Accepting request 673384 from Virtualization:containers
- Update to Docker 18.09.1-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308 OBS-URL: https://build.opensuse.org/request/show/673384 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=86
commit
84c36336be
7
_service
7
_service
@ -3,15 +3,12 @@
|
|||||||
<param name="url">https://github.com/docker/docker-ce.git</param>
|
<param name="url">https://github.com/docker/docker-ce.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">18.09.0_ce</param>
|
<param name="versionformat">18.09.1_ce.%h</param>
|
||||||
<param name="revision">v18.09.0</param>
|
<param name="revision">v18.09.1</param>
|
||||||
<param name="filename">docker</param>
|
<param name="filename">docker</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="recompress" mode="disabled">
|
<service name="recompress" mode="disabled">
|
||||||
<param name="file">docker-*.tar</param>
|
<param name="file">docker-*.tar</param>
|
||||||
<param name="compression">xz</param>
|
<param name="compression">xz</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="set_version" mode="disabled">
|
|
||||||
<param name="basename">docker</param>
|
|
||||||
</service>
|
|
||||||
</services>
|
</services>
|
||||||
|
@ -1,75 +0,0 @@
|
|||||||
From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
|
||||||
Date: Sun, 8 Apr 2018 20:21:30 +1000
|
|
||||||
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
|
|
||||||
|
|
||||||
In newer kernels, AppArmor will reject attempts to send signals to a
|
|
||||||
container because the signal originated from outside of that AppArmor
|
|
||||||
profile. Correct this by allowing all unconfined signals to be received.
|
|
||||||
|
|
||||||
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
||||||
---
|
|
||||||
.../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++
|
|
||||||
.../engine/profiles/apparmor/template.go | 6 ++++++
|
|
||||||
2 files changed, 27 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
|
|
||||||
index b021668c8e4c..2f58ee852cab 100644
|
|
||||||
--- a/components/engine/profiles/apparmor/apparmor.go
|
|
||||||
+++ b/components/engine/profiles/apparmor/apparmor.go
|
|
||||||
@@ -23,6 +23,8 @@ var (
|
|
||||||
type profileData struct {
|
|
||||||
// Name is profile name.
|
|
||||||
Name string
|
|
||||||
+ // DaemonProfile is the profile name of our daemon.
|
|
||||||
+ DaemonProfile string
|
|
||||||
// Imports defines the apparmor functions to import, before defining the profile.
|
|
||||||
Imports []string
|
|
||||||
// InnerImports defines the apparmor functions to import in the profile.
|
|
||||||
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
|
|
||||||
Name: name,
|
|
||||||
}
|
|
||||||
|
|
||||||
+ // Figure out the daemon profile.
|
|
||||||
+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
|
|
||||||
+ if err != nil {
|
|
||||||
+ // If we couldn't get the daemon profile, assume we are running
|
|
||||||
+ // unconfined which is generally the default.
|
|
||||||
+ currentProfile = nil
|
|
||||||
+ }
|
|
||||||
+ daemonProfile := string(currentProfile)
|
|
||||||
+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
|
|
||||||
+ // profiles cannot contain spaces so this doesn't restrict daemon profile
|
|
||||||
+ // names.
|
|
||||||
+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
|
|
||||||
+ daemonProfile = parts[0]
|
|
||||||
+ }
|
|
||||||
+ if daemonProfile == "" {
|
|
||||||
+ daemonProfile = "unconfined"
|
|
||||||
+ }
|
|
||||||
+ p.DaemonProfile = daemonProfile
|
|
||||||
+
|
|
||||||
// Install to a temporary directory.
|
|
||||||
f, err := ioutil.TempFile("", name)
|
|
||||||
if err != nil {
|
|
||||||
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
|
|
||||||
index c00a3f70e993..400b3bd50a11 100644
|
|
||||||
--- a/components/engine/profiles/apparmor/template.go
|
|
||||||
+++ b/components/engine/profiles/apparmor/template.go
|
|
||||||
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
|
||||||
capability,
|
|
||||||
file,
|
|
||||||
umount,
|
|
||||||
+{{if ge .Version 208096}}
|
|
||||||
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
|
|
||||||
+ signal (receive) peer={{.DaemonProfile}},
|
|
||||||
+{{/* Allow container processes to send signals amongst themselves. */}}
|
|
||||||
+ signal (send,receive) peer={{.Name}},
|
|
||||||
+{{end}}
|
|
||||||
|
|
||||||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
|
||||||
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
|
||||||
--
|
|
||||||
2.19.1
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ce38c3b659b78bccdfaf07b1f0a4eaaf454ffec726434511feeee1b9a2fc8151
|
|
||||||
size 9264940
|
|
3
docker-18.09.1_ce.4c52b901c6cb.tar.xz
Normal file
3
docker-18.09.1_ce.4c52b901c6cb.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:977edd36e90089a63712975d63bdce7b99d6b5ac8cddaa54b71c216c1ed75020
|
||||||
|
size 9334972
|
8
docker-daemon.json
Normal file
8
docker-daemon.json
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
{
|
||||||
|
"log-level": "warn",
|
||||||
|
"log-driver": "json-file",
|
||||||
|
"log-opts": {
|
||||||
|
"max-size": "10m",
|
||||||
|
"max-file": "5"
|
||||||
|
}
|
||||||
|
}
|
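Review bot: `"log-level": "warn"` near the top of the new file lowers the daemon's verbosity below dockerd's default of `info`, which the changelog entry for this file (log rotation configuration, bsc#1114832) does not mention. Info-level daemon messages are often what an operator needs when reconstructing events after an incident, so suppressing them by default should either get its own justification in the changelog or be dropped, leaving only `"log-driver"` and `"log-opts"`. The rotation limits themselves (`"max-size": "10m"`, `"max-file": "5"`) cap each container's json-file logs at about 50 MB, which bounds disk exhaustion from a noisy container.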
@ -1,3 +1,21 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Feb 9 13:54:03 UTC 2019 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Update shell completion to use Group: System/Shells.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 6 14:37:43 UTC 2019 - Michal Jura <mjura@suse.com>
|
||||||
|
|
||||||
|
- Add daemon.json file with rotation logs cofiguration, bsc#1114832
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 5 11:24:02 UTC 2019 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Update to Docker 18.09.1-ce. See upstream changelog in the packaged
|
||||||
|
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308
|
||||||
|
- Remove upstreamed patches.
|
||||||
|
- bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jan 11 09:57:32 UTC 2019 - Sascha Grunert <sgrunert@suse.com>
|
Fri Jan 11 09:57:32 UTC 2019 - Sascha Grunert <sgrunert@suse.com>
|
||||||
|
|
||||||
|
29
docker.spec
29
docker.spec
@ -42,24 +42,24 @@
|
|||||||
# helpfully injects into our build environment from the changelog). If you want
|
# helpfully injects into our build environment from the changelog). If you want
|
||||||
# to generate a new git_commit_epoch, use this:
|
# to generate a new git_commit_epoch, use this:
|
||||||
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
||||||
%define git_version e68fc7a215d7
|
%define git_version 4c52b901c6cb
|
||||||
%define git_commit_epoch 1534871791
|
%define git_commit_epoch 1547060456
|
||||||
|
|
||||||
# These are the git commits required. We verify them against the source to make
|
# These are the git commits required. We verify them against the source to make
|
||||||
# sure we didn't miss anything important when doing upgrades.
|
# sure we didn't miss anything important when doing upgrades.
|
||||||
%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
|
%define required_containerd 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
|
||||||
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
|
%define required_dockerrunc 96ec2177ae841256168fcf76954f7177af9446eb
|
||||||
%define required_libnetwork 6da50d1978302f04c3e2089e29112ea24812f05b
|
%define required_libnetwork 2cfbf9b1f98162a55829a21cc603c76072a75382
|
||||||
|
|
||||||
Name: %{realname}%{name_suffix}
|
Name: %{realname}%{name_suffix}
|
||||||
Version: 18.09.0_ce
|
Version: 18.09.1_ce
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Linux container runtime
|
Summary: The Linux container runtime
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
Group: System/Management
|
Group: System/Management
|
||||||
Url: http://www.docker.io
|
Url: http://www.docker.io
|
||||||
# TODO(VR): check those SOURCE files below
|
# TODO(VR): check those SOURCE files below
|
||||||
Source: %{realname}-%{version}.tar.xz
|
Source: %{realname}-%{version}.%{git_version}.tar.xz
|
||||||
Source1: docker.service
|
Source1: docker.service
|
||||||
# bsc#1086185 -- but we only apply this on Kubic.
|
# bsc#1086185 -- but we only apply this on Kubic.
|
||||||
Source2: docker-kubic-service.conf
|
Source2: docker-kubic-service.conf
|
||||||
@ -70,14 +70,13 @@ Source6: docker-rpmlintrc
|
|||||||
Source7: README_SUSE.md
|
Source7: README_SUSE.md
|
||||||
Source8: docker-audit.rules
|
Source8: docker-audit.rules
|
||||||
Source9: tests.sh
|
Source9: tests.sh
|
||||||
|
Source10: docker-daemon.json
|
||||||
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
|
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
|
||||||
# which is not snapshotted when images are committed. Note that if you modify
|
# which is not snapshotted when images are committed. Note that if you modify
|
||||||
# this patch, please also modify the patch in the suse-secrets-v<version>
|
# this patch, please also modify the patch in the suse-secrets-v<version>
|
||||||
# branch in http://github.com/suse/docker.mirror.
|
# branch in http://github.com/suse/docker.mirror.
|
||||||
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||||
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37831. bsc#1073877
|
|
||||||
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
|
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
|
||||||
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
|
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
|
||||||
@ -175,7 +174,7 @@ service-oriented architectures, etc.
|
|||||||
|
|
||||||
%package bash-completion
|
%package bash-completion
|
||||||
Summary: Bash Completion for %{name}
|
Summary: Bash Completion for %{name}
|
||||||
Group: System/Management
|
Group: System/Shells
|
||||||
Requires: %{name} = %{version}
|
Requires: %{name} = %{version}
|
||||||
Supplements: packageand(%{name}:bash-completion)
|
Supplements: packageand(%{name}:bash-completion)
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
@ -196,7 +195,7 @@ Bash command line completion support for %{name}.
|
|||||||
|
|
||||||
%package zsh-completion
|
%package zsh-completion
|
||||||
Summary: Zsh Completion for %{name}
|
Summary: Zsh Completion for %{name}
|
||||||
Group: System/Management
|
Group: System/Shells
|
||||||
Requires: %{name} = %{version}
|
Requires: %{name} = %{version}
|
||||||
Supplements: packageand(%{name}:zsh)
|
Supplements: packageand(%{name}:zsh)
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
@ -259,7 +258,7 @@ docker container runtime configuration for kubeadm
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{realname}-%{version}
|
%setup -q -n %{realname}-%{version}.%{git_version}
|
||||||
%if 0%{?is_opensuse}
|
%if 0%{?is_opensuse}
|
||||||
# nothing
|
# nothing
|
||||||
%else
|
%else
|
||||||
@ -267,8 +266,6 @@ docker container runtime configuration for kubeadm
|
|||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%patch201 -p1
|
%patch201 -p1
|
||||||
%endif
|
%endif
|
||||||
# bsc#1073877
|
|
||||||
%patch400 -p1
|
|
||||||
# bsc#1099277
|
# bsc#1099277
|
||||||
%patch401 -p1
|
%patch401 -p1
|
||||||
# boo#1047218
|
# boo#1047218
|
||||||
@ -394,6 +391,9 @@ install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realnam
|
|||||||
# sysconfig file
|
# sysconfig file
|
||||||
install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker
|
install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker
|
||||||
|
|
||||||
|
# install docker config file
|
||||||
|
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/daemon.json
|
||||||
|
|
||||||
# install manpages (using the ones from the engine)
|
# install manpages (using the ones from the engine)
|
||||||
install -d %{buildroot}%{_mandir}/man1
|
install -d %{buildroot}%{_mandir}/man1
|
||||||
install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1
|
install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1
|
||||||
@ -451,6 +451,7 @@ getent group docker >/dev/null || groupadd -r docker
|
|||||||
%dir %{_unitdir}/%{realname}.service.d/
|
%dir %{_unitdir}/%{realname}.service.d/
|
||||||
%{_unitdir}/%{realname}.service.d/90-kubic.conf
|
%{_unitdir}/%{realname}.service.d/90-kubic.conf
|
||||||
%endif
|
%endif
|
||||||
|
%config %{_sysconfdir}/daemon.json
|
||||||
%config %{_sysconfdir}/audit/rules.d/%{realname}.rules
|
%config %{_sysconfdir}/audit/rules.d/%{realname}.rules
|
||||||
%{_udevrulesdir}/80-%{realname}.rules
|
%{_udevrulesdir}/80-%{realname}.rules
|
||||||
%{_fillupdir}/sysconfig.docker
|
%{_fillupdir}/sysconfig.docker
|
||||||
|
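Review bot: The new install line in the `@ -394,6 +391,9 @` hunk puts the file at `%{_sysconfdir}/daemon.json`, but dockerd reads `/etc/docker/daemon.json` by default, so unless docker.service (not shown here) passes `--config-file`, the log rotation limits would presumably never be applied. I would change it to `install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/docker/daemon.json` and make sure the `%files` list owns that directory. The matching `%files` entry in the `@ -451,6 +451,7 @` hunk is a plain `%config`, so a package update that ships a changed file replaces an administrator's edited copy and moves the edits aside to `.rpmsave`. Since daemon.json is where hardening settings are usually kept, `%config(noreplace) %{_sysconfdir}/docker/daemon.json` is the safer form.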