Accepting request 614829 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/614829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=76

bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

@@ -1,4 +1,4 @@
-From fb59d17b2617ebee34f91786428f63571a19bb74 Mon Sep 17 00:00:00 2001
+From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 8 Apr 2018 20:21:30 +1000
 Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
@@ -11,20 +11,22 @@ SUSE-Bugs: bsc#1073877 boo#1089732
 Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
- components/engine/profiles/apparmor/template.go | 4 ++++
+ components/engine/profiles/apparmor/template.go | 6 ++++++
- 1 file changed, 4 insertions(+)
+ 1 file changed, 6 insertions(+)
 
 diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
-index c5ea4584de6b..47c1b0659a15 100644
+index c5ea4584de6b..082638e85903 100644
 --- a/components/engine/profiles/apparmor/template.go
 +++ b/components/engine/profiles/apparmor/template.go
-@@ -17,6 +17,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
    capability,
    file,
    umount,
 +{{if ge .Version 208096}}
 +{{/* Allow 'docker kill' to actually send signals to container processes. */}}
 +  signal (receive) peer=unconfined,
++{{/* And allow signals to be sent inside the container. */}}
++  signal (send,receive) peer={{.Name}},
 +{{end}}
  
    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

docker.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Jun  5 11:24:35 UTC 2018 - asarai@suse.com
+
+- Update to AppArmor patch so that signal mediation also works for signals
+  between in-container processes. bsc#1073877
+  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+
+-------------------------------------------------------------------
+Tue Jun  5 06:38:40 UTC 2018 - asarai@suse.com
+
+- Remove 'go test' from %check section, as it has only ever caused us problems
+  and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
+  testing has been far more useful. boo#1095817
+
 -------------------------------------------------------------------
 Tue May 29 08:10:48 UTC 2018 - asarai@suse.com
 

docker.spec

@@ -261,106 +261,20 @@ go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
 cd ../..
 
 %check
-. ./docker_build_env
+# We used to run 'go test' here, however we found that this actually didn't
+# catch any issues that were caught by smoke testing, and %check would
+# continually cause package builds to fail due to flaky tests. If you ever need
+# to know how the testing was done, you can always look in the package history.
+# boo#1095817
 
-# DOCKER ENGINE
+# We verify that all of our -git requires are correct, and match the contents
-# go test will look in github.com/docker/docker/vendor for vendored packages but
+# of the upstream vendoring scripts. This is done on-build to make sure that
-# Docker keeps them in github.com/docker/docker/vendor/src. Let's do it like
+# someone doing an update didn't miss anything.
-# Docker does it and append github.com/docker/docker/vendor to the GOPATH so the
+cd components/engine
-# packages are found by go test.
-export GOPATH=$HOME/go/src/github.com/docker/docker/vendor:$GOPATH
-
-# Create or dir if it doesn't exist already
-mkdir -p $HOME/go/src/github.com/docker
-
-# Remove any existing symlinks.
-rm -rf $HOME/go/src/github.com/docker/*
-
-# go list -e ... doesn't seem to work with symlinks so do a full copy instead.
-cp -ar %{buildroot}/usr/src/docker/engine $HOME/go/src/github.com/docker/docker
-
-cd $HOME/go/src/github.com/docker/docker
-
-# We verify that all of our -git requires are correct. This is done on-build to
-# make sure that someone doing an update didn't miss anything.
 grep 'RUNC_COMMIT=%{required_dockerrunc}'       hack/dockerfile/binaries-commits
 grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
 grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
 
-# The command is taken from hack/make/test-unit and various test runs.
-# Everything that follows github.com/docker/pkg/integration-cli are packages
-# containing tests that cannot run in an obs build context. Some tests must be
-# excluded as they will always fail in our build environments.
-PKG_LIST=$(go list -e \
-		-f '{{if ne .Name "github.com/docker/docker"}} {{.ImportPath}}
-		{{end}}'  \
-		-tags "$DOCKER_BUILDTAGS" \
-		-a "${BUILDFLAGS[@]}" ... \
-		| grep    'github.com/docker/docker' \
-		| grep -Ev 'vendor/(.+/)?github.com/docker/docker' \
-		| grep -v 'github.com/docker/docker/vendor' \
-		| grep -v 'github.com/docker/docker/builder$' \
-		| grep -v 'github.com/docker/docker/builder/dockerfile$' \
-		| grep -v 'github.com/docker/docker/builder/dockerfile/parser$' \
-		| grep -v 'github.com/docker/docker/builder/remotecontext' \
-		| grep -v 'github.com/docker/docker/cmd/dockerd$' \
-%ifarch s390x
-		| grep -v 'github.com/docker/docker/container' \
-%endif
-		| grep -v 'github.com/docker/docker/daemon$' \
-		| grep -v 'github.com/docker/docker/daemon/graphdriver' \
-		| grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \
-		| grep -v 'github.com/docker/docker/integration' \
-		| grep -v 'github.com/docker/docker/integration-cli' \
-		| grep -v 'github.com/docker/docker/man$' \
-		| grep -v 'github.com/docker/docker/pkg/archive$' \
-		| grep -v 'github.com/docker/docker/pkg/chrootarchive$' \
-%if 0%{?sle_version} == 120000
-		| grep -v 'github.com/docker/docker/pkg/devicemapper$' \
-%endif
-		| grep -v 'github.com/docker/docker/pkg/gitutils$' \
-		| grep -v 'github.com/docker/docker/pkg/idtools$' \
-		| grep -v 'github.com/docker/docker/pkg/integration$' \
-		| grep -v 'github.com/docker/docker/pkg/jsonlog$' \
-		| grep -v 'github.com/docker/docker/pkg/mount$' \
-		| grep -v 'github.com/docker/docker/pkg/sysinfo$' \
-		| grep -v 'github.com/docker/docker/pkg/testutil' \
-%if ! 0%{?with_libseccomp}
-		| grep -v 'github.com/docker/docker/profiles/seccomp$' \
-%endif
-		| grep -v 'github.com/docker/docker/registry$' \
-		| grep -v 'github.com/docker/docker/volume/local$' \
-		)
-# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
-rm ./pkg/system/rm_test.go
-go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
-
-# DOCKER CLIENT
-find $(go env GOROOT) -type d
-
-cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli
-cd $HOME/go/src/github.com/docker/cli
-PKG_LIST=$(go list ./... \
-		| grep    'github.com/docker/cli' \
-		| grep -v 'github.com/docker/cli/vendor' \
-		| grep -Ev 'vendor/(.+/)?github.com/docker/cli' \
-		| grep -v 'github.com/docker/cli/cli/command/idresolver' \
-		| grep -v 'github.com/docker/cli/cli/command/image' \
-		| grep -v 'github.com/docker/cli/cli/image' \
-		| grep -v 'github.com/docker/cli/cmd/docker' \
-		| grep -v 'github.com/docker/cli/e2e' \
-		| grep -v 'github.com/docker/cli/cli/image' \
-		)
-# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
-
-# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will
-# produce really odd errors about packages missing (this only happens if we
-# have a lot of packages in the cmdline). So just avoid running these tests if
-# we're on ppc64le (which requires -buildmode=pie).
-%ifnarch ppc64le
-go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
-%endif
-
 %install
 install -d %{buildroot}%{go_contribdir}
 install -d %{buildroot}%{_bindir}