Accepting request 653739 from Virtualization:containers

Docker 18.09 upgrade.

OBS-URL: https://build.opensuse.org/request/show/653739
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=83

_service

@@ -3,8 +3,8 @@
     <param name="url">https://github.com/docker/docker-ce.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">18.06.1_ce</param>
-    <param name="revision">v18.06.1-ce</param>
+    <param name="versionformat">18.09.0_ce</param>
+    <param name="revision">v18.09.0</param>
     <param name="filename">docker</param>
   </service>
   <service name="recompress" mode="disabled">

bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch

@@ -0,0 +1,66 @@
+From 244ae6114d89a495f1f2b4cf98eb5979fe1381b0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Sun, 17 Jun 2018 17:05:54 +1000
+Subject: [PATCH 1/2] oci: include the domainname in "kernel.domainname"
+
+The OCI doesn't have a specific field for an NIS domainname[1] (mainly
+because FreeBSD and Solaris appear to have a similar concept but it is
+configured entirely differently).
+
+However, on Linux, the NIS domainname can be configured through both the
+setdomainname(2) syscall but also through the "kernel.domainname"
+sysctl. Since the OCI has a way of injecting sysctls this means we don't
+need to have any OCI changes to support NIS domainnames (and we can
+always switch if the OCI picks up such support in the future).
+
+It should be noted that because we have to generate this each spec
+creation we also have to make sure that it's not clobbered by the
+HostConfig. I'm pretty sure making this change generic (so that
+HostConfig will not clobber any pre-set sysctls) will not cause other
+issues to crop up.
+
+[1]: https://github.com/opencontainers/runtime-spec/issues/592
+
+SUSE-Bugs: bsc#1001161
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ components/engine/daemon/oci_linux.go | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
+index 7611fc054d13..d5838623528e 100644
+--- a/components/engine/daemon/oci_linux.go
++++ b/components/engine/daemon/oci_linux.go
+@@ -679,7 +679,15 @@ func (daemon *Daemon) populateCommonSpec(s *specs.Spec, c *container.Container)
+ 	s.Process.Cwd = cwd
+ 	s.Process.Env = c.CreateDaemonEnvironment(c.Config.Tty, linkedEnv)
+ 	s.Process.Terminal = c.Config.Tty
+-	s.Hostname = c.FullHostname()
++
++	s.Hostname = c.Config.Hostname
++	// There isn't a field in the OCI for the NIS domainname, but luckily there
++	// is a sysctl which has an identical effect to setdomainname(2) so there's
++	// no explicit need for runtime support.
++	s.Linux.Sysctl = make(map[string]string)
++	if c.Config.Domainname != "" {
++		s.Linux.Sysctl["kernel.domainname"] = c.Config.Domainname
++	}
+ 
+ 	return nil
+ }
+@@ -715,7 +723,11 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
+ 	if err := setResources(&s, c.HostConfig.Resources); err != nil {
+ 		return nil, fmt.Errorf("linux runtime spec resources: %v", err)
+ 	}
+-	s.Linux.Sysctl = c.HostConfig.Sysctls
++	// We merge the sysctls injected above with the HostConfig (latter takes
++	// precedence for backwards-compatibility reasons).
++	for k, v := range c.HostConfig.Sysctls {
++		s.Linux.Sysctl[k] = v
++	}
+ 
+ 	p := s.Linux.CgroupsPath
+ 	if useSystemd {
+-- 
+2.19.2
+

