- Update to Docker 20.10.3-ce. See upstream changelog in the packaged

/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284
- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
  the upstream runc package (it's stable enough and Docker no longer pins git
  versions). docker-libnetwork is so unstable that it doesn't have any
  versioning scheme and so it really doesn't make sense to maintain the project
  as a separate package. bsc#1181641 bsc#1181677

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=354
This commit is contained in:
Aleksa Sarai 2021-02-02 22:19:52 +00:00 committed by Git OBS Bridge
parent de3596b770
commit cb6967cb97
14 changed files with 151 additions and 481 deletions

View File

@ -1,110 +0,0 @@
From 9961826453fee3b52244ba920359b9e2f9ad137c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 29 Nov 2018 20:53:16 +1100
Subject: [PATCH 1/5] PACKAGING: revert "Remove 'docker-' prefix for containerd
and runc binaries"
This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it
would significantly break openSUSE's packaging (as well as causing
conflicts between the very-outdated runc that Docker uses and the more
up-to-date one available for Podman).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
builder/builder-next/executor_unix.go | 2 +-
daemon/daemon_unix.go | 8 ++++++--
libcontainerd/supervisor/remote_daemon.go | 4 ++--
libcontainerd/supervisor/remote_daemon_linux.go | 4 ++--
libcontainerd/supervisor/remote_daemon_windows.go | 4 ++--
5 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
index c052ec707fec..d1caf53f5023 100644
--- a/builder/builder-next/executor_unix.go
+++ b/builder/builder-next/executor_unix.go
@@ -32,7 +32,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn
}
return runcexecutor.New(runcexecutor.Opt{
Root: filepath.Join(root, "executor"),
- CommandCandidates: []string{"runc"},
+ CommandCandidates: []string{"docker-runc", "runc"},
DefaultCgroupParent: cgroupParent,
Rootless: rootless,
NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 5fa688dff4c7..f610fdb01d27 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -58,11 +58,11 @@ const (
// DefaultShimBinary is the default shim to be used by containerd if none
// is specified
- DefaultShimBinary = "containerd-shim"
+ DefaultShimBinary = "docker-containerd-shim"
// DefaultRuntimeBinary is the default runtime to be used by
// containerd if none is specified
- DefaultRuntimeBinary = "runc"
+ DefaultRuntimeBinary = "docker-runc"
// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
linuxMinCPUShares = 2
@@ -78,6 +78,10 @@ const (
cgroupFsDriver = "cgroupfs"
cgroupSystemdDriver = "systemd"
cgroupNoneDriver = "none"
+
+ // DefaultRuntimeName is the default runtime to be used by
+ // containerd if none is specified
+ DefaultRuntimeName = "docker-runc"
)
type containerGetter interface {
diff --git a/libcontainerd/supervisor/remote_daemon.go b/libcontainerd/supervisor/remote_daemon.go
index 3538612246f4..f17868a7e1f8 100644
--- a/libcontainerd/supervisor/remote_daemon.go
+++ b/libcontainerd/supervisor/remote_daemon.go
@@ -27,8 +27,8 @@ const (
shutdownTimeout = 15 * time.Second
startupTimeout = 15 * time.Second
configFile = "containerd.toml"
- binaryName = "containerd"
- pidFile = "containerd.pid"
+ binaryName = "docker-containerd"
+ pidFile = "docker-containerd.pid"
)
type pluginConfigs struct {
diff --git a/libcontainerd/supervisor/remote_daemon_linux.go b/libcontainerd/supervisor/remote_daemon_linux.go
index d229881a62b3..da93fc45371d 100644
--- a/libcontainerd/supervisor/remote_daemon_linux.go
+++ b/libcontainerd/supervisor/remote_daemon_linux.go
@@ -11,8 +11,8 @@ import (
)
const (
- sockFile = "containerd.sock"
- debugSockFile = "containerd-debug.sock"
+ sockFile = "docker-containerd.sock"
+ debugSockFile = "docker-containerd-debug.sock"
)
func (r *remote) setDefaults() {
diff --git a/libcontainerd/supervisor/remote_daemon_windows.go b/libcontainerd/supervisor/remote_daemon_windows.go
index 9b254ef58a0a..bcdc9529e0f7 100644
--- a/libcontainerd/supervisor/remote_daemon_windows.go
+++ b/libcontainerd/supervisor/remote_daemon_windows.go
@@ -7,8 +7,8 @@ import (
)
const (
- grpcPipeName = `\\.\pipe\containerd-containerd`
- debugPipeName = `\\.\pipe\containerd-debug`
+ grpcPipeName = `\\.\pipe\docker-containerd-containerd`
+ debugPipeName = `\\.\pipe\docker-containerd-debug`
)
func (r *remote) setDefaults() {
--
2.30.0

