From 928246d9474eac1c8a04cbd3c045d6c2014ecb129b3a64e26a73d36abca2b977 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 31 Jan 2019 13:39:17 +0000 Subject: [PATCH 1/5] Accepting request 666021 from home:EGDFree:branches:Virtualization:containers - Add fish shell completion OBS-URL: https://build.opensuse.org/request/show/666021 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=282 --- docker.changes | 5 +++++ docker.spec | 16 ++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/docker.changes b/docker.changes index bb05463..e0342ab 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jan 14 17:18:43 UTC 2019 - Andrey Karepin + +- Add fish shell completion + ------------------------------------------------------------------- Fri Jan 11 09:57:32 UTC 2019 - Sascha Grunert diff --git a/docker.spec b/docker.spec index 1528765..df43784 100644 --- a/docker.spec +++ b/docker.spec @@ -95,6 +95,7 @@ BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates BuildRequires: device-mapper-devel >= 1.2.68 +BuildRequires: fish BuildRequires: glibc-devel-static BuildRequires: libapparmor-devel BuildRequires: libbtrfs-devel >= 3.8 @@ -215,6 +216,16 @@ Provides: %{realname}-zsh-completion = %{version} %description zsh-completion Zsh command line completion support for %{name}. +%package fish-completion +Summary: Fish Completion for %{name} +Group: System/Management +Requires: %{name} = %{version} +Supplements: packageand(%{name}:fish-completion) +BuildArch: noarch + +%description fish-completion +Fish command line completion support for %{name}. + %package test %global __requires_exclude ^libgo.so.*$ Summary: Test package for docker 
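Review bot: `Supplements: packageand(%{name}:fish-completion)` in the new `%package fish-completion` stanza names a trigger package that probably does not exist. The bash stanza keys on the real `bash-completion` package and the zsh stanza on `zsh`, so the fish equivalent would be `Supplements: packageand(%{name}:fish)`; as written the subpackage would likely never be pulled in automatically. In the `%files fish-completion` hunk further down, `%config` on a file under `%{_datadir}` is also out of place, because files in /usr/share are not configuration; a plain `%{_datadir}/fish/completions/%{realname}.fish` entry is enough.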
@@ -368,6 +379,7 @@ install -Dd -m 0755 \ install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{realname}" install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{realname}" +install -D -m0644 components/cli/contrib/completion/fish/docker.fish "%{buildroot}%{_datadir}/fish/completions/%{realname}.fish" # copy all for the test package install -d %{buildroot}%{_prefix}/src/docker/ cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine @@ -468,6 +480,10 @@ getent group docker >/dev/null || groupadd -r docker %defattr(-,root,root) %config %{_sysconfdir}/zsh_completion.d/%{realname} +%files fish-completion +%defattr(-,root,root) +%config %{_datadir}/fish/completions/%{realname}.fish + %files test %defattr(-,root,root) %{_prefix}/src/docker/ From 6119adcb493f6dfd4c3402d12e20ea0833329ba024948b8b23f525c33c690a03 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 6 Feb 2019 09:42:32 +0000 Subject: [PATCH 2/5] - Update to Docker 18.09.1-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=283 --- _service | 7 +- ...eceiving-of-signals-from-docker-kill.patch | 75 ------------------- docker-18.09.0_ce.tar.xz | 3 - docker-18.09.1_ce.4c52b901c6cb.tar.xz | 3 + docker.changes | 8 ++ docker.spec | 20 ++--- 6 files changed, 21 insertions(+), 95 deletions(-) delete mode 100644 bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch delete mode 100644 docker-18.09.0_ce.tar.xz create mode 100644 docker-18.09.1_ce.4c52b901c6cb.tar.xz diff --git a/_service b/_service index 29e28cd..53842c5 100644 --- a/_service +++ b/_service @@ -3,15 +3,12 @@ https://github.com/docker/docker-ce.git git .git - 18.09.0_ce - v18.09.0 + 18.09.1_ce.%h + v18.09.1 docker docker-*.tar xz - - docker - 
diff --git a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch b/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
deleted file mode 100644
index 0ac53e5..0000000
--- a/bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai
-Date: Sun, 8 Apr 2018 20:21:30 +1000
-Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
-
-In newer kernels, AppArmor will reject attempts to send signals to a
-container because the signal originated from outside of that AppArmor
-profile. Correct this by allowing all unconfined signals to be received.
-
-Signed-off-by: Goldwyn Rodrigues
-Signed-off-by: Aleksa Sarai
----
- .../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++
- .../engine/profiles/apparmor/template.go | 6 ++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
-index b021668c8e4c..2f58ee852cab 100644
---- a/components/engine/profiles/apparmor/apparmor.go
-+++ b/components/engine/profiles/apparmor/apparmor.go
-@@ -23,6 +23,8 @@ var (
- type profileData struct {
- // Name is profile name.
- Name string
-+ // DaemonProfile is the profile name of our daemon.
-+ DaemonProfile string
- // Imports defines the apparmor functions to import, before defining the profile.
- Imports []string
- // InnerImports defines the apparmor functions to import in the profile.
-@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
- Name: name,
- }
-
-+ // Figure out the daemon profile.
-+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
-+ if err != nil {
-+ // If we couldn't get the daemon profile, assume we are running
-+ // unconfined which is generally the default.
-+ currentProfile = nil
-+ }
-+ daemonProfile := string(currentProfile)
-+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
-+ // profiles cannot contain spaces so this doesn't restrict daemon profile
-+ // names.
-+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
-+ daemonProfile = parts[0]
-+ }
-+ if daemonProfile == "" {
-+ daemonProfile = "unconfined"
-+ }
-+ p.DaemonProfile = daemonProfile
-+
- // Install to a temporary directory.
- f, err := ioutil.TempFile("", name)
- if err != nil {
-diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
-index c00a3f70e993..400b3bd50a11 100644
---- a/components/engine/profiles/apparmor/template.go
-+++ b/components/engine/profiles/apparmor/template.go
-@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
- capability,
- file,
- umount,
-+{{if ge .Version 208096}}
-+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
-+ signal (receive) peer={{.DaemonProfile}},
-+{{/* Allow container processes to send signals amongst themselves. */}}
-+ signal (send,receive) peer={{.Name}},
-+{{end}}
-
- deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
- # deny write to files not in /proc//** or /proc/sys/**
---
-2.19.1
-
diff --git a/docker-18.09.0_ce.tar.xz b/docker-18.09.0_ce.tar.xz
deleted file mode 100644
index f42cb41..0000000
--- a/docker-18.09.0_ce.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ce38c3b659b78bccdfaf07b1f0a4eaaf454ffec726434511feeee1b9a2fc8151
-size 9264940
diff --git a/docker-18.09.1_ce.4c52b901c6cb.tar.xz b/docker-18.09.1_ce.4c52b901c6cb.tar.xz
new file mode 100644
index 0000000..1e93f46
--- /dev/null
+++ b/docker-18.09.1_ce.4c52b901c6cb.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:977edd36e90089a63712975d63bdce7b99d6b5ac8cddaa54b71c216c1ed75020
+size 9334972
diff --git a/docker.changes b/docker.changes
index e0342ab..a5633c0 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Feb 5 11:24:02 UTC 2019 - Aleksa Sarai + +- Update to Docker 18.09.1-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308 +- Remove upstreamed patches. + - bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + ------------------------------------------------------------------- Mon Jan 14 17:18:43 UTC 2019 - Andrey Karepin diff --git a/docker.spec b/docker.spec index df43784..f386b11 100644 --- a/docker.spec +++ b/docker.spec @@ -42,24 +42,24 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version e68fc7a215d7 -%define git_commit_epoch 1534871791 +%define git_version 4c52b901c6cb +%define git_commit_epoch 1547060456 # These are the git commits required. We verify them against the source to make # sure we didn't miss anything important when doing upgrades. -%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e -%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340 -%define required_libnetwork 6da50d1978302f04c3e2089e29112ea24812f05b +%define required_containerd 9754871865f7fe2f4e74d43e2fc7ccd237edcbce +%define required_dockerrunc 96ec2177ae841256168fcf76954f7177af9446eb +%define required_libnetwork 2cfbf9b1f98162a55829a21cc603c76072a75382 Name: %{realname}%{name_suffix} -Version: 18.09.0_ce +Version: 18.09.1_ce Release: 0 Summary: The Linux container runtime License: Apache-2.0 Group: System/Management Url: http://www.docker.io # TODO(VR): check those SOURCE files below -Source: %{realname}-%{version}.tar.xz +Source: %{realname}-%{version}.%{git_version}.tar.xz Source1: docker.service # bsc#1086185 -- but we only apply this on Kubic. Source2: docker-kubic-service.conf 
@@ -76,8 +76,6 @@ Source9: tests.sh # branch in http://github.com/suse/docker.mirror. Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37831. bsc#1073877 -Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277 Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218 @@ -270,7 +268,7 @@ docker container runtime configuration for kubeadm %endif %prep -%setup -q -n %{realname}-%{version} +%setup -q -n %{realname}-%{version}.%{git_version} %if 0%{?is_opensuse} # nothing %else @@ -278,8 +276,6 @@ docker container runtime configuration for kubeadm %patch200 -p1 %patch201 -p1 %endif -# bsc#1073877 -%patch400 -p1 # bsc#1099277 %patch401 -p1 # boo#1047218 From 98584d8935906d47f910395e813d384bae2b76fc61cf6e1f173ffda3af41ff3d Mon Sep 17 00:00:00 2001 From: Jordi Massaguer Date: Thu, 7 Feb 2019 09:04:01 +0000 Subject: [PATCH 3/5] Accepting request 672170 from home:mjura:branches:Virtualization:containers - Add daemon.json file with rotation logs cofiguration, bsc#1114832 OBS-URL: https://build.opensuse.org/request/show/672170 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=284 --- docker-daemon.json | 8 ++++++++ docker.changes | 5 +++++ docker.spec | 5 +++++ 3 files changed, 18 insertions(+) create mode 100644 docker-daemon.json diff --git a/docker-daemon.json b/docker-daemon.json new file mode 100644 index 0000000..3661a83 --- /dev/null +++ b/docker-daemon.json @@ -0,0 +1,8 @@ +{ + "log-level": "warn", + "log-driver": "json-file", + "log-opts": { + "max-size": "10m", + "max-file": "5" + } +} 
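Review bot: `"log-level": "warn"` in the new docker-daemon.json goes beyond what the commit describes. The subject and changelog mention only log rotation, yet this line also lowers the daemon's verbosity from the default `info` level on every installation that receives the file. Info-level daemon messages are often what an investigation relies on, so the setting deserves its own changelog line or should be dropped, leaving only `log-driver` and `log-opts`. JSON carries no comments, so the rationale has to live in docker.changes or README_SUSE.md.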
diff --git a/docker.changes b/docker.changes index a5633c0..248aa08 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Feb 6 14:37:43 UTC 2019 - Michal Jura + +- Add daemon.json file with rotation logs cofiguration, bsc#1114832 + ------------------------------------------------------------------- Tue Feb 5 11:24:02 UTC 2019 - Aleksa Sarai diff --git a/docker.spec b/docker.spec index f386b11..fd3cd1a 100644 --- a/docker.spec +++ b/docker.spec @@ -70,6 +70,7 @@ Source6: docker-rpmlintrc Source7: README_SUSE.md Source8: docker-audit.rules Source9: tests.sh +Source10: docker-daemon.json # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers # which is not snapshotted when images are committed. Note that if you modify # this patch, please also modify the patch in the suse-secrets-v @@ -402,6 +403,9 @@ install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realnam # sysconfig file install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker +# install docker config file +install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/daemon.json + # install manpages (using the ones from the engine) install -d %{buildroot}%{_mandir}/man1 install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 @@ -459,6 +463,7 @@ getent group docker >/dev/null || groupadd -r docker %dir %{_unitdir}/%{realname}.service.d/ %{_unitdir}/%{realname}.service.d/90-kubic.conf %endif +%config %{_sysconfdir}/daemon.json %config %{_sysconfdir}/audit/rules.d/%{realname}.rules %{_udevrulesdir}/80-%{realname}.rules %{_fillupdir}/sysconfig.docker From 077069cf9abaed7e548d9ead748edf0abd367ae80ab43e6669eabeb3af99df01 Mon Sep 17 00:00:00 2001 
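Review bot: The new install line writes the file to `%{buildroot}%{_sysconfdir}/daemon.json`, i.e. /etc/daemon.json, while dockerd reads /etc/docker/daemon.json unless it is started with `--config-file`. Unless docker.service or the sysconfig file passes that flag (neither is visible here), the rotation settings are never applied. Suggested: `install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/docker/daemon.json`, plus a `%dir %{_sysconfdir}/docker` entry if the package does not already own that directory. In the `%files` hunk, `%config(noreplace) %{_sysconfdir}/docker/daemon.json` would keep a package update from replacing an administrator's edited daemon.json, which commonly carries security-relevant daemon settings.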
From: Aleksa Sarai Date: Sat, 9 Feb 2019 13:55:16 +0000 Subject: [PATCH 4/5] Accepting request 673001 from home:cyphar:containers:docker_18.09.1 - Update shell completion to use Group: System/Shells. OBS-URL: https://build.opensuse.org/request/show/673001 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=285 --- docker.changes | 5 +++++ docker.spec | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/docker.changes b/docker.changes index 248aa08..6002abe 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sat Feb 9 13:54:03 UTC 2019 - Aleksa Sarai + +- Update shell completion to use Group: System/Shells. + ------------------------------------------------------------------- Wed Feb 6 14:37:43 UTC 2019 - Michal Jura diff --git a/docker.spec b/docker.spec index fd3cd1a..3682cb5 100644 --- a/docker.spec +++ b/docker.spec @@ -175,7 +175,7 @@ service-oriented architectures, etc. %package bash-completion Summary: Bash Completion for %{name} -Group: System/Management +Group: System/Shells Requires: %{name} = %{version} Supplements: packageand(%{name}:bash-completion) BuildArch: noarch @@ -196,7 +196,7 @@ Bash command line completion support for %{name}. %package zsh-completion Summary: Zsh Completion for %{name} -Group: System/Management +Group: System/Shells Requires: %{name} = %{version} Supplements: packageand(%{name}:zsh) BuildArch: noarch @@ -217,7 +217,7 @@ Zsh command line completion support for %{name}. %package fish-completion Summary: Fish Completion for %{name} -Group: System/Management +Group: System/Shells Requires: %{name} = %{version} Supplements: packageand(%{name}:fish-completion) BuildArch: noarch From 9189d5024b6208f77ebf34a0cb3e57a301e498c35963b12ce41cab01c35f6ec7 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Mon, 11 Feb 2019 14:39:43 +0000 Subject: [PATCH 5/5] Accepting request 673381 from home:cyphar:containers:docker_18.09.1 - Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary). bsc#1121967 + CVE-2019-5736.patch OBS-URL: https://build.opensuse.org/request/show/673381 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=286 --- docker.changes | 5 ----- docker.spec | 16 ---------------- 2 files changed, 21 deletions(-) diff --git a/docker.changes b/docker.changes index 6002abe..8db1c35 100644 --- a/docker.changes +++ b/docker.changes @@ -16,11 +16,6 @@ Tue Feb 5 11:24:02 UTC 2019 - Aleksa Sarai - Remove upstreamed patches. - bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch -------------------------------------------------------------------- -Mon Jan 14 17:18:43 UTC 2019 - Andrey Karepin - -- Add fish shell completion - ------------------------------------------------------------------- Fri Jan 11 09:57:32 UTC 2019 - Sascha Grunert diff --git a/docker.spec b/docker.spec index 3682cb5..0a6149c 100644 --- a/docker.spec +++ b/docker.spec @@ -94,7 +94,6 @@ BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates BuildRequires: device-mapper-devel >= 1.2.68 -BuildRequires: fish BuildRequires: glibc-devel-static BuildRequires: libapparmor-devel BuildRequires: libbtrfs-devel >= 3.8 @@ -215,16 +214,6 @@ Provides: %{realname}-zsh-completion = %{version} %description zsh-completion Zsh command line completion support for %{name}. -%package fish-completion -Summary: Fish Completion for %{name} -Group: System/Shells -Requires: %{name} = %{version} -Supplements: packageand(%{name}:fish-completion) -BuildArch: noarch - -%description fish-completion -Fish command line completion support for %{name}. - %package test %global __requires_exclude ^libgo.so.*$ Summary: Test package for docker 
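Review bot: Nothing in this commit adds the CVE-2019-5736 fix its subject announces: the diffstat lists only deletions in docker.changes and docker.spec, and no hunk introduces `CVE-2019-5736.patch`, a `Patch` tag, a `%patch` line or a changelog entry for bsc#1121967. What the hunks do instead is remove the fish-completion subpackage (the `BuildRequires: fish` line, the `%package`/`%description` stanza, and in the later hunks the install line and the `%files` section) and delete the 14 Jan changelog entry, none of which the description mentions. If this mail is the complete commit, a build from it ships without the runc fix while the history says otherwise. The patch file and its spec and changelog entries should be added here, and the fish-completion removal explained or split into its own commit.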
@@ -376,7 +365,6 @@ install -Dd -m 0755 \ install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{realname}" install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{realname}" -install -D -m0644 components/cli/contrib/completion/fish/docker.fish "%{buildroot}%{_datadir}/fish/completions/%{realname}.fish" # copy all for the test package install -d %{buildroot}%{_prefix}/src/docker/ cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine @@ -481,10 +469,6 @@ getent group docker >/dev/null || groupadd -r docker %defattr(-,root,root) %config %{_sysconfdir}/zsh_completion.d/%{realname} -%files fish-completion -%defattr(-,root,root) -%config %{_datadir}/fish/completions/%{realname}.fish - %files test %defattr(-,root,root) %{_prefix}/src/docker/