pool/docker
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 614829 from Virtualization:containers

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/614829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=76
This commit is contained in:
Dominique Leuenberger 2018-06-08 21:11:45 +00:00 committed by Git OBS Bridge
commit 80b49b5d23
3 changed files with 30 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
View File

@ -1,4 +1,4 @@
From fb59d17b2617ebee34f91786428f63571a19bb74 Mon Sep 17 00:00:00 2001
From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
@ -11,20 +11,22 @@ SUSE-Bugs: bsc#1073877 boo#1089732
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/profiles/apparmor/template.go | 4 ++++
1 file changed, 4 insertions(+)
components/engine/profiles/apparmor/template.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c5ea4584de6b..47c1b0659a15 100644
index c5ea4584de6b..082638e85903 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
capability,
file,
umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+ signal (receive) peer=unconfined,
+{{/* And allow signals to be sent inside the container. */}}
+ signal (send,receive) peer={{.Name}},
+{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)

14
docker.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Jun 5 11:24:35 UTC 2018 - asarai@suse.com
- Update to AppArmor patch so that signal mediation also works for signals
between in-container processes. bsc#1073877
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
-------------------------------------------------------------------
Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com
- Remove 'go test' from %check section, as it has only ever caused us problems
and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
testing has been far more useful. boo#1095817
-------------------------------------------------------------------
Tue May 29 08:10:48 UTC 2018 - asarai@suse.com

104
docker.spec
View File

@ -261,106 +261,20 @@ go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
cd ../..
%check
. ./docker_build_env
# We used to run 'go test' here, however we found that this actually didn't
# catch any issues that were caught by smoke testing, and %check would
# continually cause package builds to fail due to flaky tests. If you ever need
# to know how the testing was done, you can always look in the package history.
# boo#1095817
# DOCKER ENGINE
# go test will look in github.com/docker/docker/vendor for vendored packages but
# Docker keeps them in github.com/docker/docker/vendor/src. Let's do it like
# Docker does it and append github.com/docker/docker/vendor to the GOPATH so the
# packages are found by go test.
export GOPATH=$HOME/go/src/github.com/docker/docker/vendor:$GOPATH
# Create or dir if it doesn't exist already
mkdir -p $HOME/go/src/github.com/docker
# Remove any existing symlinks.
rm -rf $HOME/go/src/github.com/docker/*
# go list -e ... doesn't seem to work with symlinks so do a full copy instead.
cp -ar %{buildroot}/usr/src/docker/engine $HOME/go/src/github.com/docker/docker
cd $HOME/go/src/github.com/docker/docker
# We verify that all of our -git requires are correct. This is done on-build to
# make sure that someone doing an update didn't miss anything.
# We verify that all of our -git requires are correct, and match the contents
# of the upstream vendoring scripts. This is done on-build to make sure that
# someone doing an update didn't miss anything.
cd components/engine
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
# The command is taken from hack/make/test-unit and various test runs.
# Everything that follows github.com/docker/pkg/integration-cli are packages
# containing tests that cannot run in an obs build context. Some tests must be
# excluded as they will always fail in our build environments.
PKG_LIST=$(go list -e \
-f '{{if ne .Name "github.com/docker/docker"}} {{.ImportPath}}
{{end}}' \
-tags "$DOCKER_BUILDTAGS" \
-a "${BUILDFLAGS[@]}" ... \
| grep 'github.com/docker/docker' \
| grep -Ev 'vendor/(.+/)?github.com/docker/docker' \
| grep -v 'github.com/docker/docker/vendor' \
| grep -v 'github.com/docker/docker/builder$' \
| grep -v 'github.com/docker/docker/builder/dockerfile$' \
| grep -v 'github.com/docker/docker/builder/dockerfile/parser$' \
| grep -v 'github.com/docker/docker/builder/remotecontext' \
| grep -v 'github.com/docker/docker/cmd/dockerd$' \
%ifarch s390x
| grep -v 'github.com/docker/docker/container' \
%endif
| grep -v 'github.com/docker/docker/daemon$' \
| grep -v 'github.com/docker/docker/daemon/graphdriver' \
| grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \
| grep -v 'github.com/docker/docker/integration' \
| grep -v 'github.com/docker/docker/integration-cli' \
| grep -v 'github.com/docker/docker/man$' \
| grep -v 'github.com/docker/docker/pkg/archive$' \
| grep -v 'github.com/docker/docker/pkg/chrootarchive$' \
%if 0%{?sle_version} == 120000
| grep -v 'github.com/docker/docker/pkg/devicemapper$' \
%endif
| grep -v 'github.com/docker/docker/pkg/gitutils$' \
| grep -v 'github.com/docker/docker/pkg/idtools$' \
| grep -v 'github.com/docker/docker/pkg/integration$' \
| grep -v 'github.com/docker/docker/pkg/jsonlog$' \
| grep -v 'github.com/docker/docker/pkg/mount$' \
| grep -v 'github.com/docker/docker/pkg/sysinfo$' \
| grep -v 'github.com/docker/docker/pkg/testutil' \
%if ! 0%{?with_libseccomp}
| grep -v 'github.com/docker/docker/profiles/seccomp$' \
%endif
| grep -v 'github.com/docker/docker/registry$' \
| grep -v 'github.com/docker/docker/volume/local$' \
)
# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
rm ./pkg/system/rm_test.go
go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
# DOCKER CLIENT
find $(go env GOROOT) -type d
cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli
cd $HOME/go/src/github.com/docker/cli
PKG_LIST=$(go list ./... \
| grep 'github.com/docker/cli' \
| grep -v 'github.com/docker/cli/vendor' \
| grep -Ev 'vendor/(.+/)?github.com/docker/cli' \
| grep -v 'github.com/docker/cli/cli/command/idresolver' \
| grep -v 'github.com/docker/cli/cli/command/image' \
| grep -v 'github.com/docker/cli/cli/image' \
| grep -v 'github.com/docker/cli/cmd/docker' \
| grep -v 'github.com/docker/cli/e2e' \
| grep -v 'github.com/docker/cli/cli/image' \
)
# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will
# produce really odd errors about packages missing (this only happens if we
# have a lot of packages in the cmdline). So just avoid running these tests if
# we're on ppc64le (which requires -buildmode=pie).
%ifnarch ppc64le
go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
%endif
%install
install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}