View File

@ -1,7 +1,7 @@
From e24062ca12b575bc417fea2f46544ccd18e5f1eb Mon Sep 17 00:00:00 2001 From 1edf7a140c843cc6db85cdea298db19fee316dcb Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100 Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 2/5] SECRETS: daemon: allow directory creation in /run/secrets Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is implementation to return secrets that are actually directories. This is
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 21 insertions(+), 3 deletions(-) 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index f4f1bd2c0b6a..f18f522485ee 100644 index 5521adbd2749..c103d9349c51 100644
--- a/daemon/container_operations_unix.go --- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@ @@ -3,6 +3,7 @@

View File

@ -1,7 +1,7 @@
From 3469fd3b7da0477ba781d95b02bd698c770916f6 Mon Sep 17 00:00:00 2001 From b7419429d17675d8db949bd7c35812308684254a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100 Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 3/5] SECRETS: SUSE: implement SUSE container secrets Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers. for SUSEConnect to work with containers.

View File

@ -1,7 +1,7 @@
From 3e63781e1bf40affdb884ddd83b82fc51c54d88a Mon Sep 17 00:00:00 2001 From aa173dd56730552524ab35d74acbe61709c732e2 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com> From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200 Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH 4/5] PRIVATE-REGISTRY: add private-registry mirror support Subject: [PATCH 3/4] PRIVATE-REGISTRY: add private-registry mirror support
NOTE: This is a backport/downstream patch of the upstream pull-request NOTE: This is a backport/downstream patch of the upstream pull-request
for Moby, which is still subject to changes. Please visit for Moby, which is still subject to changes. Please visit
@ -444,7 +444,7 @@ index c8ddd4c5cfcd..b17e9d25d6c2 100644
return err return err
} }
diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index 12497ea890e7..926e02f851fd 100644 index 023ee2e71efd..e14cdd16b410 100644
--- a/distribution/pull_v2.go --- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go +++ b/distribution/pull_v2.go
@@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform @@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform

View File

@ -1,7 +1,7 @@
From 4d134a69323ba490b1f8976394cdd9fe0c278b3d Mon Sep 17 00:00:00 2001 From eb4e0b351b4bb229bfd5fd3ed57d3c35040265e0 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de> From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000 Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 5/5] bsc1073877: apparmor: clobber docker-default profile on Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
start start
In the process of making docker-default reloading far less expensive, In the process of making docker-default reloading far less expensive,
@ -22,12 +22,12 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
3 files changed, 17 insertions(+), 6 deletions(-) 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 2045412a7966..0c1fd0f0c940 100644 index a7cc3a5ef412..1a952953da8f 100644
--- a/daemon/apparmor_default.go --- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go
@@ -15,6 +15,15 @@ const ( @@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
defaultAppArmorProfile = "docker-default" return ""
) }
+func clobberDefaultAppArmorProfile() error { +func clobberDefaultAppArmorProfile() error {
+ if apparmor.IsEnabled() { + if apparmor.IsEnabled() {
@ -41,7 +41,7 @@ index 2045412a7966..0c1fd0f0c940 100644
func ensureDefaultAppArmorProfile() error { func ensureDefaultAppArmorProfile() error {
if apparmor.IsEnabled() { if apparmor.IsEnabled() {
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
@@ -28,10 +37,7 @@ func ensureDefaultAppArmorProfile() error { @@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
} }
// Load the profile. // Load the profile.
@ -54,7 +54,7 @@ index 2045412a7966..0c1fd0f0c940 100644
return nil return nil
} }
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index 51f9c526b350..97d7758442ee 100644 index dd581dc7dadb..5b14979cd4a3 100644
--- a/daemon/apparmor_default_unsupported.go --- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@ @@ -2,6 +2,10 @@
@ -69,7 +69,7 @@ index 51f9c526b350..97d7758442ee 100644
return nil return nil
} }
diff --git a/daemon/daemon.go b/daemon/daemon.go diff --git a/daemon/daemon.go b/daemon/daemon.go
index 3e86ab5c8721..4a574da030da 100644 index 794ff9712d08..f9e727b348c5 100644
--- a/daemon/daemon.go --- a/daemon/daemon.go
+++ b/daemon/daemon.go +++ b/daemon/daemon.go
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S @@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S