bsc1001161-0002-cli-add-a-separate-domainname-flag.patch

@@ -0,0 +1,227 @@
+From 975d8efceb479c3d0994814cc5d488ac33d0d2d6 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Mon, 18 Jun 2018 21:58:23 +1000
+Subject: [PATCH 2/2] cli: add a separate --domainname flag
+
+A while ago, Docker split the "Domainname" field out from the "Hostname"
+field for the container configuration. There was no real user-visible
+change associated with this (and under the hood "Domainname" was mostly
+left unused from the command-line point of view). We now add this flag
+in order to match other proposed changes to allow for setting the NIS
+domainname of a container.
+
+This also includes a fix for the --hostname parsing tests (they would
+not error out if only one of .Hostname and .Domainname were incorrectly
+set -- which is not correct).
+
+SUSE-Bugs: bsc#1001161
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ components/cli/cli/command/container/opts.go  |  3 ++
+ .../cli/cli/command/container/opts_test.go    | 31 ++++++++++++++++---
+ components/cli/contrib/completion/bash/docker |  5 +--
+ components/cli/contrib/completion/zsh/_docker |  1 +
+ .../cli/docs/reference/commandline/create.md  |  1 +
+ .../cli/docs/reference/commandline/run.md     |  1 +
+ .../reference/commandline/service_create.md   |  2 +-
+ components/cli/docs/reference/run.md          |  6 ++--
+ components/cli/man/docker-run.1.md            |  7 +++++
+ 9 files changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go
+index 97906b672252..7cd9ce998c8b 100644
+--- a/components/cli/cli/command/container/opts.go
++++ b/components/cli/cli/command/container/opts.go
+@@ -74,6 +74,7 @@ type containerOptions struct {
+ 	containerIDFile    string
+ 	entrypoint         string
+ 	hostname           string
++	domainname         string
+ 	memory             opts.MemBytes
+ 	memoryReservation  opts.MemBytes
+ 	memorySwap         opts.MemSwapBytes
+@@ -169,6 +170,7 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
+ 	flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
+ 	flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
+ 	flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
++	flags.StringVar(&copts.domainname, "domainname", "", "Container NIS domain name")
+ 	flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
+ 	flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
+ 	flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
+@@ -546,6 +548,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
+ 
+ 	config := &container.Config{
+ 		Hostname:     copts.hostname,
++		Domainname:   copts.domainname,
+ 		ExposedPorts: ports,
+ 		User:         copts.user,
+ 		Tty:          copts.tty,
+diff --git a/components/cli/cli/command/container/opts_test.go b/components/cli/cli/command/container/opts_test.go
+index 6d7c95a5ddb8..70bedc661751 100644
+--- a/components/cli/cli/command/container/opts_test.go
++++ b/components/cli/cli/command/container/opts_test.go
+@@ -265,14 +265,35 @@ func TestParseHostname(t *testing.T) {
+ 	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
+ 	for hostname, expectedHostname := range validHostnames {
+ 		if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
+-			t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
++			t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
+ 		}
+ 	}
+-	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
+-		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
++	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
++		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
+ 	}
+-	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
+-		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
++	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
++		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
++	}
++}
++
++func TestParseHostnameDomainname(t *testing.T) {
++	validDomainnames := map[string]string{
++		"domainname":    "domainname",
++		"domain-name":   "domain-name",
++		"domainname123": "domainname123",
++		"123domainname": "123domainname",
++		"domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
++	}
++	for domainname, expectedDomainname := range validDomainnames {
++		if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
++			t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
++		}
++	}
++	if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
++		t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
++	}
++	if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
++		t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
+ 	}
+ }
+ 
+diff --git a/components/cli/contrib/completion/bash/docker b/components/cli/contrib/completion/bash/docker
+index 44ac8f3e0ed9..c532f5142c3d 100644
+--- a/components/cli/contrib/completion/bash/docker
++++ b/components/cli/contrib/completion/bash/docker
+@@ -5,8 +5,8 @@
+ #  - SC2016: Expressions don't expand in single quotes, use double quotes for that.
+ #  - SC2119: Use foo "$@" if function's $1 should mean script's $1.
+ #  - SC2155: Declare and assign separately to avoid masking return values.
+-# 
+-# You can find more details for each warning at the following page: 
++#
++# You can find more details for each warning at the following page:
+ #    https://github.com/koalaman/shellcheck/wiki/<SCXXXX>
+ #
+ # bash completion file for core docker commands
+@@ -1785,6 +1785,7 @@ _docker_container_run_and_create() {
+ 		--dns
+ 		--dns-option
+ 		--dns-search
++		--domainname
+ 		--entrypoint
+ 		--env -e
+ 		--env-file
+diff --git a/components/cli/contrib/completion/zsh/_docker b/components/cli/contrib/completion/zsh/_docker
+index 94f042204dfb..9a502db0886f 100644
+--- a/components/cli/contrib/completion/zsh/_docker
++++ b/components/cli/contrib/completion/zsh/_docker
