Accepting request 653739 from Virtualization:containers
Docker 18.09 upgrade. OBS-URL: https://build.opensuse.org/request/show/653739 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=83
commit
caf6995359
4
_service
@ -3,8 +3,8 @@
|
|||||||
<param name="url">https://github.com/docker/docker-ce.git</param>
|
<param name="url">https://github.com/docker/docker-ce.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">18.06.1_ce</param>
|
<param name="versionformat">18.09.0_ce</param>
|
||||||
<param name="revision">v18.06.1-ce</param>
|
<param name="revision">v18.09.0</param>
|
||||||
<param name="filename">docker</param>
|
<param name="filename">docker</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="recompress" mode="disabled">
|
<service name="recompress" mode="disabled">
|
||||||
|
@ -0,0 +1,66 @@
|
|||||||
|
From 244ae6114d89a495f1f2b4cf98eb5979fe1381b0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
|
Date: Sun, 17 Jun 2018 17:05:54 +1000
|
||||||
|
Subject: [PATCH 1/2] oci: include the domainname in "kernel.domainname"
|
||||||
|
|
||||||
|
The OCI doesn't have a specific field for an NIS domainname[1] (mainly
|
||||||
|
because FreeBSD and Solaris appear to have a similar concept but it is
|
||||||
|
configured entirely differently).
|
||||||
|
|
||||||
|
However, on Linux, the NIS domainname can be configured through both the
|
||||||
|
setdomainname(2) syscall but also through the "kernel.domainname"
|
||||||
|
sysctl. Since the OCI has a way of injecting sysctls this means we don't
|
||||||
|
need to have any OCI changes to support NIS domainnames (and we can
|
||||||
|
always switch if the OCI picks up such support in the future).
|
||||||
|
|
||||||
|
It should be noted that because we have to generate this each spec
|
||||||
|
creation we also have to make sure that it's not clobbered by the
|
||||||
|
HostConfig. I'm pretty sure making this change generic (so that
|
||||||
|
HostConfig will not clobber any pre-set sysctls) will not cause other
|
||||||
|
issues to crop up.
|
||||||
|
|
||||||
|
[1]: https://github.com/opencontainers/runtime-spec/issues/592
|
||||||
|
|
||||||
|
SUSE-Bugs: bsc#1001161
|
||||||
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
|
---
|
||||||
|
components/engine/daemon/oci_linux.go | 16 ++++++++++++++--
|
||||||
|
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
|
||||||
|
index 7611fc054d13..d5838623528e 100644
|
||||||
|
--- a/components/engine/daemon/oci_linux.go
|
||||||
|
+++ b/components/engine/daemon/oci_linux.go
|
||||||
|
@@ -679,7 +679,15 @@ func (daemon *Daemon) populateCommonSpec(s *specs.Spec, c *container.Container)
|
||||||
|
s.Process.Cwd = cwd
|
||||||
|
s.Process.Env = c.CreateDaemonEnvironment(c.Config.Tty, linkedEnv)
|
||||||
|
s.Process.Terminal = c.Config.Tty
|
||||||
|
- s.Hostname = c.FullHostname()
|
||||||
|
+
|
||||||
|
+ s.Hostname = c.Config.Hostname
|
||||||
|
+ // There isn't a field in the OCI for the NIS domainname, but luckily there
|
||||||
|
+ // is a sysctl which has an identical effect to setdomainname(2) so there's
|
||||||
|
+ // no explicit need for runtime support.
|
||||||
|
+ s.Linux.Sysctl = make(map[string]string)
|
||||||
|
+ if c.Config.Domainname != "" {
|
||||||
|
+ s.Linux.Sysctl["kernel.domainname"] = c.Config.Domainname
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
@@ -715,7 +723,11 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
|
||||||
|
if err := setResources(&s, c.HostConfig.Resources); err != nil {
|
||||||
|
return nil, fmt.Errorf("linux runtime spec resources: %v", err)
|
||||||
|
}
|
||||||
|
- s.Linux.Sysctl = c.HostConfig.Sysctls
|
||||||
|
+ // We merge the sysctls injected above with the HostConfig (latter takes
|
||||||
|
+ // precedence for backwards-compatibility reasons).
|
||||||
|
+ for k, v := range c.HostConfig.Sysctls {
|
||||||
|
+ s.Linux.Sysctl[k] = v
|
||||||
|
+ }
|
||||||
|
|
||||||
|
p := s.Linux.CgroupsPath
|
||||||
|
if useSystemd {
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
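Review bot: In the `populateCommonSpec` hunk of the embedded oci_linux.go patch, `kernel.domainname` is written into `s.Linux.Sysctl` whenever `c.Config.Domainname` is non-empty, and nothing visible here checks that the container gets its own UTS namespace. With a shared host UTS namespace that sysctl would presumably act on the host's domain name, so confirm the daemon rejects `Domainname` in `host` UTS mode before this point, or guard the assignment, e.g. `if c.Config.Domainname != "" && !c.HostConfig.UTSMode.IsHost() {`. The merge loop in `createSpec` also lets a `kernel.domainname` entry in `HostConfig.Sysctls` silently override the config value; the existing comment could say so explicitly, e.g. `// NOTE: a user-supplied kernel.domainname sysctl overrides Config.Domainname.` Both functions start outside their hunks, so an existing check may simply not be shown.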
227
bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
Normal file
@ -0,0 +1,227 @@
|
|||||||
|
From 975d8efceb479c3d0994814cc5d488ac33d0d2d6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
|
Date: Mon, 18 Jun 2018 21:58:23 +1000
|
||||||
|
Subject: [PATCH 2/2] cli: add a separate --domainname flag
|
||||||
|
|
||||||
|
A while ago, Docker split the "Domainname" field out from the "Hostname"
|
||||||
|
field for the container configuration. There was no real user-visible
|
||||||
|
change associated with this (and under the hood "Domainname" was mostly
|
||||||
|
left unused from the command-line point of view). We now add this flag
|
||||||
|
in order to match other proposed changes to allow for setting the NIS
|
||||||
|
domainname of a container.
|
||||||
|
|
||||||
|
This also includes a fix for the --hostname parsing tests (they would
|
||||||
|
not error out if only one of .Hostname and .Domainname were incorrectly
|
||||||
|
set -- which is not correct).
|
||||||
|
|
||||||
|
SUSE-Bugs: bsc#1001161
|
||||||
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
|
---
|
||||||
|
components/cli/cli/command/container/opts.go | 3 ++
|
||||||
|
.../cli/cli/command/container/opts_test.go | 31 ++++++++++++++++---
|
||||||
|
components/cli/contrib/completion/bash/docker | 5 +--
|
||||||
|
components/cli/contrib/completion/zsh/_docker | 1 +
|
||||||
|
.../cli/docs/reference/commandline/create.md | 1 +
|
||||||
|
.../cli/docs/reference/commandline/run.md | 1 +
|
||||||
|
.../reference/commandline/service_create.md | 2 +-
|
||||||
|
components/cli/docs/reference/run.md | 6 ++--
|
||||||
|
components/cli/man/docker-run.1.md | 7 +++++
|
||||||
|
9 files changed, 46 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go
|
||||||
|
index 97906b672252..7cd9ce998c8b 100644
|
||||||
|
--- a/components/cli/cli/command/container/opts.go
|
||||||
|
+++ b/components/cli/cli/command/container/opts.go
|
||||||
|
@@ -74,6 +74,7 @@ type containerOptions struct {
|
||||||
|
containerIDFile string
|
||||||
|
entrypoint string
|
||||||
|
hostname string
|
||||||
|
+ domainname string
|
||||||
|
memory opts.MemBytes
|
||||||
|
memoryReservation opts.MemBytes
|
||||||
|
memorySwap opts.MemSwapBytes
|
||||||
|
@@ -169,6 +170,7 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
|
||||||
|
flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
|
||||||
|
flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
|
||||||
|
flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
|
||||||
|
+ flags.StringVar(&copts.domainname, "domainname", "", "Container NIS domain name")
|
||||||
|
flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
|
||||||
|
flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
|
||||||
|
flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
|
||||||
|
@@ -546,6 +548,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
|
||||||
|
|
||||||
|
config := &container.Config{
|
||||||
|
Hostname: copts.hostname,
|
||||||
|
+ Domainname: copts.domainname,
|
||||||
|
ExposedPorts: ports,
|
||||||
|
User: copts.user,
|
||||||
|
Tty: copts.tty,
|
||||||
|
diff --git a/components/cli/cli/command/container/opts_test.go b/components/cli/cli/command/container/opts_test.go
|
||||||
|
index 6d7c95a5ddb8..70bedc661751 100644
|
||||||
|
--- a/components/cli/cli/command/container/opts_test.go
|
||||||
|
+++ b/components/cli/cli/command/container/opts_test.go
|
||||||
|
@@ -265,14 +265,35 @@ func TestParseHostname(t *testing.T) {
|
||||||
|
hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
|
||||||
|
for hostname, expectedHostname := range validHostnames {
|
||||||
|
if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
|
||||||
|
- t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
|
||||||
|
+ t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
|
||||||
|
- t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
|
||||||
|
+ if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
|
||||||
|
+ t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
|
||||||
|
}
|
||||||
|
- if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
|
||||||
|
- t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
|
||||||
|
+ if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
|
||||||
|
+ t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+func TestParseHostnameDomainname(t *testing.T) {
|
||||||
|
+ validDomainnames := map[string]string{
|
||||||
|
+ "domainname": "domainname",
|
||||||
|
+ "domain-name": "domain-name",
|
||||||
|
+ "domainname123": "domainname123",
|
||||||
|
+ "123domainname": "123domainname",
|
||||||
|
+ "domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
|
||||||
|
+ }
|
||||||
|
+ for domainname, expectedDomainname := range validDomainnames {
|
||||||
|
+ if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
|
||||||
|
+ t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
|
||||||
|
+ t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
|
||||||
|
+ }
|
||||||
|
+ if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
|
||||||
|
+ t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/components/cli/contrib/completion/bash/docker b/components/cli/contrib/completion/bash/docker
|
||||||
|
index 44ac8f3e0ed9..c532f5142c3d 100644
|
||||||
|
--- a/components/cli/contrib/completion/bash/docker
|
||||||
|
+++ b/components/cli/contrib/completion/bash/docker
|
||||||
|
@@ -5,8 +5,8 @@
|
||||||
|
# - SC2016: Expressions don't expand in single quotes, use double quotes for that.
|
||||||
|
# - SC2119: Use foo "$@" if function's $1 should mean script's $1.
|
||||||
|
# - SC2155: Declare and assign separately to avoid masking return values.
|
||||||
|
-#
|
||||||
|
-# You can find more details for each warning at the following page:
|
||||||
|
+#
|
||||||
|
+# You can find more details for each warning at the following page:
|
||||||
|
# https://github.com/koalaman/shellcheck/wiki/<SCXXXX>
|
||||||
|
#
|
||||||
|
# bash completion file for core docker commands
|
||||||
|
@@ -1785,6 +1785,7 @@ _docker_container_run_and_create() {
|
||||||
|
--dns
|
||||||
|
--dns-option
|
||||||
|
--dns-search
|
||||||
|
+ --domainname
|
||||||
|
--entrypoint
|
||||||
|
--env -e
|
||||||
|
--env-file
|
||||||
|
diff --git a/components/cli/contrib/completion/zsh/_docker b/components/cli/contrib/completion/zsh/_docker
|
||||||
|
index 94f042204dfb..9a502db0886f 100644
|
||||||
|
--- a/components/cli/contrib/completion/zsh/_docker
|
||||||
|
+++ b/components/cli/contrib/completion/zsh/_docker
|
||||||
|
@@ -617,6 +617,7 @@ __docker_container_subcommand() {
|
||||||
|
"($help)*--dns=[Custom DNS servers]:DNS server: "
|
||||||
|
"($help)*--dns-option=[Custom DNS options]:DNS option: "
|
||||||
|
"($help)*--dns-search=[Custom DNS search domains]:DNS domains: "
|
||||||
|
+ "($help)*--domainname=[Container NIS domain name]:domainname:_hosts"
|
||||||
|
"($help)*"{-e=,--env=}"[Environment variables]:environment variable: "
|
||||||
|
"($help)--entrypoint=[Overwrite the default entrypoint of the image]:entry point: "
|
||||||
|
"($help)*--env-file=[Read environment variables from a file]:environment file:_files"
|
||||||
|
diff --git a/components/cli/docs/reference/commandline/create.md b/components/cli/docs/reference/commandline/create.md
|
||||||
|
index d585da40ae1e..c829dbb3e5b9 100644
|
||||||
|
--- a/components/cli/docs/reference/commandline/create.md
|
||||||
|
+++ b/components/cli/docs/reference/commandline/create.md
|
||||||
|
@@ -53,6 +53,7 @@ Options:
|
||||||
|
--dns value Set custom DNS servers (default [])
|
||||||
|
--dns-option value Set DNS options (default [])
|
||||||
|
--dns-search value Set custom DNS search domains (default [])
|
||||||
|
+ --domainname string Container NIS domain name
|
||||||
|
--entrypoint string Overwrite the default ENTRYPOINT of the image
|
||||||
|
-e, --env value Set environment variables (default [])
|
||||||
|
--env-file value Read in a file of environment variables (default [])
|
||||||
|
diff --git a/components/cli/docs/reference/commandline/run.md b/components/cli/docs/reference/commandline/run.md
|
||||||
|
index 08b9f18d68ac..f448e1acf89b 100644
|
||||||
|
--- a/components/cli/docs/reference/commandline/run.md
|
||||||
|
+++ b/components/cli/docs/reference/commandline/run.md
|
||||||
|
@@ -57,6 +57,7 @@ Options:
|
||||||
|
--dns value Set custom DNS servers (default [])
|
||||||
|
--dns-option value Set DNS options (default [])
|
||||||
|
--dns-search value Set custom DNS search domains (default [])
|
||||||
|
+ --domainname string Container NIS domain name
|
||||||
|
--entrypoint string Overwrite the default ENTRYPOINT of the image
|
||||||
|
-e, --env value Set environment variables (default [])
|
||||||
|
--env-file value Read in a file of environment variables (default [])
|
||||||
|
diff --git a/components/cli/docs/reference/commandline/service_create.md b/components/cli/docs/reference/commandline/service_create.md
|
||||||
|
index 8fdb5297a102..c55c77b52d77 100644
|
||||||
|
--- a/components/cli/docs/reference/commandline/service_create.md
|
||||||
|
+++ b/components/cli/docs/reference/commandline/service_create.md
|
||||||
|
@@ -755,7 +755,7 @@ The swarm extends my-network to each node running the service.
|
||||||
|
Containers on the same network can access each other using
|
||||||
|
[service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery).
|
||||||
|
|
||||||
|
-Long form syntax of `--network` allows to specify list of aliases and driver options:
|
||||||
|
+Long form syntax of `--network` allows to specify list of aliases and driver options:
|
||||||
|
`--network name=my-network,alias=web1,driver-opt=field1=value1`
|
||||||
|
|
||||||
|
### Publish service ports externally to the swarm (-p, --publish)
|
||||||
|
diff --git a/components/cli/docs/reference/run.md b/components/cli/docs/reference/run.md
|
||||||
|
index a59a30525554..695974fe533c 100644
|
||||||
|
--- a/components/cli/docs/reference/run.md
|
||||||
|
+++ b/components/cli/docs/reference/run.md
|
||||||
|
@@ -256,7 +256,7 @@ The UTS namespace is for setting the hostname and the domain that is visible
|
||||||
|
to running processes in that namespace. By default, all containers, including
|
||||||
|
those with `--network=host`, have their own UTS namespace. The `host` setting will
|
||||||
|
result in the container using the same UTS namespace as the host. Note that
|
||||||
|
-`--hostname` is invalid in `host` UTS mode.
|
||||||
|
+`--hostname` and `--domainname` are invalid in `host` UTS mode.
|
||||||
|
|
||||||
|
You may wish to share the UTS namespace with the host if you would like the
|
||||||
|
hostname of the container to change as the hostname of the host changes. A
|
||||||
|
@@ -396,8 +396,8 @@ network stack and all interfaces from the host will be available to the
|
||||||
|
container. The container's hostname will match the hostname on the host
|
||||||
|
system. Note that `--mac-address` is invalid in `host` netmode. Even in `host`
|
||||||
|
network mode a container has its own UTS namespace by default. As such
|
||||||
|
-`--hostname` is allowed in `host` network mode and will only change the
|
||||||
|
-hostname inside the container.
|
||||||
|
+`--hostname` and `--domainname` are allowed in `host` network mode and will
|
||||||
|
+only change the hostname and domain name inside the container.
|
||||||
|
Similar to `--hostname`, the `--add-host`, `--dns`, `--dns-search`, and
|
||||||
|
`--dns-option` options can be used in `host` network mode. These options update
|
||||||
|
`/etc/hosts` or `/etc/resolv.conf` inside the container. No change are made to
|
||||||
|
diff --git a/components/cli/man/docker-run.1.md b/components/cli/man/docker-run.1.md
|
||||||
|
index e03377001d4e..4a1464a74200 100644
|
||||||
|
--- a/components/cli/man/docker-run.1.md
|
||||||
|
+++ b/components/cli/man/docker-run.1.md
|
||||||
|
@@ -35,6 +35,7 @@ docker-run - Run a command in a new container
|
||||||
|
[**--dns**[=*[]*]]
|
||||||
|
[**--dns-option**[=*[]*]]
|
||||||
|
[**--dns-search**[=*[]*]]
|
||||||
|
+[**--domainname**[=*DOMAINNAME*]]
|
||||||
|
[**-e**|**--env**[=*[]*]]
|
||||||
|
[**--entrypoint**[=*ENTRYPOINT*]]
|
||||||
|
[**--env-file**[=*[]*]]
|
||||||
|
@@ -285,6 +286,12 @@ configuration passed to the container. Typically this is necessary when the
|
||||||
|
host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
|
||||||
|
is the case the **--dns** flags is necessary for every run.
|
||||||
|
|
||||||
|
+**--domainname**=""
|
||||||
|
+ Container NIS domain name
|
||||||
|
+
|
||||||
|
+ Sets the container's NIS domain name (see also **setdomainname(2)**) that is
|
||||||
|
+ available inside the container.
|
||||||
|
+
|
||||||
|
**-e**, **--env**=[]
|
||||||
|
Set environment variables
|
||||||
|
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
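Review bot: The `parse` hunk in opts.go copies `copts.domainname` straight into `Config.Domainname` with no validation, and `TestParseHostnameDomainname` only exercises values that are expected to be accepted. Because the engine patch in this same commit forwards that string into the `kernel.domainname` sysctl, an over-long or malformed value would presumably only fail at container start rather than at parse time. Either validate the length up front or state the contract next to the field, e.g. `// Domainname is passed through unvalidated; the daemon and kernel reject invalid values.`, and add one negative test case. The hunks for the bash completion header and service_create.md appear to be whitespace-only changes and could be dropped from the patch to keep the backport minimal.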
@ -1,4 +1,4 @@
|
|||||||
From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001
|
From 0a2ba19d51fef679d2a695fd14c30facd5f901f1 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Thu, 23 Aug 2018 19:53:55 +1000
|
Date: Thu, 23 Aug 2018 19:53:55 +1000
|
||||||
Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
|
Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages
|
||||||
@ -23,7 +23,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|||||||
1 file changed, 13 insertions(+)
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
|
diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go
|
||||||
index 4197558a2225..4a3e98fb22c1 100644
|
index 2d940e31fd10..e5e480be3f32 100644
|
||||||
--- a/components/cli/man/generate.go
|
--- a/components/cli/man/generate.go
|
||||||
+++ b/components/cli/man/generate.go
|
+++ b/components/cli/man/generate.go
|
||||||
@@ -6,6 +6,8 @@ import (
|
@@ -6,6 +6,8 @@ import (
|
||||||
@ -51,8 +51,8 @@ index 4197558a2225..4a3e98fb22c1 100644
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
stdin, stdout, stderr := term.StdStreams()
|
stdin, stdout, stderr := term.StdStreams()
|
||||||
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
|
dockerCli := command.NewDockerCli(stdin, stdout, stderr, false, nil)
|
||||||
cmd := &cobra.Command{Use: "docker"}
|
cmd := &cobra.Command{Use: "docker"}
|
||||||
--
|
--
|
||||||
2.18.0
|
2.19.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001
|
From 4962b0a0bc6ca1fc99b0936175f929f9d3f5fa4c Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Sun, 8 Apr 2018 20:21:30 +1000
|
Date: Sun, 8 Apr 2018 20:21:30 +1000
|
||||||
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
|
Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
|
||||||
@ -7,15 +7,54 @@ In newer kernels, AppArmor will reject attempts to send signals to a
|
|||||||
container because the signal originated from outside of that AppArmor
|
container because the signal originated from outside of that AppArmor
|
||||||
profile. Correct this by allowing all unconfined signals to be received.
|
profile. Correct this by allowing all unconfined signals to be received.
|
||||||
|
|
||||||
SUSE-Bugs: bsc#1073877 boo#1089732
|
|
||||||
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
components/engine/profiles/apparmor/template.go | 6 ++++++
|
.../engine/profiles/apparmor/apparmor.go | 21 +++++++++++++++++++
|
||||||
1 file changed, 6 insertions(+)
|
.../engine/profiles/apparmor/template.go | 6 ++++++
|
||||||
|
2 files changed, 27 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/components/engine/profiles/apparmor/apparmor.go b/components/engine/profiles/apparmor/apparmor.go
|
||||||
|
index b021668c8e4c..2f58ee852cab 100644
|
||||||
|
--- a/components/engine/profiles/apparmor/apparmor.go
|
||||||
|
+++ b/components/engine/profiles/apparmor/apparmor.go
|
||||||
|
@@ -23,6 +23,8 @@ var (
|
||||||
|
type profileData struct {
|
||||||
|
// Name is profile name.
|
||||||
|
Name string
|
||||||
|
+ // DaemonProfile is the profile name of our daemon.
|
||||||
|
+ DaemonProfile string
|
||||||
|
// Imports defines the apparmor functions to import, before defining the profile.
|
||||||
|
Imports []string
|
||||||
|
// InnerImports defines the apparmor functions to import in the profile.
|
||||||
|
@@ -70,6 +72,25 @@ func InstallDefault(name string) error {
|
||||||
|
Name: name,
|
||||||
|
}
|
||||||
|
|
||||||
|
+ // Figure out the daemon profile.
|
||||||
|
+ currentProfile, err := ioutil.ReadFile("/proc/self/attr/current")
|
||||||
|
+ if err != nil {
|
||||||
|
+ // If we couldn't get the daemon profile, assume we are running
|
||||||
|
+ // unconfined which is generally the default.
|
||||||
|
+ currentProfile = nil
|
||||||
|
+ }
|
||||||
|
+ daemonProfile := string(currentProfile)
|
||||||
|
+ // Normally profiles are suffixed by " (enforcing)" or similar. AppArmor
|
||||||
|
+ // profiles cannot contain spaces so this doesn't restrict daemon profile
|
||||||
|
+ // names.
|
||||||
|
+ if parts := strings.SplitN(daemonProfile, " ", 2); len(parts) >= 1 {
|
||||||
|
+ daemonProfile = parts[0]
|
||||||
|
+ }
|
||||||
|
+ if daemonProfile == "" {
|
||||||
|
+ daemonProfile = "unconfined"
|
||||||
|
+ }
|
||||||
|
+ p.DaemonProfile = daemonProfile
|
||||||
|
+
|
||||||
|
// Install to a temporary directory.
|
||||||
|
f, err := ioutil.TempFile("", name)
|
||||||
|
if err != nil {
|
||||||
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
|
diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go
|
||||||
index c00a3f70e993..772c4a4873f6 100644
|
index c00a3f70e993..400b3bd50a11 100644
|
||||||
--- a/components/engine/profiles/apparmor/template.go
|
--- a/components/engine/profiles/apparmor/template.go
|
||||||
+++ b/components/engine/profiles/apparmor/template.go
|
+++ b/components/engine/profiles/apparmor/template.go
|
||||||
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@ -24,13 +63,13 @@ index c00a3f70e993..772c4a4873f6 100644
|
|||||||
umount,
|
umount,
|
||||||
+{{if ge .Version 208096}}
|
+{{if ge .Version 208096}}
|
||||||
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
|
+{{/* Allow 'docker kill' to actually send signals to container processes. */}}
|
||||||
+ signal (receive) peer=unconfined,
|
+ signal (receive) peer={{.DaemonProfile}},
|
||||||
+{{/* And allow signals to be sent inside the container. */}}
|
+{{/* Allow container processes to send signals amongst themselves. */}}
|
||||||
+ signal (send,receive) peer={{.Name}},
|
+ signal (send,receive) peer={{.Name}},
|
||||||
+{{end}}
|
+{{end}}
|
||||||
|
|
||||||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
||||||
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
||||||
--
|
--
|
||||||
2.18.0
|
2.19.1
|
||||||
|
|
||||||
|
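Review bot: In the `InstallDefault` hunk of apparmor.go, the contents of `/proc/self/attr/current` are split on the first space but never trimmed, so when the label carries no mode suffix any trailing newline stays in `daemonProfile` and is rendered into the `signal (receive) peer={{.DaemonProfile}},` rule. Trimming first, `daemonProfile := strings.TrimSpace(string(currentProfile))`, keeps the generated profile text predictable before it is templated. The `len(parts) >= 1` condition is always true for `strings.SplitN(..., 2)` and can be dropped. The read error is discarded in favour of the `unconfined` fallback; a debug log there would make a wrong fallback diagnosable when the daemon is in fact confined. `InstallDefault` continues outside the hunk.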
@ -1,4 +1,4 @@
|
|||||||
From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001
|
From 04f594765577163a26f24d0fe3fc7a2283f1e018 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||||
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
|
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start
|
||||||
@ -68,10 +68,10 @@ index 51f9c526b350..97d7758442ee 100644
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
|
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
|
||||||
index 5e5f586ae085..6ca6a7aaa268 100644
|
index a307863017ab..67cd286002bf 100644
|
||||||
--- a/components/engine/daemon/daemon.go
|
--- a/components/engine/daemon/daemon.go
|
||||||
+++ b/components/engine/daemon/daemon.go
|
+++ b/components/engine/daemon/daemon.go
|
||||||
@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
|
@@ -735,7 +735,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -83,5 +83,5 @@ index 5e5f586ae085..6ca6a7aaa268 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
--
|
--
|
||||||
2.18.0
|
2.19.1
|
||||||
|
|
||||||
|
@ -1,30 +0,0 @@
|
|||||||
From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
|
||||||
Date: Mon, 30 Jul 2018 19:34:01 +1000
|
|
||||||
Subject: [PATCH] build: add -buildmode=pie
|
|
||||||
|
|
||||||
Make all dynbinary builds be position-independent (this adds both
|
|
||||||
security benefits and can help with flaky builds on POWER
|
|
||||||
architectures).
|
|
||||||
|
|
||||||
SUSE-Bugs: bsc#1100727
|
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
||||||
---
|
|
||||||
components/cli/scripts/build/dynbinary | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/components/cli/scripts/build/dynbinary b/components/cli/scripts/build/dynbinary
|
|
||||||
index 3c32ed342ef7..4feb7e71d852 100755
|
|
||||||
--- a/components/cli/scripts/build/dynbinary
|
|
||||||
+++ b/components/cli/scripts/build/dynbinary
|
|
||||||
@@ -9,6 +9,6 @@ source ./scripts/build/.variables
|
|
||||||
|
|
||||||
echo "Building dynamically linked $TARGET"
|
|
||||||
export CGO_ENABLED=1
|
|
||||||
-go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" "${SOURCE}"
|
|
||||||
+go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" -buildmode=pie "${SOURCE}"
|
|
||||||
|
|
||||||
ln -sf "$(basename "${TARGET}")" build/docker
|
|
||||||
--
|
|
||||||
2.18.0
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:061ae523be13dbe05ff5377626113a299327cc39fc145f801cd674c67b8c7fe0
|
|
||||||
size 8561132
|
|
3
docker-18.09.0_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:ce38c3b659b78bccdfaf07b1f0a4eaaf454ffec726434511feeee1b9a2fc8151
|
||||||
|
size 9264940
|
@ -1,3 +1,31 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 3 16:14:22 UTC 2018 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Add backports of https://github.com/docker/docker/pull/37302 and
|
||||||
|
https://github.com/docker/cli/pull/1130, which allow for users to explicitly
|
||||||
|
specify the NIS domainname of a container. bsc#1001161
|
||||||
|
+ bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
|
||||||
|
+ bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 29 09:41:11 UTC 2018 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Update docker.service to match upstream and avoid rlimit problems.
|
||||||
|
bsc#1112980
|
||||||
|
- Upgrade to Docker 18.09.0-ce. See upstream changelog in the packaged
|
||||||
|
/usr/share/doc/packages/docker/CHANGELOG.md. boo#1115464
|
||||||
|
- Add revert of an upstream patch to fix docker-* handling.
|
||||||
|
+ packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
|
||||||
|
- Rebase patches:
|
||||||
|
* bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
|
||||||
|
* bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||||
|
* bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||||
|
* private-registry-0001-Add-private-registry-mirror-support.patch
|
||||||
|
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||||
|
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- bsc1100727-0001-build-add-buildmode-pie.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Oct 8 06:41:21 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
|
Mon Oct 8 06:41:21 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@ ExecReload=/bin/kill -s HUP $MAINPID
|
|||||||
|
|
||||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||||
# in the kernel. We recommend using cgroups to do container-local accounting.
|
# in the kernel. We recommend using cgroups to do container-local accounting.
|
||||||
LimitNOFILE=infinity
|
LimitNOFILE=1048576
|
||||||
LimitNPROC=infinity
|
LimitNPROC=infinity
|
||||||
LimitCORE=infinity
|
LimitCORE=infinity
|
||||||
|
|
||||||
@ -27,9 +27,13 @@ TasksMax=infinity
|
|||||||
# Only systemd 218 and above support this property.
|
# Only systemd 218 and above support this property.
|
||||||
Delegate=yes
|
Delegate=yes
|
||||||
|
|
||||||
# This is not necessary because of how we set up containerd.
|
# Kill only the docker process, not all processes in the cgroup.
|
||||||
#KillMode=process
|
KillMode=process
|
||||||
|
|
||||||
|
# Restart the docker process if it exits prematurely.
|
||||||
|
Restart=on-failure
|
||||||
|
StartLimitBurst=3
|
||||||
|
StartLimitInterval=60s
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
||||||
|
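Review bot: The comment kept above the Limit* settings still says non-zero limits cause accounting overhead, but the new side sets `LimitNOFILE=1048576` directly beneath it, so the comment now contradicts the value it introduces. A line such as `# LimitNOFILE is capped instead of "infinity" to avoid rlimit problems (bsc#1112980).` above that setting would record why this one limit is finite; the bug reference is taken from the changelog entry in this commit. Separately, with `KillMode=process` now active next to `Restart=on-failure`, stopping or restarting the unit leaves every other process in the cgroup running. The new comment could say what is expected to clean those up, which is presumably deliberate so that containers outlive the daemon, though the rest of the unit is outside the hunks.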
27
docker.spec
27
docker.spec
@ -49,10 +49,10 @@
|
|||||||
# sure we didn't miss anything important when doing upgrades.
|
# sure we didn't miss anything important when doing upgrades.
|
||||||
%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
|
%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e
|
||||||
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
|
%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340
|
||||||
%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
|
%define required_libnetwork 6da50d1978302f04c3e2089e29112ea24812f05b
|
||||||
|
|
||||||
Name: %{realname}%{name_suffix}
|
Name: %{realname}%{name_suffix}
|
||||||
Version: 18.06.1_ce
|
Version: 18.09.0_ce
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Linux container runtime
|
Summary: The Linux container runtime
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -76,16 +76,20 @@ Source9: tests.sh
|
|||||||
# branch in http://github.com/suse/docker.mirror.
|
# branch in http://github.com/suse/docker.mirror.
|
||||||
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
||||||
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
|
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37831. bsc#1073877
|
||||||
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
|
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277
|
||||||
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
|
|
||||||
Patch402: bsc1100727-0001-build-add-buildmode-pie.patch
|
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
|
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218
|
||||||
Patch403: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
|
Patch402: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch
|
||||||
|
# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907.
|
||||||
|
Patch403: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
|
||||||
|
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37302. bsc#1001161
|
||||||
|
Patch404: bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch
|
||||||
|
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1130. bsc#1001161
|
||||||
|
Patch405: bsc1001161-0002-cli-add-a-separate-domainname-flag.patch
|
||||||
# SUSE-FEATURE: Add support to mirror inofficial/private registries
|
# SUSE-FEATURE: Add support to mirror inofficial/private registries
|
||||||
# (https://github.com/moby/moby/pull/34319)
|
# (https://github.com/docker/docker/pull/34319)
|
||||||
Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
|
Patch500: private-registry-0001-Add-private-registry-mirror-support.patch
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
@ -263,10 +267,13 @@ docker container runtime configuration for kubeadm
|
|||||||
%patch400 -p1
|
%patch400 -p1
|
||||||
# bsc#1099277
|
# bsc#1099277
|
||||||
%patch401 -p1
|
%patch401 -p1
|
||||||
# bsc#1100727
|
|
||||||
%patch402 -p1
|
|
||||||
# boo#1047218
|
# boo#1047218
|
||||||
|
%patch402 -p1
|
||||||
|
# revert upstream
|
||||||
%patch403 -p1
|
%patch403 -p1
|
||||||
|
# bsc#1001161
|
||||||
|
%patch404 -p1
|
||||||
|
%patch405 -p1
|
||||||
%if "%flavour" == "kubic"
|
%if "%flavour" == "kubic"
|
||||||
# PATCH-SUSE: Mirror patch.
|
# PATCH-SUSE: Mirror patch.
|
||||||
%patch500 -p1
|
%patch500 -p1
|
||||||
|
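Review bot: `required_containerd` and `required_dockerrunc` read the same on both sides while `Version` moves from 18.06.1_ce to 18.09.0_ce and only `required_libnetwork` changes. The comment fragment above them says these pins exist so nothing is missed on upgrades, so it is worth confirming they were re-checked against v18.09.0 rather than carried over. If they are intentionally unchanged, a line such as `# containerd and runc pins re-verified for 18.09.0; unchanged from 18.06.1.` would make that explicit. The new `Patch403` entry also has no bug reference, and its `%patch403` call site says only `# revert upstream`. Repeating the pull-request URL from the Patch403 comment there would keep this carried divergence from upstream traceable at the next rebase.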
@ -0,0 +1,187 @@
|
|||||||
|
From 9236191a98a0e9b8aa4ac7da4d4b1c0c196344e2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
|
Date: Thu, 29 Nov 2018 20:53:16 +1100
|
||||||
|
Subject: [PATCH] revert "Remove 'docker-' prefix for containerd and runc
|
||||||
|
binaries"
|
||||||
|
|
||||||
|
This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
|
||||||
|
would significantly break openSUSE's packaging (as well as causing
|
||||||
|
conflicts between the very-outdated runc that Docker uses and the more
|
||||||
|
up-to-date one available for Podman).
|
||||||
|
|
||||||
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
|
---
|
||||||
|
components/engine/api/swagger.yaml | 4 +--
|
||||||
|
.../builder/builder-next/executor_unix.go | 2 +-
|
||||||
|
components/engine/cmd/dockerd/daemon.go | 36 +++++++------------
|
||||||
|
components/engine/daemon/daemon_unix.go | 6 ++--
|
||||||
|
.../libcontainerd/supervisor/remote_daemon.go | 4 +--
|
||||||
|
.../supervisor/remote_daemon_linux.go | 4 +--
|
||||||
|
.../supervisor/remote_daemon_windows.go | 4 +--
|
||||||
|
7 files changed, 25 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/components/engine/api/swagger.yaml b/components/engine/api/swagger.yaml
|
||||||
|
index f58a64f29ea3..d275f2ff49eb 100644
|
||||||
|
--- a/components/engine/api/swagger.yaml
|
||||||
|
+++ b/components/engine/api/swagger.yaml
|
||||||
|
@@ -3852,10 +3852,10 @@ definitions:
|
||||||
|
$ref: "#/definitions/Runtime"
|
||||||
|
default:
|
||||||
|
runc:
|
||||||
|
- path: "runc"
|
||||||
|
+ path: "docker-runc"
|
||||||
|
example:
|
||||||
|
runc:
|
||||||
|
- path: "runc"
|
||||||
|
+ path: "docker-runc"
|
||||||
|
runc-master:
|
||||||
|
path: "/go/bin/runc"
|
||||||
|
custom:
|
||||||
|
diff --git a/components/engine/builder/builder-next/executor_unix.go b/components/engine/builder/builder-next/executor_unix.go
|
||||||
|
index b3ea33c05c71..94d8bb766045 100644
|
||||||
|
--- a/components/engine/builder/builder-next/executor_unix.go
|
||||||
|
+++ b/components/engine/builder/builder-next/executor_unix.go
|
||||||
|
@@ -27,7 +27,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e
|
||||||
|
}
|
||||||
|
return runcexecutor.New(runcexecutor.Opt{
|
||||||
|
Root: filepath.Join(root, "executor"),
|
||||||
|
- CommandCandidates: []string{"runc"},
|
||||||
|
+ CommandCandidates: []string{"docker-runc", "runc"},
|
||||||
|
DefaultCgroupParent: cgroupParent,
|
||||||
|
}, networkProviders)
|
||||||
|
}
|
||||||
|
diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
|
||||||
|
index 839537316af4..05922e6418d0 100644
|
||||||
|
--- a/components/engine/cmd/dockerd/daemon.go
|
||||||
|
+++ b/components/engine/cmd/dockerd/daemon.go
|
||||||
|
@@ -10,7 +10,6 @@ import (
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
- containerddefaults "github.com/containerd/containerd/defaults"
|
||||||
|
"github.com/docker/distribution/uuid"
|
||||||
|
"github.com/docker/docker/api"
|
||||||
|
apiserver "github.com/docker/docker/api/server"
|
||||||
|
@@ -141,25 +140,21 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
|
||||||
|
|
||||||
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
|
if cli.Config.ContainerdAddr == "" && runtime.GOOS != "windows" {
|
||||||
|
- if !systemContainerdRunning() {
|
||||||
|
- opts, err := cli.getContainerdDaemonOpts()
|
||||||
|
- if err != nil {
|
||||||
|
- cancel()
|
||||||
|
- return fmt.Errorf("Failed to generate containerd options: %v", err)
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
|
||||||
|
- if err != nil {
|
||||||
|
- cancel()
|
||||||
|
- return fmt.Errorf("Failed to start containerd: %v", err)
|
||||||
|
- }
|
||||||
|
- cli.Config.ContainerdAddr = r.Address()
|
||||||
|
+ opts, err := cli.getContainerdDaemonOpts()
|
||||||
|
+ if err != nil {
|
||||||
|
+ cancel()
|
||||||
|
+ return fmt.Errorf("Failed to generate containerd options: %v", err)
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- // Try to wait for containerd to shutdown
|
||||||
|
- defer r.WaitTimeout(10 * time.Second)
|
||||||
|
- } else {
|
||||||
|
- cli.Config.ContainerdAddr = containerddefaults.DefaultAddress
|
||||||
|
+ r, err := supervisor.Start(ctx, filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), opts...)
|
||||||
|
+ if err != nil {
|
||||||
|
+ cancel()
|
||||||
|
+ return fmt.Errorf("Failed to start containerd: %v", err)
|
||||||
|
}
|
||||||
|
+ cli.Config.ContainerdAddr = r.Address()
|
||||||
|
+
|
||||||
|
+ // Try to wait for containerd to shutdown
|
||||||
|
+ defer r.WaitTimeout(10 * time.Second)
|
||||||
|
}
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
@@ -665,8 +660,3 @@ func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGette
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
-
|
||||||
|
-func systemContainerdRunning() bool {
|
||||||
|
- _, err := os.Lstat(containerddefaults.DefaultAddress)
|
||||||
|
- return err == nil
|
||||||
|
-}
|
||||||
|
diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
|
||||||
|
index b69eede21c44..77adba94a468 100644
|
||||||
|
--- a/components/engine/daemon/daemon_unix.go
|
||||||
|
+++ b/components/engine/daemon/daemon_unix.go
|
||||||
|
@@ -54,11 +54,11 @@ import (
|
||||||
|
const (
|
||||||
|
// DefaultShimBinary is the default shim to be used by containerd if none
|
||||||
|
// is specified
|
||||||
|
- DefaultShimBinary = "containerd-shim"
|
||||||
|
+ DefaultShimBinary = "docker-containerd-shim"
|
||||||
|
|
||||||
|
// DefaultRuntimeBinary is the default runtime to be used by
|
||||||
|
// containerd if none is specified
|
||||||
|
- DefaultRuntimeBinary = "runc"
|
||||||
|
+ DefaultRuntimeBinary = "docker-runc"
|
||||||
|
|
||||||
|
// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
|
||||||
|
linuxMinCPUShares = 2
|
||||||
|
@@ -76,7 +76,7 @@ const (
|
||||||
|
|
||||||
|
// DefaultRuntimeName is the default runtime to be used by
|
||||||
|
// containerd if none is specified
|
||||||
|
- DefaultRuntimeName = "runc"
|
||||||
|
+ DefaultRuntimeName = "docker-runc"
|
||||||
|
)
|
||||||
|
|
||||||
|
type containerGetter interface {
|
||||||
|
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
|
||||||
|
index 095300f753e9..1dcfbe176b0d 100644
|
||||||
|
--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
|
||||||
|
+++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
|
||||||
|
@@ -27,8 +27,8 @@ const (
|
||||||
|
shutdownTimeout = 15 * time.Second
|
||||||
|
startupTimeout = 15 * time.Second
|
||||||
|
configFile = "containerd.toml"
|
||||||
|
- binaryName = "containerd"
|
||||||
|
- pidFile = "containerd.pid"
|
||||||
|
+ binaryName = "docker-containerd"
|
||||||
|
+ pidFile = "docker-containerd.pid"
|
||||||
|
)
|
||||||
|
|
||||||
|
type pluginConfigs struct {
|
||||||
|
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
|
||||||
|
index 799399c07bc5..1ea91d2b5d0b 100644
|
||||||
|
--- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
|
||||||
|
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
|
||||||
|
@@ -11,8 +11,8 @@ import (
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
- sockFile = "containerd.sock"
|
||||||
|
- debugSockFile = "containerd-debug.sock"
|
||||||
|
+ sockFile = "docker-containerd.sock"
|
||||||
|
+ debugSockFile = "docker-containerd-debug.sock"
|
||||||
|
)
|
||||||
|
|
||||||
|
func (r *remote) setDefaults() {
|
||||||
|
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
|
||||||
|
index 9b254ef58a0a..bcdc9529e0f7 100644
|
||||||
|
--- a/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
|
||||||
|
+++ b/components/engine/libcontainerd/supervisor/remote_daemon_windows.go
|
||||||
|
@@ -7,8 +7,8 @@ import (
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
- grpcPipeName = `\\.\pipe\containerd-containerd`
|
||||||
|
- debugPipeName = `\\.\pipe\containerd-debug`
|
||||||
|
+ grpcPipeName = `\\.\pipe\docker-containerd-containerd`
|
||||||
|
+ debugPipeName = `\\.\pipe\docker-containerd-debug`
|
||||||
|
)
|
||||||
|
|
||||||
|
func (r *remote) setDefaults() {
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
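Review bot: In executor_unix.go the restored `CommandCandidates: []string{"docker-runc", "runc"}` keeps an unprefixed `runc` fallback, while daemon_unix.go in the same patch sets `DefaultRuntimeBinary = "docker-runc"` with no fallback. The patch description gives the conflict with the separately packaged runc as a reason for the revert. If runcexecutor tries the candidates by name in order (not shown here), a missing docker-runc would let the builder silently run on whichever runc is installed instead of failing. For a packaging patch, `CommandCandidates: []string{"docker-runc"},` would keep the builder and the daemon on the same runtime binary that the spec pins. newExecutor's body begins outside the hunk.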
@ -1,4 +1,4 @@
|
|||||||
From 46c2590f7637dba208b3db7e44c04e24f33c436d Mon Sep 17 00:00:00 2001
|
From a2d285ef5de9537fe2dbf14c4671625aa3035b98 Mon Sep 17 00:00:00 2001
|
||||||
From: Valentin Rothberg <vrothberg@suse.com>
|
From: Valentin Rothberg <vrothberg@suse.com>
|
||||||
Date: Mon, 2 Jul 2018 13:37:34 +0200
|
Date: Mon, 2 Jul 2018 13:37:34 +0200
|
||||||
Subject: [PATCH] Add private-registry mirror support
|
Subject: [PATCH] Add private-registry mirror support
|
||||||
@ -63,6 +63,7 @@ http for security reasons.
|
|||||||
|
|
||||||
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
|
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
|
||||||
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|
||||||
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
.../engine/api/types/registry/registry.go | 144 ++++++++++++++++++
|
.../engine/api/types/registry/registry.go | 144 ++++++++++++++++++
|
||||||
components/engine/daemon/config/config.go | 4 +
|
components/engine/daemon/config/config.go | 4 +
|
||||||
@ -242,10 +243,10 @@ index 8789ad3b3210..c663fec7d881 100644
|
|||||||
|
|
||||||
// NetIPNet is the net.IPNet type, which can be marshalled and
|
// NetIPNet is the net.IPNet type, which can be marshalled and
|
||||||
diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
|
diff --git a/components/engine/daemon/config/config.go b/components/engine/daemon/config/config.go
|
||||||
index 6cda223a1181..308eb83f2116 100644
|
index 8b2c844a579f..e61940661c70 100644
|
||||||
--- a/components/engine/daemon/config/config.go
|
--- a/components/engine/daemon/config/config.go
|
||||||
+++ b/components/engine/daemon/config/config.go
|
+++ b/components/engine/daemon/config/config.go
|
||||||
@@ -439,6 +439,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
|
@@ -470,6 +470,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
|
||||||
// 1. Search keys from the file that we don't recognize as flags.
|
// 1. Search keys from the file that we don't recognize as flags.
|
||||||
unknownKeys := make(map[string]interface{})
|
unknownKeys := make(map[string]interface{})
|
||||||
for key, value := range config {
|
for key, value := range config {
|
||||||
@ -253,11 +254,11 @@ index 6cda223a1181..308eb83f2116 100644
|
|||||||
+ if key == "registries" {
|
+ if key == "registries" {
|
||||||
+ continue
|
+ continue
|
||||||
+ }
|
+ }
|
||||||
if flag := flags.Lookup(key); flag == nil {
|
if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
|
||||||
unknownKeys[key] = value
|
unknownKeys[key] = value
|
||||||
}
|
}
|
||||||
diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go
|
diff --git a/components/engine/daemon/reload.go b/components/engine/daemon/reload.go
|
||||||
index 210864ff879d..5e744c5dcf8d 100644
|
index 026d7dd517f7..924c3982cd2a 100644
|
||||||
--- a/components/engine/daemon/reload.go
|
--- a/components/engine/daemon/reload.go
|
||||||
+++ b/components/engine/daemon/reload.go
|
+++ b/components/engine/daemon/reload.go
|
||||||
@@ -21,8 +21,14 @@ import (
|
@@ -21,8 +21,14 @@ import (
|
||||||
@ -275,7 +276,7 @@ index 210864ff879d..5e744c5dcf8d 100644
|
|||||||
daemon.configStore.Lock()
|
daemon.configStore.Lock()
|
||||||
attributes := map[string]string{}
|
attributes := map[string]string{}
|
||||||
|
|
||||||
@@ -64,6 +70,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
|
@@ -65,6 +71,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
|
||||||
if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
|
if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -285,7 +286,7 @@ index 210864ff879d..5e744c5dcf8d 100644
|
|||||||
return daemon.reloadNetworkDiagnosticPort(conf, attributes)
|
return daemon.reloadNetworkDiagnosticPort(conf, attributes)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -293,6 +302,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
|
@@ -294,6 +303,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1159,5 +1160,5 @@ index 3a56dc91145a..9de221cf2aa0 100644
|
|||||||
|
|
||||||
endpoints = []APIEndpoint{
|
endpoints = []APIEndpoint{
|
||||||
--
|
--
|
||||||
2.18.0
|
2.19.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001
|
From 4eba91df3257644105ef344949705651507eb2bd Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||||
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
|
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
|
||||||
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|||||||
1 file changed, 21 insertions(+), 3 deletions(-)
|
1 file changed, 21 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
|
diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
|
||||||
index bc7ee452332b..d34129dfd80b 100644
|
index 9953c7f3fddc..e8f6784ca19a 100644
|
||||||
--- a/components/engine/daemon/container_operations_unix.go
|
--- a/components/engine/daemon/container_operations_unix.go
|
||||||
+++ b/components/engine/daemon/container_operations_unix.go
|
+++ b/components/engine/daemon/container_operations_unix.go
|
||||||
@@ -3,6 +3,7 @@
|
@@ -3,6 +3,7 @@
|
||||||
@ -55,8 +55,8 @@ index bc7ee452332b..d34129dfd80b 100644
|
|||||||
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
+ // If the "file" is a directory, then s.File.Data is actually a tar
|
||||||
+ // archive of the directory. So we just do a tar extraction here.
|
+ // archive of the directory. So we just do a tar extraction here.
|
||||||
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
+ if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
|
||||||
+ UIDMaps: daemon.idMappings.UIDs(),
|
+ UIDMaps: daemon.idMapping.UIDs(),
|
||||||
+ GIDMaps: daemon.idMappings.GIDs(),
|
+ GIDMaps: daemon.idMapping.GIDs(),
|
||||||
+ }); err != nil {
|
+ }); err != nil {
|
||||||
+ return errors.Wrap(err, "error injecting secretdir")
|
+ return errors.Wrap(err, "error injecting secretdir")
|
||||||
+ }
|
+ }
|
||||||
@ -70,5 +70,5 @@ index bc7ee452332b..d34129dfd80b 100644
|
|||||||
return errors.Wrap(err, "error setting ownership for secret")
|
return errors.Wrap(err, "error setting ownership for secret")
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.18.0
|
2.19.2
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001
|
From 229a891b45b996a2cd10f5a71541d124e884556e Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||||
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
|
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
|
||||||
@ -36,7 +36,7 @@ index c00bd9ceb22b..aa705888df39 100644
|
|||||||
return errdefs.System(err)
|
return errdefs.System(err)
|
||||||
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
|
diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000000..817cd5561023
|
index 000000000000..087c877015a7
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/components/engine/daemon/suse_secrets.go
|
+++ b/components/engine/daemon/suse_secrets.go
|
||||||
@@ -0,0 +1,396 @@
|
@@ -0,0 +1,396 @@
|
||||||
@ -112,11 +112,11 @@ index 000000000000..817cd5561023
|
|||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IDMappings) *swarmtypes.SecretReference {
|
+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference {
|
||||||
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
|
+ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
|
||||||
+ // back to root if the UID/GID don't match (we are guaranteed that root is
|
+ // back to root if the UID/GID don't match (we are guaranteed that root is
|
||||||
+ // mapped).
|
+ // mapped).
|
||||||
+ ctrUser := idtools.IDPair{UID: s.Uid, GID: s.Gid}
|
+ ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid}
|
||||||
+ hostUser := idMaps.RootPair()
|
+ hostUser := idMaps.RootPair()
|
||||||
+ if user, err := idMaps.ToHost(ctrUser); err == nil {
|
+ if user, err := idMaps.ToHost(ctrUser); err == nil {
|
||||||
+ hostUser = user
|
+ hostUser = user
|
||||||
@ -410,7 +410,7 @@ index 000000000000..817cd5561023
|
|||||||
+ return err
|
+ return err
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ idMaps := daemon.IDMappings()
|
+ idMaps := daemon.idMapping
|
||||||
+ for _, secret := range secrets {
|
+ for _, secret := range secrets {
|
||||||
+ newDependencyStore.secrets[secret.id()] = secret.toSecret()
|
+ newDependencyStore.secrets[secret.id()] = secret.toSecret()
|
||||||
+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps))
|
+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps))
|
||||||
@ -437,5 +437,5 @@ index 000000000000..817cd5561023
|
|||||||
+ return nil
|
+ return nil
|
||||||
+}
|
+}
|
||||||
--
|
--
|
||||||
2.18.0
|
2.19.2
|
||||||
|
|
||||||
|