Accepting request 632984 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/632984
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=80
Dominique Leuenberger 2018-09-05 11:46:40 +00:00 committed by Git OBS Bridge
commit 4e61c95de6
19 changed files with 1573 additions and 464 deletions

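--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,3 @@
+<multibuild>
+<package>kubic</package>
+</multibuild>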


@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker-ce.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">17.09.1_ce</param>
<param name="revision">v17.09.1-ce</param>
<param name="versionformat">18.06.1_ce</param>
<param name="revision">v18.06.1-ce</param>
<param name="filename">docker</param>
</service>
<service name="recompress" mode="disabled">


@ -1,243 +0,0 @@
From e57d7270deb50c31ac1f732d8f28812e5b809062 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 16 Nov 2017 17:09:16 +1100
Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
dm_task_deferred_remove is not supported by all distributions, due to
out-dated versions of devicemapper. However, in the case where the
devicemapper library was updated without rebuilding Docker (which can
happen in some distributions) then we should attempt to dynamically load
the relevant object rather than try to link to it.
This can only be done if Docker was built dynamically, for obvious
reasons.
In order to avoid having issues arise when dlsym(3) was unnecessary,
gate the whole dlsym(3) logic behind a buildflag that we disable by
default (libdm_dlsym_deferred_remove).
SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/hack/make.sh | 12 +-
...> devmapper_wrapper_dynamic_deferred_remove.go} | 10 +-
...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++
.../devmapper_wrapper_no_deferred_remove.go | 6 +-
4 files changed, 149 insertions(+), 7 deletions(-)
rename components/engine/pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%)
create mode 100644 components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
index 58e0d8cd628a..3b78ddef30b0 100755
--- a/components/engine/hack/make.sh
+++ b/components/engine/hack/make.sh
@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
exit 1
fi
+# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
+# contains a word starting from $1_
+add_buildtag() {
+ [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
+}
+
if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
DOCKER_BUILDTAGS+=" journald"
elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
@@ -127,12 +133,14 @@ if \
fi
# test whether "libdevmapper.h" is new enough to support deferred remove
-# functionality.
+# functionality. We favour libdm_dlsym_deferred_remove over
+# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
+# with a newer libdevmapper than the one it was built wih.
if \
command -v gcc &> /dev/null \
&& ! ( echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
; then
- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
+ add_buildtag libdm dlsym_deferred_remove
fi
# Use these flags when compiling the tests and final binary
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
similarity index 78%
rename from components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
rename to components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
index 7f793c270868..bf57371ff4cf 100644
--- a/components/engine/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
@@ -1,11 +1,15 @@
-// +build linux,cgo,!libdm_no_deferred_remove
+// +build linux,cgo,!static_build
+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
package devicemapper
-// #include <libdevmapper.h>
+/*
+#include <libdevmapper.h>
+*/
import "C"
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
const LibraryDeferredRemovalSupport = true
func dmTaskDeferredRemoveFct(task *cdmTask) int {
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
new file mode 100644
index 000000000000..5dfb369f1ff8
--- /dev/null
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
@@ -0,0 +1,128 @@
+// +build linux,cgo,!static_build
+// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
+
+package devicemapper
+
+/*
+#cgo LDFLAGS: -ldl
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <libdevmapper.h>
+
+// Yes, I know this looks scary. In order to be able to fill our own internal
+// dm_info with deferred_remove we need to have a struct definition that is
+// correct (regardless of the version of libdm that was used to compile it). To
+// this end, we define struct_backport_dm_info. This code comes from lvm2, and
+// I have verified that the structure has only ever had elements *appended* to
+// it (since 2001).
+//
+// It is also important that this structure be _larger_ than the dm_info that
+// libdevmapper expected. Otherwise libdm might try to write to memory it
+// shouldn't (they don't have a "known size" API).
+struct backport_dm_info {
+ int exists;
+ int suspended;
+ int live_table;
+ int inactive_table;
+ int32_t open_count;
+ uint32_t event_nr;
+ uint32_t major;
+ uint32_t minor;
+ int read_only;
+
+ int32_t target_count;
+
+ int deferred_remove;
+ int internal_suspend;
+
+ // Padding, purely for our own safety. This is to avoid cases where libdm
+ // was updated underneath us and we call into dm_task_get_info() with too
+ // small of a buffer.
+ char _[512];
+};
+
+// We have to wrap this in CGo, because Go really doesn't like function pointers.
+int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
+{
+ int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
+ return _dm_task_deferred_remove(task);
+}
+*/
+import "C"
+
+import (
+ "unsafe"
+
+ "github.com/sirupsen/logrus"
+)
+
+// dm_task_deferred_remove is not supported by all distributions, due to
+// out-dated versions of devicemapper. However, in the case where the
+// devicemapper library was updated without rebuilding Docker (which can happen
+// in some distributions) then we should attempt to dynamically load the
+// relevant object rather than try to link to it.
+
+// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
+// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
+// is currently loaded.
+var dmTaskDeferredRemovePtr unsafe.Pointer
+
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation. This value is fixed during init.
+var LibraryDeferredRemovalSupport bool
+
+func init() {
+ // Clear any errors.
+ var err *C.char
+ C.dlerror()
+
+ // The symbol we want to fetch.
+ symName := C.CString("dm_task_deferred_remove")
+ defer C.free(unsafe.Pointer(symName))
+
+ // See if we can find dm_task_deferred_remove. Since we already are linked
+ // to libdevmapper, we can search our own address space (rather than trying
+ // to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
+ // is not available in CGO (even if you set _GNU_SOURCE for some reason).
+ // The semantics are identical on glibc.
+ sym := C.dlsym(nil, symName)
+ err = C.dlerror()
+ if err != nil {
+ logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
+ return
+ }
+
+ logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
+ dmTaskDeferredRemovePtr = sym
+ LibraryDeferredRemovalSupport = true
+}
+
+func dmTaskDeferredRemoveFct(task *cdmTask) int {
+ sym := dmTaskDeferredRemovePtr
+ if sym == nil || !LibraryDeferredRemovalSupport {
+ return -1
+ }
+ return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
+}
+
+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
+ if !LibraryDeferredRemovalSupport {
+ return -1
+ }
+
+ Cinfo := C.struct_backport_dm_info{}
+ defer func() {
+ info.Exists = int(Cinfo.exists)
+ info.Suspended = int(Cinfo.suspended)
+ info.LiveTable = int(Cinfo.live_table)
+ info.InactiveTable = int(Cinfo.inactive_table)
+ info.OpenCount = int32(Cinfo.open_count)
+ info.EventNr = uint32(Cinfo.event_nr)
+ info.Major = uint32(Cinfo.major)
+ info.Minor = uint32(Cinfo.minor)
+ info.ReadOnly = int(Cinfo.read_only)
+ info.TargetCount = int32(Cinfo.target_count)
+ info.DeferredRemove = int(Cinfo.deferred_remove)
+ }()
+ return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
+}
diff --git a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
index a880fec8c499..80b034b3ff17 100644
--- a/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
+++ b/components/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
@@ -1,8 +1,10 @@
-// +build linux,cgo,libdm_no_deferred_remove
+// +build linux,cgo
+// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
package devicemapper
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
const LibraryDeferredRemovalSupport = false
func dmTaskDeferredRemoveFct(task *cdmTask) int {
--
2.16.1


@ -0,0 +1,58 @@
From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 23 Aug 2018 19:53:55 +1000
Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
Previously our man pages included the current time each time they were
generated. This causes an issue for reproducible builds, since each
re-build of a package that includes the man pages will have different
times listed in the man pages.
To fix this, add support for SOURCE_DATE_EPOCH (which is a standardised
packaging environment variable, designed to be used specifically for
this purpose[1]). spf13/cobra doesn't support this natively yet (though
I will push a patch for that as well), but it's simpler to fix it
directly in docker/cli.
[1]: https://reproducible-builds.org/specs/source-date-epoch/
SUSE-Bugs: boo#1047218
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/cli/man/generate.go | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
index 4197558a2225..4a3e98fb22c1 100644
--- a/components/cli/man/generate.go
+++ b/components/cli/man/generate.go
@@ -6,6 +6,8 @@ import (
"log"
"os"
"path/filepath"
+ "strconv"
+ "time"
"github.com/docker/cli/cli/command"
"github.com/docker/cli/cli/command/commands"
@@ -24,6 +26,17 @@ func generateManPages(opts *options) error {
Source: "Docker Community",
}
+ // If SOURCE_DATE_EPOCH is set, in order to allow reproducible package
+ // builds, we explicitly set the build time to SOURCE_DATE_EPOCH.
+ if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" {
+ unixEpoch, err := strconv.ParseInt(epoch, 10, 64)
+ if err != nil {
+ return fmt.Errorf("invalid SOURCE_DATE_EPOCH: %v", err)
+ }
+ now := time.Unix(unixEpoch, 0)
+ header.Date = &now
+ }
+
stdin, stdout, stderr := term.StdStreams()
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
cmd := &cobra.Command{Use: "docker"}
--
2.18.0
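Review bot: `now := time.Unix(unixEpoch, 0)` produces a Time in the build host's local zone, so the man-page date derived from SOURCE_DATE_EPOCH can still differ between hosts whose TZ offsets straddle a day or month boundary, which undercuts the reproducibility goal stated in the patch description; `now := time.Unix(unixEpoch, 0).UTC()` pins it. The SOURCE_DATE_EPOCH spec linked in the description defines the value as a non-negative integer, so rejecting `unixEpoch < 0` alongside the parse error would keep a malformed value from silently yielding a pre-1970 date. generateManPages starts before the hunk and continues after it.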


@ -1,95 +0,0 @@
From ff7b94c76f343931463b5916fb3fbd2610869a1a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 15 Oct 2017 17:06:20 +1100
Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
When runc is bind-mounting a particular path "with options", it has to
do so by first creating a bind-mount and the modifying the options of
said bind-mount via remount. However, in a user namespace, there are
restrictions on which flags you can change with a remount (due to
CL_UNPRIVILEGED being set in this instance). Docker historically has
ignored this, and as a result, internal Docker mounts (such as secrets)
haven't worked with --userns-remap. Fix this by preserving
CL_UNPRIVILEGED mount flags when Docker is spawning containers with user
namespaces enabled.
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1055676
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/daemon/oci_linux.go | 46 +++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
index 6917b4841429..936cb8f998ca 100644
--- a/components/engine/daemon/oci_linux.go
+++ b/components/engine/daemon/oci_linux.go
@@ -27,6 +27,7 @@ import (
"github.com/opencontainers/runc/libcontainer/user"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
var (
@@ -469,6 +470,38 @@ func ensureSharedOrSlave(path string) error {
return nil
}
+// Get the set of mount flags that are set on the mount that contains the given
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
+// bind-mounting "with options" will not fail with user namespaces, due to
+// kernel restrictions that require user namespace mounts to preserve
+// CL_UNPRIVILEGED locked flags.
+func getUnprivilegedMountFlags(path string) ([]string, error) {
+ var statfs unix.Statfs_t
+ if err := unix.Statfs(path, &statfs); err != nil {
+ return nil, err
+ }
+
+ // The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
+ unprivilegedFlags := map[uint64]string{
+ unix.MS_RDONLY: "ro",
+ unix.MS_NODEV: "nodev",
+ unix.MS_NOEXEC: "noexec",
+ unix.MS_NOSUID: "nosuid",
+ unix.MS_NOATIME: "noatime",
+ unix.MS_RELATIME: "relatime",
+ unix.MS_NODIRATIME: "nodiratime",
+ }
+
+ var flags []string
+ for mask, flag := range unprivilegedFlags {
+ if uint64(statfs.Flags)&mask == mask {
+ flags = append(flags, flag)
+ }
+ }
+
+ return flags, nil
+}
+
var (
mountPropagationMap = map[string]int{
"private": mount.PRIVATE,
@@ -586,6 +619,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
opts = append(opts, mountPropagationReverseMap[pFlag])
}
+ // If we are using user namespaces, then we must make sure that we
+ // don't drop any of the CL_UNPRIVILEGED "locked" flags of the source
+ // "mount" when we bind-mount. The reason for this is that at the point
+ // when runc sets up the root filesystem, it is already inside a user
+ // namespace, and thus cannot change any flags that are locked.
+ if daemon.configStore.RemappedRoot != "" {
+ unprivOpts, err := getUnprivilegedMountFlags(m.Source)
+ if err != nil {
+ return err
+ }
+ opts = append(opts, unprivOpts...)
+ }
+
mt.Options = opts
s.Mounts = append(s.Mounts, mt)
}
--
2.16.1


@ -1,4 +1,4 @@
From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
@ -15,7 +15,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 6 insertions(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..082638e85903 100644
index c00a3f70e993..772c4a4873f6 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@ -32,5 +32,5 @@ index c5ea4584de6b..082638e85903 100644
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
--
2.17.1
2.18.0


@ -1,4 +1,4 @@
From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
@ -21,7 +21,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go
index 2a418b25c241..c3e271ee4774 100644
index 461f5c7f96b2..8f21c5c0c566 100644
--- a/components/engine/daemon/apparmor_default.go
+++ b/components/engine/daemon/apparmor_default.go
@@ -14,6 +14,15 @@ const (
@ -53,12 +53,12 @@ index 2a418b25c241..c3e271ee4774 100644
return nil
}
diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go
index cd2dd9702ef2..17584063c711 100644
index 51f9c526b350..97d7758442ee 100644
--- a/components/engine/daemon/apparmor_default_unsupported.go
+++ b/components/engine/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
package daemon
package daemon // import "github.com/docker/docker/daemon"
+func clobberDefaultAppArmorProfile() error {
+ return nil
@ -68,10 +68,10 @@ index cd2dd9702ef2..17584063c711 100644
return nil
}
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index a11a1f8691cc..6f8846b19f57 100644
index 5e5f586ae085..6ca6a7aaa268 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
}
@ -83,5 +83,5 @@ index a11a1f8691cc..6f8846b19f57 100644
}
--
2.17.1
2.18.0


@ -1,4 +1,4 @@
From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001
From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 30 Jul 2018 19:34:01 +1000
Subject: [PATCH] build: add -buildmode=pie
@ -7,6 +7,7 @@ Make all dynbinary builds be position-independent (this adds both
security benefits and can help with flaky builds on POWER
architectures).
SUSE-Bugs: bsc#1100727
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/cli/scripts/build/dynbinary | 2 +-


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
size 6237800

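--- /dev/null
+++ b/docker-18.06.1_ce.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0
+size 8561132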


@ -0,0 +1,4 @@
[Service]
# Put docker under the podruntime slice. This the recommended
# deployment to allow fine resource control on Kubernetes.
Slice=podruntime.slice
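Review bot: The comment above `Slice=podruntime.slice` is missing a verb; it should read `# Put docker under the podruntime slice. This is the recommended`. The section header for this drop-in is not shown in the rendering, but the spec's `Source2: docker-kubic-service.conf` line and its bsc#1086185 comment presumably refer to this file, so the same wording fix belongs wherever that text was copied from.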


@ -1,7 +1,9 @@
addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib64/docker/dockerinit")
addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash")
addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib/docker/dockerinit")
addFilter ("^docker.x86_64: W: unstripped-binary-or-object /usr/lib/docker/dockerinit")
addFilter ("^docker.x86_64: W: no-manual-page-for-binary docker")
addFilter ("^docker.x86_64: W: no-manual-page-for-binary nsinit")
addFilter ("^docker-test.*")
# This is intentional, since we use _multibuild for the flavours.
addFilter ("^docker-kubic.src: W: invalid-spec-name")
# The #! comes from upstream.
addFilter ("^docker(-kubic)?-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash")
addFilter ("^docker(-kubic)?-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh")
# -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package.
addFilter ("^docker(-kubic)?-test.*")
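Review bot: The comment above the last filter misspells "pseudo"; it should read `# -test is something that is used internally and isn't actually shipped -- it's a pseudo-source package.`. The `docker.x86_64:` filters that survive this hunk (the rendering does not show which of them are kept) still use the unsuffixed package name, so they will not match the `docker-kubic` flavour's binaries; if that is intended, a short comment like the ones added here would make it explicit.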


@ -1,3 +1,76 @@
-------------------------------------------------------------------
Tue Sep 4 08:32:43 UTC 2018 - rbrown@suse.com
- ExcludeArch i586 for entire docker-kubic flavour
-------------------------------------------------------------------
Tue Sep 4 07:32:47 UTC 2018 - rbrown@suse.com
- ExcludeArch i586 for docker-kubic-kubeadm-criconfig subpackage
-------------------------------------------------------------------
Fri Aug 24 08:17:41 UTC 2018 - asarai@suse.com
- Add patch to make package reproducible, which is a backport of
https://github.com/docker/cli/pull/1306. boo#1047218
+ bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
-------------------------------------------------------------------
Wed Aug 22 09:54:57 UTC 2018 - asarai@suse.com
- Upgrade to docker-ce v18.06.1-ce. Upstream changelog:
https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce bsc#1102522
- Remove patches that were merged upstream:
- bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
-------------------------------------------------------------------
Tue Aug 21 09:50:01 UTC 2018 - asarai@suse.com
- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce
upgrade. This is a potential security issue (the CRI plugin was enabled by
default, which listens on a TCP port bound to 0.0.0.0) that will be fixed
upstream in the 18.06.1-ce upgrade. bsc#1102522
+ bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
-------------------------------------------------------------------
Tue Aug 21 09:39:57 UTC 2018 - rbrown@suse.com
- Kubic: Make crio default, docker as alternative runtime
(boo#1104821)
- Provide kubernetes CRI config with docker-kubic-kubeadm-criconfig
subpackage
-------------------------------------------------------------------
Thu Aug 16 02:00:31 UTC 2018 - asarai@suse.com
- Merge -kubic packages back into the main Virtualization:containers packages.
This is done using _multibuild to add a "kubic" flavour, which is then used
to conditionally compile patches and other kubic-specific features.
bsc#1105000
- Rework docker-rpmlintrc with the new _multibuild setup.
-------------------------------------------------------------------
Wed Aug 1 09:40:59 UTC 2018 - asarai@suse.com
- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage
to work with Docker and containerd. fate#325877
-------------------------------------------------------------------
Tue Jul 31 09:48:16 UTC 2018 - asarai@suse.com
- Upgrade to docker-ce v18.06.0-ce. bsc#1102522
- Remove systemd-service dependency on containerd, which is now being started
by dockerd to align with upstream defaults.
- Removed the following patches as they are merged upstream:
- bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
- bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
- Rebased the following patches:
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
* bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
* bsc1100727-0001-build-add-buildmode-pie.patch
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
-------------------------------------------------------------------
Mon Jul 30 09:44:47 UTC 2018 - asarai@suse.com
@ -14,11 +87,6 @@ Fri Jun 29 08:35:56 UTC 2018 - asarai@suse.com
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+ bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
-------------------------------------------------------------------
Wed Jun 13 10:19:23 UTC 2018 - dcassany@suse.com
- Make use of %license macro
-------------------------------------------------------------------
Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com
@ -26,6 +94,11 @@ Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com
between in-container processes. bsc#1073877
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
-------------------------------------------------------------------
Tue Jun 5 08:41:07 UTC 2018 - dcassany@suse.com
- Make use of %license macro
-------------------------------------------------------------------
Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com
@ -41,6 +114,18 @@ Tue May 29 08:10:48 UTC 2018 - asarai@suse.com
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
-------------------------------------------------------------------
Wed May 16 10:12:56 UTC 2018 - jmassaguerpla@suse.com
- Review Obsoletes to fix bsc#1080978
-------------------------------------------------------------------
Thu Apr 12 12:49:25 UTC 2018 - fcastelli@suse.com
- Put docker under the podruntime slice. This the recommended
deployment to allow fine resource control on Kubernetes.
bsc#1086185
-------------------------------------------------------------------
Tue Apr 10 09:25:43 UTC 2018 - mmeister@suse.com
@ -66,6 +151,13 @@ Tue Mar 27 10:13:41 UTC 2018 - asarai@suse.com
- Add requirement for catatonit, which provides a docker-init implementation.
fate#324652 bsc#1085380
-------------------------------------------------------------------
Thu Mar 8 13:14:54 UTC 2018 - vrothberg@suse.com
- Fix private-registry-0001-Add-private-registry-mirror-support.patch to
deal corretly with TLS configs of 3rd party registries.
fix bsc#1084533
-------------------------------------------------------------------
Tue Feb 13 10:45:58 UTC 2018 - asarai@suse.com
@ -75,9 +167,40 @@ Tue Feb 13 10:45:58 UTC 2018 - asarai@suse.com
patch maintenance is much simpler.
* bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
* bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
* private-registry-0001-Add-private-registry-mirror-support.patch
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
-------------------------------------------------------------------
Mon Feb 12 10:52:33 UTC 2018 - rbrown@suse.com
- Add ${version} to equivalent non-kubic package provides
-------------------------------------------------------------------
Thu Feb 8 12:34:51 UTC 2018 - rbrown@suse.com
- Add Provides for equivalent non-kubic packages
-------------------------------------------------------------------
Tue Jan 30 12:27:44 UTC 2018 - vrothberg@suse.com
- Disable all tests for docker/client and docker/pkg/discovery. The unit tests
of those packages broke reproducibly the builds in IBS.
-------------------------------------------------------------------
Mon Jan 29 14:39:02 UTC 2018 - vrothberg@suse.com
- Disable flaky tests github.com/docker/docker/pkg/discovery/kv.
-------------------------------------------------------------------
Fri Jan 26 07:15:53 UTC 2018 - vrothberg@suse.com
- Add patch to support mirroring of private/non-upstream registries. As soon as
the upstream PR (https://github.com/moby/moby/pull/34319) is merged, this
patch will be replaced by the backported one from upstream.
+ private-registry-0001-Add-private-registry-mirror-support.patch
fix bsc#1074971
-------------------------------------------------------------------
Fri Jan 19 14:12:32 UTC 2018 - asarai@suse.com


@ -1,8 +1,7 @@
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service
Requires=containerd.socket containerd.service
After=network.target lvm2-monitor.service SuSEfirewall2.service
[Service]
EnvironmentFile=/etc/sysconfig/docker
@ -11,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker
# enabled by default because enabling socket activation means that on boot your
# containers won't start until someone tries to administer the Docker daemon.
Type=notify
ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead


@ -26,32 +26,46 @@
%define _fillupdir /var/adm/fillup-templates
%endif
# Handle _multibuild magic.
%define flavour @BUILD_FLAVOR@%{nil}
# We split the Name: into "realname" and "name_suffix".
%define realname docker
%if "%flavour" == ""
%define name_suffix %{nil}
%else
%define name_suffix -%{flavour}
%endif
# Used when generating the "build" information for Docker version. The value of
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version f4ffd2511ce9
%define git_commit_epoch 1508606827
%define git_version e68fc7a215d7
%define git_commit_epoch 1534871791
# These are the git commits required. We verify them against the source to make
# sure we didn't miss anything important when doing upgrades.
%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
Name: docker
Version: 17.09.1_ce
Name: %{realname}%{name_suffix}
Version: 18.06.1_ce
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
Group: System/Management
Url: http://www.docker.io
# TODO(VR): check those SOURCE files below
Source: %{name}-%{version}.tar.xz
Source: %{realname}-%{version}.tar.xz
Source1: docker.service
# bsc#1086185 -- but we only apply this on Kubic.
Source2: docker-kubic-service.conf
Source3: 80-docker.rules
Source4: sysconfig.docker
Source5: kubelet.env
Source6: docker-rpmlintrc
Source7: README_SUSE.md
Source8: docker-audit.rules
@ -62,16 +76,17 @@ Source9: tests.sh
# branch in http://github.com/suse/docker.mirror.
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
Patch404: bsc1100727-0001-build-add-buildmode-pie.patch
Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
Patch403: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
# SUSE-FEATURE: Add support to mirror inofficial/private registries
# (https://github.com/moby/moby/pull/34319)
Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@ -79,21 +94,7 @@ BuildRequires: device-mapper-devel >= 1.2.68
BuildRequires: glibc-devel-static
BuildRequires: libapparmor-devel
BuildRequires: libbtrfs-devel >= 3.8
# enable libseccomp for sle >= sle12sp2
%if 0%{?sle_version} >= 120200
%define with_libseccomp 1
%endif
# enable libseccomp for leap >= 42.2
%if 0%{?leap_version} >= 420200
%define with_libseccomp 1
%endif
# enable libseccomp for Factory
%if 0%{?suse_version} > 1320
%define with_libseccomp 1
%endif
%if 0%{?with_libseccomp}
BuildRequires: libseccomp-devel
%endif
BuildRequires: libseccomp-devel >= 2.2
BuildRequires: libtool
BuildRequires: procps
BuildRequires: sqlite3-devel
@ -104,14 +105,14 @@ Requires: ca-certificates-mozilla
# Required in order for networking to work. fix_bsc_1057743 is a work-around
# for some old packaging issues (where rpm would delete a binary that was
# installed by docker-libnetwork). See bsc#1057743 for more details.
Requires: docker-libnetwork-git = %{required_libnetwork}
Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork}
Requires: fix_bsc_1057743
# Containerd and runC are required as they are the only currently supported
# execdrivers of Docker. NOTE: The version pinning here matches upstream's
# vendor.conf to ensure that we don't use a slightly incompatible version of
# runC or containerd (which would be bad).
Requires: containerd-git = %{required_containerd}
Requires: docker-runc-git = %{required_dockerrunc}
Requires: containerd%{name_suffix}-git = %{required_containerd}
Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc}
# Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better.
Requires: catatonit
@ -134,11 +135,26 @@ Obsoletes: docker-image-migrator
# different storage-driver than devicemapper
Recommends: lvm2 >= 2.2.89
Conflicts: lxc < 1.0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExcludeArch: s390 ppc
# Make sure we build with go 1.8
# Make sure we build with go 1.10
BuildRequires: go-go-md2man
BuildRequires: golang(API) = 1.8
BuildRequires: golang(API) = 1.10
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using
# -kubic packages. Hopfully it can be removed one day.
%if "%flavour" == "kubic"
# Obsolete old packege without the -kubic suffix
Obsoletes: %{realname} = 1.12.6
Obsoletes: %{realname}_1_12_6
# Conflict with non-kubic package, and provide equivalent
Conflicts: %{realname}
Provides: %{realname} = %{version}
# Kubernetes requires cri-runtime, which should be provided only by the -kubic flavour of this package
Provides: cri-runtime
# No i586 Kubernetes, so docker-kubic must not be built for i586 also
ExcludeArch: i586
%endif
%description
Docker complements LXC with a high-level API which operates at the process
@ -153,8 +169,19 @@ service-oriented architectures, etc.
Summary: Bash Completion for %{name}
Group: System/Management
Requires: %{name} = %{version}
Supplements: packageand(docker:bash-completion)
Supplements: packageand(%{name}:bash-completion)
BuildArch: noarch
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using
# -kubic packages. Hopfully it can be removed one day.
%if "%flavour" == "kubic"
# Obsolete old packege without the -kubic suffix
Obsoletes: %{realname}-bash-completion = 1.12.6
# Conflict with non-kubic package, and provide equivalent
Conflicts: %{realname}-bash-completion > 1.12.6
Provides: %{realname}-bash-completion = %{version}
%endif
%description bash-completion
Bash command line completion support for %{name}.
@ -163,8 +190,19 @@ Bash command line completion support for %{name}.
Summary: Zsh Completion for %{name}
Group: System/Management
Requires: %{name} = %{version}
Supplements: packageand(docker:zsh)
Supplements: packageand(%{name}:zsh)
BuildArch: noarch
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using
# -kubic packages. Hopfully it can be removed one day.
%if "%flavour" == "kubic"
# Obsolete old packege without the -kubic suffix
Obsoletes: %{realname}-zsh-completion = 1.12.6
# Conflict with non-kubic package, and provide equivalent
Conflicts: %{realname}-zsh-completion > 1.12.6
Provides: %{realname}-zsh-completion = %{version}
%endif
%description zsh-completion
Zsh command line completion support for %{name}.
@ -183,12 +221,37 @@ Requires: libbtrfs-devel >= 3.8
Requires: procps
Requires: sqlite3-devel
Requires: golang(API) = 1.8
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using
# -kubic packages. Hopfully it can be removed one day.
%if "%flavour" == "kubic"
# Obsolete old packege without the -kubic suffix
Obsoletes: %{realname}-test = 1.12.6
# Conflict with non-kubic package, and provide equivalent
Conflicts: %{realname}-test > 1.12.6
Provides: %{realname}-test = %{version}
%endif
%description test
Test package for docker. It contains the source code and the tests.
%if "%flavour" == "kubic"
%package kubeadm-criconfig
Summary: docker container runtime configuration for kubeadm
Group: System/Management
Requires: kubernetes-kubeadm
Requires(post): %fillup_prereq
Supplements: docker-kubic
Provides: kubernetes-kubeadm-criconfig
Conflicts: cri-o-kubeadm-criconfig
%description kubeadm-criconfig
docker container runtime configuration for kubeadm
%endif
%prep
%setup -q
%setup -q -n %{realname}-%{version}
%if 0%{?is_opensuse}
# nothing
%else
@ -196,25 +259,24 @@ Test package for docker. It contains the source code and the tests.
%patch200 -p1
%patch201 -p1
%endif
# bsc#1055676
%patch400 -p1
# bsc#1021227 bsc#1029320 bsc#1058173
%patch401 -p1
# bsc#1073877
%patch402 -p1
%patch400 -p1
# bsc#1099277
%patch403 -p1
%patch401 -p1
# bsc#1100727
%patch404 -p1
%patch402 -p1
# boo#1047218
%patch403 -p1
%if "%flavour" == "kubic"
# PATCH-SUSE: Mirror patch.
%patch500 -p1
%endif
cp %{SOURCE7} .
cp %{SOURCE9} .
%build
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
%if 0%{?with_libseccomp}
BUILDTAGS="seccomp $BUILDTAGS"
%endif
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
%if 0%{?sle_version} == 120000
# Provided by patch406, to allow us to build with older distros but still
# have deferred removal support at runtime. We only use this when building
@ -279,9 +341,9 @@ cd ../..
# of the upstream vendoring scripts. This is done on-build to make sure that
# someone doing an update didn't miss anything.
cd components/engine
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/install/runc.installer
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer
%install
install -d %{buildroot}%{go_contribdir}
@ -293,8 +355,8 @@ install -Dd -m 0755 \
%{buildroot}%{_sysconfdir}/init.d \
%{buildroot}%{_sbindir}
install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{name}"
install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{name}"
install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{realname}"
install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{realname}"
# copy all for the test package
install -d %{buildroot}%{_prefix}/src/docker/
cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine
@ -303,17 +365,20 @@ cp -a components/cli/. %{buildroot}%{_prefix}/src/docker/cli
#
# systemd service
#
install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service
%if "%flavour" == "kubic"
install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf
%endif
ln -sf service %{buildroot}%{_sbindir}/rcdocker
#
# udev rules that prevents dolphin to show all docker devices and slows down
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
#
install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
# audit rules
install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
# sysconfig file
install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker
@ -326,21 +391,42 @@ install -p -m 644 components/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/ma
install -d %{buildroot}%{_mandir}/man8
install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8
%if "%flavour" == "kubic"
# place kubelet.env in fillupdir (for kubeadm-criconfig)
install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet
%endif
%fdupes %{buildroot}
%pre
getent group docker >/dev/null || groupadd -r docker
%service_add_pre %{name}.service
%service_add_pre %{realname}.service
%post
%service_add_post %{name}.service
%service_add_post %{realname}.service
%{fillup_only -n docker}
# NOTE: This is a pretty hacky way of getting around the fact we've removed
# containerd.service and now everything is spawned underneath Docker. In
# order to force containerd.service to be stopped on the upgrade we need
# to trick the systemd macros into thinking that this is an "uninstall".
# Hopefully we can remove this soon.
(
FIRST_ARG=0
%service_del_preun containerd.service containerd.socket
%service_del_postun containerd.service containerd.socket
)
%if "%flavour" == "kubic"
%post kubeadm-criconfig
%fillup_only -n kubelet
%endif
%preun
%service_del_preun %{name}.service
%service_del_preun %{realname}.service
%postun
%service_del_postun %{name}.service
%service_del_postun %{realname}.service
%files
%defattr(-,root,root)
@ -349,9 +435,13 @@ getent group docker >/dev/null || groupadd -r docker
%{_bindir}/docker
%{_bindir}/dockerd
%{_sbindir}/rcdocker
%{_unitdir}/%{name}.service
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
%{_udevrulesdir}/80-%{name}.rules
%{_unitdir}/%{realname}.service
%if "%flavour" == "kubic"
%dir %{_unitdir}/%{realname}.service.d/
%{_unitdir}/%{realname}.service.d/90-kubic.conf
%endif
%config %{_sysconfdir}/audit/rules.d/%{realname}.rules
%{_udevrulesdir}/80-%{realname}.rules
%{_fillupdir}/sysconfig.docker
%dir %{_localstatedir}/lib/docker/
%{_mandir}/man1/docker-*.1%{ext_man}
@ -361,11 +451,11 @@ getent group docker >/dev/null || groupadd -r docker
%files bash-completion
%defattr(-,root,root)
%config %{_sysconfdir}/bash_completion.d/%{name}
%config %{_sysconfdir}/bash_completion.d/%{realname}
%files zsh-completion
%defattr(-,root,root)
%config %{_sysconfdir}/zsh_completion.d/%{name}
%config %{_sysconfdir}/zsh_completion.d/%{realname}
%files test
%defattr(-,root,root)
@ -379,4 +469,10 @@ getent group docker >/dev/null || groupadd -r docker
%exclude %{_prefix}/src/docker/engine/contrib/init/sysvinit-redhat
%exclude %{_prefix}/src/docker/engine/contrib/init/upstart
%if "%flavour" == "kubic"
%files kubeadm-criconfig
%defattr(-,root,root)
%{_fillupdir}/sysconfig.kubelet
%endif
%changelog

1
kubelet.env Normal file

@ -0,0 +1 @@
KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni"



@ -1,4 +1,4 @@
From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001
From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@ -14,26 +14,26 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
index 954c194ea836..3ef1e0262edc 100644
index bc7ee452332b..d34129dfd80b 100644
--- a/components/engine/daemon/container_operations_unix.go
+++ b/components/engine/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
package daemon
package daemon // import "github.com/docker/docker/daemon"
import (
+ "bytes"
"context"
"fmt"
"io/ioutil"
@@ -13,6 +14,7 @@ import (
@@ -14,6 +15,7 @@ import (
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/links"
"github.com/docker/docker/errdefs"
+ "github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/mount"
"github.com/docker/docker/pkg/stringid"
@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil {
return errors.Wrap(err, "unable to get secret from secret store")
}
@ -43,7 +43,7 @@ index 954c194ea836..3ef1e0262edc 100644
uid, err := strconv.Atoi(s.File.UID)
if err != nil {
@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err
}
@ -70,5 +70,5 @@ index 954c194ea836..3ef1e0262edc 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.17.0
2.18.0


@ -1,4 +1,4 @@
From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001
From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@ -10,36 +10,36 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/daemon/start.go | 5 +
components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++
2 files changed, 404 insertions(+)
components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++
2 files changed, 401 insertions(+)
create mode 100644 components/engine/daemon/suse_secrets.go
diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go
index 55438cf2c45f..7dfa6cd1d055 100644
index c00bd9ceb22b..aa705888df39 100644
--- a/components/engine/daemon/start.go
+++ b/components/engine/daemon/start.go
@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
return err
}
+ // SUSE:secrets -- inject the SUSE secret store
+ if err := daemon.injectSuseSecretStore(container); err != nil {
+ return err
+ return errdefs.System(err)
+ }
+
spec, err := daemon.createSpec(container)
if err != nil {
return systemError{err}
return errdefs.System(err)
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
new file mode 100644
index 000000000000..00e485368b47
index 000000000000..817cd5561023
--- /dev/null
+++ b/components/engine/daemon/suse_secrets.go
@@ -0,0 +1,399 @@
@@ -0,0 +1,396 @@
+/*
+ * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017 SUSE LLC.
@ -143,10 +143,6 @@ index 000000000000..00e485368b47
+ var suseFiles []*SuseFakeFile
+
+ path := filepath.Join(prefix, dir)
+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
+ // If the path doesn't exist at all we don't inject anything.
+ return nil, nil
+ }
+ fi, err := os.Stat(path)
+ if err != nil {
+ // Ignore dangling symlinks.
@ -263,10 +259,6 @@ index 000000000000..00e485368b47
+// readFile returns a secret given a file under a given prefix.
+func readFile(prefix, file string) ([]*SuseFakeFile, error) {
+ path := filepath.Join(prefix, file)
+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) {
+ // If the path doesn't exist at all we don't inject anything.
+ return nil, nil
+ }
+ fi, err := os.Stat(path)
+ if err != nil {
+ // Ignore dangling symlinks.
@ -430,7 +422,12 @@ index 000000000000..00e485368b47
+ // to the mount list. This causes clashes because of duplicate namespaces.
+ // If we see an existing mount that will clash with the in-built secrets
+ // mount we assume it's our fault.
+ for _, intendedMount := range c.SecretMounts() {
+ intendedMounts, err := c.SecretMounts()
+ if err != nil {
+ logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err)
+ return err
+ }
+ for _, intendedMount := range intendedMounts {
+ mountPath := intendedMount.Destination
+ if volume, ok := c.MountPoints[mountPath]; ok {
+ logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume)
@ -440,5 +437,5 @@ index 000000000000..00e485368b47
+ return nil
+}
--
2.17.0
2.18.0
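Review bot: The rebased secrets patch drops the `os.Lstat`/`os.IsNotExist` short-circuit from both readDir and readFile, so a missing secret path no longer returns `nil, nil` explicitly but falls into the `os.Stat` error branch, whose body is outside these hunks; if that branch ignores every error as a "dangling symlink" (as its comment suggests), a not-found path becomes indistinguishable from a permission or I/O failure and a secret that should have been injected is skipped with no record in the daemon log. Consider keeping the distinction, e.g. `if os.IsNotExist(err) { return nil, nil }` ahead of the generic handling, or at least logging non-ENOENT errors from `os.Stat` at debug level so a mis-permissioned host directory is visible. Separately, the new SecretMounts block in injectSuseSecretStore both logs the error with `logrus.Warnf` and returns it, and the caller in start.go wraps it again with `errdefs.System`, so one failure is reported twice; dropping the Warnf and letting the caller's wrapping be the single report would match the surrounding code. The enclosing functions readDir, readFile and injectSuseSecretStore all start and end outside the hunks shown.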