- Update to 1.10.0 version

Add usernamespace support
  Add support for custom seccomp profiles
  Improvements in network and volume management
detailed changelog in
590d5108bb/CHANGELOG.md

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=58
Jordi Massaguer 2016-02-05 09:21:26 +00:00 committed by Git OBS Bridge
parent 9dce1f84b9
commit 64062d332d
15 changed files with 75 additions and 290 deletions

@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">1.9.1</param>
<param name="revision">v1.9.1</param>
<param name="versionformat">1.10.0</param>
<param name="revision">v1.10.0</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">docker-*.tar</param>
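
Review bot: `revision` on the changed line names the tag `v1.10.0` rather than a commit, so a later run of the source service fetches whatever that tag points to at that time. The spec in this commit records `git_version 590d510` and the changelog URL carries the full hash; putting that full commit hash in `<param name="revision">` would tie the generated tarball to the commit the package claims to build.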

@ -1,20 +0,0 @@
From: Michel Normand <normand@linux.vnet.ibm.com>
Subject: add bolt arm64
Date: Fri, 04 Dec 2015 17:07:22 +0100
add bolt arm64
Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
---
vendor/src/github.com/boltdb/bolt/bolt_arm64.go | 4 ++++
1 file changed, 4 insertions(+)
Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_arm64.go
===================================================================
--- /dev/null
+++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_arm64.go
@@ -0,0 +1,4 @@
+package bolt
+
+// maxMapSize represents the largest mmap size supported by Bolt.
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB

@ -1,23 +0,0 @@
---
vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 4 ++++
vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go | 4 ++++
2 files changed, 8 insertions(+)
Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
===================================================================
--- /dev/null
+++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
@@ -0,0 +1,4 @@
+package bolt
+
+// maxMapSize represents the largest mmap size supported by Bolt.
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go
===================================================================
--- /dev/null
+++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go
@@ -0,0 +1,4 @@
+package bolt
+
+// maxMapSize represents the largest mmap size supported by Bolt.
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:edb9bdbcce529e4170b6ad8a14643b12f176c8d2b1690f182f29bc79e3dde3c0
size 6283244

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Fri Feb 5 09:14:15 UTC 2016 - jmassaguerpla@suse.com
- Update to 1.10.0 version
Add usernamespace support
Add support for custom seccomp profiles
Improvements in network and volume management
detailed changelog in
https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/CHANGELOG.md
-------------------------------------------------------------------
Wed Jan 27 23:40:09 UTC 2016 - asarai@suse.com
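
Review bot: the new changelog entry lists upstream features only and is silent on the packaging changes made in this commit. The spec drops fix-docker-init.patch, libcontainer-apparmor-fixes.patch, fix_bnc_958255.patch, use_fs_cgroups_by_default.patch, fix_cgroup.parent_path_sanitisation.patch, fix_json_econnreset_bug.patch, ignore-dockerinit-checksum.patch, add_bolt_ppc64.patch and add_bolt_arm64.patch, and adds fix_platform_type_arm.patch. Each should get a line in this entry with its reason (merged upstream or obsolete), so a later reader can tell that the security-relevant fixes were carried over rather than lost.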

@ -16,10 +16,10 @@
#
%define git_version a34a1d5
%define git_version 590d510
%define go_arches %ix86 x86_64
Name: docker
Version: 1.9.1
Version: 1.10.0
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
@ -41,34 +41,16 @@ Source7: README_SUSE.md
Source8: docker-audit.rules
# TODO: remove once we figure out what is wrong with iptables on ppc64le
Source100: sysconfig.docker.ppc64le
Patch0: fix-docker-init.patch
# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
Patch1: libcontainer-apparmor-fixes.patch
# fix regexp in apparmor default profile. This is already fixed upstream so in version > 1.9.1 it should be already fixed
Patch2: fix_bnc_958255.patch
# fix default cgroups. This is fixed upstream, too.
Patch3: use_fs_cgroups_by_default.patch
# fix an issue with cgroups. This is fixed upstream, too.
Patch4: fix_cgroup.parent_path_sanitisation.patch
# fix an issue with JSON and containers not starting. This is fixed upstream, too.
Patch5: fix_json_econnreset_bug.patch
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
# We cannot do that, right now a quick and really dirty way to get it running is
# to simply disable this check
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/# !msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
Patch6: gcc5_socket_workaround.patch
Patch100: ignore-dockerinit-checksum.patch
Patch101: gcc-go-patches.patch
Patch102: add_bolt_ppc64.patch
Patch105: add_bolt_arm64.patch
Patch108: fix-ppc64le.patch
Patch0: fix_platform_type_arm.patch
Patch1: gcc5_socket_workaround.patch
Patch100: gcc-go-patches.patch
Patch101: fix-ppc64le.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: device-mapper-devel >= 1.2.68
BuildRequires: glibc-devel-static
%ifarch %go_arches
BuildRequires: go >= 1.4
BuildRequires: go >= 1.5
BuildRequires: go-go-md2man
%else
BuildRequires: gcc5-go >= 5.0
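
Review bot: `Patch0: fix_platform_type_arm.patch` is added with no comment line, while the entries it replaces each said what they were for (for example the `PATCH-FIX-OPENSUSE` tag on libcontainer-apparmor-fixes.patch, or "This is fixed upstream, too"). Add a comment above it, and above the renumbered `Patch100` and `Patch101`, stating whether the patch is openSUSE-only or pending upstream. One of the two copies of the gcc-go comment in this hunk has a space inside its URL (`forum/# !msg`); the line that stays in the spec should be the one without it.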
@ -156,11 +138,6 @@ Test package for docker. It contains the source code and the tests.
%prep
%setup -q -n docker-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
# 1330 is Tumbleweed after leap has been released
# gcc5-go in Tumbleweed includes this commit
# https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb
@ -169,14 +146,11 @@ Test package for docker. It contains the source code and the tests.
# for that issue.
# Thus, we need to workaround the workaroundn in tumbleweed
%if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1
%patch6 -p1
%patch1 -p1
%endif
%ifnarch %go_arches
%patch100 -p1
%patch101 -p0
%patch102 -p1
%patch105 -p1
%patch108 -p1
%patch101 -p1
%endif
cp %{SOURCE7} .
@ -213,10 +187,8 @@ install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}
%ifarch %go_arches
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
%else
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
%endif
install -d %{buildroot}/%{_prefix}/lib/docker
install -Dd -m 0755 \
@ -284,7 +256,6 @@ groupadd -r docker 2>/dev/null || :
%{_bindir}/docker
%{_sbindir}/rcdocker
%{_prefix}/lib/docker/
%{_prefix}/lib/docker/dockerinit
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%config %{_sysconfdir}/audit/rules.d/%{name}.rules

@ -1,10 +0,0 @@
diff -Naur a/hack/make/.dockerinit b/hack/make/.dockerinit
--- a/hack/make/.dockerinit 2015-08-11 18:35:27.000000000 +0200
+++ b/hack/make/.dockerinit 2015-08-12 18:14:25.743452565 +0200
@@ -29,5 +29,6 @@
exit 1
fi
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)

@ -1,3 +1,4 @@
Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
===================================================================
--- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
@ -17,4 +18,3 @@ Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netli
+// +build !arm,!ppc64 ppc64le
package bridge
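
Review bot: the `Index:` and `---` paths of this refreshed patch still start with `docker-1.9.1`, while `%setup -q -n docker-%{version}` now unpacks into the 1.10.0 tree. With `%patch101 -p1` the first path component is stripped, so the patch applies, but regenerating it against the 1.10.0 source would keep the header accurate and show that the hunk was checked against the new file.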

@ -1,13 +0,0 @@
diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index 3aaba98..06babd3 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -40,7 +40,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
file,
umount,
- deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
+ deny @{PROC}/{*,**^[0-9]*,sys/kernel/shm*} wkx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,

@ -1,67 +0,0 @@
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
index a0a93a4..da31d06 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@@ -216,12 +216,39 @@ func (m *Manager) GetPids() ([]int, error) {
return cgroups.GetPids(dir)
}
+// pathClean makes a path safe for use with filepath.Join. This is done by not
+// only cleaning the path, but also (if the path is relative) adding a leading
+// '/' and cleaning it (then removing the leading '/'). This ensures that a
+// path resulting from prepending another path will always resolve to lexically
+// be a subdirectory of the prefixed path. This is all done lexically, so paths
+// that include symlinks won't be safe as a result of using pathClean.
+func pathClean(path string) string {
+ // Ensure that all paths are cleaned (especially problematic ones like
+ // "/../../../../../" which can cause lots of issues).
+ path = filepath.Clean(path)
+
+ // If the path isn't absolute, we need to do more processing to fix paths
+ // such as "../../../../<etc>/some/path". We also shouldn't convert absolute
+ // paths to relative ones.
+ if !filepath.IsAbs(path) {
+ path = filepath.Clean(string(os.PathSeparator) + path)
+ // This can't fail, as (by definition) all paths are relative to root.
+ path, _ = filepath.Rel(string(os.PathSeparator), path)
+ }
+
+ // Clean the path again for good measure.
+ return filepath.Clean(path)
+}
+
func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {
root, err := getCgroupRoot()
if err != nil {
return nil, err
}
+ // Clean the parent slice path.
+ c.Parent = pathClean(c.Parent)
+
cgroup := c.Name
if c.Parent != "" {
cgroup = filepath.Join(c.Parent, cgroup)
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
index f3ec2c3..0b13115 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@@ -4,6 +4,7 @@ package fs
import (
"bytes"
+ "fmt"
"io/ioutil"
"os"
"path/filepath"
@@ -92,6 +93,10 @@ func (s *CpusetGroup) ensureParent(current, root string) error {
if filepath.Clean(parent) == root {
return nil
}
+ // Avoid infinite recursion.
+ if parent == current {
+ return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
+ }
if err := s.ensureParent(parent, root); err != nil {
return err
}
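
Review bot: deleting this file takes the `c.Parent = pathClean(c.Parent)` call in `getCgroupData` and the `parent == current` guard in `ensureParent` out of the package, and the only justification visible in the commit is the spec comment "This is fixed upstream, too." Because this is the sanitisation that keeps a `../`-style cgroup parent lexically under the cgroup root, the changelog should name the upstream change that carries it in v1.10.0. The patch's own caveat, that the cleaning is lexical and does not make symlinked paths safe, is worth repeating there.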

@ -0,0 +1,20 @@
diff --git a/pkg/platform/utsname_int8.go b/pkg/platform/utsname_int8.go
index 5dcbadf..a022a35 100644
--- a/pkg/platform/utsname_int8.go
+++ b/pkg/platform/utsname_int8.go
@@ -1,4 +1,4 @@
-// +build linux,386 linux,amd64 linux,arm64
+// +build linux,386 linux,amd64
// see golang's sources src/syscall/ztypes_linux_*.go that use int8
package platform
diff --git a/pkg/platform/utsname_uint8.go b/pkg/platform/utsname_uint8.go
index c9875cf..0ee937a 100644
--- a/pkg/platform/utsname_uint8.go
+++ b/pkg/platform/utsname_uint8.go
@@ -1,4 +1,4 @@
-// +build linux,arm linux,ppc64 linux,ppc64le s390x
+// +build linux,arm linux,ppc64 linux,ppc64le s390x linux,arm64 linux,aarch64
// see golang's sources src/syscall/ztypes_linux_*.go that use uint8
package platform
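
Review bot: `linux,aarch64` on the new `utsname_uint8.go` build line is not a GOARCH value (Go names that architecture `arm64`, which the same line already adds), so the term only matches if something passes `aarch64` as a custom build tag; drop it or say why it is needed. The patch also has no header explaining why arm64 moves from the int8 file to the uint8 one, although the comment kept in both files points at Go's `ztypes_linux_*.go` as the reference. Since `%patch0 -p1` applies this on every architecture, a short description stating which compiler the change is for would help, and `s390x` could take the `linux,` qualifier the other terms use.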

@ -1,18 +1,7 @@
Index: hack/make/.dockerinit-gccgo
===================================================================
--- hack/make/.dockerinit-gccgo.orig
+++ hack/make/.dockerinit-gccgo
@@ -1,5 +1,5 @@
#!/bin/bash
-set -e
+set -ex
IAMSTATIC="true"
source "${MAKEDIR}/.go-autogen"
Index: hack/make/gccgo
===================================================================
--- hack/make/gccgo.orig
+++ hack/make/gccgo
diff --git a/hack/make/gccgo b/hack/make/gccgo
index 878c814..84b7f69 100644
--- a/hack/make/gccgo
+++ b/hack/make/gccgo
@@ -1,5 +1,5 @@
#!/bin/bash
-set -e
@ -20,14 +9,16 @@ Index: hack/make/gccgo
BINARY_NAME="docker-$VERSION"
BINARY_EXTENSION="$(binary_extension)"
@@ -17,6 +17,8 @@ go build -compiler=gccgo \
@@ -16,9 +16,11 @@ go build -compiler=gccgo \
"${BUILDFLAGS[@]}" \
-gccgoflags "
-g
+ -Wl,--add-needed -Wl,--no-as-needed
+ -Wl,--add-needed -Wl,--no-as-needed
$EXTLDFLAGS_STATIC
+ -static-libgo
+ -static-libgo
-Wl,--no-export-dynamic
- -ldl
+ -ldl -lselinux -lsystemd
-pthread
" \
./docker
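
Review bot: the added `-ldl -lselinux -lsystemd` line, combined with `-Wl,--no-as-needed`, records libselinux and libsystemd as needed libraries of every gccgo build whether or not a symbol from them is referenced. Confirm that the spec's BuildRequires for the non-`%go_arches` branch include the matching development packages, and add a description to the patch saying which link failure made these two libraries necessary.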

@ -1,12 +0,0 @@
diff -Naur a/utils/utils.go b/utils/utils.go
--- a/utils/utils.go 2015-08-11 18:35:27.000000000 +0200
+++ b/utils/utils.go 2015-08-12 18:06:47.930445696 +0200
@@ -76,7 +76,7 @@
}
return os.SameFile(targetFileInfo, selfPathFileInfo)
}
- return dockerversion.INITSHA1 != "" && dockerInitSha1(target) == dockerversion.INITSHA1
+ return true
}
// DockerInitPath figures out the path of our dockerinit (which may be SelfPath())

@ -1,11 +0,0 @@
diff -Naur a/contrib/apparmor/docker-engine b/contrib/apparmor/docker-engine
--- a/contrib/apparmor/docker-engine 2015-08-11 18:35:27.000000000 +0200
+++ b/contrib/apparmor/docker-engine 2015-08-12 18:05:07.608444190 +0200
@@ -13,7 +13,6 @@
mount -> /sys/**,
mount -> /run/docker/netns/**,
- umount,
pivot_root,
signal (receive) peer=@{profile_name},
signal (receive) peer=unconfined,
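
Review bot: this is the one dropped patch that the spec tagged `PATCH-FIX-OPENSUSE` ("mount rules aren't supported in our apparmor") rather than "fixed upstream", and nothing in the commit says the distribution's AppArmor now accepts the `umount` rule this patch removed. State in the changelog why it is safe to drop, or confirm that the `contrib/apparmor/docker-engine` profile shipped with 1.10.0 loads on the targets this package builds for.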

@ -1,51 +0,0 @@
From 419fd7449fe1a984f582731fcd4d9455000846b0 Mon Sep 17 00:00:00 2001
From: Alexander Morozov <lk4d4@docker.com>
Date: Wed, 4 Nov 2015 13:51:46 -0800
Subject: [PATCH] Use fs cgroups by default
Our implementation of systemd cgroups is mixture of systemd api and
plain filesystem api. It's hard to keep it up to date with systemd and
it already contains some nasty bugs with new versions. Ideally it should
be replaced with some daemon flag which will allow to set parent systemd
slice.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
---
daemon/execdriver/native/driver.go | 3 ---
docs/reference/commandline/daemon.md | 8 ++++----
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
index 09171c5..0b6cec3 100644
--- a/daemon/execdriver/native/driver.go
+++ b/daemon/execdriver/native/driver.go
@@ -74,9 +74,6 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {
// this makes sure there are no breaking changes to people
// who upgrade from versions without native.cgroupdriver opt
cgm := libcontainer.Cgroupfs
- if systemd.UseSystemd() {
- cgm = libcontainer.SystemdCgroups
- }
// parse the options
for _, option := range options {
diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md
index 91fd3c6..0721538 100644
--- a/docs/reference/commandline/daemon.md
+++ b/docs/reference/commandline/daemon.md
@@ -452,11 +452,11 @@ single `native.cgroupdriver` option is available.
The `native.cgroupdriver` option specifies the management of the container's
cgroups. You can specify `cgroupfs` or `systemd`. If you specify `systemd` and
-it is not available, the system uses `cgroupfs`. By default, if no option is
-specified, the execdriver first tries `systemd` and falls back to `cgroupfs`.
-This example sets the execdriver to `cgroupfs`:
+it is not available, the system uses `cgroupfs`. If you omit the
+`native.cgroupdriver` option,` cgroupfs` is used.
+This example sets the `cgroupdriver` to `systemd`:
- $ sudo docker daemon --exec-opt native.cgroupdriver=cgroupfs
+ $ sudo docker daemon --exec-opt native.cgroupdriver=systemd
Setting this option applies to all containers the daemon launches.