View File

@ -1,20 +1,28 @@
<services> <services>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/docker.git</param> <param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">20.10.2_ce_%h</param> <param name="versionformat">20.10.3_ce_%h</param>
<param name="revision">v20.10.2</param> <param name="revision">v20.10.3</param>
<param name="filename">docker</param> <param name="filename">docker</param>
</service> </service>
<service name="tar_scm" mode="disabled"> <service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/cli.git</param> <param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="versionformat">20.10.2_ce</param> <param name="versionformat">20.10.3_ce</param>
<param name="revision">v20.10.2</param> <param name="revision">v20.10.3</param>
<param name="filename">docker-cli</param> <param name="filename">docker-cli</param>
</service> </service>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/libnetwork.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">%H</param>
<param name="revision">fa125a3512ee0f6187721c88582bf8c4378bd4d7</param>
<param name="filename">docker-libnetwork</param>
</service>
<service name="recompress" mode="disabled"> <service name="recompress" mode="disabled">
<param name="file">docker-*.tar</param> <param name="file">docker-*.tar</param>
<param name="compression">xz</param> <param name="compression">xz</param>

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8f38527e3b117ca42b0b702a3a8a2a3d73cb629d170730d7d741115e72da8171
size 6463700

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:84fcc9d36db90c8b87a0b19d5846ade17e8dc4586e998e071c843fd8d43a0bef
size 6481288

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:83f9812b3d0fda73d6645d82577b0e3c7d603c042be6ee80119d0d5a48d73866
size 4432320

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a8526bdb466209ffd1c3ef41fcfccb9588b67d507d4444701398d6f7987f5f16
size 4450316

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a50f42e391a98ab204eaa93e2269981be36f619c68b2bbfc3224263fbd30c4a8
size 1982676

View File

@ -1,3 +1,30 @@
-------------------------------------------------------------------
Tue Feb 2 13:06:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.3-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284
- Rebase patches on top of 20.10.3-ce.
- 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+ 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
-------------------------------------------------------------------
Tue Feb 2 05:28:01 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
the upstream runc package (it's stable enough and Docker no longer pins git
versions). docker-libnetwork is so unstable that it doesn't have any
versioning scheme and so it really doesn't make sense to maintain the project
as a separate package. bsc#1181641 bsc#1181677
- Remove no-longer-needed patch for packaging now that we've dropped
docker-runc and docker-libnetwork.
- 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai <asarai@suse.com> Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai <asarai@suse.com>