+@@ -617,6 +617,7 @@ __docker_container_subcommand() {
+         "($help)*--dns=[Custom DNS servers]:DNS server: "
+         "($help)*--dns-option=[Custom DNS options]:DNS option: "
+         "($help)*--dns-search=[Custom DNS search domains]:DNS domains: "
++        "($help)*--domainname=[Container NIS domain name]:domainname:_hosts"
+         "($help)*"{-e=,--env=}"[Environment variables]:environment variable: "
+         "($help)--entrypoint=[Overwrite the default entrypoint of the image]:entry point: "
+         "($help)*--env-file=[Read environment variables from a file]:environment file:_files"
+diff --git a/components/cli/docs/reference/commandline/create.md b/components/cli/docs/reference/commandline/create.md
+index d585da40ae1e..c829dbb3e5b9 100644
+--- a/components/cli/docs/reference/commandline/create.md
++++ b/components/cli/docs/reference/commandline/create.md
+@@ -53,6 +53,7 @@ Options:
+       --dns value                     Set custom DNS servers (default [])
+       --dns-option value              Set DNS options (default [])
+       --dns-search value              Set custom DNS search domains (default [])
++      --domainname string             Container NIS domain name
+       --entrypoint string             Overwrite the default ENTRYPOINT of the image
+   -e, --env value                     Set environment variables (default [])
+       --env-file value                Read in a file of environment variables (default [])
+diff --git a/components/cli/docs/reference/commandline/run.md b/components/cli/docs/reference/commandline/run.md
+index 08b9f18d68ac..f448e1acf89b 100644
+--- a/components/cli/docs/reference/commandline/run.md
++++ b/components/cli/docs/reference/commandline/run.md
+@@ -57,6 +57,7 @@ Options:
+       --dns value                     Set custom DNS servers (default [])
+       --dns-option value              Set DNS options (default [])
+       --dns-search value              Set custom DNS search domains (default [])
++      --domainname string             Container NIS domain name
+       --entrypoint string             Overwrite the default ENTRYPOINT of the image
+   -e, --env value                     Set environment variables (default [])
+       --env-file value                Read in a file of environment variables (default [])
+diff --git a/components/cli/docs/reference/commandline/service_create.md b/components/cli/docs/reference/commandline/service_create.md
+index 8fdb5297a102..c55c77b52d77 100644
+--- a/components/cli/docs/reference/commandline/service_create.md
++++ b/components/cli/docs/reference/commandline/service_create.md
+@@ -755,7 +755,7 @@ The swarm extends my-network to each node running the service.
+ Containers on the same network can access each other using
+ [service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery).
+ 
+-Long form syntax of `--network` allows to specify list of aliases and driver options:  
++Long form syntax of `--network` allows to specify list of aliases and driver options:
+ `--network name=my-network,alias=web1,driver-opt=field1=value1`
+ 
+ ### Publish service ports externally to the swarm (-p, --publish)
+diff --git a/components/cli/docs/reference/run.md b/components/cli/docs/reference/run.md
+index a59a30525554..695974fe533c 100644
+--- a/components/cli/docs/reference/run.md
++++ b/components/cli/docs/reference/run.md
+@@ -256,7 +256,7 @@ The UTS namespace is for setting the hostname and the domain that is visible
+ to running processes in that namespace.  By default, all containers, including
+ those with `--network=host`, have their own UTS namespace.  The `host` setting will
+ result in the container using the same UTS namespace as the host.  Note that
+-`--hostname` is invalid in `host` UTS mode.
++`--hostname` and `--domainname` are invalid in `host` UTS mode.
+ 
+ You may wish to share the UTS namespace with the host if you would like the
+ hostname of the container to change as the hostname of the host changes.  A
+@@ -396,8 +396,8 @@ network stack and all interfaces from the host will be available to the
+ container.  The container's hostname will match the hostname on the host
+ system. Note that `--mac-address` is invalid in `host` netmode. Even in `host`
+ network mode a container has its own UTS namespace by default. As such
+-`--hostname` is allowed in `host` network mode and will only change the
+-hostname inside the container.
++`--hostname` and `--domainname` are allowed in `host` network mode and will
++only change the hostname and domain name inside the container.
+ Similar to `--hostname`, the `--add-host`, `--dns`, `--dns-search`, and
+ `--dns-option` options can be used in `host` network mode. These options update
+ `/etc/hosts` or `/etc/resolv.conf` inside the container. No change are made to
+diff --git a/components/cli/man/docker-run.1.md b/components/cli/man/docker-run.1.md
+index e03377001d4e..4a1464a74200 100644
+--- a/components/cli/man/docker-run.1.md
++++ b/components/cli/man/docker-run.1.md
+@@ -35,6 +35,7 @@ docker-run - Run a command in a new container
+ [**--dns**[=*[]*]]
+ [**--dns-option**[=*[]*]]
+ [**--dns-search**[=*[]*]]
++[**--domainname**[=*DOMAINNAME*]]
+ [**-e**|**--env**[=*[]*]]
+ [**--entrypoint**[=*ENTRYPOINT*]]
+ [**--env-file**[=*[]*]]
+@@ -285,6 +286,12 @@ configuration passed to the container. Typically this is necessary when the
+ host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
+ is the case the **--dns** flags is necessary for every run.
+ 
++**--domainname**=""
++   Container NIS domain name
++
++   Sets the container's NIS domain name (see also **setdomainname(2)**) that is
++   available inside the container.
++
+ **-e**, **--env**=[]
+    Set environment variables
+ 
+-- 
+2.19.2
+

bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch

@@ -1,4 +1,4 @@
-From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001
+From 0a2ba19d51fef679d2a695fd14c30facd5f901f1 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Thu, 23 Aug 2018 19:53:55 +1000
 Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
@@ -23,7 +23,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 13 insertions(+)
 
 diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
-index 4197558a2225..4a3e98fb22c1 100644
+index 2d940e31fd10..e5e480be3f32 100644
 --- a/components/cli/man/generate.go
 +++ b/components/cli/man/generate.go
 @@ -6,6 +6,8 @@ import (
@@ -51,8 +51,8 @@ index 4197558a2225..4a3e98fb22c1 100644
 +	}
 +
  	stdin, stdout, stderr := term.StdStreams()
- 	dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
+ 	dockerCli := command.NewDockerCli(stdin, stdout, stderr, false, nil)
  	cmd := &cobra.Command{Use: "docker"}
 -- 
-2.18.0
+2.19.1
 

bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch

@@ -1,4 +1,4 @@
-From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
+From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 8 Apr 2018 20:21:30 +1000
 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
@@ -7,15 +7,54 @@ In newer kernels, AppArmor will reject attempts to send signals to a
 container because the signal originated from outside of that AppArmor
 profile. Correct this by allowing all unconfined signals to be received.
 
-SUSE-Bugs: bsc#1073877 boo#1089732
 Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
- components/engine/profiles/apparmor/template.go | 6 ++++++
- 1 file changed, 6 insertions(+)
+ .../engine/profiles/apparmor/apparmor.go      | 21 +++++++++++++++++++
+ .../engine/profiles/apparmor/template.go      |  6 ++++++
+ 2 files changed, 27 insertions(+)
 
+diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
+index b021668c8e4c..2f58ee852cab 100644
+--- a/components/engine/profiles/apparmor/apparmor.go
++++ b/components/engine/profiles/apparmor/apparmor.go
+@@ -23,6 +23,8 @@ var (
+ type profileData struct {
+ 	// Name is profile name.
+ 	Name string
++	// DaemonProfile is the profile name of our daemon.
++	DaemonProfile string
+ 	// Imports defines the apparmor functions to import, before defining the profile.
+ 	Imports []string
+ 	// InnerImports defines the apparmor functions to import in the profile.
+@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
+ 		Name: name,
+ 	}
+ 
++	// Figure out the daemon profile.
++	currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
++	if err != nil {
++		// If we couldn't get the daemon profile, assume we are running
++		// unconfined which is generally the default.
++		currentProfile = nil
++	}
++	daemonProfile := string(currentProfile)
++	// Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
++	// profiles cannot contain spaces so this doesn't restrict daemon profile
++	// names.
++	if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
++		daemonProfile = parts[0]
++	}
++	if daemonProfile == "" {
++		daemonProfile = "unconfined"
++	}
++	p.DaemonProfile = daemonProfile
++
+ 	// Install to a temporary directory.
+ 	f, err := ioutil.TempFile("", name)
+ 	if err != nil {
 diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
-index c00a3f70e993..772c4a4873f6 100644
+index c00a3f70e993..400b3bd50a11 100644
 --- a/components/engine/profiles/apparmor/template.go
 +++ b/components/engine/profiles/apparmor/template.go
 @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -24,13 +63,13 @@ index c00a3f70e993..772c4a4873f6 100644
    umount,
 +{{if ge .Version 208096}}
 +{{/* Allow 'docker kill' to actually send signals to container processes. */}}
-+  signal (receive) peer=unconfined,
-+{{/* And allow signals to be sent inside the container. */}}
++  signal (receive) peer={{.DaemonProfile}},
++{{/* Allow container processes to send signals amongst themselves. */}}
 +  signal (send,receive) peer={{.Name}},
 +{{end}}
  
