From ba2f6637f87ccb65130e3c6f2808bd58960e21bee2fa5b061bc5b9a5fe3a2fca Mon Sep 17 00:00:00 2001
From: Miquel Sabate Sola
Date: Wed, 17 May 2017 15:18:13 +0000
Subject: [PATCH] Accepting request 495639 from home:cyphar:containers

- Fix bsc#1037607 which was causing read-only issues on Kubic, this is a backport of https://github.com/moby/moby/pull/33250.
+ bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch

OBS-URL: https://build.opensuse.org/request/show/495639
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=185
---
 ...-pkg-aaparser-work-on-read-only-root.patch | 60 +++++++++++++++++++
 docker.changes | 7 +++
 docker.spec | 3 +
 3 files changed, 70 insertions(+)
 create mode 100644 bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch

diff --git a/bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch b/bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
new file mode 100644
index 0000000..ac5da10
--- /dev/null
+++ b/bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
@@ -0,0 +1,60 @@
+From 9783e1791fc438751b327023b0cd7d392e54084f Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 18 May 2017 00:02:00 +1000
+Subject: [PATCH] apparmor: make pkg/aaparser work on read-only root
+
+This is necessary because normally `apparmor_parser -r` will try to
+create a temporary directory on the host (which is not allowed if the
+host has a rootfs). However, the -K option bypasses saving things to the
+cache (which avoids this issue).
+
+ % apparmor_parser -r /tmp/docker-profile
+ mkstemp: Read-only file system
+ % apparmor_parser -Kr /tmp/docker-profile
+ %
+
+In addition, add extra information to the ensureDefaultAppArmorProfile
+errors so that problems like this are easier to debug.
+
+Fixes: 2f7596aaef3a ("apparmor: do not save profile to /etc/apparmor.d")
+Signed-off-by: Aleksa Sarai
+---
+ daemon/apparmor_default.go | 2 +-
+ pkg/aaparser/aaparser.go | 7 ++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
+index 09dd0541b872..2a418b25c241 100644
+--- a/daemon/apparmor_default.go
++++ b/daemon/apparmor_default.go
+@@ -28,7 +28,7 @@ func ensureDefaultAppArmorProfile() error {
+ 
+ // Load the profile.
+ if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
+- return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile)
++ return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
+ }
+ }
+ 
+diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
+index e794c4c729e2..5de4a4d79b35 100644
+--- a/pkg/aaparser/aaparser.go
++++ b/pkg/aaparser/aaparser.go
+@@ -22,10 +22,11 @@ func GetVersion() (int, error) {
+ return parseVersion(output)
+ }
+ 
+-// LoadProfile runs `apparmor_parser -r` on a specified apparmor profile to
+-// replace the profile. 
++// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
++// replace the profile. The `-K` is necessary to make sure that apparmor_parser
++// doesn't try to write to a read-only filesystem.
+ func LoadProfile(profilePath string) error {
+- _, err := cmd("", "-r", profilePath)
++ _, err := cmd("", "-Kr", profilePath)
+ return err
+ }
+ 
+-- 
+2.12.2
+
diff --git a/docker.changes b/docker.changes
index d4c97f0..35016e2 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 17 14:41:29 UTC 2017 - asarai@suse.com
+
+- Fix bsc#1037607 which was causing read-only issues on Kubic, this is a
+ backport of https://github.com/moby/moby/pull/33250.
+ + bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
+
 -------------------------------------------------------------------
 Wed May 10 13:54:44 UTC 2017 - asarai@suse.com
 
diff --git a/docker.spec b/docker.spec
index 3334881..ef39fc6 100644
--- a/docker.spec
+++ b/docker.spec
@@ -56,6 +56,8 @@ Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch
 # PATCH-FIX-UPSTREAM: Backport of https://github.com/docker/cli/pull/52 (bsc#1037436).
 Patch400: bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/33250 (bsc#1037607).
+Patch401: bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
@@ -168,6 +170,7 @@ Test package for docker. It contains the source code and the tests.
 %endif
 %patch300 -p1
 %patch400 -p1
+%patch401 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .
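Review bot: The new LoadProfile doc comment in the aaparser.go hunk explains `-K` only as "doesn't try to write to a read-only filesystem", but per the apparmor_parser man page `-K` (`--skip-cache`) also stops the parser from reading the cache, so every call now recompiles the profile from its text, for every caller of this shared helper and not just on read-only roots. That is the fail-safe direction — the policy actually loaded always matches the profile file and a stale cached binary can never be substituted for it — but the cost and the scope belong in the comment, e.g. `// -K also skips reading the cache, so each load is a full recompile; this is accepted rather than depending on a writable cache directory.` The failure path is unchanged: ensureDefaultAppArmorProfile still returns an error instead of continuing without the profile, which is what a reviewer would want to see preserved here. In the apparmor_default.go hunk the error value is formatted with `%s`; `%v` is the conventional verb for errors, `fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %v", defaultApparmorProfile, err)`. Both ensureDefaultAppArmorProfile and the rest of aaparser.go continue outside the hunk.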