View File

@ -42,17 +42,21 @@
# helpfully injects into our build environment from the changelog). If you want # helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this: # to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version 8891c58a433a %define git_version 46229ca1d815
%define git_commit_epoch 1608908869 %define git_commit_epoch 1611869592
# These are the git commits required. We verify them against the source to make # We require a specific pin of libnetwork because it doesn't really do
# sure we didn't miss anything important when doing upgrades. # versioning and minor version mismatches in libnetwork can break Docker
%define required_containerd 269548fa27e0089a8b8278fc4fc781d7f65a939b # networking. All other key runtime dependencies (containerd, runc) are stable
%define required_dockerrunc ff819c7e9184c13b7c2607fe6c30ae19403a7aff # enough that this isn't necessary.
%define required_libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7 %define libnetwork_version fa125a3512ee0f6187721c88582bf8c4378bd4d7
%define dist_builddir %{_builddir}/dist-suse
%define cli_builddir %{dist_builddir}/src/github.com/docker/cli
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
Name: %{realname}%{name_suffix} Name: %{realname}%{name_suffix}
Version: 20.10.2_ce Version: 20.10.3_ce
Release: 0 Release: 0
Summary: The Moby-project Linux container runtime Summary: The Moby-project Linux container runtime
License: Apache-2.0 License: Apache-2.0
@ -60,15 +64,15 @@ Group: System/Management
URL: http://www.docker.io URL: http://www.docker.io
Source: %{realname}-%{version}_%{git_version}.tar.xz Source: %{realname}-%{version}_%{git_version}.tar.xz
Source1: %{realname}-cli-%{version}.tar.xz Source1: %{realname}-cli-%{version}.tar.xz
Source2: docker-rpmlintrc Source2: %{realname}-libnetwork-%{libnetwork_version}.tar.xz
Source3: docker-rpmlintrc
# TODO: Move these source files to somewhere nicer. # TODO: Move these source files to somewhere nicer.
Source100: docker.service Source100: docker.service
Source101: 80-docker.rules Source101: 80-docker.rules
Source102: sysconfig.docker Source102: sysconfig.docker
Source103: README_SUSE.md Source103: README_SUSE.md
Source104: docker-audit.rules Source104: docker-audit.rules
Source105: tests.sh Source105: docker-daemon.json
Source106: docker-daemon.json
# Kubelet-specific sources. # Kubelet-specific sources.
# bsc#1086185 -- but we only apply this on Kubic. # bsc#1086185 -- but we only apply this on Kubic.
Source900: docker-kubic-service.conf Source900: docker-kubic-service.conf
@ -78,17 +82,15 @@ Source901: kubelet.env
# branch and then git-format-patch the patch here. # branch and then git-format-patch the patch here.
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
# which is not snapshotted when images are committed. # which is not snapshotted when images are committed.
Patch100: 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch Patch100: 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
Patch101: 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
# SUSE-FEATURE: Add support to mirror unofficial/private registries # SUSE-FEATURE: Add support to mirror unofficial/private registries
# <https://github.com/docker/docker/pull/34319>. # <https://github.com/docker/docker/pull/34319>.
Patch200: 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
# SUSE-ISSUE: Revert of <https://github.com/docker/docker/pull/37907>.
Patch300: 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277 # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277
Patch301: 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888. # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888.
Patch302: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch Patch301: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
BuildRequires: audit BuildRequires: audit
BuildRequires: bash-completion BuildRequires: bash-completion
BuildRequires: ca-certificates BuildRequires: ca-certificates
@ -102,23 +104,21 @@ BuildRequires: procps
BuildRequires: sqlite3-devel BuildRequires: sqlite3-devel
BuildRequires: zsh BuildRequires: zsh
BuildRequires: fish BuildRequires: fish
BuildRequires: go-go-md2man
# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
# returning -EINTR from I/O syscalls much more often.
BuildRequires: go1.13
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
Requires: apparmor-parser Requires: apparmor-parser
Requires: ca-certificates-mozilla Requires: ca-certificates-mozilla
# Required in order for networking to work. fix_bsc_1057743 is a work-around # The docker-proxy binary used to be in a separate package. We obsolete it,
# for some old packaging issues (where rpm would delete a binary that was # since now docker-proxy is maintained as part of this package.
# installed by docker-libnetwork). See bsc#1057743 for more details. Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2
BuildRequires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} # Required to actually run containers. We require the minimum version that is
Requires: fix_bsc_1057743 # pinned by Docker, but in order to avoid headaches we allow for updates.
# Containerd and runC are required as they are the only currently supported Requires: runc >= 1.0.0~rc92
# execdrivers of Docker. NOTE: The version pinning here matches upstream's Requires: containerd >= 1.4.3
# vendor.conf to ensure that we don't use a slightly incompatible version of
# runC or containerd (which would be bad).
BuildRequires: containerd%{name_suffix}-git = %{required_containerd}
Requires: containerd%{name_suffix}-git = %{required_containerd}
BuildRequires: docker-runc%{name_suffix}-git = %{required_dockerrunc}
Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc}
# Needed for --init support. We don't use "tini", we use our own implementation # Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better. # which handles edge-cases better.
Requires: catatonit Requires: catatonit
@ -132,20 +132,13 @@ Requires: xz >= 4.9
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): udev Requires(post): udev
Requires(post): shadow Requires(post): shadow
# We used to have a migration tool for the upgrade from v1.9.x to v1.10.x.
# It is no longer useful, so we obsolete it. bsc#1069758
Obsoletes: docker-image-migrator
# Not necessary, but must be installed when the underlying system is # Not necessary, but must be installed when the underlying system is
# configured to use lvm and the user doesn't explicitly provide a # configured to use lvm and the user doesn't explicitly provide a
# different storage-driver than devicemapper # different storage-driver than devicemapper
Recommends: lvm2 >= 2.2.89 Recommends: lvm2 >= 2.2.89
Recommends: git-core >= 1.7 Recommends: git-core >= 1.7
Conflicts: lxc < 1.0
ExcludeArch: s390 ppc ExcludeArch: s390 ppc
BuildRequires: go-go-md2man
# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
# returning -EINTR from I/O syscalls much more often.
BuildRequires: go1.13
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic # KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is # packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using # used to ensure that nothing complains too much when using
@ -233,31 +226,6 @@ Provides: %{realname}-fish-completion = %{version}
%description fish-completion %description fish-completion
Fish command line completion support for %{name}. Fish command line completion support for %{name}.
%package test
%global __requires_exclude ^libgo.so.*$
Summary: Test package for docker
# Needed for test-suite.
Group: System/Management
Requires: curl
Requires: go
Requires: iputils
Requires: jq
Requires: net-tools-deprecated
# KUBIC-SPECIFIC: This was required when upgrading from the original kubic
# packaging, when everything was renamed to -kubic. It also is
# used to ensure that nothing complains too much when using
# -kubic packages. Hopfully it can be removed one day.
%if "%flavour" == "kubic"
# Obsolete old packege without the -kubic suffix
Obsoletes: %{realname}-test = 1.12.6
# Conflict with non-kubic package, and provide equivalent
Conflicts: %{realname}-test > 1.12.6
Provides: %{realname}-test = %{version}
%endif
%description test
Test package for docker. It contains the source code and the tests.
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
%package kubeadm-criconfig %package kubeadm-criconfig
Summary: docker container runtime configuration for kubeadm Summary: docker container runtime configuration for kubeadm
@ -286,23 +254,29 @@ docker container runtime configuration for kubeadm
# PATCH-SUSE: Mirror patch. # PATCH-SUSE: Mirror patch.
%patch200 -p1 %patch200 -p1
%endif %endif
# packaging
%patch300 -p1
# bsc#1099277 # bsc#1099277
%patch301 -p1 %patch300 -p1
# README_SUSE.md for documentation. # README_SUSE.md for documentation.
cp %{SOURCE103} . cp %{SOURCE103} .
# Fill the CLI sources in a subdir. # Extract the docker-cli source in a subdir.
mkdir -p dist-suse/cli mkdir -p %{cli_builddir}
pushd dist-suse/cli/ pushd %{cli_builddir}
xz -dc %{SOURCE1} | tar -xof - --strip-components=1 xz -dc %{SOURCE1} | tar -xof - --strip-components=1
# https://github.com/docker/cli/pull/2888 # https://github.com/docker/cli/pull/2888
%patch302 -p1 %patch301 -p1
popd
# Extract the docker-libnetwork source in a subdir.
mkdir -p %{proxy_builddir}
pushd %{proxy_builddir}
xz -dc %{SOURCE2} | tar -xof - --strip-components=1
popd popd
%build %build
echo "$PWD -- $PWD -- $PWD"
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
%if 0%{?sle_version} == 120000 %if 0%{?sle_version} == 120000
# Allow us to build with older distros but still have deferred removal # Allow us to build with older distros but still have deferred removal
@ -334,8 +308,8 @@ EOF
# Preparing GOPATH so that the client is visible to the compiler # Preparing GOPATH so that the client is visible to the compiler
mkdir -p src/github.com/docker/ mkdir -p src/github.com/docker/
ln -s $(pwd)/dist-suse/cli $(pwd)/src/github.com/docker/cli ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli"
export GOPATH=$GOPATH:$(pwd) export GOPATH="$GOPATH:$PWD"
################### ###################
## DOCKER ENGINE ## ## DOCKER ENGINE ##
@ -344,106 +318,82 @@ export GOPATH=$GOPATH:$(pwd)
# Ignore the warning that we compile outside a Docker container. # Ignore the warning that we compile outside a Docker container.
./hack/make.sh dynbinary ./hack/make.sh dynbinary
# Build test binaries (integration-cli and integration/*). They are all stored
# within the testdir -- we will only end up installing these test files for
# docker-test.
for testdir in {integration-cli,integration/*/}
do
( find "$testdir" -name '*_test.go' | grep -q '.' ) || continue
GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test -c \
-o "$testdir/tests.main" -buildmode=pie \
-tags "$DOCKER_BUILDTAGS daemon" \
"github.com/docker/docker/$testdir"
done
################### ###################
## DOCKER CLIENT ## ## DOCKER CLIENT ##
################### ###################
pushd dist-suse/cli/ pushd %{cli_builddir}
./scripts/build/dynbinary ./scripts/build/dynbinary
mkdir -p ./man/man1 mkdir -p ./man/man1
go build -buildmode=pie -o gen-manpages github.com/docker/cli/man go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1" ./gen-manpages --root "$PWD" --target "$PWD/man/man1"
