docker.rules Source4: sysconfig.docker +Source5: kubelet.env Source6: docker-rpmlintrc Source7: README_SUSE.md Source8: docker-audit.rules @@ -147,6 +148,8 @@ Obsoletes: %{realname}_1_12_6 # Conflict with non-kubic package, and provide equivalent Conflicts: %{realname} Provides: %{realname} = %{version} +# Kubernetes requires cri-runtime, which should be provided only by the -kubic flavour of this package +Provides: cri-runtime %endif %description @@ -229,6 +232,20 @@ Provides: %{realname}-test = %{version} %description test Test package for docker. It contains the source code and the tests. +%if "%flavour" == "kubic" +%package kubeadm-criconfig +Summary: docker container runtime configuration for kubeadm +Group: System/Management +Requires: kubernetes-kubeadm +Requires(post): %fillup_prereq +Supplements: docker-kubic +Provides: kubernetes-kubeadm-criconfig +Conflicts: cri-o-kubeadm-criconfig + +%description kubeadm-criconfig +docker container runtime configuration for kubeadm +%endif + %prep %setup -q -n %{realname}-%{version} %if 0%{?is_opensuse} @@ -368,6 +385,11 @@ install -p -m 644 components/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/ma install -d %{buildroot}%{_mandir}/man8 install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 +%if "%flavour" == "kubic" +# place kubelet.env in fillupdir (for kubeadm-criconfig) +install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet +%endif + %fdupes %{buildroot} %pre @@ -389,6 +411,11 @@ getent group docker >/dev/null || groupadd -r docker %service_del_postun containerd.service containerd.socket ) +%if "%flavour" == "kubic" +%post kubeadm-criconfig +%fillup_only -n kubelet +%endif + %preun %service_del_preun %{realname}.service @@ -436,4 +463,10 @@ getent group docker >/dev/null || groupadd -r docker %exclude %{_prefix}/src/docker/engine/contrib/init/sysvinit-redhat %exclude %{_prefix}/src/docker/engine/contrib/init/upstart +%if "%flavour" == "kubic" +%files kubeadm-criconfig +%defattr(-,root,root) +%{_fillupdir}/sysconfig.kubelet +%endif + %changelog diff --git a/kubelet.env b/kubelet.env new file mode 100644 index 0000000..d790137 --- /dev/null +++ b/kubelet.env @@ -0,0 +1 @@ +KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni" From 060769c15c9b8830ee571b02a22932493852b19364e648400240c8dfe4cb5480 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 21 Aug 2018 11:26:57 +0000 Subject: [PATCH 4/8] Accepting request 630750 from home:cyphar:containers:docker_18.06_security_bugfix - Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce upgrade. This is a potential security issue (the CRI plugin was enabled by default, which listens on a TCP port bound to 0.0.0.0) that will be fixed upstream in the 18.06.1-ce upgrade. bsc#1102522 + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch OBS-URL: https://build.opensuse.org/request/show/630750 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=261 --- ...-18.06-disable-containerd-CRI-plugin.patch | 36 +++++++++++++++++++ docker.changes | 9 +++++ docker.spec | 4 +++ 3 files changed, 49 insertions(+) create mode 100644 bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch diff --git a/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch b/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch new file mode 100644 index 0000000..eb29911 --- /dev/null +++ b/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch @@ -0,0 +1,36 @@ +From 7ed2f5078916c4addd321d12bce49f40bf32680e Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Tue, 21 Aug 2018 19:42:53 +1000 +Subject: [PATCH] 18.06: disable containerd CRI plugin + +Docker 18.06 does not have a configuration option to disable the CRI +plugin, and this plugin is not very useful if containerd is not running +standalone. + +This patch disables the plugin if containerd is running as child-process +of dockerd. + +Signed-off-by: Sebastiaan van Stijn +Signed-off-by: Aleksa Sarai +--- + components/engine/libcontainerd/remote_daemon_linux.go | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/components/engine/libcontainerd/remote_daemon_linux.go b/components/engine/libcontainerd/remote_daemon_linux.go +index dc59eb8c14f0..34b04e299acd 100644 +--- a/components/engine/libcontainerd/remote_daemon_linux.go ++++ b/components/engine/libcontainerd/remote_daemon_linux.go +@@ -37,6 +37,10 @@ func (r *remote) setDefaults() { + if r.snapshotter == "" { + r.snapshotter = "overlay" + } ++ // Disable CRI plugin by default if containerd is managed as child-process ++ // of dockerd. See https://github.com/moby/moby/issues/37507 ++ r.DisabledPlugins = append(r.DisabledPlugins, "cri") ++ delete(r.pluginConfs.Plugins, "cri") + } + + func (r *remote) stopDaemon() { +-- +2.18.0 + diff --git a/docker.changes b/docker.changes index db8d4ea..c94cdf0 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Aug 21 09:50:01 UTC 2018 - asarai@suse.com + +- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce + upgrade. This is a potential security issue (the CRI plugin was enabled by + default, which listens on a TCP port bound to 0.0.0.0) that will be fixed + upstream in the 18.06.1-ce upgrade. bsc#1102522 + + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch + ------------------------------------------------------------------- Tue Aug 21 09:39:57 UTC 2018 - rbrown@suse.com diff --git a/docker.spec b/docker.spec index a0fb187..95ec63f 100644 --- a/docker.spec +++ b/docker.spec @@ -82,6 +82,8 @@ Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker- Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727 Patch402: bsc1100727-0001-build-add-buildmode-pie.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/engine/pull/29. bsc#1102522 +Patch403: bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch # SUSE-FEATURE: Add support to mirror inofficial/private registries # (https://github.com/moby/moby/pull/34319) Patch500: private-registry-0001-Add-private-registry-mirror-support.patch @@ -261,6 +263,8 @@ docker container runtime configuration for kubeadm %patch401 -p1 # bsc#1100727 %patch402 -p1 +# bsc#1102522 +%patch403 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. %patch500 -p1 From 9e5d7d746497308e481a0edb30d0639164edf6df0f516a06c1a909249d5dbf10 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 24 Aug 2018 08:10:15 +0000 Subject: [PATCH 5/8] - Upgrade to docker-ce v18.06.1-ce. Upstream changelog: https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce bsc#1102522 - Remove patches that were merged upstream: - bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=262 --- _service | 4 +-- ...eceiving-of-signals-from-docker-kill.patch | 2 +- ...bber-docker-default-profile-on-start.patch | 2 +- bsc1100727-0001-build-add-buildmode-pie.patch | 2 +- ...-18.06-disable-containerd-CRI-plugin.patch | 36 ------------------- docker-18.06.0_ce.tar.xz | 3 -- docker-18.06.1_ce.tar.xz | 3 ++ docker.changes | 8 +++++ docker.spec | 12 +++---- ...-Add-private-registry-mirror-support.patch | 2 +- ...ow-directory-creation-in-run-secrets.patch | 2 +- ...USE-implement-SUSE-container-secrets.patch | 2 +- 12 files changed, 23 insertions(+), 55 deletions(-) delete mode 100644 bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch delete mode 100644 docker-18.06.0_ce.tar.xz create mode 100644 docker-18.06.1_ce.tar.xz diff --git a/_service b/_service index 0458f97..661ed9d 100644 --- a/_service +++ b/_service @@ -3,8 +3,8 @@ https://github.com/docker/docker-ce.git git .git - 18.06.0_ce - v18.06.0-ce + 18.06.1_ce + v18.06.1-ce docker diff --git a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch index 12c3bbb..71a5aad 100644 --- a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch +++ b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch @@ -1,4 +1,4 @@ -From 690b89f58f34dc03333988577d49bae04a11a27c Mon Sep 17 00:00:00 2001 +From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill' diff --git a/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch index ca1dc05..2755e61 100644 --- a/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch +++ b/bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch @@ -1,4 +1,4 @@ -From 45d68c6f85da51dc6e292ce09855e79794fd8984 Mon Sep 17 00:00:00 2001 +From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start diff --git a/bsc1100727-0001-build-add-buildmode-pie.patch b/bsc1100727-0001-build-add-buildmode-pie.patch index 310059d..ec9271e 100644 --- a/bsc1100727-0001-build-add-buildmode-pie.patch +++ b/bsc1100727-0001-build-add-buildmode-pie.patch @@ -1,4 +1,4 @@ -From 6cba061d6d42e2e40267dbf8628480ec0c5d376a Mon Sep 17 00:00:00 2001 +From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 30 Jul 2018 19:34:01 +1000 Subject: [PATCH] build: add -buildmode=pie diff --git a/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch b/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch deleted file mode 100644 index eb29911..0000000 --- a/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7ed2f5078916c4addd321d12bce49f40bf32680e Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Tue, 21 Aug 2018 19:42:53 +1000 -Subject: [PATCH] 18.06: disable containerd CRI plugin - -Docker 18.06 does not have a configuration option to disable the CRI -plugin, and this plugin is not very useful if containerd is not running -standalone. - -This patch disables the plugin if containerd is running as child-process -of dockerd. - -Signed-off-by: Sebastiaan van Stijn -Signed-off-by: Aleksa Sarai ---- - components/engine/libcontainerd/remote_daemon_linux.go | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/components/engine/libcontainerd/remote_daemon_linux.go b/components/engine/libcontainerd/remote_daemon_linux.go -index dc59eb8c14f0..34b04e299acd 100644 ---- a/components/engine/libcontainerd/remote_daemon_linux.go -+++ b/components/engine/libcontainerd/remote_daemon_linux.go -@@ -37,6 +37,10 @@ func (r *remote) setDefaults() { - if r.snapshotter == "" { - r.snapshotter = "overlay" - } -+ // Disable CRI plugin by default if containerd is managed as child-process -+ // of dockerd. See https://github.com/moby/moby/issues/37507 -+ r.DisabledPlugins = append(r.DisabledPlugins, "cri") -+ delete(r.pluginConfs.Plugins, "cri") - } - - func (r *remote) stopDaemon() { --- -2.18.0 - diff --git a/docker-18.06.0_ce.tar.xz b/docker-18.06.0_ce.tar.xz deleted file mode 100644 index fe2ff31..0000000 --- a/docker-18.06.0_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:df4b5d33d8a1d17c4707fe9610a33bd8a1618ae7a7d3a0fa0b8c38ed1d1d53e1 -size 8550432 diff --git a/docker-18.06.1_ce.tar.xz b/docker-18.06.1_ce.tar.xz new file mode 100644 index 0000000..70bfb8b --- /dev/null +++ b/docker-18.06.1_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0 +size 8561132 diff --git a/docker.changes b/docker.changes index c94cdf0..e0f7cc9 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Aug 22 09:54:57 UTC 2018 - asarai@suse.com + +- Upgrade to docker-ce v18.06.1-ce. Upstream changelog: + https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce bsc#1102522 +- Remove patches that were merged upstream: + - bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch + ------------------------------------------------------------------- Tue Aug 21 09:50:01 UTC 2018 - asarai@suse.com diff --git a/docker.spec b/docker.spec index 95ec63f..9a3a122 100644 --- a/docker.spec +++ b/docker.spec @@ -42,17 +42,17 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version f4ffd2511ce9 -%define git_commit_epoch 1508606827 +%define git_version e68fc7a215d7 +%define git_commit_epoch 1534871791 # These are the git commits required. We verify them against the source to make # sure we didn't miss anything important when doing upgrades. -%define required_containerd d64c661f1d51c48782c9cec8fda7604785f93587 +%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e %define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340 %define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b Name: %{realname}%{name_suffix} -Version: 18.06.0_ce +Version: 18.06.1_ce Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -82,8 +82,6 @@ Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker- Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727 Patch402: bsc1100727-0001-build-add-buildmode-pie.