Accepting request 653739 from Virtualization:containers
Docker 18.09 upgrade. OBS-URL: https://build.opensuse.org/request/show/653739 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=83
This commit is contained in:
commit
caf6995359
4
_service
4
_service
@ -3,8 +3,8 @@
|
||||
<param name="url">https://github.com/docker/docker-ce.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">18.06.1_ce</param>
|
||||
<param name="revision">v18.06.1-ce</param>
|
||||
<param name="versionformat">18.09.0_ce</param>
|
||||
<param name="revision">v18.09.0</param>
|
||||
<param name="filename">docker</param>
|
||||
</service>
|
||||
<service name="recompress" mode="disabled">
|
||||
|
@ -0,0 +1,66 @@
|
||||
From 244ae6114d89a495f1f2b4cf98eb5979fe1381b0 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Sun, 17 Jun 2018 17:05:54 +1000
|
||||
Subject: [PATCH 1/2] oci: include the domainname in "kernel.domainname"
|
||||
|
||||
The OCI doesn't have a specific field for an NIS domainname[1] (mainly
|
||||
because FreeBSD and Solaris appear to have a similar concept but it is
|
||||
configured entirely differently).
|
||||
|
||||
However, on Linux, the NIS domainname can be configured through both the
|
||||
setdomainname(2) syscall but also through the "kernel.domainname"
|
||||
sysctl. Since the OCI has a way of injecting sysctls this means we don't
|
||||
need to have any OCI changes to support NIS domainnames (and we can
|
||||
always switch if the OCI picks up such support in the future).
|
||||
|
||||
It should be noted that because we have to generate this each spec
|
||||
creation we also have to make sure that it's not clobbered by the
|
||||
HostConfig. I'm pretty sure making this change generic (so that
|
||||
HostConfig will not clobber any pre-set sysctls) will not cause other
|
||||
issues to crop up.
|
||||
|
||||
[1]: https://github.com/opencontainers/runtime-spec/issues/592
|
||||
|
||||
SUSE-Bugs: bsc#1001161
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/engine/daemon/oci_linux.go | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
|
||||
index 7611fc054d13..d5838623528e 100644
|
||||
--- a/components/engine/daemon/oci_linux.go
|
||||
+++ b/components/engine/daemon/oci_linux.go
|
||||
@@ -679,7 +679,15 @@ func (daemon *Daemon) populateCommonSpec(s *specs.Spec, c *container.Container)
|
||||
s.Process.Cwd = cwd
|
||||
s.Process.Env = c.CreateDaemonEnvironment(c.Config.Tty, linkedEnv)
|
||||
s.Process.Terminal = c.Config.Tty
|
||||
- s.Hostname = c.FullHostname()
|
||||
+
|
||||
+ s.Hostname = c.Config.Hostname
|
||||
+ // There isn't a field in the OCI for the NIS domainname, but luckily there
|
||||
+ // is a sysctl which has an identical effect to setdomainname(2) so there's
|
||||
+ // no explicit need for runtime support.
|
||||
+ s.Linux.Sysctl = make(map[string]string)
|
||||
+ if c.Config.Domainname != "" {
|
||||
+ s.Linux.Sysctl["kernel.domainname"] = c.Config.Domainname
|
||||
+ }
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -715,7 +723,11 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
|
||||
if err := setResources(&s, c.HostConfig.Resources); err != nil {
|
||||
return nil, fmt.Errorf("linux runtime spec resources: %v", err)
|
||||
}
|
||||
- s.Linux.Sysctl = c.HostConfig.Sysctls
|
||||
+ // We merge the sysctls injected above with the HostConfig (latter takes
|
||||
+ // precedence for backwards-compatibility reasons).
|
||||
+ for k, v := range c.HostConfig.Sysctls {
|
||||
+ s.Linux.Sysctl[k] = v
|
||||
+ }
|
||||
|
||||
p := s.Linux.CgroupsPath
|
||||
if useSystemd {
|
||||
--
|
||||
2.19.2
|
||||
|
227
bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
Normal file
227
bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
Normal file
@ -0,0 +1,227 @@
|
||||
From 975d8efceb479c3d0994814cc5d488ac33d0d2d6 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Mon, 18 Jun 2018 21:58:23 +1000
|
||||
Subject: [PATCH 2/2] cli: add a separate --domainname flag
|
||||
|
||||
A while ago, Docker split the "Domainname" field out from the "Hostname"
|
||||
field for the container configuration. There was no real user-visible
|
||||
change associated with this (and under the hood "Domainname" was mostly
|
||||
left unused from the command-line point of view). We now add this flag
|
||||
in order to match other proposed changes to allow for setting the NIS
|
||||
domainname of a container.
|
||||
|
||||
This also includes a fix for the --hostname parsing tests (they would
|
||||
not error out if only one of .Hostname and .Domainname were incorrectly
|
||||
set -- which is not correct).
