Accepting request 393252 from Virtualization:containers

Update to Docker 1.11.1. The changelog changes are due to OBS and IBS being
synced, and were ok'd by maintainence. From this point onwards, all updates to
Docker packages will be sourced from Virtualization:containers. This request
goes together with request 392078 and 393249.

In addition, this includes a patch to fix a vulnerability in Docker <= 1.11.1.
This patch is upstream but was merged after the 1.11.x merge window.
CVE-2016-3697. bsc#976777.

OBS-URL: https://build.opensuse.org/request/show/393252
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=33
This commit is contained in:
Dominique Leuenberger 2016-05-04 06:20:15 +00:00 committed by Git OBS Bridge
commit d01848e2f9
15 changed files with 1202 additions and 620 deletions

View File

@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">1.10.3</param>
<param name="revision">v1.10.3</param>
<param name="versionformat">1.11.1</param>
<param name="revision">v1.11.1</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">docker-*.tar</param>

View File

@ -1,18 +0,0 @@
---
vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 9 +++++++++
1 file changed, 9 insertions(+)
Index: docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
===================================================================
--- /dev/null
+++ docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
@@ -0,0 +1,9 @@
+// +build ppc64
+
+package bolt
+
+// maxMapSize represents the largest mmap size supported by Bolt.
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
+
+// maxAllocSize is the size used when creating array pointers.
+const maxAllocSize = 0x7FFFFFFF

