- Allow users to disable SUSE secrets support by setting
  DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348
- Mark docker-buildx as required since classic "docker build" has been
  deprecated since Docker 23.0. bsc#1230331
- Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate
  package, but with docker-stable it will be necessary to maintain the packages
  together and it makes more sense to have them live in the same OBS package.
  bsc#1230333
- Make some minor name macro updates to help with the docker-stable package
  fork.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=411
Aleksa Sarai 2024-10-15 05:59:40 +00:00 committed by Git OBS Bridge
parent 84b4bc3b21
commit 81aaf8950a
5 changed files with 176 additions and 55 deletions


@ -1,4 +1,4 @@
From 759482e941bde2b67d39b52c803e3390555ff9e9 Mon Sep 17 00:00:00 2001
From c804f6484cb59db827d2b6be6f343a3ca9213a22 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
@ -6,6 +6,10 @@ Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
Users can disable this by setting DOCKER_SUSE_SECRETS_ENABLE=0 in
/etc/sysconfig/docker or by adding that setting to docker.service's
Environment using a drop-in file.
THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
@ -14,15 +18,15 @@ SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/start.go | 5 +
daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 420 insertions(+)
daemon/suse_secrets.go | 439 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 444 insertions(+)
create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go
index b967947af2ce..09e79e410310 100644
index b967947af2ce..e1a1218eb016 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -123,6 +123,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
@@ -118,6 +118,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
return err
}
@ -31,15 +35,15 @@ index b967947af2ce..09e79e410310 100644
+ return err
+ }
+
m, cleanup, err := daemon.setupMounts(ctx, container)
mnts, err := daemon.setupContainerDirs(container)
if err != nil {
return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644
index 000000000000..32b0ece91b59
index 000000000000..f003299522df
--- /dev/null
+++ b/daemon/suse_secrets.go
@@ -0,0 +1,415 @@
@@ -0,0 +1,439 @@
+/*
+ * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017-2021 SUSE LLC.
@ -84,7 +88,11 @@ index 000000000000..32b0ece91b59
+
+func init() {
+ // Output to tell us in logs that SUSE:secrets is enabled.
+ logrus.Infof("SUSE:secrets :: enabled")
+ if isSuseSecretEnabled() {
+ logrus.Infof("SUSE:secrets :: enabled")
+ } else {
+ logrus.Infof("SUSE:secrets :: disabled by DOCKER_SUSE_SECRETS_ENABLE=0")
+ }
+}
+
+// Creating a fake file.
@ -408,7 +416,27 @@ index 000000000000..32b0ece91b59
+ c.SecretReferences = without
+}
+
+func isSuseSecretEnabled() bool {
+ env := os.Getenv("DOCKER_SUSE_SECRETS_ENABLE")
+ switch env {
+ case "0", "no":
+ return false
+ default:
+ logrus.Errorf("SUSE:secrets :: DOCKER_SUSE_SECRETS_ENABLE=%q is an invalid value, keeping SUSE secrets enabled", env)
+ fallthrough
+ case "", "1", "yes":
+ return true
+ }
+}
+
+func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
+ // Allow users to disable SUSE secrets in cases where they don't need it
+ // (in principle you only really need containers-suseconnect when you're
+ // building images). bsc#1231348
+ if !isSuseSecretEnabled() {
+ return nil
+ }
+
+ newDependencyStore := &suseDependencyStore{
+ dfl: c.DependencyStore,
+ secrets: make(map[string]*swarmapi.Secret),
@ -456,5 +484,5 @@ index 000000000000..32b0ece91b59
+ return nil
+}
--
2.45.2
2.47.0
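Review bot: isSuseSecretEnabled fails open on any value other than `0`/`no` — spellings such as `false`, `off` or `NO` log an error and keep injecting host credentials into every container, and because injectSuseSecretStore re-evaluates the variable on each container start, that error is repeated per start rather than once. A user who set the variable at all evidently meant to leave the default, so normalising case before the switch and treating an unrecognised value as disabled (or at least resolving the value once, e.g. behind a sync.Once, so the warning is logged a single time) would be the safer shape. The commit does not touch docker.service or the sysconfig template, so the documented /etc/sysconfig/docker route only works if the unit already sources that file — worth confirming — and the new variable is not documented in the template either. injectSuseSecretStore continues past the end of this hunk.
```go
func isSuseSecretEnabled() bool {
	raw := os.Getenv("DOCKER_SUSE_SECRETS_ENABLE")
	switch strings.ToLower(raw) {
	case "", "1", "yes", "true":
		return true
	case "0", "no", "false":
		return false
	default:
		// The variable was set to something we do not understand; do not keep
		// injecting host credentials on the strength of a typo.
		logrus.Errorf("SUSE:secrets :: DOCKER_SUSE_SECRETS_ENABLE=%q is an invalid value, disabling SUSE secrets", raw)
		return false
	}
}
```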


@ -15,6 +15,14 @@
<param name="revision">v26.1.5</param>
<param name="filename">docker-cli</param>
</service>
<service name="tar_scm" mode="manual">
<param name="url">https://github.com/docker/buildx.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">0.16.2</param>
<param name="revision">v0.16.2</param>
<param name="filename">docker-buildx</param>
</service>
<service name="recompress" mode="manual">
<param name="file">docker-*.tar</param>
<param name="compression">xz</param>
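Review bot: The new tar_scm entry pins buildx by tag (`<param name="revision">v0.16.2</param>`), and git tags can be moved, so a re-run of the service is not guaranteed to fetch the same bytes as the tarball committed here. This matches how the existing docker-cli entry above pins `v26.1.5`, but for a newly added source a full commit id in `revision` (keeping `versionformat` at 0.16.2) would make the checkout reproducible and verifiable against the LFS sha256 recorded in this commit.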


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f94ef8f4021fb8139a4101e8bd747abd7048b2d02be6f88e567b4e688c3156c
size 6424216


@ -1,7 +1,25 @@
-------------------------------------------------------------------
Tue Oct 15 04:58:46 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Allow users to disable SUSE secrets support by setting
DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348
-------------------------------------------------------------------
Wed Sep 18 13:47:45 UTC 2024 - Ana Guerrero <ana.guerrero@suse.com>
- Add %{_sysconfdir}/audit/rules.d to filelist
- Add %{_sysconfdir}/audit/rules.d to filelist.
-------------------------------------------------------------------
Sat Sep 7 06:07:50 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Mark docker-buildx as required since classic "docker build" has been
deprecated since Docker 23.0. bsc#1230331
- Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate
package, but with docker-stable it will be necessary to maintain the packages
together and it makes more sense to have them live in the same OBS package.
bsc#1230333
- Make some minor name macro updates to help with the docker-stable package
fork.
-------------------------------------------------------------------
Wed Jul 31 05:28:09 UTC 2024 - Aleksa Sarai <asarai@suse.com>


@ -1,7 +1,7 @@
#
# spec file for package docker
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -27,27 +27,33 @@
%define _fillupdir /var/adm/fillup-templates
%endif
# MANUAL: This needs to be updated with every docker update.
%define docker_real_version 26.1.5
%define docker_git_version 411e817ddf71
%define docker_version %{docker_real_version}_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define docker_nice_version %{docker_real_version}-ce
# MANUAL: This needs to be updated with every docker-buildx update.
%define buildx_version 0.16.2
# Used when generating the "build" information for Docker version. The value of
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define real_version 26.1.5
%define git_version 411e817ddf71
%define git_commit_epoch 1721763388
Name: docker
Version: %{real_version}_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define nice_version %{real_version}-ce
Version: %{docker_version}
Release: 0
Summary: The Moby-project Linux container runtime
License: Apache-2.0
Group: System/Management
URL: http://www.docker.io
Source: %{name}-%{version}_%{git_version}.tar.xz
Source1: %{name}-cli-%{version}.tar.xz
Source: docker-%{docker_version}_%{docker_git_version}.tar.xz
Source1: docker-cli-%{docker_version}.tar.xz
Source3: docker-rpmlintrc
# TODO: Move these source files to somewhere nicer.
Source100: docker.service
@ -58,6 +64,8 @@ Source130: README_SUSE.md
Source140: docker-audit.rules
Source150: docker-daemon.json
Source160: docker.sysusers
# docker-stable cannot be used alongside docker.
Conflicts: docker-stable
# NOTE: All of these patches are maintained in <https://github.com/suse/docker>
# in the suse-v<version> branch. Make sure you update the patches in that
# branch and then git-format-patch the patch here.
@ -119,7 +127,7 @@ Requires: ca-certificates-mozilla
# The docker-proxy binary used to be in a separate package. We obsolete it,
# since now docker-proxy is maintained as part of this package.
Obsoletes: docker-libnetwork < 0.7.0.2
Provides: docker-libnetwork = 0.7.0.2.%{version}
Provides: docker-libnetwork = 0.7.0.2.%{docker_version}
# Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.1.9
@ -134,6 +142,9 @@ Requires: iptables >= 1.4
Requires: procps
Requires: tar >= 1.26
Requires: xz >= 4.9
# Standard docker-build is deprecated, so require docker-buildx to avoid users
# hitting bugs that have long since been fixed by docker-buildx. bsc#1230331
Requires: %{name}-buildx
%?sysusers_requires
Requires(post): %fillup_prereq
Requires(post): udev
@ -143,8 +154,6 @@ Requires(post): shadow
# different storage-driver than devicemapper
Recommends: lvm2 >= 2.2.89
Recommends: git-core >= 1.7
# Required for "docker buildx" support.
Recommends: %{name}-buildx
Recommends: %{name}-rootless-extras
ExcludeArch: s390 ppc
@ -157,14 +166,39 @@ Docker is a great building block for automating distributed systems: large-scale
web deployments, database clusters, continuous deployment systems, private PaaS,
service-oriented architectures, etc.
%package buildx
Version: %{buildx_version}
Summary: Docker CLI plugin for extended build capabilities with BuildKit
License: Apache-2.0
URL: https://github.com/docker/buildx
Source500: docker-buildx-%{buildx_version}.tar.xz
Group: System/Management
Requires: %{name} >= 19.03.0_ce
# docker-stable cannot be used alongside docker.
Conflicts: docker-stable-buildx
%description buildx
buildx is a Docker CLI plugin for extended build capabilities with BuildKit.
Key features:
- Familiar UI from docker build
- Full BuildKit capabilities with container driver
- Multiple builder instance support
- Multi-node builds for cross-platform images
- Compose build support
- High-level build constructs (bake)
- In-container driver support (both Docker and Kubernetes)
%package rootless-extras
Summary: Rootless support for Docker
Group: System/Management
Requires: %{name} = %{version}
Requires: %{name} = %{docker_version}
Requires: slirp4netns >= 0.4
Requires: fuse-overlayfs >= 0.7
Requires: rootlesskit
BuildArch: noarch
# docker-stable cannot be used alongside docker.
Conflicts: docker-stable-rootless-extras
%description rootless-extras
Rootless support for Docker.
@ -174,10 +208,12 @@ Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh.
%package bash-completion
Summary: Bash Completion for %{name}
Group: System/Shells
Requires: %{name} = %{version}
Requires: %{name} = %{docker_version}
Requires: bash-completion
Supplements: packageand(%{name}:bash-completion)
BuildArch: noarch
# docker-stable cannot be used alongside docker.
Conflicts: docker-stable-bash-completion
%description bash-completion
Bash command line completion support for %{name}.
@ -185,10 +221,12 @@ Bash command line completion support for %{name}.
%package zsh-completion
Summary: Zsh Completion for %{name}
Group: System/Shells
Requires: %{name} = %{version}
Requires: %{name} = %{docker_version}
Requires: zsh
Supplements: packageand(%{name}:zsh)
BuildArch: noarch
# docker-stable cannot be used alongside docker.
Conflicts: docker-stable-zsh-completion
%description zsh-completion
Zsh command line completion support for %{name}.
@ -196,25 +234,32 @@ Zsh command line completion support for %{name}.
%package fish-completion
Summary: Fish completion for %{name}
Group: System/Shells
Requires: %{name} = %{version}
Requires: %{name} = %{docker_version}
Requires: fish
Supplements: packageand(%{name}:fish)
BuildArch: noarch
# docker-stable cannot be used alongside docker.
Conflicts: docker-stable-fish-completion
%description fish-completion
Fish command line completion support for %{name}.
%prep
# docker-cli
%define cli_builddir %{_builddir}/%{name}-cli-%{version}
%setup -q -T -b 1 -n %{name}-cli-%{version}
%define cli_builddir %{_builddir}/docker-cli-%{docker_version}
%setup -q -T -b 1 -n docker-cli-%{docker_version}
[ "%{cli_builddir}" = "$PWD" ]
# offline manpages
%patch -P900 -p1
# docker-buildx
%define buildx_builddir %{_builddir}/docker-buildx-%{buildx_version}
%setup -q -T -b 500 -n docker-buildx-%{buildx_version}
[ "%{buildx_builddir}" = "$PWD" ]
# docker
%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version}
%setup -q -n %{name}-%{version}_%{git_version}
%define docker_builddir %{_builddir}/docker-%{docker_version}_%{docker_git_version}
%setup -q -n docker-%{docker_version}_%{docker_git_version}
[ "%{docker_builddir}" = "$PWD" ]
# README_SUSE.md for documentation.
cp %{SOURCE130} .
@ -238,7 +283,7 @@ cp %{SOURCE130} .
%patch -P204 -p1
%build
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
%sysusers_generate_pre %{SOURCE160} %{name} docker.conf
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
%if 0%{?sle_version} == 120000
@ -255,9 +300,9 @@ export BUILDFLAGS="-buildmode=pie"
# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
# been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch
# generated above. boo#1064781
export VERSION="%{nice_version}"
export DOCKER_GITCOMMIT="%{git_version}"
export GITCOMMIT="%{git_version}"
export VERSION="%{docker_nice_version}"
export DOCKER_GITCOMMIT="%{docker_git_version}"
export GITCOMMIT="%{docker_git_version}"
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
@ -283,6 +328,19 @@ ln -s {vendor,go}.sum
make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages
popd
###################
## DOCKER BUILDX ##
###################
pushd "%{buildx_builddir}"
make \
CGO_ENABLED=1 \
VERSION="%{buildx_version}" \
REVISION="v%{buildx_version}" \
GO_EXTRA_FLAGS="-buildmode=pie" \
build
popd
%install
install -Dd -m0755 \
%{buildroot}%{_sysconfdir}/init.d \
@ -296,6 +354,8 @@ install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{bui
# cli-plugins/
install -d %{buildroot}/usr/lib/docker/cli-plugins
# buildx plugin
install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/lib/docker/cli-plugins/docker-buildx
# /var/lib/docker
install -d %{buildroot}/%{_localstatedir}/lib/docker
@ -304,21 +364,21 @@ install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json
# docker cli
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}"
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}"
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish"
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/docker"
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_docker"
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/docker.fish"
# systemd service
install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service
install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/%{name}.socket
install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/docker.service
install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/docker.socket
ln -sf service %{buildroot}%{_sbindir}/rcdocker
# udev rules that prevents dolphin to show all docker devices and slows down
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-docker.rules
# audit rules
install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/docker.rules
# sysconfig file
install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker
@ -332,7 +392,7 @@ install -d %{buildroot}%{_mandir}/man8
install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
# sysusers.d
install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/%{name}.conf
install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf
# rootless extras
install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
@ -356,17 +416,17 @@ grep -q '^dockremap:' /etc/subgid || \
usermod -w 100000000-200000000 dockremap &>/dev/null || \
echo "dockremap:100000000:100000001" >>/etc/subgid ||:
%service_add_pre %{name}.service %{name}.socket
%service_add_pre docker.service docker.socket
%post
%service_add_post %{name}.service %{name}.socket
%service_add_post docker.service docker.socket
%{fillup_only -n docker}
%preun
%service_del_preun %{name}.service %{name}.socket
%service_del_preun docker.service docker.socket
%postun
%service_del_postun %{name}.service %{name}.socket
%service_del_postun docker.service docker.socket
%files
%defattr(-,root,root)
@ -381,23 +441,27 @@ grep -q '^dockremap:' /etc/subgid || \
%dir /usr/lib/docker
%dir /usr/lib/docker/cli-plugins
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%{_sysusersdir}/%{name}.conf
%{_unitdir}/docker.service
%{_unitdir}/docker.socket
%{_sysusersdir}/docker.conf
%dir %{_sysconfdir}/docker
%config(noreplace) %{_sysconfdir}/docker/daemon.json
%{_fillupdir}/sysconfig.docker
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
%{_udevrulesdir}/80-%{name}.rules
%config %{_sysconfdir}/audit/rules.d/docker.rules
%{_udevrulesdir}/80-docker.rules
%{_mandir}/man1/docker-*.1%{ext_man}
%{_mandir}/man1/docker.1%{ext_man}
%{_mandir}/man5/Dockerfile.5%{ext_man}
%{_mandir}/man8/dockerd.8%{ext_man}
%files buildx
%defattr(-,root,root)
/usr/lib/docker/cli-plugins/docker-buildx
%files rootless-extras
%defattr(-,root,root)
%{_bindir}/dockerd-rootless.sh
@ -405,14 +469,14 @@ grep -q '^dockremap:' /etc/subgid || \
%files bash-completion
%defattr(-,root,root)
%{_datarootdir}/bash-completion/completions/%{name}
%{_datarootdir}/bash-completion/completions/docker
%files zsh-completion
%defattr(-,root,root)
%{_sysconfdir}/zsh_completion.d/_%{name}
%{_sysconfdir}/zsh_completion.d/_docker
%files fish-completion
%defattr(-,root,root)
%{_datadir}/fish/vendor_completions.d/%{name}.fish
%{_datadir}/fish/vendor_completions.d/docker.fish
%changelog
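Review bot: The new `Requires: %{name}-buildx` in the main package preamble is unversioned, and the buildx subpackage only requires `%{name} >= 19.03.0_ce`, so a docker-buildx from a different build (the previously separate package, for instance) satisfies the dependency and the two can drift apart even though they are now built from one spec. Because the subpackage carries its own `Version: %{buildx_version}`, a plain `= %{version}` cannot be used; consider `Requires: %{name}-buildx >= %{buildx_version}` in the main package and a matching floor on the docker side, or a private `Provides:`/`Requires:` pair keyed on `%{docker_version}-%{release}` so the daemon and plugin stay in lock-step. If the previously separate package used a different name, an `Obsoletes:` for it is also missing here — I cannot tell from this diff.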