|
||||
|
||||
SUSE-Bugs: bsc#1001161
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/cli/cli/command/container/opts.go | 3 ++
|
||||
.../cli/cli/command/container/opts_test.go | 31 ++++++++++++++++---
|
||||
components/cli/contrib/completion/bash/docker | 5 +--
|
||||
components/cli/contrib/completion/zsh/_docker | 1 +
|
||||
.../cli/docs/reference/commandline/create.md | 1 +
|
||||
.../cli/docs/reference/commandline/run.md | 1 +
|
||||
.../reference/commandline/service_create.md | 2 +-
|
||||
components/cli/docs/reference/run.md | 6 ++--
|
||||
components/cli/man/docker-run.1.md | 7 +++++
|
||||
9 files changed, 46 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go
|
||||
index 97906b672252..7cd9ce998c8b 100644
|
||||
--- a/components/cli/cli/command/container/opts.go
|
||||
+++ b/components/cli/cli/command/container/opts.go
|
||||
@@ -74,6 +74,7 @@ type containerOptions struct {
|
||||
containerIDFile string
|
||||
entrypoint string
|
||||
hostname string
|
||||
+ domainname string
|
||||
memory opts.MemBytes
|
||||
memoryReservation opts.MemBytes
|
||||
memorySwap opts.MemSwapBytes
|
||||
@@ -169,6 +170,7 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
|
||||
flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
|
||||
flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
|
||||
flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
|
||||
+ flags.StringVar(&copts.domainname, "domainname", "", "Container NIS domain name")
|
||||
flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
|
||||
flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
|
||||
flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
|
||||
@@ -546,6 +548,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
|
||||
|
||||
config := &container.Config{
|
||||
Hostname: copts.hostname,
|
||||
+ Domainname: copts.domainname,
|
||||
ExposedPorts: ports,
|
||||
User: copts.user,
|
||||
Tty: copts.tty,
|
||||
diff --git a/components/cli/cli/command/container/opts_test.go b/components/cli/cli/command/container/opts_test.go
|
||||
index 6d7c95a5ddb8..70bedc661751 100644
|
||||
--- a/components/cli/cli/command/container/opts_test.go
|
||||
+++ b/components/cli/cli/command/container/opts_test.go
|
||||
@@ -265,14 +265,35 @@ func TestParseHostname(t *testing.T) {
|
||||
hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
|
||||
for hostname, expectedHostname := range validHostnames {
|
||||
if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
|
||||
- t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
|
||||
+ t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
|
||||
}
|
||||
}
|
||||
- if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
|
||||
- t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
|
||||
+ if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
|
||||
+ t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
|
||||
}
|
||||
- if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
|
||||
- t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
|
||||
+ if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
|
||||
+ t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+func TestParseHostnameDomainname(t *testing.T) {
|
||||
+ validDomainnames := map[string]string{
|
||||
+ "domainname": "domainname",
|
||||
+ "domain-name": "domain-name",
|
||||
+ "domainname123": "domainname123",
|
||||
+ "123domainname": "123domainname",
|
||||
+ "domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
|
||||
+ }
|
||||
+ for domainname, expectedDomainname := range validDomainnames {
|
||||
+ if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
|
||||
+ t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
|
||||
+ }
|
||||
+ }
|
||||
+ if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
|
||||
+ t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
|
||||
+ }
|
||||
+ if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
|
||||
+ t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/components/cli/contrib/completion/bash/docker b/components/cli/contrib/completion/bash/docker