View File

@ -0,0 +1,316 @@
From d67c0bf0caf26358f5345d6c0ac039026c46bd1e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 22 Apr 2016 20:36:43 +1000
Subject: [PATCH] libcontainer: user: always treat numeric ids numerically
Most shadow-related tools don't treat numeric ids as potential
usernames, so change our behaviour to match that. Previously, using an
explicit specification like 111:222 could result in the UID and GID not
being 111 and 222 respectively (which is confusing).
Some of the code was quite confusing inside libcontainer/user, so
refactor and comment it so future maintainers can understand what's
going and what edge cases we have to deal with.
This fixes CVE-2016-3697.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
.../runc/libcontainer/user/lookup.go | 3 +
.../opencontainers/runc/libcontainer/user/user.go | 149 ++++++++++++---------
2 files changed, 89 insertions(+), 63 deletions(-)
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
index 6f8a982..7062940 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
@@ -9,6 +9,9 @@ import (
var (
// The current operating system does not provide the required data for user lookups.
ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
+ // No matching entries found in file.
+ ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
+ ErrNoGroupEntries = errors.New("no matching entries in group file")
)
func lookupUser(filter func(u User) bool) (User, error) {
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
index e6375ea..43fd39e 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -15,7 +15,7 @@ const (
)
var (
- ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId)
+ ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
)
type User struct {
@@ -42,29 +42,30 @@ func parseLine(line string, v ...interface{}) {
parts := strings.Split(line, ":")
for i, p := range parts {
+ // Ignore cases where we don't have enough fields to populate the arguments.
+ // Some configuration files like to misbehave.
if len(v) <= i {
- // if we have more "parts" than we have places to put them, bail for great "tolerance" of naughty configuration files
break
}
+ // Use the type of the argument to figure out how to parse it, scanf() style.
+ // This is legit.
switch e := v[i].(type) {
case *string:
- // "root", "adm", "/bin/bash"
*e = p
case *int:
- // "0", "4", "1000"
- // ignore string to int conversion errors, for great "tolerance" of naughty configuration files
+ // "numbers", with conversion errors ignored because of some misbehaving configuration files.
*e, _ = strconv.Atoi(p)
case *[]string:
- // "", "root", "root,adm,daemon"
+ // Comma-separated lists.
if p != "" {
*e = strings.Split(p, ",")
} else {
*e = []string{}
}
default:
- // panic, because this is a programming/logic error, not a runtime one
- panic("parseLine expects only pointers! argument " + strconv.Itoa(i) + " is not a pointer!")
+ // Someone goof'd when writing code using this function. Scream so they can hear us.
+ panic(fmt.Sprintf("parseLine only accepts {*string, *int, *[]string} as arguments! %#v is not a pointer!", e))
}
}
}
@@ -106,8 +107,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
return nil, err
}
- text := strings.TrimSpace(s.Text())
- if text == "" {
+ line := strings.TrimSpace(s.Text())
+ if line == "" {
continue
}
@@ -117,10 +118,7 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
// root:x:0:0:root:/root:/bin/bash
// adm:x:3:4:adm:/var/adm:/bin/false
p := User{}
- parseLine(
- text,
- &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell,
- )
+ parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell)
if filter == nil || filter(p) {
out = append(out, p)
@@ -135,6 +133,7 @@ func ParseGroupFile(path string) ([]Group, error) {
if err != nil {
return nil, err
}
+
defer group.Close()
return ParseGroup(group)
}
@@ -178,10 +177,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
// root:x:0:root
// adm:x:4:root,adm,daemon
p := Group{}
- parseLine(
- text,
- &p.Name, &p.Pass, &p.Gid, &p.List,
- )
+ parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
if filter == nil || filter(p) {
out = append(out, p)
@@ -192,9 +188,10 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
}
type ExecUser struct {
- Uid, Gid int
- Sgids []int
- Home string
+ Uid int
+ Gid int
+ Sgids []int
+ Home string
}
// GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the
@@ -235,12 +232,12 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath
// * "uid:gid
// * "user:gid"
// * "uid:group"
+//
+// It should be noted that if you specify a numeric user or group id, they will
+// not be evaluated as usernames (only the metadata will be filled). So attempting
+// to parse a user with user.Name = "1337" will produce the user with a UID of
+// 1337.
func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) {
- var (
- userArg, groupArg string
- name string
- )
-
if defaults == nil {