./man/md2man-all.sh ./man/md2man-all.sh
popd popd
%check ##################
# We used to run 'go test' here, however we found that this actually didn't ## DOCKER PROXY ##
# catch any issues that were caught by smoke testing, and %check would ##################
# continually cause package builds to fail due to flaky tests. If you ever need
# to know how the testing was done, you can always look in the package history.
# boo#1095817
# We verify that all of our -git requires are correct, and match the contents pushd %{proxy_builddir}
# of the upstream vendoring scripts. This is done on-build to make sure that GOPATH="%{dist_builddir}" \
# someone doing an update didn't miss anything. go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy
grep 'RUNC_COMMIT:=%{required_dockerrunc}' hack/dockerfile/install/runc.installer popd
grep 'CONTAINERD_COMMIT:=%{required_containerd}' hack/dockerfile/install/containerd.installer
grep 'LIBNETWORK_COMMIT:=%{required_libnetwork}' hack/dockerfile/install/proxy.installer # We verify that our libnetwork source is the correct version. This is done
# on-build to make sure that someone doing an update didn't miss anything.
grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer
%install %install
install -d %{buildroot}%{_bindir} install -Dd -m0755 \
install -D -m755 dist-suse/cli/build/docker %{buildroot}/%{_bindir}/docker
install -D -m755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
install -d %{buildroot}/%{_localstatedir}/lib/docker
install -Dd -m 0755 \
%{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sysconfdir}/init.d \
%{buildroot}%{_bindir} \
%{buildroot}%{_sbindir} %{buildroot}%{_sbindir}
install -D -m0644 dist-suse/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" # docker daemon
install -D -m0644 dist-suse/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
install -D -m0644 dist-suse/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" install -d %{buildroot}/%{_localstatedir}/lib/docker
# daemon.json config file
install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
# docker cli
install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}"
install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}"
install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish"
# docker proxy
install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
#
# systemd service # systemd service
#
install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf
%endif %endif
ln -sf service %{buildroot}%{_sbindir}/rcdocker ln -sf service %{buildroot}%{_sbindir}/rcdocker
#
# udev rules that prevents dolphin to show all docker devices and slows down # udev rules that prevents dolphin to show all docker devices and slows down
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
# install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
install -D -m 0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
# audit rules # audit rules
install -D -m 0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
# sysconfig file # sysconfig file
install -D -m 644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
# install docker config file
install -D -m 644 %{SOURCE106} %{buildroot}%{_sysconfdir}/docker/daemon.json
# install manpages (using the ones from the engine) # install manpages (using the ones from the engine)
install -d %{buildroot}%{_mandir}/man1 install -d %{buildroot}%{_mandir}/man1
install -p -m 644 dist-suse/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1
install -d %{buildroot}%{_mandir}/man5 install -d %{buildroot}%{_mandir}/man5
install -p -m 644 dist-suse/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
install -d %{buildroot}%{_mandir}/man8 install -d %{buildroot}%{_mandir}/man8
install -p -m 644 dist-suse/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8
# install docker-test files -- we want to avoid installing the entire source tree.
install -d %{buildroot}%{_prefix}/src/docker/
install -D -m0755 %{SOURCE105} %{buildroot}%{_prefix}/src/docker/tests.sh
# We need hack/, contrib/, profiles/, and the integration*/ trees.
cp -a {hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/
echo "%{version}" > %{buildroot}%{_prefix}/src/docker/VERSION
# And now we can remove all *_test.go files -- since we already have test
# binaries. Due to a lot of hacks within the Docker integration tests, we can't
# really do a bigger cleanup than this.
find %{buildroot}%{_prefix}/src/docker \
-type f -name '*_test.go' -delete
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
# place kubelet.env in fillupdir (for kubeadm-criconfig) # place kubelet.env in fillupdir (for kubeadm-criconfig)
sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901} sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901}
install -D -m 0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet install -D -m0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet
%endif %endif
%fdupes %{buildroot} %fdupes %{buildroot}
@ -494,6 +444,7 @@ grep -q '^dockremap:' /etc/subgid || \
%license LICENSE %license LICENSE
%{_bindir}/docker %{_bindir}/docker
%{_bindir}/dockerd %{_bindir}/dockerd
%{_bindir}/docker-proxy
%{_sbindir}/rcdocker %{_sbindir}/rcdocker
%dir %{_localstatedir}/lib/docker/ %dir %{_localstatedir}/lib/docker/
@ -527,10 +478,6 @@ grep -q '^dockremap:' /etc/subgid || \
%defattr(-,root,root) %defattr(-,root,root)
%{_datadir}/fish/vendor_completions.d/%{realname}.fish %{_datadir}/fish/vendor_completions.d/%{realname}.fish
%files test
%defattr(-,root,root)
%{_prefix}/src/docker/
%if "%flavour" == "kubic" %if "%flavour" == "kubic"
%files kubeadm-criconfig %files kubeadm-criconfig
%defattr(-,root,root) %defattr(-,root,root)