|
||||
index 44ac8f3e0ed9..c532f5142c3d 100644
|
||||
--- a/components/cli/contrib/completion/bash/docker
|
||||
+++ b/components/cli/contrib/completion/bash/docker
|
||||
@@ -5,8 +5,8 @@
|
||||
# - SC2016: Expressions don't expand in single quotes, use double quotes for that.
|
||||
# - SC2119: Use foo "$@" if function's $1 should mean script's $1.
|
||||
# - SC2155: Declare and assign separately to avoid masking return values.
|
||||
-#
|
||||
-# You can find more details for each warning at the following page:
|
||||
+#
|
||||
+# You can find more details for each warning at the following page:
|
||||
# https://github.com/koalaman/shellcheck/wiki/<SCXXXX>
|
||||
#
|
||||
# bash completion file for core docker commands
|
||||
@@ -1785,6 +1785,7 @@ _docker_container_run_and_create() {
|
||||
--dns
|
||||
--dns-option
|
||||
--dns-search
|
||||
+ --domainname
|
||||
--entrypoint
|
||||
--env -e
|
||||
--env-file
|
||||
diff --git a/components/cli/contrib/completion/zsh/_docker b/components/cli/contrib/completion/zsh/_docker
|
||||
index 94f042204dfb..9a502db0886f 100644
|
||||
--- a/components/cli/contrib/completion/zsh/_docker
|
||||
+++ b/components/cli/contrib/completion/zsh/_docker
|
||||
@@ -617,6 +617,7 @@ __docker_container_subcommand() {
|
||||
"($help)*--dns=[Custom DNS servers]:DNS server: "
|
||||
"($help)*--dns-option=[Custom DNS options]:DNS option: "
|
||||
"($help)*--dns-search=[Custom DNS search domains]:DNS domains: "
|
||||
+ "($help)*--domainname=[Container NIS domain name]:domainname:_hosts"
|
||||
"($help)*"{-e=,--env=}"[Environment variables]:environment variable: "
|
||||
"($help)--entrypoint=[Overwrite the default entrypoint of the image]:entry point: "
|
||||
"($help)*--env-file=[Read environment variables from a file]:environment file:_files"
|
||||
diff --git a/components/cli/docs/reference/commandline/create.md b/components/cli/docs/reference/commandline/create.md
|
||||
index d585da40ae1e..c829dbb3e5b9 100644
|
||||
--- a/components/cli/docs/reference/commandline/create.md
|
||||
+++ b/components/cli/docs/reference/commandline/create.md
|
||||
@@ -53,6 +53,7 @@ Options:
|
||||
--dns value Set custom DNS servers (default [])
|
||||
--dns-option value Set DNS options (default [])
|
||||
--dns-search value Set custom DNS search domains (default [])
|
||||
+ --domainname string Container NIS domain name
|
||||
--entrypoint string Overwrite the default ENTRYPOINT of the image
|
||||
-e, --env value Set environment variables (default [])
|
||||
--env-file value Read in a file of environment variables (default [])
|
||||
diff --git a/components/cli/docs/reference/commandline/run.md b/components/cli/docs/reference/commandline/run.md
|
||||
index 08b9f18d68ac..f448e1acf89b 100644
|
||||
--- a/components/cli/docs/reference/commandline/run.md
|
||||
+++ b/components/cli/docs/reference/commandline/run.md
|
||||
@@ -57,6 +57,7 @@ Options:
|
||||
--dns value Set custom DNS servers (default [])
|
||||
--dns-option value Set DNS options (default [])
|
||||
--dns-search value Set custom DNS search domains (default [])
|
||||
+ --domainname string Container NIS domain name
|
||||
--entrypoint string Overwrite the default ENTRYPOINT of the image
|
||||
-e, --env value Set environment variables (default [])
|
||||
--env-file value Read in a file of environment variables (default [])
|
||||
diff --git a/components/cli/docs/reference/commandline/service_create.md b/components/cli/docs/reference/commandline/service_create.md
|
||||
index 8fdb5297a102..c55c77b52d77 100644
|
||||
--- a/components/cli/docs/reference/commandline/service_create.md
|
||||
+++ b/components/cli/docs/reference/commandline/service_create.md
|
||||
@@ -755,7 +755,7 @@ The swarm extends my-network to each node running the service.
|
||||
Containers on the same network can access each other using
|
||||
[service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery).
|
||||
|
||||
-Long form syntax of `--network` allows to specify list of aliases and driver options:
|
||||
+Long form syntax of `--network` allows to specify list of aliases and driver options:
|
||||
`--network name=my-network,alias=web1,driver-opt=field1=value1`
|
||||
|
||||
### Publish service ports externally to the swarm (-p, --publish)
|
||||
diff --git a/components/cli/docs/reference/run.md b/components/cli/docs/reference/run.md
|
||||
index a59a30525554..695974fe533c 100644
|
||||
--- a/components/cli/docs/reference/run.md
|
||||
+++ b/components/cli/docs/reference/run.md
|
||||
@@ -256,7 +256,7 @@ The UTS namespace is for setting the hostname and the domain that is visible
|
||||
to running processes in that namespace. By default, all containers, including
|
||||
those with `--network=host`, have their own UTS namespace. The `host` setting will
|
||||
result in the container using the same UTS namespace as the host. Note that
|
||||
-`--hostname` is invalid in `host` UTS mode.
|
||||
+`--hostname` and `--domainname` are invalid in `host` UTS mode.
|
||||
|
||||
You may wish to share the UTS namespace with the host if you would like the
|
||||
hostname of the container to change as the hostname of the host changes. A
|
||||
@@ -396,8 +396,8 @@ network stack and all interfaces from the host will be available to the
|
||||
container. The container's hostname will match the hostname on the host
|
||||
system. Note that `--mac-address` is invalid in `host` netmode. Even in `host`
|
||||
network mode a container has its own UTS namespace by default. As such
|
||||
-`--hostname` is allowed in `host` network mode and will only change the
|
||||
-hostname inside the container.
|
||||
+`--hostname` and `--domainname` are allowed in `host` network mode and will
|
||||
+only change the hostname and domain name inside the container.
|
||||
Similar to `--hostname`, the `--add-host`, `--dns`, `--dns-search`, and
|
||||
`--dns-option` options can be used in `host` network mode. These options update
|
||||
`/etc/hosts` or `/etc/resolv.conf` inside the container. No change are made to
|
||||
diff --git a/components/cli/man/docker-run.1.md b/components/cli/man/docker-run.1.md
|
||||
index e03377001d4e..4a1464a74200 100644
|
||||
--- a/components/cli/man/docker-run.1.md
|
||||
+++ b/components/cli/man/docker-run.1.md
|
||||
@@ -35,6 +35,7 @@ docker-run - Run a command in a new container
|
||||
[**--dns**[=*[]*]]
|
||||
[**--dns-option**[=*[]*]]
|
||||
[**--dns-search**[=*[]*]]
|
||||
+[**--domainname**[=*DOMAINNAME*]]
|
||||
[**-e**|**--env**[=*[]*]]
|
||||
[**--entrypoint**[=*ENTRYPOINT*]]
|
||||
[**--env-file**[=*[]*]]
|
||||
@@ -285,6 +286,12 @@ configuration passed to the container. Typically this is necessary when the
|
||||
host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
|
||||
is the case the **--dns** flags is necessary for every run.