defaults = new(ExecUser)
}
@@ -258,87 +255,113 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
user.Sgids = []int{}
}
- // allow for userArg to have either "user" syntax, or optionally "user:group" syntax
+ // Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
+ var userArg, groupArg string
parseLine(userSpec, &userArg, &groupArg)
+ // Convert userArg and groupArg to be numeric, so we don't have to execute
+ // Atoi *twice* for each iteration over lines.
+ uidArg, uidErr := strconv.Atoi(userArg)
+ gidArg, gidErr := strconv.Atoi(groupArg)
+
+ // Find the matching user.
users, err := ParsePasswdFilter(passwd, func(u User) bool {
if userArg == "" {
+ // Default to current state of the user.
return u.Uid == user.Uid
}
- return u.Name == userArg || strconv.Itoa(u.Uid) == userArg
+
+ if uidErr == nil {
+ // If the userArg is numeric, always treat it as a UID.
+ return uidArg == u.Uid
+ }
+
+ return u.Name == userArg
})
+
+ // If we can't find the user, we have to bail.
if err != nil && passwd != nil {
if userArg == "" {
userArg = strconv.Itoa(user.Uid)
}
- return nil, fmt.Errorf("Unable to find user %v: %v", userArg, err)
+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, err)
}
- haveUser := users != nil && len(users) > 0
- if haveUser {
- // if we found any user entries that matched our filter, let's take the first one as "correct"
- name = users[0].Name
+ var matchedUserName string
+ if len(users) > 0 {
+ // First match wins, even if there's more than one matching entry.
+ matchedUserName = users[0].Name
user.Uid = users[0].Uid
user.Gid = users[0].Gid
user.Home = users[0].Home
} else if userArg != "" {
- // we asked for a user but didn't find them... let's check to see if we wanted a numeric user
- user.Uid, err = strconv.Atoi(userArg)
- if err != nil {
- // not numeric - we have to bail
- return nil, fmt.Errorf("Unable to find user %v", userArg)
+ // If we can't find a user with the given username, the only other valid
+ // option is if it's a numeric username with no associated entry in passwd.
+
+ if uidErr != nil {
+ // Not numeric.
+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries)
}
+ user.Uid = uidArg
// Must be inside valid uid range.
if user.Uid < minId || user.Uid > maxId {
return nil, ErrRange
}
- // if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit
+ // Okay, so it's numeric. We can just roll with this.
}
- if groupArg != "" || name != "" {
+ // On to the groups. If we matched a username, we need to do this because of
+ // the supplementary group IDs.
+ if groupArg != "" || matchedUserName != "" {
groups, err := ParseGroupFilter(group, func(g Group) bool {
- // Explicit group format takes precedence.
- if groupArg != "" {
- return g.Name == groupArg || strconv.Itoa(g.Gid) == groupArg
+ // If the group argument isn't explicit, we'll just search for it.
+ if groupArg == "" {
+ // Check if user is a member of this group.
+ for _, u := range g.List {
+ if u == matchedUserName {
+ return true
+ }
+ }
+ return false
}
- // Check if user is a member.
- for _, u := range g.List {
- if u == name {
- return true
- }
+ if gidErr == nil {
+ // If the groupArg is numeric, always treat it as a GID.
+ return gidArg == g.Gid
}
- return false
+ return g.Name == groupArg
})
if err != nil && group != nil {
- return nil, fmt.Errorf("Unable to find groups for user %v: %v", users[0].Name, err)
+ return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)
}
- haveGroup := groups != nil && len(groups) > 0
+ // Only start modifying user.Gid if it is in explicit form.
if groupArg != "" {
- if haveGroup {
- // if we found any group entries that matched our filter, let's take the first one as "correct"
+ if len(groups) > 0 {
+ // First match wins, even if there's more than one matching entry.
user.Gid = groups[0].Gid
- } else {
- // we asked for a group but didn't find id... let's check to see if we wanted a numeric group
- user.Gid, err = strconv.Atoi(groupArg)
- if err != nil {
- // not numeric - we have to bail
- return nil, fmt.Errorf("Unable to find group %v", groupArg)
+ } else if groupArg != "" {
+ // If we can't find a group with the given name, the only other valid
+ // option is if it's a numeric group name with no associated entry in group.
+
+ if gidErr != nil {
+ // Not numeric.
+ return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries)
}
+ user.Gid = gidArg
- // Ensure gid is inside gid range.
+ // Must be inside valid gid range.
if user.Gid < minId || user.Gid > maxId {
return nil, ErrRange
}
- // if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit
+ // Okay, so it's numeric. We can just roll with this.
}
- } else if haveGroup {
- // If implicit group format, fill supplementary gids.
+ } else if len(groups) > 0 {
+ // Supplementary group ids only make sense if in the implicit form.
user.Sgids = make([]int, len(groups))
for i, group := range groups {
user.Sgids[i] = group.Gid
--
2.8.1

