From 96b81887cedf8e79ba2a9cb1b20aa24fc7190ffc00760dfd20100c511a15daec Mon Sep 17 00:00:00 2001
From: Miquel Sabate Sola
Date: Tue, 11 Oct 2016 10:30:52 +0000
Subject: [PATCH] Accepting request 434284 from home:cyphar:branches:Virtualization:containers

This just fixes the docker-mount-secrets.patch to assist in bsc#999582.

OBS-URL: https://build.opensuse.org/request/show/434284
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=146
---
 docker-mount-secrets.patch | 65 ++++++++++++++++----------------
 docker.changes | 9 +++++-
 docker.spec | 4 +++
 3 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/docker-mount-secrets.patch b/docker-mount-secrets.patch
index 552a437..f0e9c78 100644
--- a/docker-mount-secrets.patch
+++ b/docker-mount-secrets.patch
@@ -1,31 +1,23 @@ -From fb84d5a3fbc3f1fad7dfc961b5dace3915eae7f9 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Mon, 11 Apr 2016 22:54:35 +1000 -Subject: [PATCH] SUSE: implement SUSE container secrets +commit 7726422774cf8dda6766cb268b4e9110e4f68945 +Author: Aleksa Sarai +Date: Mon Apr 11 22:54:35 2016 +1000 -This allows for us to pass in host credentials to a container, allowing -for SUSEConnect to work with containers. - -THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS -SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT -MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. - -Signed-off-by: Aleksa Sarai ---- - container/container_unix.go | 63 ++++++++++++ - daemon/container_operations_unix.go | 50 ++++++++++ - daemon/daemon_unix.go | 6 +- - daemon/oci_linux.go | 7 ++ - daemon/start.go | 6 ++ - daemon/suse_secrets.go | 184 ++++++++++++++++++++++++++++++++++++ - 6 files changed, 314 insertions(+), 2 deletions(-) - create mode 100644 daemon/suse_secrets.go + SUSE: implement SUSE container secrets + + This allows for us to pass in host credentials to a container, allowing + for SUSEConnect to work with containers. + + THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS + SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT + MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. + + Signed-off-by: Aleksa Sarai diff --git a/container/container_unix.go b/container/container_unix.go -index 8273bdb..d86d783 100644 +index 2727b818f542..07a07102f031 100644 --- a/container/container_unix.go +++ b/container/container_unix.go -@@ -34,6 +34,8 @@ type Container struct { +@@ -35,6 +35,8 @@ type Container struct { HostsPath string ShmPath string ResolvConfPath string 
@@ -34,14 +26,14 @@ index 8273bdb..d86d783 100644 SeccompProfile string NoNewPrivileges bool } -@@ -243,6 +245,67 @@ func (container *Container) IpcMounts() []Mount { +@@ -256,6 +258,67 @@ func (container *Container) IpcMounts() []Mount { return mounts } +// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's +// personal /run/secrets tmpfs. +func (container *Container) SuseSecretsResourcePath() (string, error) { -+ return container.GetRootResourcePath("suse:secrets") ++ return container.GetRootResourcePath("suse.secrets") +} + +// SUSE:secrets :: SuseSecretMounts returns the list of mounts required for the @@ -103,10 +95,10 @@ index 8273bdb..d86d783 100644 func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error { container.Lock() diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index c8a0b93..036c65a 100644 +index 55bd3fc8392d..a3ab7fbd83d1 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go -@@ -168,6 +168,56 @@ func (daemon *Daemon) getIpcContainer(container *container.Container) (*containe +@@ -184,6 +184,56 @@ func (daemon *Daemon) getPidContainer(container *container.Container) (*containe return c, nil } @@ -164,10 +156,10 @@ index c8a0b93..036c65a 100644 var err error diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go -index 9e231c5..1138c9a 100644 +index f26691226f91..2ced1b869b81 100644 --- a/daemon/daemon_unix.go +++ b/daemon/daemon_unix.go -@@ -795,8 +795,10 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e +@@ -809,8 +809,10 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e // the container from unwanted side-effects on the rw layer. func setupInitLayer(initLayer string, rootUID, rootGID int) error { for pth, typ := range map[string]string{ @@ -181,10 +173,10 @@ index 9e231c5..1138c9a 100644 "/sys": "dir", "/.dockerenv": "file", 
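Review bot: Renaming the per-container resource directory from `suse:secrets` to `suse.secrets` in SuseSecretsResourcePath changes where the daemon looks for the secrets tmpfs, but nothing in this patch migrates containers that were created under the old name. If the unmount path added to Cleanup in daemon/start.go (its added lines are not visible in this chunk) resolves the directory through the same helper, a daemon upgraded while such containers exist would presumably skip the old `suse:secrets` mount and leave it, and its directory, behind in the container root. Worth either accepting both names on the cleanup side for one release, or stating in docker.changes that existing containers must be recreated after the upgrade. The SuseSecretMounts function that follows starts in this hunk but continues past its end.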
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go -index e238640..0d8bb47 100644 +index 4459d02fcad3..6af7d351ccc0 100644 --- a/daemon/oci_linux.go +++ b/daemon/oci_linux.go -@@ -655,6 +655,10 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e +@@ -656,6 +656,10 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e if err := daemon.setupIpcDirs(c); err != nil { return nil, err } @@ -195,7 +187,7 @@ index e238640..0d8bb47 100644 ms, err := daemon.setupMounts(c) if err != nil { -@@ -662,6 +666,8 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e +@@ -663,6 +667,8 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e } ms = append(ms, c.IpcMounts()...) ms = append(ms, c.TmpfsMounts()...) @@ -205,10 +197,10 @@ index e238640..0d8bb47 100644 if err := setMounts(daemon, &s, c, ms); err != nil { return nil, fmt.Errorf("linux mounts: %v", err) diff --git a/daemon/start.go b/daemon/start.go -index 4862969..6d3b56e 100644 +index 7a0bc2121c83..30b75ee2a616 100644 --- a/daemon/start.go +++ b/daemon/start.go -@@ -164,6 +164,12 @@ func (daemon *Daemon) Cleanup(container *container.Container) { +@@ -173,6 +173,12 @@ func (daemon *Daemon) Cleanup(container *container.Container) { container.UnmountIpcMounts(detachMounted) @@ -223,7 +215,7 @@ index 4862969..6d3b56e 100644 // Ensure that all the mounts are gone diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 -index 0000000..417a1a9 +index 000000000000..417a1a9e5b61 --- /dev/null +++ b/daemon/suse_secrets.go @@ -0,0 +1,184 @@ @@ -411,6 +403,3 @@ index 0000000..417a1a9 + + return secrets, nil +} --- -2.8.1 - diff --git a/docker.changes b/docker.changes index 2db6fcf..4b73673 100644 --- a/docker.changes +++ b/docker.changes 
@@ -1,8 +1,15 @@ +------------------------------------------------------------------- +Tue Oct 11 09:36:23 UTC 2016 - asarai@suse.com + +- docker-mount-secrets.patch: change the internal mountpoint name to not use + ":" as that character can be considered a special character by other tools. + bsc#999582 + ------------------------------------------------------------------- Mon Sep 19 11:56:15 UTC 2016 - jmassaguerpla@suse.com - fix go_arches definition: use global instead of define, otherwise - it fails to build + it fails to build ------------------------------------------------------------------- Wed Sep 14 09:41:57 UTC 2016 - asarai@suse.com diff --git a/docker.spec b/docker.spec index ce69d26..15e9944 100644 --- a/docker.spec +++ b/docker.spec @@ -64,6 +64,10 @@ Source10: tests.sh Patch100: gcc-go-patches.patch Patch101: netlink_gcc_go.patch Patch102: netlink_netns_powerpc.patch +# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers +# which is not snapshotted when images are committed. Note that if you modify +# this patch, please also modify the patch in the suse-secrets-v +# branch in http://github.com/suse/docker.mirror. Patch200: docker-mount-secrets.patch Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch BuildRequires: audit