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/engine/pull/29. bsc#1102522 -Patch403: bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch # SUSE-FEATURE: Add support to mirror inofficial/private registries # (https://github.com/moby/moby/pull/34319) Patch500: private-registry-0001-Add-private-registry-mirror-support.patch @@ -263,8 +261,6 @@ docker container runtime configuration for kubeadm %patch401 -p1 # bsc#1100727 %patch402 -p1 -# bsc#1102522 -%patch403 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. %patch500 -p1 diff --git a/private-registry-0001-Add-private-registry-mirror-support.patch b/private-registry-0001-Add-private-registry-mirror-support.patch index 5a88ed4..48fefa7 100644 --- a/private-registry-0001-Add-private-registry-mirror-support.patch +++ b/private-registry-0001-Add-private-registry-mirror-support.patch @@ -1,4 +1,4 @@ -From a709df0266457218086de2747c70a1b001fe745f Mon Sep 17 00:00:00 2001 +From 46c2590f7637dba208b3db7e44c04e24f33c436d Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Mon, 2 Jul 2018 13:37:34 +0200 Subject: [PATCH] Add private-registry mirror support diff --git a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch index e11a185..18403e8 100644 --- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch +++ b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch @@ -1,4 +1,4 @@ -From 72ca29ce89146ac0c9a47881ebfc10883ed8ed39 Mon Sep 17 00:00:00 2001 +From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets diff --git a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch index 2ac6325..93b95fa 100644 --- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch +++ b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch @@ -1,4 +1,4 @@ -From 4b300d3fabe2c8fa7292967c63a83eb82a30925a Mon Sep 17 00:00:00 2001 +From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets From f46070fae3658e6136022fd18485d5463aac27bea8996ae318a2345dd1612589 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 24 Aug 2018 08:34:36 +0000 Subject: [PATCH 6/8] Accepting request 631254 from home:cyphar:containers:reproducible - Add patch to make package reproducible, which is a backport of https://github.com/docker/cli/pull/1306. boo#1047218 + bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch OBS-URL: https://build.opensuse.org/request/show/631254 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=263 --- ...DATE_EPOCH-when-generating-man-pages.patch | 58 +++++++++++++++++++ docker.changes | 7 +++ docker.spec | 4 ++ 3 files changed, 69 insertions(+) create mode 100644 bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch diff --git a/bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch b/bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch new file mode 100644 index 0000000..c0a2216 --- /dev/null +++ b/bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch @@ -0,0 +1,58 @@ +From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 23 Aug 2018 19:53:55 +1000 +Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages + +Previously our man pages included the current time each time they were +generated. This causes an issue for reproducible builds, since each +re-build of a package that includes the man pages will have different +times listed in the man pages. + +To fix this, add support for SOURCE_DATE_EPOCH (which is a standardised +packaging environment variable, designed to be used specifically for +this purpose[1]). spf13/cobra doesn't support this natively yet (though +I will push a patch for that as well), but it's simpler to fix it +directly in docker/cli. + +[1]: https://reproducible-builds.org/specs/source-date-epoch/ + +SUSE-Bugs: boo#1047218 +Signed-off-by: Aleksa Sarai +--- + components/cli/man/generate.go | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go +index 4197558a2225..4a3e98fb22c1 100644 +--- a/components/cli/man/generate.go ++++ b/components/cli/man/generate.go +@@ -6,6 +6,8 @@ import ( + "log" + "os" + "path/filepath" ++ "strconv" ++ "time" + + "github.com/docker/cli/cli/command" + "github.com/docker/cli/cli/command/commands" +@@ -24,6 +26,17 @@ func generateManPages(opts *options) error { + Source: "Docker Community", + } + ++ // If SOURCE_DATE_EPOCH is set, in order to allow reproducible package ++ // builds, we explicitly set the build time to SOURCE_DATE_EPOCH. ++ if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" { ++ unixEpoch, err := strconv.ParseInt(epoch, 10, 64) ++ if err != nil { ++ return fmt.Errorf("invalid SOURCE_DATE_EPOCH: %v", err) ++ } ++ now := time.Unix(unixEpoch, 0) ++ header.Date = &now ++ } ++ + stdin, stdout, stderr := term.StdStreams() + dockerCli := command.NewDockerCli(stdin, stdout, stderr, false) + cmd := &cobra.Command{Use: "docker"} +-- +2.18.0 + diff --git a/docker.changes b/docker.changes index e0f7cc9..43b0f03 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Aug 24 08:17:41 UTC 2018 - asarai@suse.com + +- Add patch to make package reproducible, which is a backport of + https://github.com/docker/cli/pull/1306. boo#1047218 + + bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch + ------------------------------------------------------------------- Wed Aug 22 09:54:57 UTC 2018 - asarai@suse.com diff --git a/docker.spec b/docker.spec index 9a3a122..a35e775 100644 --- a/docker.spec +++ b/docker.spec @@ -82,6 +82,8 @@ Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker- Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727 Patch402: bsc1100727-0001-build-add-buildmode-pie.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218 +Patch403: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch # SUSE-FEATURE: Add support to mirror inofficial/private registries # (https://github.com/moby/moby/pull/34319) Patch500: private-registry-0001-Add-private-registry-mirror-support.patch @@ -261,6 +263,8 @@ docker container runtime configuration for kubeadm %patch401 -p1 # bsc#1100727 %patch402 -p1 +# boo#1047218 +%patch403 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. %patch500 -p1 From bf689df1d5744fbe531c4d683242353cb879bfc306dab1f28d67591d8fd145d6 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Tue, 4 Sep 2018 07:47:12 +0000 Subject: [PATCH 7/8] Accepting request 632970 from home:RBrownSUSE:branches:Virtualization:containers Please accept and forward to factory quickly, needed for Staging H OBS-URL: https://build.opensuse.org/request/show/632970 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=264 --- docker.changes | 5 +++++ docker.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/docker.changes b/docker.changes index 43b0f03..686139d 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Sep 4 07:32:47 UTC 2018 - rbrown@suse.com + +- ExcludeArch i586 for docker-kubic-kubeadm-criconfig subpackage + ------------------------------------------------------------------- Fri Aug 24 08:17:41 UTC 2018 - asarai@suse.com diff --git a/docker.spec b/docker.spec index a35e775..761c5a4 100644 --- a/docker.spec +++ b/docker.spec @@ -238,6 +238,7 @@ Test package for docker. It contains the source code and the tests. %package kubeadm-criconfig Summary: docker container runtime configuration for kubeadm Group: System/Management +ExcludeArch: i586 Requires: kubernetes-kubeadm Requires(post): %fillup_prereq Supplements: docker-kubic From 1754fa7fc7101b648c6535b4d97a70065d58928e0b351e322bee9068ba33cf1f Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Tue, 4 Sep 2018 08:34:39 +0000 Subject: [PATCH 8/8] Accepting request 632983 from home:RBrownSUSE:branches:Virtualization:containers attempt #2 OBS-URL: https://build.opensuse.org/request/show/632983 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=265 --- docker.changes | 5 +++++ docker.spec | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docker.changes b/docker.changes index 686139d..9d6c117 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Sep 4 08:32:43 UTC 2018 - rbrown@suse.com + +- ExcludeArch i586 for entire docker-kubic flavour + ------------------------------------------------------------------- Tue Sep 4 07:32:47 UTC 2018 - rbrown@suse.com diff --git a/docker.spec b/docker.spec index 761c5a4..62d0a72 100644 --- a/docker.spec +++ b/docker.spec @@ -152,6 +152,8 @@ Conflicts: %{realname} Provides: %{realname} = %{version} # Kubernetes requires cri-runtime, which should be provided only by the -kubic flavour of this package Provides: cri-runtime +# No i586 Kubernetes, so docker-kubic must not be built for i586 also +ExcludeArch: i586 %endif %description @@ -238,7 +240,6 @@ Test package for docker. It contains the source code and the tests. %package kubeadm-criconfig Summary: docker container runtime configuration for kubeadm Group: System/Management -ExcludeArch: i586 Requires: kubernetes-kubeadm Requires(post): %fillup_prereq Supplements: docker-kubic