205
tests.sh
View File

@ -1,205 +0,0 @@
#!/bin/bash
#
# Script for launching the Docker integration tests
# XXX: We currently only support running integration-cli.
#
set -Eeuo pipefail
DOCKER_DIR=/usr/src/docker
SCRIPTS_DIR="$DOCKER_DIR/hack"
VERSION="$(cat "$DOCKER_DIR/VERSION")"
# working dirs
FROZEN_IMAGES_DIR="/tmp/docker-frozen-images"
FROZEN_IMAGES_LINK=/docker-frozen-images
readarray -t TESTS < <(find "$DOCKER_DIR/integration-cli" -type f -executable -name 'tests.main')
CHECK_TIMEOUT="${CHECK_TIMEOUT:-15m}"
TEST_TIMEOUT="${TEST_TIMEOUT:-0}"
TEST_ARGS=("-check.v" "-check.timeout=${CHECK_TIMEOUT}" "-test.timeout=${TEST_TIMEOUT}")
TEST_SELECT=
TEST_LOG=/tmp/docker-tests.log
KEEPBUNDLE="${KEEPBUNDLE:-}"
# the config file for Docker
CFG_DOCKER=/etc/docker/daemon.json
################################################################################
log() { echo ">>> $@" ; }
warn() { log "WARNING: $@" ; }
error() { log "ERROR: $@" ; }
abort() { log "FATAL: $@" ; exit 1 ; }
usage() { echo "$USAGE" ; }
abort_usage() { usage ; abort "$@" ; }
bundle() {
local bundle="$1"; shift
log "Making bundle: $(basename "$bundle") (in $PWD)"
local oldFlags="$-"
set +Eeu
source "$SCRIPTS_DIR/make/$bundle" "$@"
set "-$oldFlags"
}
save_backup() {
for x in $@ ; do
if [ ! -f "$x" ] ; then
touch "$x.nbak"
elif [ -f "$x.bak" ] ; then
warn "$x.bak already exists: no backup will be done"
else
cp -f "$x" "$x.bak"
fi
done
}
restore_backup() {
for x in $@ ; do
if [ -f "$x.nbak" ] ; then
rm -f "$x.nbak"
elif [ -f "$x.bak" ] ; then
mv -f "$x.bak" "$x"
fi
done
}
require_go() { go version >/dev/null 2>&1 ; }
require_git() { git version >/dev/null 2>&1 ; }
################################################################################
[ "${#TESTS[@]}" -gt 0 ] || abort "integration tests executable not found in $DOCKER_DIR"
[ "$EUID" -eq 0 ] || abort "this script must be run as root"
[ -n "$VERSION" ] || abort "could not obtain version"
if [ "$#" -gt 0 ] ; then
# run only some specific tests
TEST_ARGS+=( "-check.f=$(echo $@ | tr ' ' '|')" )
fi
# tests require this user and group
/usr/sbin/groupadd -r docker >/dev/null 2>&1 || /bin/true
/usr/sbin/useradd --create-home --gid docker unprivilegeduser >/dev/null 2>&1 || /bin/true
export DOCKER_TEST_HOST="tcp://127.0.0.1:2375"
export PATH="/usr/local/bin:$PATH"
export TZ=utc
export DOCKER_GRAPHDRIVER="${DOCKER_GRAPHDRIVER:-vfs}"
export DOCKER_USERLANDPROXY="${DOCKER_USERLANDPROXY:-true}"
export DOCKER_STORAGE_OPTS="${DOCKER_STORAGE_OPTS:-}"
export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}" # "default" uses dockremap
# Example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G".
storage_opts=()
if [ -n "$DOCKER_STORAGE_OPTS" ]; then
IFS=','
for i in ${DOCKER_STORAGE_OPTS}; do
storage_opts+=("$i")
done
unset IFS
fi
# deal with remapping
save_backup /etc/subuid /etc/subgid
echo "dockremap:500000:65536" >/etc/subuid
echo "dockremap:500000:65536" >/etc/subgid