    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
 -- 
-2.18.0
+2.19.1
 

bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch

@@ -1,4 +1,4 @@
-From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001
+From 04f594765577163a26f24d0fe3fc7a2283f1e018 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
@@ -68,10 +68,10 @@ index 51f9c526b350..97d7758442ee 100644
  	return nil
  }
 diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
-index 5e5f586ae085..6ca6a7aaa268 100644
+index a307863017ab..67cd286002bf 100644
 --- a/components/engine/daemon/daemon.go
 +++ b/components/engine/daemon/daemon.go
-@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
+@@ -735,7 +735,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
  		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
  	}
  
@@ -83,5 +83,5 @@ index 5e5f586ae085..6ca6a7aaa268 100644
  	}
  
 -- 
-2.18.0
+2.19.1
 

bsc1100727-0001-build-add-buildmode-pie.patch

@@ -1,30 +0,0 @@
-From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Mon, 30 Jul 2018 19:34:01 +1000
-Subject: [PATCH] build: add -buildmode=pie
-
-Make all dynbinary builds be position-independent (this adds both
-security benefits and can help with flaky builds on POWER
-architectures).
-
-SUSE-Bugs: bsc#1100727
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- components/cli/scripts/build/dynbinary | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/components/cli/scripts/build/dynbinary b/components/cli/scripts/build/dynbinary
-index 3c32ed342ef7..4feb7e71d852 100755
---- a/components/cli/scripts/build/dynbinary
-+++ b/components/cli/scripts/build/dynbinary
-@@ -9,6 +9,6 @@ source ./scripts/build/.variables
- 
- echo "Building dynamically linked $TARGET"
- export CGO_ENABLED=1
--go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" "${SOURCE}"
-+go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" -buildmode=pie "${SOURCE}"
- 
- ln -sf "$(basename "${TARGET}")" build/docker
--- 
-2.18.0
-

docker-18.06.1_ce.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0
-size 8561132

docker-18.09.0_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce38c3b659b78bccdfaf07b1f0a4eaaf454ffec726434511feeee1b9a2fc8151
+size 9264940

docker.changes

@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Dec  3 16:14:22 UTC 2018 - Aleksa Sarai <asarai@suse.com>
+
+- Add backports of https://github.com/docker/docker/pull/37302 and
+  https://github.com/docker/cli/pull/1130, which allow for users to explicitly
+  specify the NIS domainname of a container. bsc#1001161
+  + bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
+  + bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
+
+-------------------------------------------------------------------
+Thu Nov 29 09:41:11 UTC 2018 - Aleksa Sarai <asarai@suse.com>
+
+- Update docker.service to match upstream and avoid rlimit problems.
+  bsc#1112980
+- Upgrade to Docker 18.09.0-ce. See upstream changelog in the packaged
+  /usr/share/doc/packages/docker/CHANGELOG.md. boo#1115464
+- Add revert of an upstream patch to fix docker-* handling.
+  + packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
+- Rebase patches:
+  * bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
+  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+  * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+  * private-registry-0001-Add-private-registry-mirror-support.patch
+  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+- Remove upstreamed patches:
+  - bsc1100727-0001-build-add-buildmode-pie.patch
+
 -------------------------------------------------------------------
 Mon Oct  8 06:41:21 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
 

docker.service

@@ -15,7 +15,7 @@ ExecReload=/bin/kill -s HUP $MAINPID
 
 # Having non-zero Limit*s causes performance problems due to accounting overhead
 # in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNOFILE=infinity
+LimitNOFILE=1048576
 LimitNPROC=infinity
 LimitCORE=infinity
 
@@ -27,9 +27,13 @@ TasksMax=infinity
 # Only systemd 218 and above support this property.
 Delegate=yes
 
-# This is not necessary because of how we set up containerd.
-#KillMode=process
+# Kill only the docker process, not all processes in the cgroup.
+KillMode=process
+
+# Restart the docker process if it exits prematurely.
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
 
 [Install]
 WantedBy=multi-user.target
-

docker.spec

@@ -49,10 +49,10 @@
 # sure we didn't miss anything important when doing upgrades.
 %define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
 %define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
-%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
+%define required_libnetwork 6da50d1978302f04c3e2089e29112ea24812f05b
 