|
||||
|
||||
+**--domainname**=""
|
||||
+ Container NIS domain name
|
||||
+
|
||||
+ Sets the container's NIS domain name (see also **setdomainname(2)**) that is
|
||||
+ available inside the container.
|
||||
+
|
||||
**-e**, **--env**=[]
|
||||
Set environment variables
|
||||
|
||||
--
|
||||
2.19.2
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001
|
||||
From 0a2ba19d51fef679d2a695fd14c30facd5f901f1 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Thu, 23 Aug 2018 19:53:55 +1000
|
||||
Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
|
||||
@ -23,7 +23,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
|
||||
index 4197558a2225..4a3e98fb22c1 100644
|
||||
index 2d940e31fd10..e5e480be3f32 100644
|
||||
--- a/components/cli/man/generate.go
|
||||
+++ b/components/cli/man/generate.go
|
||||
@@ -6,6 +6,8 @@ import (
|
||||
@ -51,8 +51,8 @@ index 4197558a2225..4a3e98fb22c1 100644
|
||||
+ }
|
||||
+
|
||||
stdin, stdout, stderr := term.StdStreams()
|
||||
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
|
||||
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false, nil)
|
||||
cmd := &cobra.Command{Use: "docker"}
|
||||
--
|
||||
2.18.0
|
||||
2.19.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
|
||||
From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Sun, 8 Apr 2018 20:21:30 +1000
|
||||
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
|
||||
@ -7,15 +7,54 @@ In newer kernels, AppArmor will reject attempts to send signals to a
|
||||
container because the signal originated from outside of that AppArmor
|
||||
profile. Correct this by allowing all unconfined signals to be received.
|
||||
|
||||
SUSE-Bugs: bsc#1073877 boo#1089732
|
||||
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/engine/profiles/apparmor/template.go | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
.../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++
|
||||
.../engine/profiles/apparmor/template.go | 6 ++++++
|
||||
2 files changed, 27 insertions(+)
|
||||
|
||||
diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
|
||||
index b021668c8e4c..2f58ee852cab 100644
|
||||
--- a/components/engine/profiles/apparmor/apparmor.go
|
||||
+++ b/components/engine/profiles/apparmor/apparmor.go
|
||||
@@ -23,6 +23,8 @@ var (
|
||||
type profileData struct {
|
||||
// Name is profile name.
|
||||
Name string
|
||||
+ // DaemonProfile is the profile name of our daemon.
|
||||
+ DaemonProfile string
|
||||
// Imports defines the apparmor functions to import, before defining the profile.
|
||||
Imports []string
|
||||
// InnerImports defines the apparmor functions to import in the profile.
|
||||
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
|
||||
Name: name,
|
||||
}
|
||||
|
||||
+ // Figure out the daemon profile.
|
||||
+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
|
||||
+ if err != nil {
|
||||
+ // If we couldn't get the daemon profile, assume we are running
|
||||
+ // unconfined which is generally the default.
|
||||
+ currentProfile = nil
|
||||
+ }
|
||||
+ daemonProfile := string(currentProfile)
|
||||
+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
|
||||
+ // profiles cannot contain spaces so this doesn't restrict daemon profile
|
||||
+ // names.
|
||||
+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
|
||||
+ daemonProfile = parts[0]
|
||||
+ }
|
||||
+ if daemonProfile == "" {
|
||||
+ daemonProfile = "unconfined"
|
||||
+ }
|
||||
+ p.DaemonProfile = daemonProfile
|
||||
+
|
||||
// Install to a temporary directory.
