Review patches:

- remove the docker_remove_journald_*.patch files because we use dyngccgo instead of dynbinary
- replace gcc-go-build-static-libgo.patch by gcc-go-patches.patch, which patches dyngccgo instead of dynbinary
- add fix-ppc64le.patch to fix ppc64le build
- fix_bnc_958255.patch: fix Docker creates strange apparmor profile
  (bnc#958255)
- use_fs_cgroups_by_default.patch: Use fs cgroups by default:
   419fd7449f
- fix_cgroup.parent_path_sanitisation.patch: fix cgroup.Parent path
  sanitisation:
   bf899fef45

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=51
Jordi Massaguer 2016-01-20 18:58:55 +00:00 committed by Git OBS Bridge
parent f75a1e668a
commit 91c98f7c10
10 changed files with 210 additions and 178 deletions


@ -1,7 +1,7 @@
#
# spec file for package docker
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -44,17 +44,21 @@ Source100: sysconfig.docker.ppc64le
Patch0: fix-docker-init.patch
# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
Patch1: libcontainer-apparmor-fixes.patch
# fix regexp in apparmor default profile. This is already fixed upstream so in version > 1.9.1 it should be already fixed
Patch2: fix_bnc_958255.patch
# fix default cgroups. This is fixed upstream, too.
Patch3: use_fs_cgroups_by_default.patch
# fix an issue with cgroups. This is fixed upstream, too.
Patch4: fix_cgroup.parent_path_sanitisation.patch
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
# We cannot do that, right now a quick and really dirty way to get it running is
# to simply disable this check
Patch100: ignore-dockerinit-checksum.patch
Patch101: gcc-go-build-static-libgo.patch
Patch101: gcc-go-patches.patch
Patch102: add_bolt_ppc64.patch
Patch103: docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
Patch104: docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
Patch105: add_bolt_arm64.patch
Patch106: docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
Patch108: fix-ppc64le.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: device-mapper-devel >= 1.2.68
@ -140,6 +144,8 @@ Requires: procps
Requires: sqlite3-devel
BuildArch: noarch
%global __requires_exclude ^libgo.so.*$
%description test
Test package for docker. It contains the source code and the tests.
@ -147,14 +153,15 @@ Test package for docker. It contains the source code and the tests.
%setup -q -n docker-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%ifnarch %go_arches
%patch100 -p1
%patch101 -p0
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch108 -p1
%endif
cp %{SOURCE7} .
@ -174,10 +181,14 @@ export DOCKER_GITCOMMIT=%{git_version}
EOF
) > docker_build_env
. ./docker_build_env
./hack/make.sh dynbinary
%ifarch %go_arches
./hack/make.sh dynbinary
man/md2man-all.sh
%else
./hack/make.sh dyngccgo
%endif
# remove other than systemd
# otherwise the resulting package will have extra requires
rm -rf hack/make/.build-deb
@ -185,7 +196,13 @@ rm -rf hack/make/.build-deb
%install
install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}
%ifarch %go_arches
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
%else
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
%endif
install -d %{buildroot}/%{_prefix}/lib/docker
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
install -Dd -m 0755 \
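Review bot: The new `%global __requires_exclude ^libgo.so.*$` is a file-wide macro even though it sits under the `test` subpackage, so it hides an auto-detected libgo.so dependency from every subpackage; that is only safe if libgo really is linked statically into both the docker binary and dockerinit, and the accompanying gcc-go-patches.patch adds `-static-libgo` only to hack/make/gccgo (dockerinit relies on `IAMSTATIC`, presumably via `$EXTLDFLAGS_STATIC` — verify). If the dependency is real and merely masked, the package installs fine and the daemon fails at start-up with an unresolved libgo.so instead. I would move the line next to the `%ifnarch %go_arches` patch list with a comment such as `# libgo is linked statically (-static-libgo in gcc-go-patches.patch); the auto-Requires on libgo.so is bogus`, and confirm with `rpm -qpR` on the built package that no libgo.so requirement remains. The `install -Dd` command on the last line continues outside the hunk.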


@ -1,53 +0,0 @@
From 6f6f10a75f8b447637e8a89d685452871899e9c0 Mon Sep 17 00:00:00 2001
From: Stefan Scherer <scherer_stefan@icloud.com>
Date: Thu, 19 Nov 2015 17:09:20 +0100
Subject: [PATCH] prevent journald from being built on ARM
Signed-off-by: Govinda Fichtner <govinda.fichtner@googlemail.com>
---
daemon/logger/journald/journald.go | 2 +-
daemon/logger/journald/journald_unsupported.go | 2 +-
daemon/logger/journald/read.go | 2 +-
daemon/logger/journald/read_unsupported.go | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
Index: docker-1.9.1/daemon/logger/journald/journald.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/journald.go
+++ docker-1.9.1/daemon/logger/journald/journald.go
@@ -1,4 +1,4 @@
-// +build linux
+// +build linux,!arm
// Package journald provides the log driver for forwarding server logs
// to endpoints that receive the systemd format.
Index: docker-1.9.1/daemon/logger/journald/journald_unsupported.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/journald_unsupported.go
+++ docker-1.9.1/daemon/logger/journald/journald_unsupported.go
@@ -1,3 +1,3 @@
-// +build !linux
+// +build !linux linux,arm
package journald
Index: docker-1.9.1/daemon/logger/journald/read.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/read.go
+++ docker-1.9.1/daemon/logger/journald/read.go
@@ -1,4 +1,4 @@
-// +build linux,cgo,!static_build,journald
+// +build linux,cgo,!static_build,journald,!arm
package journald
Index: docker-1.9.1/daemon/logger/journald/read_unsupported.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/read_unsupported.go
+++ docker-1.9.1/daemon/logger/journald/read_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux !cgo static_build !journald
+// +build !linux !cgo static_build !journald linux,arm
package journald


@ -1,53 +0,0 @@
From: Michel Normand <normand@linux.vnet.ibm.com>
Subject: docker remove journald to fix dynbinary build on arm64
Date: Fri, 04 Dec 2015 17:07:12 +0100
docker remove journald to fix dynbinary build on arm64
Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
---
daemon/logger/journald/journald.go | 2 +-
daemon/logger/journald/journald_unsupported.go | 2 +-
daemon/logger/journald/read.go | 2 +-
daemon/logger/journald/read_unsupported.go | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
Index: docker-1.9.1/daemon/logger/journald/journald.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/journald.go
+++ docker-1.9.1/daemon/logger/journald/journald.go
@@ -1,4 +1,4 @@
-// +build linux,!arm linux,!ppc64 linux,!ppc64le
+// +build linux,!arm linux,!arm64 linux,!ppc64 linux,!ppc64le
// Package journald provides the log driver for forwarding server logs
// to endpoints that receive the systemd format.
Index: docker-1.9.1/daemon/logger/journald/journald_unsupported.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/journald_unsupported.go
+++ docker-1.9.1/daemon/logger/journald/journald_unsupported.go
@@ -1,3 +1,3 @@
-// +build !linux linux,arm linux,ppc64 linux,ppc64le
+// +build !linux linux,arm linux,arm64 linux,ppc64 linux,ppc64le
package journald
Index: docker-1.9.1/daemon/logger/journald/read.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/read.go
+++ docker-1.9.1/daemon/logger/journald/read.go
@@ -1,4 +1,4 @@
-// +build linux,cgo,!static_build,journald,!arm,!ppc64,!ppc64le
+// +build linux,cgo,!static_build,journald,!arm,!arm64,!ppc64,!ppc64le
package journald
Index: docker-1.9.1/daemon/logger/journald/read_unsupported.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/read_unsupported.go
+++ docker-1.9.1/daemon/logger/journald/read_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux !cgo static_build !journald linux,arm linux,ppc64 linux,ppc64le
+// +build !linux !cgo static_build !journald linux,arm linux,arm64 linux,ppc64 linux,ppc64le
package journald


@ -1,53 +0,0 @@
From: Michel Normand <normand@linux.vnet.ibm.com>
Subject: docker remove journald to fix dynbinary build on powerpc
Date: Fri, 04 Dec 2015 14:45:43 +0100
docker remove journald to fix dynbinary build on powerpc
Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
---
daemon/logger/journald/journald.go | 2 +-
daemon/logger/journald/journald_unsupported.go | 2 +-
daemon/logger/journald/read.go | 2 +-
daemon/logger/journald/read_unsupported.go | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
Index: docker-1.9.1/daemon/logger/journald/journald.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/journald.go
+++ docker-1.9.1/daemon/logger/journald/journald.go
@@ -1,4 +1,4 @@
-// +build linux,!arm
+// +build linux,!arm linux,!ppc64 linux,!ppc64le
// Package journald provides the log driver for forwarding server logs
// to endpoints that receive the systemd format.
Index: docker-1.9.1/daemon/logger/journald/journald_unsupported.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/journald_unsupported.go
+++ docker-1.9.1/daemon/logger/journald/journald_unsupported.go
@@ -1,3 +1,3 @@
-// +build !linux linux,arm
+// +build !linux linux,arm linux,ppc64 linux,ppc64le
package journald
Index: docker-1.9.1/daemon/logger/journald/read.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/read.go
+++ docker-1.9.1/daemon/logger/journald/read.go
@@ -1,4 +1,4 @@
-// +build linux,cgo,!static_build,journald,!arm
+// +build linux,cgo,!static_build,journald,!arm,!ppc64,!ppc64le
package journald
Index: docker-1.9.1/daemon/logger/journald/read_unsupported.go
===================================================================
--- docker-1.9.1.orig/daemon/logger/journald/read_unsupported.go
+++ docker-1.9.1/daemon/logger/journald/read_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux !cgo static_build !journald linux,arm
+// +build !linux !cgo static_build !journald linux,arm linux,ppc64 linux,ppc64le
package journald

20
fix-ppc64le.patch Normal file

@ -0,0 +1,20 @@
Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
===================================================================
--- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
+++ docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
@@ -1,4 +1,4 @@
-// +build arm ppc64 ppc64le
+// +build arm ppc64,!ppc64le
package bridge
Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
===================================================================
--- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
+++ docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
@@ -1,4 +1,4 @@
-// +build !arm,!ppc64,!ppc64le
+// +build !arm,!ppc64 ppc64le
package bridge
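Review bot: The new constraints `arm ppc64,!ppc64le` and `!arm,!ppc64 ppc64le` are correct but redundant, since GOARCH is exactly one of `ppc64` or `ppc64le` and a build can never satisfy both; `// +build arm ppc64` and `// +build !arm,!ppc64` express the same selection (ppc64le takes the notarm file) without making a reader wonder what case the extra terms cover. If the redundancy is deliberate because gccgo of this vintage spells the tag differently, that is worth one line in a patch header, which this file currently lacks (no From/Subject/upstream reference, unlike use_fs_cgroups_by_default.patch). Either way, a header stating why ppc64le must use the non-deprecated netlink path would let the patch be dropped or re-evaluated at the next rebase.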

13
fix_bnc_958255.patch Normal file

@ -0,0 +1,13 @@
diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
index 3aaba98..06babd3 100644
--- a/daemon/execdriver/native/apparmor.go
+++ b/daemon/execdriver/native/apparmor.go
@@ -40,7 +40,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
file,
umount,
- deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
+ deny @{PROC}/{*,**^[0-9]*,sys/kernel/shm*} wkx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
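Review bot: The patch carries no header identifying the upstream commit it backports, while the spec comment beside Patch2 says the regex is already fixed upstream and the other backport in this package (use_fs_cgroups_by_default.patch) keeps its full From/Subject header; without it the patch cannot be matched against upstream at the 1.10 rebase. I would prefix the file with something like `Subject: apparmor: fix **^[0-9*] typo in the default profile's /proc deny rule (bnc#958255)` followed by the upstream commit id. Since this rule is part of the generated `profile {{.Name}}` template, a quick `apparmor_parser -Q` run on a profile produced by the patched daemon is presumably the way to confirm the rewritten rule both parses and still denies writes outside the per-PID directories — verify. The template string containing this rule starts before the hunk and continues after it.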


@ -0,0 +1,67 @@
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
index a0a93a4..da31d06 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@@ -216,12 +216,39 @@ func (m *Manager) GetPids() ([]int, error) {
return cgroups.GetPids(dir)
}
+// pathClean makes a path safe for use with filepath.Join. This is done by not
+// only cleaning the path, but also (if the path is relative) adding a leading
+// '/' and cleaning it (then removing the leading '/'). This ensures that a
+// path resulting from prepending another path will always resolve to lexically
+// be a subdirectory of the prefixed path. This is all done lexically, so paths
+// that include symlinks won't be safe as a result of using pathClean.
+func pathClean(path string) string {
+ // Ensure that all paths are cleaned (especially problematic ones like
+ // "/../../../../../" which can cause lots of issues).
+ path = filepath.Clean(path)
+
+ // If the path isn't absolute, we need to do more processing to fix paths
+ // such as "../../../../<etc>/some/path". We also shouldn't convert absolute
+ // paths to relative ones.
+ if !filepath.IsAbs(path) {
+ path = filepath.Clean(string(os.PathSeparator) + path)
+ // This can't fail, as (by definition) all paths are relative to root.
+ path, _ = filepath.Rel(string(os.PathSeparator), path)
+ }
+
+ // Clean the path again for good measure.
+ return filepath.Clean(path)
+}
+
func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {
root, err := getCgroupRoot()
if err != nil {
return nil, err
}
+ // Clean the parent slice path.
+ c.Parent = pathClean(c.Parent)
+
cgroup := c.Name
if c.Parent != "" {
cgroup = filepath.Join(c.Parent, cgroup)
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
index f3ec2c3..0b13115 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@@ -4,6 +4,7 @@ package fs
import (
"bytes"
+ "fmt"
"io/ioutil"
"os"
"path/filepath"
@@ -92,6 +93,10 @@ func (s *CpusetGroup) ensureParent(current, root string) error {
if filepath.Clean(parent) == root {
return nil
}
+ // Avoid infinite recursion.
+ if parent == current {
+ return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
+ }
if err := s.ensureParent(parent, root); err != nil {
return err
}
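Review bot: `c.Parent = pathClean(c.Parent)` also rewrites an unset parent: `filepath.Clean("")` returns `"."`, so after this line `c.Parent` is never empty and the `if c.Parent != ""` guard on the next line is always taken; `filepath.Join(".", cgroup)` still collapses to the bare name, so the computed path is right, but the mutation of the caller's `*configs.Cgroup` is now observable by anything else that reads `Parent` (presumably other cgroup managers or logging — not visible here, verify). I would keep the sanitised value local, `parent := pathClean(c.Parent)`, and join with that, or at minimum guard the assignment with `if c.Parent != "" {`. The pathClean doc comment already says the cleaning is purely lexical, which deserves a one-line reminder at the call site, e.g. `// lexical only: a Parent that is a symlink out of the cgroup root is not caught here`. getCgroupData continues past the end of the first hunk.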


@ -1,10 +0,0 @@
--- hack/make/binary
+++ hack/make/binary
@@ -9,6 +9,7 @@
echo "Building: $DEST/$BINARY_FULLNAME"
go build \
+ -gccgoflags="-static-libgo" \
-o "$DEST/$BINARY_FULLNAME" \
"${BUILDFLAGS[@]}" \
-ldflags "

33
gcc-go-patches.patch Normal file

@ -0,0 +1,33 @@
Index: hack/make/.dockerinit-gccgo
===================================================================
--- hack/make/.dockerinit-gccgo.orig
+++ hack/make/.dockerinit-gccgo
@@ -1,5 +1,5 @@
#!/bin/bash
-set -e
+set -ex
IAMSTATIC="true"
source "${MAKEDIR}/.go-autogen"
Index: hack/make/gccgo
===================================================================
--- hack/make/gccgo.orig
+++ hack/make/gccgo
@@ -1,5 +1,5 @@
#!/bin/bash
-set -e
+set -ex
BINARY_NAME="docker-$VERSION"
BINARY_EXTENSION="$(binary_extension)"
@@ -17,6 +17,8 @@ go build -compiler=gccgo \
-g
+ -Wl,--add-needed -Wl,--no-as-needed
$EXTLDFLAGS_STATIC
+ -static-libgo
-Wl,--no-export-dynamic
- -ldl
+ -ldl -lselinux -lsystemd
" \
./docker
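Review bot: The added `-Wl,--add-needed -Wl,--no-as-needed` switches the distribution's default `--as-needed` off for the rest of the link, so `-ldl -lselinux -lsystemd` become unconditional DT_NEEDED entries whether or not a symbol from them is referenced; if that is what the gccgo-built binary needs to resolve libcontainer's selinux and journald cgo code, a patch header saying so, e.g. `# gccgo drops libselinux/libsystemd under --as-needed; force them as DT_NEEDED`, would stop the next person from reverting it, and the spec should carry matching BuildRequires for their -devel packages (not visible in the shown spec hunk — verify). The `set -e` to `set -ex` change in both scripts is debug tracing unrelated to the linker fix and will flood the OBS build log with every command; I would leave it out of the patch. The file, like fix-ppc64le.patch, has no From/Subject/provenance header.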


@ -0,0 +1,51 @@
From 419fd7449fe1a984f582731fcd4d9455000846b0 Mon Sep 17 00:00:00 2001
From: Alexander Morozov <lk4d4@docker.com>
Date: Wed, 4 Nov 2015 13:51:46 -0800
Subject: [PATCH] Use fs cgroups by default
Our implementation of systemd cgroups is mixture of systemd api and
plain filesystem api. It's hard to keep it up to date with systemd and
it already contains some nasty bugs with new versions. Ideally it should
be replaced with some daemon flag which will allow to set parent systemd
slice.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
---
daemon/execdriver/native/driver.go | 3 ---
docs/reference/commandline/daemon.md | 8 ++++----
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
index 09171c5..0b6cec3 100644
--- a/daemon/execdriver/native/driver.go
+++ b/daemon/execdriver/native/driver.go
@@ -74,9 +74,6 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {
// this makes sure there are no breaking changes to people
// who upgrade from versions without native.cgroupdriver opt
cgm := libcontainer.Cgroupfs
- if systemd.UseSystemd() {
- cgm = libcontainer.SystemdCgroups
- }
// parse the options
for _, option := range options {
diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md
index 91fd3c6..0721538 100644
--- a/docs/reference/commandline/daemon.md
+++ b/docs/reference/commandline/daemon.md
@@ -452,11 +452,11 @@ single `native.cgroupdriver` option is available.
The `native.cgroupdriver` option specifies the management of the container's
cgroups. You can specify `cgroupfs` or `systemd`. If you specify `systemd` and
-it is not available, the system uses `cgroupfs`. By default, if no option is
-specified, the execdriver first tries `systemd` and falls back to `cgroupfs`.
-This example sets the execdriver to `cgroupfs`:
+it is not available, the system uses `cgroupfs`. If you omit the
+`native.cgroupdriver` option,` cgroupfs` is used.
+This example sets the `cgroupdriver` to `systemd`:
- $ sudo docker daemon --exec-opt native.cgroupdriver=cgroupfs
+ $ sudo docker daemon --exec-opt native.cgroupdriver=systemd
Setting this option applies to all containers the daemon launches.
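Review bot: Removing the `systemd.UseSystemd()` call from NewDriver may leave the `systemd` import in driver.go unused, which is a compile error in Go, unless another reference to that package survives elsewhere in the file — the import block is outside the hunk, so this needs checking against the full 1.9.1 file rather than trusting that the upstream commit applied cleanly. The behavioural consequence is that on systemd hosts the daemon now defaults to cgroupfs, placing container cgroups directly in the raw hierarchy rather than under a systemd slice; a comment above `cgm := libcontainer.Cgroupfs`, e.g. `// cgroupfs is the default on every host; systemd is opt-in via native.cgroupdriver=systemd`, would make that visible next to the code instead of only in daemon.md. In the daemon.md hunk the opening backtick before cgroupfs has slipped before the space, so the rendered text shows a stray quote. NewDriver continues outside the hunk.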