 Name:           %{realname}%{name_suffix}
-Version:        18.06.1_ce
+Version:        18.09.0_ce
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@@ -76,16 +76,20 @@ Source9:        tests.sh
 # branch in http://github.com/suse/docker.mirror.
 Patch200:       secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
 Patch201:       secrets-0002-SUSE-implement-SUSE-container-secrets.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
+# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37831. bsc#1073877
 Patch400:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
+# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
 Patch401:       bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
-# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
-Patch402:       bsc1100727-0001-build-add-buildmode-pie.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
-Patch403:       bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
+Patch402:       bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
+# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907.
+Patch403:       packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
+# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37302. bsc#1001161
+Patch404:       bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
+# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1130. bsc#1001161
+Patch405:       bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
 # SUSE-FEATURE: Add support to mirror inofficial/private registries
-#               (https://github.com/moby/moby/pull/34319)
+#               (https://github.com/docker/docker/pull/34319)
 Patch500:       private-registry-0001-Add-private-registry-mirror-support.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
@@ -263,10 +267,13 @@ docker container runtime configuration for kubeadm
 %patch400 -p1
 # bsc#1099277
 %patch401 -p1
-# bsc#1100727
-%patch402 -p1
 # boo#1047218
+%patch402 -p1
+# revert upstream
 %patch403 -p1
+# bsc#1001161
+%patch404 -p1
+%patch405 -p1
 %if "%flavour" == "kubic"
 # PATCH-SUSE: Mirror patch.
 %patch500 -p1

packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch

@@ -0,0 +1,187 @@
+From 9236191a98a0e9b8aa4ac7da4d4b1c0c196344e2 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 29 Nov 2018 20:53:16 +1100
+Subject: [PATCH] revert "Remove 'docker-' prefix for containerd and runc
+ binaries"
+
+This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
+would significantly break openSUSE's packaging (as well as causing
+conflicts between the very-outdated runc that Docker uses and the more
+up-to-date one available for Podman).
+
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ components/engine/api/swagger.yaml            |  4 +--
+ .../builder/builder-next/executor_unix.go     |  2 +-
+ components/engine/cmd/dockerd/daemon.go       | 36 +++++++------------
+ components/engine/daemon/daemon_unix.go       |  6 ++--
+ .../libcontainerd/supervisor/remote_daemon.go |  4 +--
+ .../supervisor/remote_daemon_linux.go         |  4 +--
+ .../supervisor/remote_daemon_windows.go       |  4 +--
+ 7 files changed, 25 insertions(+), 35 deletions(-)
+
+diff --git a/components/engine/api/swagger.yaml b/components/engine/api/swagger.yaml
+index f58a64f29ea3..d275f2ff49eb 100644
+--- a/components/engine/api/swagger.yaml
++++ b/components/engine/api/swagger.yaml
+@@ -3852,10 +3852,10 @@ definitions:
+           $ref: "#/definitions/Runtime"
+         default:
+           runc:
+-            path: "runc"
++            path: "docker-runc"
+         example:
+           runc:
+-            path: "runc"
++            path: "docker-runc"
+           runc-master:
+             path: "/go/bin/runc"
+           custom:
+diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go
+index b3ea33c05c71..94d8bb766045 100644
+--- a/components/engine/builder/builder-next/executor_unix.go
++++ b/components/engine/builder/builder-next/executor_unix.go
+@@ -27,7 +27,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e
+ 	}
+ 	return runcexecutor.New(runcexecutor.Opt{
+ 		Root:                filepath.Join(root, "executor"),
+-		CommandCandidates:   []string{"runc"},
++		CommandCandidates:   []string{"docker-runc", "runc"},
+ 		DefaultCgroupParent: cgroupParent,
+ 	}, networkProviders)
+ }
+diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
+index 839537316af4..05922e6418d0 100644
+--- a/components/engine/cmd/dockerd/daemon.go
++++ b/components/engine/cmd/dockerd/daemon.go
+@@ -10,7 +10,6 @@ import (
+ 	"strings"
+ 	"time"
+ 
+-	containerddefaults "github.com/containerd/containerd/defaults"
+ 	"github.com/docker/distribution/uuid"
+ 	"github.com/docker/docker/api"
+ 	apiserver "github.com/docker/docker/api/server"
+@@ -141,25 +140,21 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
+ 
+ 	ctx, cancel := context.WithCancel(context.Background())
+ 	if cli.Config.ContainerdAddr == "" && runtime.GOOS != "windows" {
+-		if !systemContainerdRunning() {
+-			opts, err := cli.getContainerdDaemonOpts()
+-			if err != nil {
+-				cancel()
+-				return fmt.Errorf("Failed to generate containerd options: %v", err)
+-			}
+-
+-			r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
+-			if err != nil {
+-				cancel()
+-				return fmt.Errorf("Failed to start containerd: %v", err)
+-			}
+-			cli.Config.ContainerdAddr = r.Address()
++		opts, err := cli.getContainerdDaemonOpts()
++		if err != nil {
++			cancel()
++			return fmt.Errorf("Failed to generate containerd options: %v", err)
++		}
+ 
+-			// Try to wait for containerd to shutdown
+-			defer r.WaitTimeout(10 * time.Second)
+-		} else {
+-			cli.Config.ContainerdAddr = containerddefaults.DefaultAddress
++		r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
++		if err != nil {
++			cancel()
++			return fmt.Errorf("Failed to start containerd: %v", err)
+ 		}
++		cli.Config.ContainerdAddr = r.Address()
++
++		// Try to wait for containerd to shutdown
++		defer r.WaitTimeout(10 * time.Second)
+ 	}
+ 	defer cancel()
+ 
+@@ -665,8 +660,3 @@ func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGette
+ 	}
+ 	return nil
+ }
+-
+-func systemContainerdRunning() bool {
+-	_, err := os.Lstat(containerddefaults.DefaultAddress)
+-	return err == nil
+-}
+diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
+index b69eede21c44..77adba94a468 100644
+--- a/components/engine/daemon/daemon_unix.go
++++ b/components/engine/daemon/daemon_unix.go
+@@ -54,11 +54,11 @@ import (
+ const (
+ 	// DefaultShimBinary is the default shim to be used by containerd if none
+ 	// is specified
+-	DefaultShimBinary = "containerd-shim"
++	DefaultShimBinary = "docker-containerd-shim"
+ 
+ 	// DefaultRuntimeBinary is the default runtime to be used by
+ 	// containerd if none is specified
+-	DefaultRuntimeBinary = "runc"
++	DefaultRuntimeBinary = "docker-runc"
+ 
+ 	// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
+ 	linuxMinCPUShares = 2
+@@ -76,7 +76,7 @@ const (
+ 
+ 	// DefaultRuntimeName is the default runtime to be used by
+ 	// containerd if none is specified
+-	DefaultRuntimeName = "runc"
++	DefaultRuntimeName = "docker-runc"
+ )
+ 
+ type containerGetter interface {
+diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
+index 095300f753e9..1dcfbe176b0d 100644
+--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
++++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
+@@ -27,8 +27,8 @@ const (
+ 	shutdownTimeout         = 15 * time.Second
+ 	startupTimeout          = 15 * time.Second
+ 	configFile              = "containerd.toml"
+-	binaryName              = "containerd"
+-	pidFile                 = "containerd.pid"
++	binaryName              = "docker-containerd"
++	pidFile                 = "docker-containerd.pid"
+ )
+ 
+ type pluginConfigs struct {
+diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
+index 799399c07bc5..1ea91d2b5d0b 100644
+--- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
++++ b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
+@@ -11,8 +11,8 @@ import (
+ )
+ 
+ const (
+-	sockFile      = "containerd.sock"
+-	debugSockFile = "containerd-debug.sock"
++	sockFile      = "docker-containerd.sock"
++	debugSockFile = "docker-containerd-debug.sock"
+ )
+ 
+ func (r *remote) setDefaults() {
+diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
+index 9b254ef58a0a..bcdc9529e0f7 100644
+--- a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
++++ b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
+@@ -7,8 +7,8 @@ import (
+ )
+ 
+ const (
+-	grpcPipeName  = `\\.\pipe\containerd-containerd`
+-	debugPipeName = `\\.\pipe\containerd-debug`
++	grpcPipeName  = `\\.\pipe\docker-containerd-containerd`
++	debugPipeName = `\\.\pipe\docker-containerd-debug`
+ )
+ 
+ func (r *remote) setDefaults() {
+-- 
+2.19.2
+

private-registry-0001-Add-private-registry-mirror-support.patch

@@ -1,4 +1,4 @@
-From 46c2590f7637dba208b3db7e44c04e24f33c436d Mon Sep 17 00:00:00 2001
+From a2d285ef5de9537fe2dbf14c4671625aa3035b98 Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothberg@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
 Subject: [PATCH] Add private-registry mirror support
@@ -63,6 +63,7 @@ http for security reasons.
 