|
||||
f, err := ioutil.TempFile("", name)
|
||||
if err != nil {
|
||||
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
|
||||
index c00a3f70e993..772c4a4873f6 100644
|
||||
index c00a3f70e993..400b3bd50a11 100644
|
||||
--- a/components/engine/profiles/apparmor/template.go
|
||||
+++ b/components/engine/profiles/apparmor/template.go
|
||||
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
@ -24,13 +63,13 @@ index c00a3f70e993..772c4a4873f6 100644
|
||||
umount,
|
||||
+{{if ge .Version 208096}}
|
||||
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
|
||||
+ signal (receive) peer=unconfined,
|
||||
+{{/* And allow signals to be sent inside the container. */}}
|
||||
+ signal (receive) peer={{.DaemonProfile}},
|
||||
+{{/* Allow container processes to send signals amongst themselves. */}}
|
||||
+ signal (send,receive) peer={{.Name}},
|
||||
+{{end}}
|
||||
|
||||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
||||
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
||||
--
|
||||
2.18.0
|
||||
2.19.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001
|
||||
From 04f594765577163a26f24d0fe3fc7a2283f1e018 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
|
||||
@ -68,10 +68,10 @@ index 51f9c526b350..97d7758442ee 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
|
||||
index 5e5f586ae085..6ca6a7aaa268 100644
|
||||
index a307863017ab..67cd286002bf 100644
|
||||
--- a/components/engine/daemon/daemon.go
|
||||
+++ b/components/engine/daemon/daemon.go
|
||||
@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
|
||||
@@ -735,7 +735,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
||||
}
|
||||
|
||||
@ -83,5 +83,5 @@ index 5e5f586ae085..6ca6a7aaa268 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.18.0
|
||||
2.19.1
|
||||
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Mon, 30 Jul 2018 19:34:01 +1000
|
||||
Subject: [PATCH] build: add -buildmode=pie
|
||||
|
||||
Make all dynbinary builds be position-independent (this adds both
|
||||
security benefits and can help with flaky builds on POWER
|
||||
architectures).
|
||||
|
||||
SUSE-Bugs: bsc#1100727
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/cli/scripts/build/dynbinary | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/components/cli/scripts/build/dynbinary b/components/cli/scripts/build/dynbinary
|
||||
index 3c32ed342ef7..4feb7e71d852 100755
|
||||
--- a/components/cli/scripts/build/dynbinary
|
||||
+++ b/components/cli/scripts/build/dynbinary
|
||||
@@ -9,6 +9,6 @@ source ./scripts/build/.variables
|
||||
|
||||
echo "Building dynamically linked $TARGET"
|
||||
export CGO_ENABLED=1
|
||||
-go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" "${SOURCE}"
|
||||
+go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" -buildmode=pie "${SOURCE}"
|
||||
|
||||
ln -sf "$(basename "${TARGET}")" build/docker
|
||||
--
|
||||
2.18.0
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0
|
||||
size 8561132
|
3
docker-18.09.0_ce.tar.xz
Normal file
3
docker-18.09.0_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ce38c3b659b78bccdfaf07b1f0a4eaaf454ffec726434511feeee1b9a2fc8151
|
||||
size 9264940
|
@ -1,3 +1,31 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 3 16:14:22 UTC 2018 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Add backports of https://github.com/docker/docker/pull/37302 and
|
||||
https://github.com/docker/cli/pull/1130, which allow for users to explicitly
|
||||
specify the NIS domainname of a container. bsc#1001161
|
||||
+ bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
|
||||
+ bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 29 09:41:11 UTC 2018 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update docker.service to match upstream and avoid rlimit problems.
|
||||
bsc#1112980
|
||||
- Upgrade to Docker 18.09.0-ce. See upstream changelog in the packaged
|
||||
/usr/share/doc/packages/docker/CHANGELOG.md. boo#1115464
|
||||
- Add revert of an upstream patch to fix docker-* handling.
|
||||
+ packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
|
||||
- Rebase patches:
|
||||
* bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
|
||||
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||
* bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||
* private-registry-0001-Add-private-registry-mirror-support.patch
|
||||
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||
- Remove upstreamed patches:
|
||||
- bsc1100727-0001-build-add-buildmode-pie.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 8 06:41:21 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
|
||||
|
||||
|
@ -15,7 +15,7 @@ ExecReload=/bin/kill -s HUP $MAINPID
|
||||
|
||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||
# in the kernel. We recommend using cgroups to do container-local accounting.
|
||||
LimitNOFILE=infinity
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=infinity
|
||||
LimitCORE=infinity
|
||||
|
||||
@ -27,9 +27,13 @@ TasksMax=infinity
|
||||
# Only systemd 218 and above support this property.
|
||||
Delegate=yes
|
||||
|
||||
# This is not necessary because of how we set up containerd.
|
||||
#KillMode=process
|
||||
# Kill only the docker process, not all processes in the cgroup.
|
||||
KillMode=process
|
||||
|
||||
# Restart the docker process if it exits prematurely.
|
||||
Restart=on-failure
|
||||
StartLimitBurst=3
|
||||
StartLimitInterval=60s
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
|
27
docker.spec
27
docker.spec
@ -49,10 +49,10 @@
|
||||
# sure we didn't miss anything important when doing upgrades.
|
||||
%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
|
||||
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
|
||||
%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
|
||||
%define required_libnetwork 6da50d1978302f04c3e2089e29112ea24812f05b
|
||||
|
||||
Name: %{realname}%{name_suffix}
|
||||
Version: 18.06.1_ce
|
||||
Version: 18.09.0_ce
|
||||
Release: 0
|
||||
Summary: The Linux container runtime
|
||||
License: Apache-2.0
|
||||
@ -76,16 +76,20 @@ Source9: tests.sh
|
||||
# branch in http://github.com/suse/docker.mirror.
|
||||
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37831. bsc#1073877
|
||||
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
|
||||
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
|
||||
Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
|
||||
Patch403: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
|
||||
Patch402: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
|
||||
# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907.
