Accepting request 653739 from Virtualization:containers

Docker 18.09 upgrade.

OBS-URL: https://build.opensuse.org/request/show/653739
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=83
This commit is contained in:
Dominique Leuenberger 2018-12-05 08:39:04 +00:00 committed by Git OBS Bridge
commit caf6995359
16 changed files with 613 additions and 84 deletions


@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker-ce.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">18.06.1_ce</param>
<param name="revision">v18.06.1-ce</param>
<param name="versionformat">18.09.0_ce</param>
<param name="revision">v18.09.0</param>
<param name="filename">docker</param>
</service>
<service name="recompress" mode="disabled">


@ -0,0 +1,66 @@
From 244ae6114d89a495f1f2b4cf98eb5979fe1381b0 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 17 Jun 2018 17:05:54 +1000
Subject: [PATCH 1/2] oci: include the domainname in "kernel.domainname"
The OCI doesn't have a specific field for an NIS domainname[1] (mainly
because FreeBSD and Solaris appear to have a similar concept but it is
configured entirely differently).
However, on Linux, the NIS domainname can be configured through both the
setdomainname(2) syscall but also through the "kernel.domainname"
sysctl. Since the OCI has a way of injecting sysctls this means we don't
need to have any OCI changes to support NIS domainnames (and we can
always switch if the OCI picks up such support in the future).
It should be noted that because we have to generate this each spec
creation we also have to make sure that it's not clobbered by the
HostConfig. I'm pretty sure making this change generic (so that
HostConfig will not clobber any pre-set sysctls) will not cause other
issues to crop up.
[1]: https://github.com/opencontainers/runtime-spec/issues/592
SUSE-Bugs: bsc#1001161
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/daemon/oci_linux.go | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
index 7611fc054d13..d5838623528e 100644
--- a/components/engine/daemon/oci_linux.go
+++ b/components/engine/daemon/oci_linux.go
@@ -679,7 +679,15 @@ func (daemon *Daemon) populateCommonSpec(s *specs.Spec, c *container.Container)
s.Process.Cwd = cwd
s.Process.Env = c.CreateDaemonEnvironment(c.Config.Tty, linkedEnv)
s.Process.Terminal = c.Config.Tty
- s.Hostname = c.FullHostname()
+
+ s.Hostname = c.Config.Hostname
+ // There isn't a field in the OCI for the NIS domainname, but luckily there
+ // is a sysctl which has an identical effect to setdomainname(2) so there's
+ // no explicit need for runtime support.
+ s.Linux.Sysctl = make(map[string]string)
+ if c.Config.Domainname != "" {
+ s.Linux.Sysctl["kernel.domainname"] = c.Config.Domainname
+ }
return nil
}
@@ -715,7 +723,11 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
if err := setResources(&s, c.HostConfig.Resources); err != nil {
return nil, fmt.Errorf("linux runtime spec resources: %v", err)
}
- s.Linux.Sysctl = c.HostConfig.Sysctls
+ // We merge the sysctls injected above with the HostConfig (latter takes
+ // precedence for backwards-compatibility reasons).
+ for k, v := range c.HostConfig.Sysctls {
+ s.Linux.Sysctl[k] = v
+ }
p := s.Linux.CgroupsPath
if useSystemd {
--
2.19.2
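Review bot: The `kernel.domainname` sysctl is injected into the spec whenever `c.Config.Domainname` is non-empty, and nothing in this patch checks the container's UTS mode; the sysctl takes effect in whichever UTS namespace the container runs in, so a container sharing the host's UTS namespace would apply it to the host unless that combination is rejected elsewhere (the run reference updated later in this request says `--domainname` is invalid in `host` UTS mode, so such a guard presumably exists in HostConfig validation or the runtime). I would record the dependency at the injection site: `// kernel.domainname is UTS-namespaced; relies on UTSMode validation rejecting --domainname together with --uts=host`. The merge in createSpec also lets an explicit `--sysctl kernel.domainname=...` silently override `--domainname`; the comment states the precedence, but a user-facing mention in the run reference would avoid surprises. Both populateCommonSpec and createSpec extend beyond the quoted hunks.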


@ -0,0 +1,227 @@
From 975d8efceb479c3d0994814cc5d488ac33d0d2d6 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 18 Jun 2018 21:58:23 +1000
Subject: [PATCH 2/2] cli: add a separate --domainname flag
A while ago, Docker split the "Domainname" field out from the "Hostname"
field for the container configuration. There was no real user-visible
change associated with this (and under the hood "Domainname" was mostly
left unused from the command-line point of view). We now add this flag
in order to match other proposed changes to allow for setting the NIS
domainname of a container.
This also includes a fix for the --hostname parsing tests (they would
not error out if only one of .Hostname and .Domainname were incorrectly
set -- which is not correct).
SUSE-Bugs: bsc#1001161
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/cli/cli/command/container/opts.go | 3 ++
.../cli/cli/command/container/opts_test.go | 31 ++++++++++++++++---
components/cli/contrib/completion/bash/docker | 5 +--
components/cli/contrib/completion/zsh/_docker | 1 +
.../cli/docs/reference/commandline/create.md | 1 +
.../cli/docs/reference/commandline/run.md | 1 +
.../reference/commandline/service_create.md | 2 +-
components/cli/docs/reference/run.md | 6 ++--
components/cli/man/docker-run.1.md | 7 +++++
9 files changed, 46 insertions(+), 11 deletions(-)
diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go
index 97906b672252..7cd9ce998c8b 100644
--- a/components/cli/cli/command/container/opts.go
+++ b/components/cli/cli/command/container/opts.go
@@ -74,6 +74,7 @@ type containerOptions struct {
containerIDFile string
entrypoint string
hostname string
+ domainname string
memory opts.MemBytes
memoryReservation opts.MemBytes
memorySwap opts.MemSwapBytes
@@ -169,6 +170,7 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
+ flags.StringVar(&copts.domainname, "domainname", "", "Container NIS domain name")
flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
@@ -546,6 +548,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
config := &container.Config{
Hostname: copts.hostname,
+ Domainname: copts.domainname,
ExposedPorts: ports,
User: copts.user,
Tty: copts.tty,
diff --git a/components/cli/cli/command/container/opts_test.go b/components/cli/cli/command/container/opts_test.go
index 6d7c95a5ddb8..70bedc661751 100644
--- a/components/cli/cli/command/container/opts_test.go
+++ b/components/cli/cli/command/container/opts_test.go
@@ -265,14 +265,35 @@ func TestParseHostname(t *testing.T) {
hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
for hostname, expectedHostname := range validHostnames {
if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
- t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
+ t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
}
}
- if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
- t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
+ if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
+ t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
}
- if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
- t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
+ if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
+ t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
+ }
+}
+
+func TestParseHostnameDomainname(t *testing.T) {
+ validDomainnames := map[string]string{
+ "domainname": "domainname",
+ "domain-name": "domain-name",
+ "domainname123": "domainname123",
+ "123domainname": "123domainname",
+ "domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
+ }
+ for domainname, expectedDomainname := range validDomainnames {
+ if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
+ t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
+ }
+ }
+ if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
+ t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
+ }
+ if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
+ t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
}
}
diff --git a/components/cli/contrib/completion/bash/docker b/components/cli/contrib/completion/bash/docker
index 44ac8f3e0ed9..c532f5142c3d 100644
--- a/components/cli/contrib/completion/bash/docker
+++ b/components/cli/contrib/completion/bash/docker
@@ -5,8 +5,8 @@
# - SC2016: Expressions don't expand in single quotes, use double quotes for that.
# - SC2119: Use foo "$@" if function's $1 should mean script's $1.
# - SC2155: Declare and assign separately to avoid masking return values.
-#
-# You can find more details for each warning at the following page:
+#
+# You can find more details for each warning at the following page:
# https://github.com/koalaman/shellcheck/wiki/<SCXXXX>
#
# bash completion file for core docker commands
@@ -1785,6 +1785,7 @@ _docker_container_run_and_create() {
--dns
--dns-option
--dns-search
+ --domainname
--entrypoint
--env -e
--env-file
diff --git a/components/cli/contrib/completion/zsh/_docker b/components/cli/contrib/completion/zsh/_docker
index 94f042204dfb..9a502db0886f 100644
--- a/components/cli/contrib/completion/zsh/_docker
+++ b/components/cli/contrib/completion/zsh/_docker
@@ -617,6 +617,7 @@ __docker_container_subcommand() {
"($help)*--dns=[Custom DNS servers]:DNS server: "
"($help)*--dns-option=[Custom DNS options]:DNS option: "
"($help)*--dns-search=[Custom DNS search domains]:DNS domains: "
+ "($help)*--domainname=[Container NIS domain name]:domainname:_hosts"
"($help)*"{-e=,--env=}"[Environment variables]:environment variable: "
"($help)--entrypoint=[Overwrite the default entrypoint of the image]:entry point: "
"($help)*--env-file=[Read environment variables from a file]:environment file:_files"
diff --git a/components/cli/docs/reference/commandline/create.md b/components/cli/docs/reference/commandline/create.md
index d585da40ae1e..c829dbb3e5b9 100644
--- a/components/cli/docs/reference/commandline/create.md
+++ b/components/cli/docs/reference/commandline/create.md
@@ -53,6 +53,7 @@ Options:
--dns value Set custom DNS servers (default [])
--dns-option value Set DNS options (default [])
--dns-search value Set custom DNS search domains (default [])
+ --domainname string Container NIS domain name
--entrypoint string Overwrite the default ENTRYPOINT of the image
-e, --env value Set environment variables (default [])
--env-file value Read in a file of environment variables (default [])
diff --git a/components/cli/docs/reference/commandline/run.md b/components/cli/docs/reference/commandline/run.md
index 08b9f18d68ac..f448e1acf89b 100644
--- a/components/cli/docs/reference/commandline/run.md
+++ b/components/cli/docs/reference/commandline/run.md
@@ -57,6 +57,7 @@ Options:
--dns value Set custom DNS servers (default [])
--dns-option value Set DNS options (default [])
--dns-search value Set custom DNS search domains (default [])
+ --domainname string Container NIS domain name
--entrypoint string Overwrite the default ENTRYPOINT of the image
-e, --env value Set environment variables (default [])
--env-file value Read in a file of environment variables (default [])
diff --git a/components/cli/docs/reference/commandline/service_create.md b/components/cli/docs/reference/commandline/service_create.md
index 8fdb5297a102..c55c77b52d77 100644
--- a/components/cli/docs/reference/commandline/service_create.md
+++ b/components/cli/docs/reference/commandline/service_create.md
@@ -755,7 +755,7 @@ The swarm extends my-network to each node running the service.
Containers on the same network can access each other using
[service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery).
-Long form syntax of `--network` allows to specify list of aliases and driver options:
+Long form syntax of `--network` allows to specify list of aliases and driver options:
`--network name=my-network,alias=web1,driver-opt=field1=value1`
### Publish service ports externally to the swarm (-p, --publish)
diff --git a/components/cli/docs/reference/run.md b/components/cli/docs/reference/run.md
index a59a30525554..695974fe533c 100644
--- a/components/cli/docs/reference/run.md
+++ b/components/cli/docs/reference/run.md
@@ -256,7 +256,7 @@ The UTS namespace is for setting the hostname and the domain that is visible
to running processes in that namespace. By default, all containers, including
those with `--network=host`, have their own UTS namespace. The `host` setting will
result in the container using the same UTS namespace as the host. Note that
-`--hostname` is invalid in `host` UTS mode.
+`--hostname` and `--domainname` are invalid in `host` UTS mode.
You may wish to share the UTS namespace with the host if you would like the
hostname of the container to change as the hostname of the host changes. A
@@ -396,8 +396,8 @@ network stack and all interfaces from the host will be available to the
container. The container's hostname will match the hostname on the host
system. Note that `--mac-address` is invalid in `host` netmode. Even in `host`
network mode a container has its own UTS namespace by default. As such
-`--hostname` is allowed in `host` network mode and will only change the
-hostname inside the container.
+`--hostname` and `--domainname` are allowed in `host` network mode and will
+only change the hostname and domain name inside the container.
Similar to `--hostname`, the `--add-host`, `--dns`, `--dns-search`, and
`--dns-option` options can be used in `host` network mode. These options update
`/etc/hosts` or `/etc/resolv.conf` inside the container. No change are made to
diff --git a/components/cli/man/docker-run.1.md b/components/cli/man/docker-run.1.md
index e03377001d4e..4a1464a74200 100644
--- a/components/cli/man/docker-run.1.md
+++ b/components/cli/man/docker-run.1.md
@@ -35,6 +35,7 @@ docker-run - Run a command in a new container
[**--dns**[=*[]*]]
[**--dns-option**[=*[]*]]
[**--dns-search**[=*[]*]]
+[**--domainname**[=*DOMAINNAME*]]
[**-e**|**--env**[=*[]*]]
[**--entrypoint**[=*ENTRYPOINT*]]
[**--env-file**[=*[]*]]
@@ -285,6 +286,12 @@ configuration passed to the container. Typically this is necessary when the
host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
is the case the **--dns** flags is necessary for every run.
+**--domainname**=""
+ Container NIS domain name
+
+ Sets the container's NIS domain name (see also **setdomainname(2)**) that is
+ available inside the container.
+
**-e**, **--env**=[]
Set environment variables
--
2.19.2
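Review bot: The new `--domainname` flag in `opts.go` is copied straight into `container.Config.Domainname` with no validation, and `TestParseHostnameDomainname` only exercises accepted inputs; the 63-byte fixture hints at a length limit, yet no case asserts that an over-long or whitespace-containing value is rejected. Because the companion engine patch turns this string into a `kernel.domainname` sysctl, a malformed value is caught only later by the daemon or runtime, if at all. A negative case calling `parse` directly (since `mustParse` appears to fail the test on error) with a 65-byte name or one containing a space would pin the intended behaviour, or the absence of client-side validation should be stated in the flag's help text. `parse` and `TestParseHostname` continue outside the quoted hunks.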


@ -1,4 +1,4 @@
From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001
From 0a2ba19d51fef679d2a695fd14c30facd5f901f1 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 23 Aug 2018 19:53:55 +1000
Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
@ -23,7 +23,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 13 insertions(+)
diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
index 4197558a2225..4a3e98fb22c1 100644
index 2d940e31fd10..e5e480be3f32 100644
--- a/components/cli/man/generate.go
+++ b/components/cli/man/generate.go
@@ -6,6 +6,8 @@ import (
@ -51,8 +51,8 @@ index 4197558a2225..4a3e98fb22c1 100644
+ }
+
stdin, stdout, stderr := term.StdStreams()
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false, nil)
cmd := &cobra.Command{Use: "docker"}
--
2.18.0
2.19.1


@ -1,4 +1,4 @@
From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 8 Apr 2018 20:21:30 +1000
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
@ -7,15 +7,54 @@ In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.
SUSE-Bugs: bsc#1073877 boo#1089732
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/profiles/apparmor/template.go | 6 ++++++
1 file changed, 6 insertions(+)
.../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++
.../engine/profiles/apparmor/template.go | 6 ++++++
2 files changed, 27 insertions(+)
diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
index b021668c8e4c..2f58ee852cab 100644
--- a/components/engine/profiles/apparmor/apparmor.go
+++ b/components/engine/profiles/apparmor/apparmor.go
@@ -23,6 +23,8 @@ var (
type profileData struct {
// Name is profile name.
Name string
+ // DaemonProfile is the profile name of our daemon.
+ DaemonProfile string
// Imports defines the apparmor functions to import, before defining the profile.
Imports []string
// InnerImports defines the apparmor functions to import in the profile.
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
Name: name,
}
+ // Figure out the daemon profile.
+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
+ if err != nil {
+ // If we couldn't get the daemon profile, assume we are running
+ // unconfined which is generally the default.
+ currentProfile = nil
+ }
+ daemonProfile := string(currentProfile)
+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
+ // profiles cannot contain spaces so this doesn't restrict daemon profile
+ // names.
+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
+ daemonProfile = parts[0]
+ }
+ if daemonProfile == "" {
+ daemonProfile = "unconfined"
+ }
+ p.DaemonProfile = daemonProfile
+
// Install to a temporary directory.
f, err := ioutil.TempFile("", name)
if err != nil {
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
index c00a3f70e993..772c4a4873f6 100644
index c00a3f70e993..400b3bd50a11 100644
--- a/components/engine/profiles/apparmor/template.go
+++ b/components/engine/profiles/apparmor/template.go
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@ -24,13 +63,13 @@ index c00a3f70e993..772c4a4873f6 100644
umount,
+{{if ge .Version 208096}}
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+ signal (receive) peer=unconfined,
+{{/* And allow signals to be sent inside the container. */}}
+ signal (receive) peer={{.DaemonProfile}},
+{{/* Allow container processes to send signals amongst themselves. */}}
+ signal (send,receive) peer={{.Name}},
+{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
--
2.18.0
2.19.1
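Review bot: `/proc/self/attr/current` is newline-terminated, so when the content carries no " (mode)" suffix — the unconfined daemon reads as `unconfined\n` — `parts[0]` keeps the trailing newline, the `daemonProfile == ""` fallback never fires, and the newline is interpolated verbatim into the template's `peer={{.DaemonProfile}}` rule. apparmor_parser most likely tolerates the stray whitespace, but trimming before splitting removes the doubt: `daemonProfile := strings.TrimSpace(string(currentProfile))`. It is also worth a comment that the daemon's profile name is taken from the kernel and emitted unescaped into generated policy, which is safe only because AppArmor profile names cannot contain whitespace, as the existing comment notes. The rest of `InstallDefault` lies outside the quoted hunk.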


@ -1,4 +1,4 @@
From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001
From 04f594765577163a26f24d0fe3fc7a2283f1e018 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
@ -68,10 +68,10 @@ index 51f9c526b350..97d7758442ee 100644
return nil
}
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index 5e5f586ae085..6ca6a7aaa268 100644
index a307863017ab..67cd286002bf 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
@@ -735,7 +735,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
}
@ -83,5 +83,5 @@ index 5e5f586ae085..6ca6a7aaa268 100644
}
--
2.18.0
2.19.1


@ -1,30 +0,0 @@
From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 30 Jul 2018 19:34:01 +1000
Subject: [PATCH] build: add -buildmode=pie
Make all dynbinary builds be position-independent (this adds both
security benefits and can help with flaky builds on POWER
architectures).
SUSE-Bugs: bsc#1100727
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/cli/scripts/build/dynbinary | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/cli/scripts/build/dynbinary b/components/cli/scripts/build/dynbinary
index 3c32ed342ef7..4feb7e71d852 100755
--- a/components/cli/scripts/build/dynbinary
+++ b/components/cli/scripts/build/dynbinary
@@ -9,6 +9,6 @@ source ./scripts/build/.variables
echo "Building dynamically linked $TARGET"
export CGO_ENABLED=1
-go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" "${SOURCE}"
+go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" -buildmode=pie "${SOURCE}"
ln -sf "$(basename "${TARGET}")" build/docker
--
2.18.0


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0
size 8561132

docker-18.09.0_ce.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ce38c3b659b78bccdfaf07b1f0a4eaaf454ffec726434511feeee1b9a2fc8151
size 9264940


@ -1,3 +1,31 @@
-------------------------------------------------------------------
Mon Dec 3 16:14:22 UTC 2018 - Aleksa Sarai <asarai@suse.com>
- Add backports of https://github.com/docker/docker/pull/37302 and
https://github.com/docker/cli/pull/1130, which allow for users to explicitly
specify the NIS domainname of a container. bsc#1001161
+ bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
+ bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
-------------------------------------------------------------------
Thu Nov 29 09:41:11 UTC 2018 - Aleksa Sarai <asarai@suse.com>
- Update docker.service to match upstream and avoid rlimit problems.
bsc#1112980
- Upgrade to Docker 18.09.0-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. boo#1115464
- Add revert of an upstream patch to fix docker-* handling.
+ packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
- Rebase patches:
* bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
* bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
* private-registry-0001-Add-private-registry-mirror-support.patch
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
- Remove upstreamed patches:
- bsc1100727-0001-build-add-buildmode-pie.patch
-------------------------------------------------------------------
Mon Oct 8 06:41:21 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>


@ -15,7 +15,7 @@ ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
@ -27,9 +27,13 @@ TasksMax=infinity
# Only systemd 218 and above support this property.
Delegate=yes
# This is not necessary because of how we set up containerd.
#KillMode=process
# Kill only the docker process, not all processes in the cgroup.
KillMode=process
# Restart the docker process if it exits prematurely.
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
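Review bot: `StartLimitBurst=3` and `StartLimitInterval=60s` are added in the `[Service]` section, which is the pre-systemd-230 spelling; newer systemd expects them in `[Unit]` as `StartLimitBurst=` and `StartLimitIntervalSec=` and accepts the old placement only for compatibility, so a comment such as `# legacy [Service] spelling kept for older systemd; modern units use [Unit] StartLimitIntervalSec=` would help the next rebase. Re-enabling `KillMode=process` next to `Restart=on-failure` also appears to mean a crashed daemon is restarted while containerd and the container shims in the cgroup are left running, which is the upstream unit's intent but deserves a sentence in the comment, since the replaced text said the setting was unnecessary.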


@ -49,10 +49,10 @@
# sure we didn't miss anything important when doing upgrades.
%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
%define required_libnetwork 6da50d1978302f04c3e2089e29112ea24812f05b
Name: %{realname}%{name_suffix}
Version: 18.06.1_ce
Version: 18.09.0_ce
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
@ -76,16 +76,20 @@ Source9: tests.sh
# branch in http://github.com/suse/docker.mirror.
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37831. bsc#1073877
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
Patch403: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
Patch402: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907.
Patch403: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37302. bsc#1001161
Patch404: bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1130. bsc#1001161
Patch405: bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
# SUSE-FEATURE: Add support to mirror inofficial/private registries
# (https://github.com/moby/moby/pull/34319)
# (https://github.com/docker/docker/pull/34319)
Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
BuildRequires: audit
BuildRequires: bash-completion
@ -263,10 +267,13 @@ docker container runtime configuration for kubeadm
%patch400 -p1
# bsc#1099277
%patch401 -p1
# bsc#1100727
%patch402 -p1
# boo#1047218
%patch402 -p1
# revert upstream
%patch403 -p1
# bsc#1001161
%patch404 -p1
%patch405 -p1
%if "%flavour" == "kubic"
# PATCH-SUSE: Mirror patch.
%patch500 -p1


@ -0,0 +1,187 @@
From 9236191a98a0e9b8aa4ac7da4d4b1c0c196344e2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 29 Nov 2018 20:53:16 +1100
Subject: [PATCH] revert "Remove 'docker-' prefix for containerd and runc
binaries"
This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
would significantly break openSUSE's packaging (as well as causing
conflicts between the very-outdated runc that Docker uses and the more
up-to-date one available for Podman).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
components/engine/api/swagger.yaml | 4 +--
.../builder/builder-next/executor_unix.go | 2 +-
components/engine/cmd/dockerd/daemon.go | 36 +++++++------------
components/engine/daemon/daemon_unix.go | 6 ++--
.../libcontainerd/supervisor/remote_daemon.go | 4 +--
.../supervisor/remote_daemon_linux.go | 4 +--
.../supervisor/remote_daemon_windows.go | 4 +--
7 files changed, 25 insertions(+), 35 deletions(-)
diff --git a/components/engine/api/swagger.yaml b/components/engine/api/swagger.yaml
index f58a64f29ea3..d275f2ff49eb 100644
--- a/components/engine/api/swagger.yaml
+++ b/components/engine/api/swagger.yaml
@@ -3852,10 +3852,10 @@ definitions:
$ref: "#/definitions/Runtime"
default:
runc:
- path: "runc"
+ path: "docker-runc"
example:
runc:
- path: "runc"
+ path: "docker-runc"
runc-master:
path: "/go/bin/runc"
custom:
diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go
index b3ea33c05c71..94d8bb766045 100644
--- a/components/engine/builder/builder-next/executor_unix.go
+++ b/components/engine/builder/builder-next/executor_unix.go
@@ -27,7 +27,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e
}
return runcexecutor.New(runcexecutor.Opt{
Root: filepath.Join(root, "executor"),
- CommandCandidates: []string{"runc"},
+ CommandCandidates: []string{"docker-runc", "runc"},
DefaultCgroupParent: cgroupParent,
}, networkProviders)
}
diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
index 839537316af4..05922e6418d0 100644
--- a/components/engine/cmd/dockerd/daemon.go
+++ b/components/engine/cmd/dockerd/daemon.go
@@ -10,7 +10,6 @@ import (
"strings"
"time"
- containerddefaults "github.com/containerd/containerd/defaults"
"github.com/docker/distribution/uuid"
"github.com/docker/docker/api"
apiserver "github.com/docker/docker/api/server"
@@ -141,25 +140,21 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
ctx, cancel := context.WithCancel(context.Background())
if cli.Config.ContainerdAddr == "" && runtime.GOOS != "windows" {
- if !systemContainerdRunning() {
- opts, err := cli.getContainerdDaemonOpts()
- if err != nil {
- cancel()
- return fmt.Errorf("Failed to generate containerd options: %v", err)
- }
-
- r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
- if err != nil {
- cancel()
- return fmt.Errorf("Failed to start containerd: %v", err)
- }
- cli.Config.ContainerdAddr = r.Address()
+ opts, err := cli.getContainerdDaemonOpts()
+ if err != nil {
+ cancel()
+ return fmt.Errorf("Failed to generate containerd options: %v", err)
+ }
- // Try to wait for containerd to shutdown
- defer r.WaitTimeout(10 * time.Second)
- } else {
- cli.Config.ContainerdAddr = containerddefaults.DefaultAddress
+ r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
+ if err != nil {
+ cancel()
+ return fmt.Errorf("Failed to start containerd: %v", err)
}
+ cli.Config.ContainerdAddr = r.Address()
+
+ // Try to wait for containerd to shutdown
+ defer r.WaitTimeout(10 * time.Second)
}
defer cancel()
@@ -665,8 +660,3 @@ func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGette
}
return nil
}
-
-func systemContainerdRunning() bool {
- _, err := os.Lstat(containerddefaults.DefaultAddress)
- return err == nil
-}
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
index b69eede21c44..77adba94a468 100644
--- a/components/engine/daemon/daemon_unix.go
+++ b/components/engine/daemon/daemon_unix.go
@@ -54,11 +54,11 @@ import (
const (
// DefaultShimBinary is the default shim to be used by containerd if none
// is specified
- DefaultShimBinary = "containerd-shim"
+ DefaultShimBinary = "docker-containerd-shim"
// DefaultRuntimeBinary is the default runtime to be used by
// containerd if none is specified
- DefaultRuntimeBinary = "runc"
+ DefaultRuntimeBinary = "docker-runc"
// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
linuxMinCPUShares = 2
@@ -76,7 +76,7 @@ const (
// DefaultRuntimeName is the default runtime to be used by
// containerd if none is specified
- DefaultRuntimeName = "runc"
+ DefaultRuntimeName = "docker-runc"
)
type containerGetter interface {
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
index 095300f753e9..1dcfbe176b0d 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
@@ -27,8 +27,8 @@ const (
shutdownTimeout = 15 * time.Second
startupTimeout = 15 * time.Second
configFile = "containerd.toml"
- binaryName = "containerd"
- pidFile = "containerd.pid"
+ binaryName = "docker-containerd"
+ pidFile = "docker-containerd.pid"
)
type pluginConfigs struct {
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
index 799399c07bc5..1ea91d2b5d0b 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
@@ -11,8 +11,8 @@ import (
)
const (
- sockFile = "containerd.sock"
- debugSockFile = "containerd-debug.sock"
+ sockFile = "docker-containerd.sock"
+ debugSockFile = "docker-containerd-debug.sock"
)
func (r *remote) setDefaults() {
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
index 9b254ef58a0a..bcdc9529e0f7 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
@@ -7,8 +7,8 @@ import (
)
const (
- grpcPipeName = `\\.\pipe\containerd-containerd`
- debugPipeName = `\\.\pipe\containerd-debug`
+ grpcPipeName = `\\.\pipe\docker-containerd-containerd`
+ debugPipeName = `\\.\pipe\docker-containerd-debug`
)
func (r *remote) setDefaults() {
--
2.19.2


@ -1,4 +1,4 @@
From 46c2590f7637dba208b3db7e44c04e24f33c436d Mon Sep 17 00:00:00 2001
From a2d285ef5de9537fe2dbf14c4671625aa3035b98 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH] Add private-registry mirror support
@ -63,6 +63,7 @@ http for security reasons.
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
.../engine/api/types/registry/registry.go | 144 ++++++++++++++++++
components/engine/daemon/config/config.go | 4 +
@ -242,10 +243,10 @@ index 8789ad3b3210..c663fec7d881 100644
// NetIPNet is the net.IPNet type, which can be marshalled and
diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
index 6cda223a1181..308eb83f2116 100644
index 8b2c844a579f..e61940661c70 100644
--- a/components/engine/daemon/config/config.go
+++ b/components/engine/daemon/config/config.go
@@ -439,6 +439,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
@@ -470,6 +470,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
// 1. Search keys from the file that we don't recognize as flags.
unknownKeys := make(map[string]interface{})
for key, value := range config {
@ -253,11 +254,11 @@ index 6cda223a1181..308eb83f2116 100644
+ if key == "registries" {
+ continue
+ }
if flag := flags.Lookup(key); flag == nil {
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
unknownKeys[key] = value
}
diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go
index 210864ff879d..5e744c5dcf8d 100644
index 026d7dd517f7..924c3982cd2a 100644
--- a/components/engine/daemon/reload.go
+++ b/components/engine/daemon/reload.go
@@ -21,8 +21,14 @@ import (
@ -275,7 +276,7 @@ index 210864ff879d..5e744c5dcf8d 100644
daemon.configStore.Lock()
attributes := map[string]string{}
@@ -64,6 +70,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
@@ -65,6 +71,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
return err
}
@ -285,7 +286,7 @@ index 210864ff879d..5e744c5dcf8d 100644
return daemon.reloadNetworkDiagnosticPort(conf, attributes)
}
@@ -293,6 +302,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
@@ -294,6 +303,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
return nil
}
@ -1159,5 +1160,5 @@ index 3a56dc91145a..9de221cf2aa0 100644
endpoints = []APIEndpoint{
--
2.18.0
2.19.1
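Review bot: The rebased hunk in findConfigurationConflicts now keeps the patch's own `if key == "registries" { continue }` directly above the upstream condition `flag == nil && !skipValidateOptions[key]`, so two mechanisms exist for exempting a config key from flag validation. Adding `"registries": true,` to `skipValidateOptions` (indexed here with a string key and negated, so presumably a package-level `map[string]bool` declared outside this hunk) would remove the special case and keep the exemption listed alongside the other keys that bypass validation. findConfigurationConflicts begins and ends outside the hunk and the map's declaration is not visible here, so confirm it is a plain package-level literal before moving the entry.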


@ -1,4 +1,4 @@
From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001
From 4eba91df3257644105ef344949705651507eb2bd Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
index bc7ee452332b..d34129dfd80b 100644
index 9953c7f3fddc..e8f6784ca19a 100644
--- a/components/engine/daemon/container_operations_unix.go
+++ b/components/engine/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
@ -55,8 +55,8 @@ index bc7ee452332b..d34129dfd80b 100644
+ // If the "file" is a directory, then s.File.Data is actually a tar
+ // archive of the directory. So we just do a tar extraction here.
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
+ UIDMaps: daemon.idMappings.UIDs(),
+ GIDMaps: daemon.idMappings.GIDs(),
+ UIDMaps: daemon.idMapping.UIDs(),
+ GIDMaps: daemon.idMapping.GIDs(),
+ }); err != nil {
+ return errors.Wrap(err, "error injecting secretdir")
+ }
@ -70,5 +70,5 @@ index bc7ee452332b..d34129dfd80b 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.18.0
2.19.2


@ -1,4 +1,4 @@
From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001
From 229a891b45b996a2cd10f5a71541d124e884556e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@ -36,7 +36,7 @@ index c00bd9ceb22b..aa705888df39 100644
return errdefs.System(err)
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
new file mode 100644
index 000000000000..817cd5561023
index 000000000000..087c877015a7
--- /dev/null
+++ b/components/engine/daemon/suse_secrets.go
@@ -0,0 +1,396 @@
@ -112,11 +112,11 @@ index 000000000000..817cd5561023
+ }
+}
+
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IDMappings) *swarmtypes.SecretReference {
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference {
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
+ // back to root if the UID/GID don't match (we are guaranteed that root is
+ // mapped).
+ ctrUser := idtools.IDPair{UID: s.Uid, GID: s.Gid}
+ ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
+ hostUser := idMaps.RootPair()
+ if user, err := idMaps.ToHost(ctrUser); err == nil {
+ hostUser = user
@ -410,7 +410,7 @@ index 000000000000..817cd5561023
+ return err
+ }
+
+ idMaps := daemon.IDMappings()
+ idMaps := daemon.idMapping
+ for _, secret := range secrets {
+ newDependencyStore.secrets[secret.id()] = secret.toSecret()
+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps))
@ -437,5 +437,5 @@ index 000000000000..817cd5561023
+ return nil
+}
--
2.18.0
2.19.2