 Signed-off-by: Flavio Castelli <fcastelli@suse.com>
 Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  .../engine/api/types/registry/registry.go     | 144 ++++++++++++++++++
  components/engine/daemon/config/config.go     |   4 +
@@ -242,10 +243,10 @@ index 8789ad3b3210..c663fec7d881 100644
  
  // NetIPNet is the net.IPNet type, which can be marshalled and
 diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
-index 6cda223a1181..308eb83f2116 100644
+index 8b2c844a579f..e61940661c70 100644
 --- a/components/engine/daemon/config/config.go
 +++ b/components/engine/daemon/config/config.go
-@@ -439,6 +439,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
+@@ -470,6 +470,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
  	// 1. Search keys from the file that we don't recognize as flags.
  	unknownKeys := make(map[string]interface{})
  	for key, value := range config {
@@ -253,11 +254,11 @@ index 6cda223a1181..308eb83f2116 100644
 +		if key == "registries" {
 +			continue
 +		}
- 		if flag := flags.Lookup(key); flag == nil {
+ 		if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
  			unknownKeys[key] = value
  		}
 diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go
-index 210864ff879d..5e744c5dcf8d 100644
+index 026d7dd517f7..924c3982cd2a 100644
 --- a/components/engine/daemon/reload.go
 +++ b/components/engine/daemon/reload.go
 @@ -21,8 +21,14 @@ import (
@@ -275,7 +276,7 @@ index 210864ff879d..5e744c5dcf8d 100644
  	daemon.configStore.Lock()
  	attributes := map[string]string{}
  
-@@ -64,6 +70,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
+@@ -65,6 +71,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
  	if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
  		return err
  	}
@@ -285,7 +286,7 @@ index 210864ff879d..5e744c5dcf8d 100644
  	return daemon.reloadNetworkDiagnosticPort(conf, attributes)
  }
  
-@@ -293,6 +302,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
+@@ -294,6 +303,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
  	return nil
  }
  
@@ -1159,5 +1160,5 @@ index 3a56dc91145a..9de221cf2aa0 100644
  
  	endpoints = []APIEndpoint{
 -- 
-2.18.0
+2.19.1
 

secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch

@@ -1,4 +1,4 @@
-From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001
+From 4eba91df3257644105ef344949705651507eb2bd Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 21 insertions(+), 3 deletions(-)
 
 diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
-index bc7ee452332b..d34129dfd80b 100644
+index 9953c7f3fddc..e8f6784ca19a 100644
 --- a/components/engine/daemon/container_operations_unix.go
 +++ b/components/engine/daemon/container_operations_unix.go
 @@ -3,6 +3,7 @@
@@ -55,8 +55,8 @@ index bc7ee452332b..d34129dfd80b 100644
 +				// If the "file" is a directory, then s.File.Data is actually a tar
 +				// archive of the directory. So we just do a tar extraction here.
 +				if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
-+					UIDMaps: daemon.idMappings.UIDs(),
-+					GIDMaps: daemon.idMappings.GIDs(),
++					UIDMaps: daemon.idMapping.UIDs(),
++					GIDMaps: daemon.idMapping.GIDs(),
 +				}); err != nil {
 +					return errors.Wrap(err, "error injecting secretdir")
 +				}
@@ -70,5 +70,5 @@ index bc7ee452332b..d34129dfd80b 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.18.0
+2.19.2
 

secrets-0002-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001
+From 229a891b45b996a2cd10f5a71541d124e884556e Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@@ -36,7 +36,7 @@ index c00bd9ceb22b..aa705888df39 100644
  		return errdefs.System(err)
 diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..817cd5561023
+index 000000000000..087c877015a7
 --- /dev/null
 +++ b/components/engine/daemon/suse_secrets.go
 @@ -0,0 +1,396 @@
@@ -112,11 +112,11 @@ index 000000000000..817cd5561023
 +	}
 +}
 +
-+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IDMappings) *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference {
 +	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
 +	// back to root if the UID/GID don't match (we are guaranteed that root is
 +	// mapped).
-+	ctrUser := idtools.IDPair{UID: s.Uid, GID: s.Gid}
++	ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
 +	hostUser := idMaps.RootPair()
 +	if user, err := idMaps.ToHost(ctrUser); err == nil {
 +		hostUser = user
@@ -410,7 +410,7 @@ index 000000000000..817cd5561023
 +		return err
 +	}
 +
-+	idMaps := daemon.IDMappings()
++	idMaps := daemon.idMapping
 +	for _, secret := range secrets {
 +		newDependencyStore.secrets[secret.id()] = secret.toSecret()
 +		c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps))
@@ -437,5 +437,5 @@ index 000000000000..817cd5561023
 +	return nil
 +}
 -- 
-2.18.0
+2.19.2