|
||||
Patch403: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37302. bsc#1001161
|
||||
Patch404: bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
|
||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1130. bsc#1001161
|
||||
Patch405: bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
|
||||
# SUSE-FEATURE: Add support to mirror inofficial/private registries
|
||||
# (https://github.com/moby/moby/pull/34319)
|
||||
# (https://github.com/docker/docker/pull/34319)
|
||||
Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
|
||||
BuildRequires: audit
|
||||
BuildRequires: bash-completion
|
||||
@ -263,10 +267,13 @@ docker container runtime configuration for kubeadm
|
||||
%patch400 -p1
|
||||
# bsc#1099277
|
||||
%patch401 -p1
|
||||
# bsc#1100727
|
||||
%patch402 -p1
|
||||
# boo#1047218
|
||||
%patch402 -p1
|
||||
# revert upstream
|
||||
%patch403 -p1
|
||||
# bsc#1001161
|
||||
%patch404 -p1
|
||||
%patch405 -p1
|
||||
%if "%flavour" == "kubic"
|
||||
# PATCH-SUSE: Mirror patch.
|
||||
%patch500 -p1
|
||||
|
@ -0,0 +1,187 @@
|
||||
From 9236191a98a0e9b8aa4ac7da4d4b1c0c196344e2 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Thu, 29 Nov 2018 20:53:16 +1100
|
||||
Subject: [PATCH] revert "Remove 'docker-' prefix for containerd and runc
|
||||
binaries"
|
||||
|
||||
This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
|
||||
would significantly break openSUSE's packaging (as well as causing
|
||||
conflicts between the very-outdated runc that Docker uses and the more
|
||||
up-to-date one available for Podman).
|
||||
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
components/engine/api/swagger.yaml | 4 +--
|
||||
.../builder/builder-next/executor_unix.go | 2 +-
|
||||
components/engine/cmd/dockerd/daemon.go | 36 +++++++------------
|
||||
components/engine/daemon/daemon_unix.go | 6 ++--
|
||||
.../libcontainerd/supervisor/remote_daemon.go | 4 +--
|
||||
.../supervisor/remote_daemon_linux.go | 4 +--
|
||||
.../supervisor/remote_daemon_windows.go | 4 +--
|
||||
7 files changed, 25 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/components/engine/api/swagger.yaml b/components/engine/api/swagger.yaml
|
||||
index f58a64f29ea3..d275f2ff49eb 100644
|
||||
--- a/components/engine/api/swagger.yaml
|
||||
+++ b/components/engine/api/swagger.yaml
|
||||
@@ -3852,10 +3852,10 @@ definitions:
|
||||
$ref: "#/definitions/Runtime"
|
||||
default:
|
||||
runc:
|
||||
- path: "runc"
|
||||
+ path: "docker-runc"
|
||||
example:
|
||||
runc:
|
||||
- path: "runc"
|
||||
+ path: "docker-runc"
|
||||
runc-master:
|
||||
path: "/go/bin/runc"
|
||||
custom:
|
||||
diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go
|
||||
index b3ea33c05c71..94d8bb766045 100644
|
||||
--- a/components/engine/builder/builder-next/executor_unix.go
|
||||
+++ b/components/engine/builder/builder-next/executor_unix.go
|
||||
@@ -27,7 +27,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e
|
||||
}
|
||||
return runcexecutor.New(runcexecutor.Opt{
|
||||
Root: filepath.Join(root, "executor"),
|
||||
- CommandCandidates: []string{"runc"},
|
||||
+ CommandCandidates: []string{"docker-runc", "runc"},
|
||||
DefaultCgroupParent: cgroupParent,
|
||||
}, networkProviders)
|
||||
}
|
||||
diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
|
||||
index 839537316af4..05922e6418d0 100644
|
||||
--- a/components/engine/cmd/dockerd/daemon.go
|
||||
+++ b/components/engine/cmd/dockerd/daemon.go
|
||||
@@ -10,7 +10,6 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
- containerddefaults "github.com/containerd/containerd/defaults"
|
||||
"github.com/docker/distribution/uuid"
|
||||
"github.com/docker/docker/api"
|
||||
apiserver "github.com/docker/docker/api/server"
|
||||
@@ -141,25 +140,21 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
if cli.Config.ContainerdAddr == "" && runtime.GOOS != "windows" {
|
||||
- if !systemContainerdRunning() {
|
||||
- opts, err := cli.getContainerdDaemonOpts()
|
||||
- if err != nil {
|
||||
- cancel()
|
||||
- return fmt.Errorf("Failed to generate containerd options: %v", err)
|
||||
- }
|
||||
-
|
||||
- r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
|
||||
- if err != nil {
|
||||
- cancel()
|
||||
- return fmt.Errorf("Failed to start containerd: %v", err)
|
||||
- }
|
||||
- cli.Config.ContainerdAddr = r.Address()
|
||||
+ opts, err := cli.getContainerdDaemonOpts()
|
||||
+ if err != nil {
|
||||
+ cancel()
|
||||
+ return fmt.Errorf("Failed to generate containerd options: %v", err)
|
||||
+ }
|
||||
|
||||
- // Try to wait for containerd to shutdown
|
||||
- defer r.WaitTimeout(10 * time.Second)
|
||||
- } else {
|
||||
- cli.Config.ContainerdAddr = containerddefaults.DefaultAddress
|
||||
+ r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