groupadd dockremap >/dev/null 2>&1 || /bin/true
useradd -g dockremap dockremap >/dev/null 2>&1 || /bin/true
# make sure Docker is stopped, set our config file and then start again
save_backup "$CFG_DOCKER"
cat <<CFG_DOCKER_EOF >"$CFG_DOCKER"
{
"log-level": "debug",
"log-driver": "json-file",
"log-opts": {
"max-size": "50m",
"max-file": "5"
},
"userns-remap": "$DOCKER_REMAP_ROOT",
"hosts": [
"tcp://127.0.0.1:2375"
],
"storage-driver": "$DOCKER_GRAPHDRIVER",
"storage-opts": [
$(printf '"%s",' "${storage_opts[@]}" | sed 's/"",//g;$s/,$//')
],
"userland-proxy": $DOCKER_USERLANDPROXY
}
CFG_DOCKER_EOF
systemctl restart docker.service
cleanup() {
log "Restoring configuration files..."
restore_backup /etc/subuid /etc/subgid "$CFG_DOCKER"
rm -f "$FROZEN_IMAGES_LINK"
log "Removing images and containers..."
export DOCKER_HOST="$DOCKER_TEST_HOST"
docker ps -aq | xargs docker rm -f &>/dev/null || :
docker images -q | xargs docker rmi -f &>/dev/null || :
log "Restarting the Docker service in a pristine state..."
systemctl restart docker.service
}
trap cleanup EXIT
cd "$DOCKER_DIR"
export MAKEDIR="$SCRIPTS_DIR/make"
export DOCKER_HOST="$DOCKER_TEST_HOST"
# Clean up all images on the host -- this is key to avoid test run failures.
log "Cleaning the environment..."
docker ps -aq | xargs docker rm -f &>/dev/null || :
docker images -q | xargs docker rmi -f &>/dev/null || :
log "Preparing the environment..."
bundle .integration-daemon-setup
# XXX: Really this should be sourced from the Dockerfile but this is good
# enough for now. This comes from the Docker 18.09.1-ce Dockerfile.
log "Downlading frozen images..."
mkdir -p "$FROZEN_IMAGES_DIR"
ln -sf "$FROZEN_IMAGES_DIR" "$FROZEN_IMAGES_LINK"
"$DOCKER_DIR/contrib/download-frozen-image-v2.sh" "$FROZEN_IMAGES_DIR" \
buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
# The code within integration-cli which handles building *-test images doesn't
# appear to work within our setup, not to mention we don't want to Require: a
# bunch of build tools so we just use the provided Dockerfile and
# buildpack-deps.
tar -cC "$FROZEN_IMAGES_DIR" . | docker load
for dir in "$DOCKER_DIR"/contrib/*-test
do
log "Building *-test images ($dir)..."
docker build -t "$(basename "$dir")" "$dir"
done
# For some reason, dockerd appears to put the containerd.sock in the wrong
# place under systemd. So we just manually add a symlink for it.
[ -e "/var/run/docker/containerd/containerd.sock" ] || \
ln -s docker-containerd.sock /var/run/docker/containerd/containerd.sock
# And there appears to be an issue with daemon.json as a configuration format,
# so we need to hide our generated configuration. The original will be restored
# in cleanup().
rm -f "$CFG_DOCKER"
# Run all of our tests.
rm -f "$TEST_LOG"
for TEST in "${TESTS[@]}"
do
cd "$(dirname "$TEST")"
log "Running integration test ($TEST)..." | tee -a "$TEST_LOG"
"$TEST" "${TEST_ARGS[@]}" 2>&1 | tee -a "$TEST_LOG" || :
done
export -n DOCKER_HOST