Accepting request 495655 from Virtualization:containers


OBS-URL: https://build.opensuse.org/request/show/495655
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=54
Dominique Leuenberger 2017-05-23 08:18:53 +00:00 committed by Git OBS Bridge
commit 7e47b9bdcc
14 changed files with 222 additions and 274 deletions


@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">1.13.0</param>
<param name="revision">v1.13.0</param>
<param name="versionformat">17.04.0_ce</param>
<param name="revision">v17.04.0-ce</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">docker-*.tar</param>


@ -1,27 +0,0 @@
From: Michel Normand <normand@linux.vnet.ibm.com>
Subject: boltdb bolt add brokenUnaligned for ppc64
Date: Tue, 20 Dec 2016 10:19:01 +0100
boltdb bolt add brokenUnaligned for ppc64
as already done for bolt_ppc64le.go
Correction already submitted upstream as
https://github.com/boltdb/bolt/pull/635
Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
---
vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 3 +++
1 file changed, 3 insertions(+)
Index: docker-1.12.3/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
===================================================================
--- docker-1.12.3.orig/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
+++ docker-1.12.3/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
@@ -7,3 +7,6 @@ const maxMapSize = 0xFFFFFFFFFFFF // 256
// maxAllocSize is the size used when creating array pointers.
const maxAllocSize = 0x7FFFFFFF
+
+// Are unaligned load/stores broken on this arch?
+var brokenUnaligned = false


@ -0,0 +1,69 @@
From c117441b1a74affb013a42ee8225d69ecfaf4d72 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 9 May 2017 23:31:46 +1000
Subject: [PATCH] client: check tty before creating exec job
This is necessary in order to avoid execId leaks in the case where a
`docker exec -it` is run without a terminal available for the client.
You can reproduce this issue by running the following command many
times.
% nohup docker exec -it some_container true
The container `some_container` will have execIDs that will never
normally be cleaned up (because the client died before they were
started).
In addition, this patch adds a docker-inspect step to ensure that we
give "container does not exist" errors consistently.
[SUSE: Fixes bsc#1037436.]
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
cli/command/container/exec.go | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/cli/command/container/exec.go b/cli/command/container/exec.go
index 676708c77b91..d85113259242 100644
--- a/cli/command/container/exec.go
+++ b/cli/command/container/exec.go
@@ -79,6 +79,19 @@ func runExec(dockerCli *command.DockerCli, opts *execOptions, container string,
ctx := context.Background()
client := dockerCli.Client()
+ // We need to check the tty _before_ we do the ContainerExecCreate, because
+ // otherwise if we error out we will leak execIDs on the server (and
+ // there's no easy way to clean those up). But also in order to make "not
+ // exist" errors take precedence we do a dummy inspect first.
+ if _, err := client.ContainerInspect(ctx, container); err != nil {
+ return err
+ }
+ if !execConfig.Detach {
+ if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
+ return err
+ }
+ }
+
response, err := client.ContainerExecCreate(ctx, container, *execConfig)
if err != nil {
return err
@@ -90,12 +103,8 @@ func runExec(dockerCli *command.DockerCli, opts *execOptions, container string,
return nil
}
- //Temp struct for execStart so that we don't need to transfer all the execConfig
- if !execConfig.Detach {
- if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
- return err
- }
- } else {
+ // Temp struct for execStart so that we don't need to transfer all the execConfig.
+ if execConfig.Detach {
execStartCheck := types.ExecStartCheck{
Detach: execConfig.Detach,
Tty: execConfig.Tty,
--
2.12.2
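Review bot: The `ContainerInspect` call added at the top of `runExec` discards its result and exists only so that a missing container is reported before the tty check, but it is a separate round trip to the daemon, so the container can still be removed between the inspect and `ContainerExecCreate` and the "does not exist" precedence is best-effort rather than guaranteed. The comment block above it should say so, e.g. `// Best-effort: the container may still disappear between this inspect and ExecCreate.`, and it is worth noting that the extra API call is now paid on every exec, detached ones included. The enclosing `runExec` begins above the first hunk and the `if execConfig.Detach` body in the second hunk continues past it.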


@ -0,0 +1,60 @@
From 9783e1791fc438751b327023b0cd7d392e54084f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 18 May 2017 00:02:00 +1000
Subject: [PATCH] apparmor: make pkg/aaparser work on read-only root
This is necessary because normally `apparmor_parser -r` will try to
create a temporary directory on the host (which is not allowed if the
host has a rootfs). However, the -K option bypasses saving things to the
cache (which avoids this issue).
% apparmor_parser -r /tmp/docker-profile
mkstemp: Read-only file system
% apparmor_parser -Kr /tmp/docker-profile
%
In addition, add extra information to the ensureDefaultAppArmorProfile
errors so that problems like this are easier to debug.
Fixes: 2f7596aaef3a ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/apparmor_default.go | 2 +-
pkg/aaparser/aaparser.go | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 09dd0541b872..2a418b25c241 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -28,7 +28,7 @@ func ensureDefaultAppArmorProfile() error {
// Load the profile.
if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
+ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
}
}
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index e794c4c729e2..5de4a4d79b35 100644
--- a/pkg/aaparser/aaparser.go
+++ b/pkg/aaparser/aaparser.go
@@ -22,10 +22,11 @@ func GetVersion() (int, error) {
return parseVersion(output)
}
-// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
-// replace the profile.
+// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
func LoadProfile(profilePath string) error {
- _, err := cmd("", "-r", profilePath)
+ _, err := cmd("", "-Kr", profilePath)
return err
}
--
2.12.2
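Review bot: The new error in `ensureDefaultAppArmorProfile` formats the wrapped error with `%s`; `%v` is the idiomatic verb for an `error` value, `return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %v", defaultApparmorProfile, err)`. In `LoadProfile` the updated doc comment explains why `-K` is needed but not its cost: the commit message says `-K` bypasses saving to the parser cache, so the profile is recompiled on every load, and a sentence such as `// Skipping the cache means the profile is recompiled on every load.` would record that trade-off next to the flag. Both enclosing functions start outside the shown hunks.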


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1da90f2f637d55c7bef034761f0781a7cc4facdefc50b9d77f0c6a78185efe0a
size 5130016

docker-17.04.0_ce.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c192552cebebba3e5af60af995fb7fd6f6423b8df71574e8a1f188878ae21913
size 4574004


@ -1,3 +1,66 @@
-------------------------------------------------------------------
Wed May 17 14:41:29 UTC 2017 - asarai@suse.com
- Fix bsc#1037607 which was causing read-only issues on Kubic, this is a
backport of https://github.com/moby/moby/pull/33250.
+ bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
-------------------------------------------------------------------
Wed May 10 13:54:44 UTC 2017 - asarai@suse.com
- Add a partial fix for boo#1038493.
- Fixed bsc#1037436 where execids were being leaked due to bad error handling.
This is a backport of https://github.com/docker/cli/pull/52.
+ bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
-------------------------------------------------------------------
Thu May 4 19:03:40 UTC 2017 - jmassaguerpla@suse.com
- Fix golang requirements in the subpackages
-------------------------------------------------------------------
Mon May 1 07:57:35 UTC 2017 - fcastelli@suse.com
- Update golang build requirements to use golang(API) symbol: this is
needed to solve a conflict between multiple versions of Go being available
-------------------------------------------------------------------
Tue Apr 18 15:38:11 UTC 2017 - jmassaguerpla@suse.com
- Fix secrets-0002-SUSE-implement-SUSE-container-secrets.patch:
substitute docker/distribution/digest by opencontainers/digest
-------------------------------------------------------------------
Thu Apr 13 14:34:35 UTC 2017 - jmassaguerpla@suse.com
- Update to version 17.04.0-ce (fix bsc#1034053 )
- Patches removed because have been merged into this version:
* pr31549-cmd-docker-fix-TestDaemonCommand.patch
* pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch
- Patches rebased:
* integration-cli-fix-TestInfoEnsureSucceeds.patch
- Build man pages for all archs (bsc#953182)
- Containers cannot resolve DNS if docker host uses 127.0.0.1 as resolver (bsc#1034063)
see /usr/share/doc/packages/docker/CHANGELOG.md
-------------------------------------------------------------------
Wed Apr 12 09:54:18 UTC 2017 - jmassaguerpla@suse.com
- Make sure this is being built with go 1.7
-------------------------------------------------------------------
Wed Apr 12 09:14:35 UTC 2017 - jmassaguerpla@suse.com
- remove the go_arches macro because we are using go1.7 which
is available in all archs
- remove gcc specific patches
* gcc-go-patches.patch
* netlink_netns_powerpc.patch
* boltdb_bolt_add_brokenUnaligned.patch
-------------------------------------------------------------------
Wed Apr 12 07:58:08 UTC 2017 - asarai@suse.com


@ -17,26 +17,12 @@
# nodebuginfo
# Check if go_arches is defined in the project configuration
# Otherwise, define it here
# In order to define it in the project configuration, see
#
# https://en.opensuse.org/openSUSE:Build%20Service%20prjconf#Macros
#
# The Macros tag is the one that defines the go_arches variable to be used
# in the spec file.
# The "define" one is to help the specfile parser of the buildservice
# to see what packages are being built. You also want to define it here
# for keeping things consistent.
%{!?go_arches: %global go_arches %ix86 x86_64 aarch64 ppc64le}
%global docker_store %{_localstatedir}/lib/docker
%global docker_migration_testfile %{docker_store}/.suse-image-migration-v1to2-complete
%global docker_migration_warnfile %{docker_store}/docker-update-message.txt
%define docker_graph %{docker_store}/graph
%define git_version 78d1802
%define version_unconverted 1.13.0
%define version_unconverted 17.04.0_ce
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
# When upgrading to a new version requires the service not to be restarted
# Due to a long migration process update last_migration_version to the new version
@ -44,7 +30,7 @@
# 1.10.1
%global last_migration_version 1.10.1
Name: docker
Version: 1.13.0
Version: 17.04.0_ce
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
@ -60,10 +46,6 @@ Source8: docker-audit.rules
Source9: docker-update-message.txt
Source10: tests.sh
Source11: docker_service_helper.sh
# Fixes for architecture-specific issues (gcc-go).
Patch100: gcc-go-patches.patch
Patch102: netlink_netns_powerpc.patch
Patch103: boltdb_bolt_add_brokenUnaligned.patch
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
# which is not snapshotted when images are committed. Note that if you modify
# this patch, please also modify the patch in the suse-secrets-v<version>
@ -72,8 +54,10 @@ Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patc
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
# PATCH-FIX-UPSTREAM: Backports.
Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch
Patch301: pr31549-cmd-docker-fix-TestDaemonCommand.patch
Patch302: pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch
# PATCH-FIX-UPSTREAM: Backport of https://github.com/docker/cli/pull/52 (bsc#1037436).
Patch400: bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/33250 (bsc#1037607).
Patch401: bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@ -97,13 +81,13 @@ BuildRequires: zsh
Requires: apparmor-parser
Requires: bridge-utils
Requires: ca-certificates-mozilla
Requires: docker-libnetwork = 0.0.0+git20161019.0f53435
Requires: docker-libnetwork = 0.0.0+git20170119.7b2b1fe
# Containerd and runC are required as they are the only currently supported
# execdrivers of Docker. NOTE: The version pinning here matches upstream's
# Dockerfile to ensure that we don't use a slightly incompatible version of
# runC or containerd (which would be bad).
Requires: containerd = 0.2.5+gitr608_03e5862
Requires: runc = 0.1.1+gitr2942_2f7393a
Requires: containerd = 0.2.5+gitr639_422e31c
Requires: runc = 0.1.1+gitr2947_9c2d8d1
# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
Requires: e2fsprogs
Requires: git-core >= 1.7
@ -124,12 +108,9 @@ Recommends: lvm2 >= 2.2.89
Conflicts: lxc < 1.0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExcludeArch: %ix86 s390 ppc
%ifarch %{go_arches}
BuildRequires: go >= 1.5
# Make sure we build with go 1.7
BuildRequires: go-go-md2man
%else
BuildRequires: gcc6-go >= 6.1
%endif
BuildRequires: golang(API) = 1.7
%description
Docker complements LXC with a high-level API which operates at the process
@ -169,15 +150,12 @@ Requires: apparmor-parser
Requires: bash-completion
Requires: device-mapper-devel >= 1.2.68
Requires: glibc-devel-static
# Make sure we require go 1.7
Requires: libapparmor-devel
Requires: libbtrfs-devel >= 3.8
Requires: procps
Requires: sqlite3-devel
%ifarch %{go_arches}
Requires: go >= 1.4
%else
Requires: gcc6-go >= 6.1
%endif
Requires: golang(API) = 1.7
%description test
Test package for docker. It contains the source code and the tests.
@ -190,25 +168,13 @@ Test package for docker. It contains the source code and the tests.
%patch200 -p1
%patch201 -p1
%endif
%ifnarch %{go_arches}
%patch100 -p1
%patch102 -p1
%patch103 -p1
%endif
%patch300 -p1
%patch301 -p1
%patch302 -p1
%patch400 -p1
%patch401 -p1
cp %{SOURCE7} .
cp %{SOURCE10} .
%build
%ifnarch %{go_arches}
tmphack=/tmp/dirty-hack
[ -e $tmphack ] && rm -rf $tmphack
mkdir $tmphack
ln -s %{_bindir}/go-6 $tmphack/go
export PATH=$tmphack:$PATH
%endif
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
%if 0%{?with_libseccomp}
@ -226,16 +192,15 @@ BUILDTAGS="seccomp $BUILDTAGS"
export AUTO_GOPATH=1
export DOCKER_BUILDTAGS="$BUILDTAGS"
export DOCKER_GITCOMMIT=%{git_version}
# Until boo#1038493 is fixed properly we need to do this hack to get the
# compiled-into-the-binary GOROOT.
export GOROOT="$(GOROOT= go env GOROOT)"
EOF
) > docker_build_env
. ./docker_build_env
%ifarch %{go_arches}
./hack/make.sh dynbinary
man/md2man-all.sh
%else
./hack/make.sh dyngccgo
%endif
# build the tests binary
GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \
@ -246,7 +211,6 @@ GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \
# otherwise the resulting package will have extra requires
rm -rf hack/make/.build-deb
%ifarch %go_arches
%check
. ./docker_build_env
@ -304,18 +268,12 @@ PKG_LIST=$(go list -e \
%endif
go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
%endif
%install
install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}
%ifarch %{go_arches}
install -D -m755 bundles/latest/dynbinary-client/%{name} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/latest/dynbinary-daemon/%{name}d %{buildroot}/%{_bindir}/%{name}d
%else
install -D -m755 bundles/latest/dyngccgo/%{name} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/latest/dyngccgo/%{name}d %{buildroot}/%{_bindir}/%{name}d
%endif
install -d %{buildroot}/%{_prefix}/lib/docker
install -Dd -m 0755 \
%{buildroot}%{_sysconfdir}/init.d \
@ -356,7 +314,6 @@ install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.r
# sysconfig file
install -D -m 644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.docker
%ifarch %{go_arches}
# install manpages
install -d %{buildroot}%{_mandir}/man1
install -p -m 644 man/man1/*.1 %{buildroot}%{_mandir}/man1
@ -364,7 +321,6 @@ install -d %{buildroot}%{_mandir}/man5
install -p -m 644 man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
install -d %{buildroot}%{_mandir}/man8
install -p -m 644 man/man8/*.8 %{buildroot}%{_mandir}/man8
%endif
install -D -m 0644 %{SOURCE9} %{buildroot}%{docker_migration_warnfile}
@ -424,7 +380,7 @@ fi
%files
%defattr(-,root,root)
%doc README.md LICENSE README_SUSE.md
%doc README.md LICENSE README_SUSE.md CHANGELOG.md
%{_bindir}/docker
%{_bindir}/dockerd
%{_sbindir}/rcdocker
@ -434,12 +390,10 @@ fi
%{_udevrulesdir}/80-%{name}.rules
%{_localstatedir}/adm/fillup-templates/sysconfig.docker
%{_localstatedir}/lib/docker/
%ifarch %{go_arches}
%{_mandir}/man1/docker-*.1%{ext_man}
%{_mandir}/man1/docker.1%{ext_man}
%{_mandir}/man5/Dockerfile.5%{ext_man}
%{_mandir}/man8/dockerd.8%{ext_man}
%endif
%files bash-completion
%defattr(-,root,root)
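Review bot: `%define git_version 78d1802` is left as context in the first hunk while `version_unconverted` and `Version` move from 1.13.0 to 17.04.0_ce, and that macro is exported as `DOCKER_GITCOMMIT` in the build hunk, so unless the hash already corresponds to the v17.04.0-ce tag the built binaries will report a stale commit in `docker version`; this should be confirmed against the new tarball. The `export GOROOT="$(GOROOT= go env GOROOT)"` workaround is introduced with a comment saying it lasts "until boo#1038493 is fixed properly" but nothing marks it for removal; a `# TODO: remove once boo#1038493 is resolved.` line next to it would keep the hack from outliving the bug. The spec hunks shown are partial and the surrounding sections continue outside them.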


@ -1,47 +0,0 @@
diff --git a/hack/make/gccgo b/hack/make/gccgo
index 54c983e..1c11bbf 100644
--- a/hack/make/gccgo
+++ b/hack/make/gccgo
@@ -1,5 +1,5 @@
#!/bin/bash
-set -e
+set -ex
BINARY_NAME="dockerd-$VERSION"
BINARY_EXTENSION="$(binary_extension)"
@@ -22,9 +22,11 @@ go build -compiler=gccgo \
"${BUILDFLAGS[@]}" \
-gccgoflags "
-g
+ -Wl,--add-needed -Wl,--no-as-needed
$EXTLDFLAGS_STATIC
+ -static-libgo
-Wl,--no-export-dynamic
- -ldl
+ -ldl -lselinux -lsystemd
-pthread
" \
./cmd/dockerd
@@ -37,7 +39,9 @@ go build -compiler=gccgo \
"${BUILDFLAGS[@]}" \
-gccgoflags "
-g
+ -Wl,--add-needed -Wl,--no-as-needed
$EXTLDFLAGS_STATIC
+ -static-libgo
-Wl,--no-export-dynamic
-ldl
-pthread
@@ -55,9 +59,11 @@ go build -compiler=gccgo \
"${BUILDFLAGS[@]}" \
-gccgoflags "
-g
+ -Wl,--add-needed -Wl,--no-as-needed
$EXTLDFLAGS_STATIC
+ -static-libgo
-Wl,--no-export-dynamic
- -ldl
+ -ldl -lselinux -lsystemd
-pthread
" \
./cmd/docker


@ -1,13 +1,13 @@
diff --git a/integration-cli/docker_cli_info_test.go b/integration-cli/docker_cli_info_test.go
index 62ce7e2..46516f9 100644
index 5eb2f0f..39f93bd 100644
--- a/integration-cli/docker_cli_info_test.go
+++ b/integration-cli/docker_cli_info_test.go
@@ -40,7 +40,7 @@ func (s *DockerSuite) TestInfoEnsureSucceeds(c *check.C) {
@@ -41,7 +41,7 @@ func (s *DockerSuite) TestInfoEnsureSucceeds(c *check.C) {
}
if DaemonIsLinux.Condition() {
if DaemonIsLinux() {
- stringsToCheck = append(stringsToCheck, "Runtimes:", "Default Runtime: runc")
+ stringsToCheck = append(stringsToCheck, "Runtimes:", "Default Runtime: oci")
}
if experimentalDaemon {
if testEnv.ExperimentalDaemon() {


@ -1,16 +0,0 @@
---
vendor/src/github.com/vishvananda/netns/netns_linux_ppc64.go | 7 +++++++
1 file changed, 7 insertions(+)
Index: docker-1.10.2/vendor/src/github.com/vishvananda/netns/netns_linux_ppc64.go
===================================================================
--- /dev/null
+++ docker-1.10.2/vendor/src/github.com/vishvananda/netns/netns_linux_ppc64.go
@@ -0,0 +1,7 @@
+// +build linux,ppc64
+
+package netns
+
+const (
+ SYS_SETNS = 350
+)


@ -1,49 +0,0 @@
From dd7159060f60ea04007c069df189a29fda2c655f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 5 Mar 2017 15:25:11 +1100
Subject: [PATCH] cmd: docker: fix TestDaemonCommand
In more recent versions of Cobra, `--help` parsing is done before
anything else resulting in TestDaemonCommand not actually passing. I'm
actually unsure if this test ever passed since it appears that !daemon
is not being run as part of the test suite.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
cmd/docker/daemon_none.go | 6 ++++--
cmd/docker/daemon_none_test.go | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cmd/docker/daemon_none.go b/cmd/docker/daemon_none.go
index 65f9f37be22f..6fbd00012526 100644
--- a/cmd/docker/daemon_none.go
+++ b/cmd/docker/daemon_none.go
@@ -12,8 +12,10 @@ import (
func newDaemonCommand() *cobra.Command {
return &cobra.Command{
- Use: "daemon",
- Hidden: true,
+ Use: "daemon",
+ Hidden: true,
+ Args: cobra.ArbitraryArgs,
+ DisableFlagParsing: true,
RunE: func(cmd *cobra.Command, args []string) error {
return runDaemon()
},
diff --git a/cmd/docker/daemon_none_test.go b/cmd/docker/daemon_none_test.go
index 32032fe1b344..bd42add98696 100644
--- a/cmd/docker/daemon_none_test.go
+++ b/cmd/docker/daemon_none_test.go
@@ -10,7 +10,7 @@ import (
func TestDaemonCommand(t *testing.T) {
cmd := newDaemonCommand()
- cmd.SetArgs([]string{"--help"})
+ cmd.SetArgs([]string{"--version"})
err := cmd.Execute()
assert.Error(t, err, "Please run `dockerd`")
--
2.12.0


@ -1,59 +0,0 @@
From 790a81ea9acce318d0e037771c253951b874140b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 13 Mar 2017 14:57:35 +1100
Subject: [PATCH] daemon: also ensureDefaultApparmorProfile in exec path
When 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
profiles") was merged, it didn't correctly handle the exec path if
AppArmor profiles were deleted. Fix this by duplicating the
ensureDefaultApparmorProfile code in the exec code.
Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/exec_linux.go | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index 5aeedc347027..bb11c11e447c 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -5,6 +5,7 @@ import (
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/daemon/exec"
"github.com/docker/docker/libcontainerd"
+ "github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runtime-spec/specs-go"
)
@@ -23,5 +24,27 @@ func execSetPlatformOpt(c *container.Container, ec *exec.Config, p *libcontainer
if ec.Privileged {
p.Capabilities = caps.GetAllCapabilities()
}
+ if apparmor.IsEnabled() {
+ var appArmorProfile string
+ if c.AppArmorProfile != "" {
+ appArmorProfile = c.AppArmorProfile
+ } else if c.HostConfig.Privileged {
+ appArmorProfile = "unconfined"
+ } else {
+ appArmorProfile = "docker-default"
+ }
+
+ if appArmorProfile == "docker-default" {
+ // Unattended upgrades and other fun services can unload AppArmor
+ // profiles inadvertently. Since we cannot store our profile in
+ // /etc/apparmor.d, nor can we practically add other ways of
+ // telling the system to keep our profile loaded, in order to make
+ // sure that we keep the default profile enabled we dynamically
+ // reload it if necessary.
+ if err := ensureDefaultAppArmorProfile(); err != nil {
+ return err
+ }
+ }
+ }
return nil
}
--
2.12.0


@ -66,7 +66,7 @@ index 000000000000..591abc998e67
+ "syscall"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/docker/distribution/digest"
+ "github.com/opencontainers/go-digest"
+ "github.com/docker/docker/container"
+
+ swarmtypes "github.com/docker/docker/api/types/swarm"