|
||||
+ if err != nil {
|
||||
+ cancel()
|
||||
+ return fmt.Errorf("Failed to start containerd: %v", err)
|
||||
}
|
||||
+ cli.Config.ContainerdAddr = r.Address()
|
||||
+
|
||||
+ // Try to wait for containerd to shutdown
|
||||
+ defer r.WaitTimeout(10 * time.Second)
|
||||
}
|
||||
defer cancel()
|
||||
|
||||
@@ -665,8 +660,3 @@ func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGette
|
||||
}
|
||||
return nil
|
||||
}
|
||||
-
|
||||
-func systemContainerdRunning() bool {
|
||||
- _, err := os.Lstat(containerddefaults.DefaultAddress)
|
||||
- return err == nil
|
||||
-}
|
||||
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
|
||||
index b69eede21c44..77adba94a468 100644
|
||||
--- a/components/engine/daemon/daemon_unix.go
|
||||
+++ b/components/engine/daemon/daemon_unix.go
|
||||
@@ -54,11 +54,11 @@ import (
|
||||
const (
|
||||
// DefaultShimBinary is the default shim to be used by containerd if none
|
||||
// is specified
|
||||
- DefaultShimBinary = "containerd-shim"
|
||||
+ DefaultShimBinary = "docker-containerd-shim"
|
||||
|
||||
// DefaultRuntimeBinary is the default runtime to be used by
|
||||
// containerd if none is specified
|
||||
- DefaultRuntimeBinary = "runc"
|
||||
+ DefaultRuntimeBinary = "docker-runc"
|
||||
|
||||
// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
|
||||
linuxMinCPUShares = 2
|
||||
@@ -76,7 +76,7 @@ const (
|
||||
|
||||
// DefaultRuntimeName is the default runtime to be used by
|
||||
// containerd if none is specified
|
||||
- DefaultRuntimeName = "runc"
|
||||
+ DefaultRuntimeName = "docker-runc"
|
||||
)
|
||||
|
||||
type containerGetter interface {
|
||||
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
|
||||
index 095300f753e9..1dcfbe176b0d 100644
|
||||
--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
|
||||
+++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
|
||||
@@ -27,8 +27,8 @@ const (
|
||||
shutdownTimeout = 15 * time.Second
|
||||
startupTimeout = 15 * time.Second
|
||||
configFile = "containerd.toml"
|
||||
- binaryName = "containerd"
|
||||
- pidFile = "containerd.pid"
|
||||
+ binaryName = "docker-containerd"
|
||||
+ pidFile = "docker-containerd.pid"
|
||||
)
|
||||
|
||||
type pluginConfigs struct {
|
||||
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
|
||||
index 799399c07bc5..1ea91d2b5d0b 100644
|
||||
--- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
|
||||
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
|
||||
@@ -11,8 +11,8 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
- sockFile = "containerd.sock"
|
||||
- debugSockFile = "containerd-debug.sock"
|
||||
+ sockFile = "docker-containerd.sock"
|
||||
+ debugSockFile = "docker-containerd-debug.sock"
|
||||
)
|
||||
|
||||
func (r *remote) setDefaults() {
|
||||
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
|
||||
index 9b254ef58a0a..bcdc9529e0f7 100644
|
||||
--- a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
|
||||
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
|
||||
@@ -7,8 +7,8 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
- grpcPipeName = `\\.\pipe\containerd-containerd`
|
||||
- debugPipeName = `\\.\pipe\containerd-debug`
|
||||
+ grpcPipeName = `\\.\pipe\docker-containerd-containerd`
|
||||
+ debugPipeName = `\\.\pipe\docker-containerd-debug`
|
||||
)
|
||||
|
||||
func (r *remote) setDefaults() {
|
||||
--
|
||||
2.19.2
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 46c2590f7637dba208b3db7e44c04e24f33c436d Mon Sep 17 00:00:00 2001
|
||||
From a2d285ef5de9537fe2dbf14c4671625aa3035b98 Mon Sep 17 00:00:00 2001
|
||||
From: Valentin Rothberg <vrothberg@suse.com>
|
||||
Date: Mon, 2 Jul 2018 13:37:34 +0200
|
||||
Subject: [PATCH] Add private-registry mirror support
|
||||
@ -63,6 +63,7 @@ http for security reasons.
|
||||
|
||||
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
|
||||
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|
||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
---
|
||||
.../engine/api/types/registry/registry.go | 144 ++++++++++++++++++
|
||||
components/engine/daemon/config/config.go | 4 +
|
||||
@ -242,10 +243,10 @@ index 8789ad3b3210..c663fec7d881 100644
|
||||
|
||||
// NetIPNet is the net.IPNet type, which can be marshalled and
|
||||
diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
|
||||
index 6cda223a1181..308eb83f2116 100644
|
||||
index 8b2c844a579f..e61940661c70 100644
|
||||
--- a/components/engine/daemon/config/config.go
|
||||
+++ b/components/engine/daemon/config/config.go
|
||||
@@ -439,6 +439,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
|
||||
@@ -470,6 +470,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
|
||||
// 1. Search keys from the file that we don't recognize as flags.
|
||||
unknownKeys := make(map[string]interface{})
|
||||
for key, value := range config {
|
||||
@ -253,11 +254,11 @@ index 6cda223a1181..308eb83f2116 100644
|
||||
+ if key == "registries" {
|
||||
+ continue
|
||||
+ }
|
||||
if flag := flags.Lookup(key); flag == nil {
|
||||
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
|
||||
unknownKeys[key] = value
|
||||
}
|
||||
diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go
|
||||
index 210864ff879d..5e744c5dcf8d 100644
|
||||
index 026d7dd517f7..924c3982cd2a 100644
|
||||
--- a/components/engine/daemon/reload.go
|
||||
+++ b/components/engine/daemon/reload.go
|
||||
@@ -21,8 +21,14 @@ import (
|
||||
@ -275,7 +276,7 @@ index 210864ff879d..5e744c5dcf8d 100644
|
||||
daemon.configStore.Lock()
|
||||
attributes := map[string]string{}
|
||||
|
||||
@@ -64,6 +70,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
|
||||
@@ -65,6 +71,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
|
||||
if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
|
||||
return err
|
||||
}
|
||||
@ -285,7 +286,7 @@ index 210864ff879d..5e744c5dcf8d 100644
|
||||
return daemon.reloadNetworkDiagnosticPort(conf, attributes)
|
||||
}
|
||||
|
||||
@@ -293,6 +302,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
|
||||
@@ -294,6 +303,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -1159,5 +1160,5 @@ index 3a56dc91145a..9de221cf2aa0 100644
|
||||
|
||||
endpoints = []APIEndpoint{
|
||||
--
|
||||
2.18.0
|
||||
2.19.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001
|
||||
From 4eba91df3257644105ef344949705651507eb2bd Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 21 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
|
||||
index bc7ee452332b..d34129dfd80b 100644
|
||||
index 9953c7f3fddc..e8f6784ca19a 100644
|
||||
--- a/components/engine/daemon/container_operations_unix.go
|
||||
+++ b/components/engine/daemon/container_operations_unix.go
|
||||
@@ -3,6 +3,7 @@
|
||||
@ -55,8 +55,8 @@ index bc7ee452332b..d34129dfd80b 100644
|
||||
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
||||
+ // archive of the directory. So we just do a tar extraction here.
|
||||
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
||||
+ UIDMaps: daemon.idMappings.UIDs(),
|
||||
+ GIDMaps: daemon.idMappings.GIDs(),
|
||||
+ UIDMaps: daemon.idMapping.UIDs(),
|
||||
+ GIDMaps: daemon.idMapping.GIDs(),
|
||||
+ }); err != nil {
|
||||
+ return errors.Wrap(err, "error injecting secretdir")
|
||||
+ }
|
||||
@ -70,5 +70,5 @@ index bc7ee452332b..d34129dfd80b 100644
|
||||
return errors.Wrap(err, "error setting ownership for secret")
|
||||
}
|
||||
--
|
||||
2.18.0
|
||||
2.19.2
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001
|
||||
From 229a891b45b996a2cd10f5a71541d124e884556e Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
|
||||
@ -36,7 +36,7 @@ index c00bd9ceb22b..aa705888df39 100644
|
||||
return errdefs.System(err)
|
||||
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
|
||||
new file mode 100644
|
||||
index 000000000000..817cd5561023
|
||||
index 000000000000..087c877015a7
|
||||
--- /dev/null
|
||||
+++ b/components/engine/daemon/suse_secrets.go
|
||||
@@ -0,0 +1,396 @@
|
||||
@ -112,11 +112,11 @@ index 000000000000..817cd5561023
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IDMappings) *swarmtypes.SecretReference {
|
||||
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference {
|
||||
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
|
||||
+ // back to root if the UID/GID don't match (we are guaranteed that root is
|
||||
+ // mapped).
|
||||
+ ctrUser := idtools.IDPair{UID: s.Uid, GID: s.Gid}
|
||||
+ ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
|
||||
+ hostUser := idMaps.RootPair()
|
||||
+ if user, err := idMaps.ToHost(ctrUser); err == nil {
|
||||
+ hostUser = user
|
||||
@ -410,7 +410,7 @@ index 000000000000..817cd5561023
|
||||
+ return err
|
||||
+ }
|
||||
+
|
||||
+ idMaps := daemon.IDMappings()
|
||||
+ idMaps := daemon.idMapping
|
||||
+ for _, secret := range secrets {
|
||||
+ newDependencyStore.secrets[secret.id()] = secret.toSecret()
|
||||
+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps))
|
||||
@ -437,5 +437,5 @@ index 000000000000..817cd5561023
|
||||
+ return nil
|
||||
+}
|
||||
--
|
||||
2.18.0
|
||||
2.19.2
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user