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:981d52320b7936c294d4b433deffe7af9934b715e207d38a7a993a5a74b3862e
size 8307800

3
docker-1.11.1.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d36c5f677ea5ddb77b25552509217674cd18a526f1e86202befb69fa1f9a242f
size 8794588

412
docker-mount-secrets.patch Normal file
View File

@ -0,0 +1,412 @@
From fb84d5a3fbc3f1fad7dfc961b5dace3915eae7f9 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 11 Apr 2016 22:54:35 +1000
Subject: [PATCH] SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
container/container_unix.go | 63 ++++++++++++
daemon/container_operations_unix.go | 50 ++++++++++
daemon/daemon_unix.go | 6 +-
daemon/oci_linux.go | 7 ++
daemon/start.go | 6 ++
daemon/suse_secrets.go | 184 ++++++++++++++++++++++++++++++++++++
6 files changed, 314 insertions(+), 2 deletions(-)
create mode 100644 daemon/suse_secrets.go
Index: docker-1.11.0/container/container_unix.go
===================================================================
--- docker-1.11.0.orig/container/container_unix.go
+++ docker-1.11.0/container/container_unix.go
@@ -34,6 +34,8 @@ type Container struct {
HostsPath string
ShmPath string
ResolvConfPath string
+ // SUSE:secrets :: We need to add the container-specific secrets path here.
+ SuseSecretsPath string
SeccompProfile string
NoNewPrivileges bool
}
@@ -243,6 +245,67 @@ func (container *Container) IpcMounts()
return mounts
}
+// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's
+// personal /run/secrets tmpfs.
+func (container *Container) SuseSecretsResourcePath() (string, error) {
+ return container.GetRootResourcePath("suse:secrets")
+}
+
+// SUSE:secrets :: SuseSecretMounts returns the list of mounts required for the
+// SUSE-specific /run/secrets patch. The container's personal /run/secrets tmpfs
+// has already been set up at this point.
+func (container *Container) SuseSecretMounts() []Mount {
+ var mounts []Mount
+
+ logrus.WithFields(logrus.Fields{
+ "container": container.ID,
+ "path": container.SuseSecretsPath,
+ "hasmount": container.HasMountFor("/run/secrets"),
+ }).Debug("SUSE:secrets :: adding container secrets to mountpoint")
+
+ // TODO(SUSE): How do we register for HasMountFor().
+ if !container.HasMountFor("/run/secrets") {
+ label.SetFileLabel(container.SuseSecretsPath, container.MountLabel)
+ mounts = append(mounts, Mount{
+ Source: container.SuseSecretsPath,
+ Destination: "/run/secrets",
+ Writable: true,
+ Propagation: volume.DefaultPropagationMode,
+ })
+ }
+
+ return mounts
+}
+
+// SUSE:secrets :: Unmounts the container's personal /run/secrets tmpfs using the
+// provided function. This is done to clean up the mountpoints properly.
+func (container *Container) UnmountSuseSecretMounts(unmount func(string) error) {
+ logrus.WithFields(logrus.Fields{
+ "container": container.ID,
+ "hasmount": container.HasMountFor("/run/secrets"),
+ }).Debug("SUSE:secrets :: requested to clean up container secrets")
+
+ if !container.HasMountFor("/run/secrets") {
+ logrus.Debugf("SUSE:secrets :: cleaning up secrets mount for container")
+
+ suseSecretsPath, err := container.SuseSecretsResourcePath()
+ if err != nil {
+ logrus.Error("SUSE:secrets :: failed to clean up secrets mounts: no secrets resource path found for container %v: %v", container.ID, err)
+ }
+
+ if suseSecretsPath != "" {
+ logrus.WithFields(logrus.Fields{
+ "path": suseSecretsPath,
+ }).Debugf("SUSE:secrets :: actually unmounting conatiner secrets")
+
+ if err := unmount(suseSecretsPath); err != nil && !os.IsNotExist(err) {
+ // We can't error out here.
+ logrus.Warnf("SUSE:secrets :: failed to clean up secrets mounts: failed to umount %s: %v", suseSecretsPath, err)
+ }
+ }
+ }
+}
+
// UpdateContainer updates configuration of a container.
func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
container.Lock()
Index: docker-1.11.0/daemon/container_operations_unix.go
===================================================================
--- docker-1.11.0.orig/daemon/container_operations_unix.go
+++ docker-1.11.0/daemon/container_operations_unix.go
@@ -182,6 +182,56 @@ func (daemon *Daemon) getIpcContainer(co
return c, nil
}
+// SUSE:secrets :: Create a container's personal /run/secrets tmpfs and fill it
+// with the host's credentials.
+func (daemon *Daemon) setupSuseSecrets(c *container.Container) (err error) {
+ c.SuseSecretsPath, err = c.SuseSecretsResourcePath()
+ if err != nil {
+ return err
+ }
+
+ if !c.HasMountFor("/run/secrets") {
+ rootUID, rootGID := daemon.GetRemappedUIDGID()
+ if err = idtools.MkdirAllAs(c.SuseSecretsPath, 0700, rootUID, rootGID); err != nil {
+ return fmt.Errorf("SUSE:secrets :: failed to create container secret: %v", err)
+ }
+ if err = syscall.Mount("tmpfs", c.SuseSecretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", c.GetMountLabel())); err != nil {
+ return fmt.Errorf("SUSE:secrets :: mounting secrets tmpfs: %v", err)
+ }
+ // We need to defer a cleanup, to make sure errors that occur before the container
+ // starts don't cause wasted memory due to tmpfs-es that aren't being used.
+ defer func() {
+ if err != nil {
+ logrus.Infof("SUSE::secrets :: cleaning up secrets mount due to failed setup")
+ c.UnmountSuseSecretMounts(detachMounted)
+ }
+ }()
+ if err = os.Chown(c.SuseSecretsPath, rootUID, rootGID); err != nil {
+ return fmt.Errorf("SUSE:secrets :: failed to chown container secret to (uid=%d,gid=%d): %v", rootUID, rootGID, err)
+ }
+
+ // Now we need to inject the credentials. But in order to play properly with
+ // user namespaces, they must be owned by rootUID:rootGID.
+
+ data, err := getHostSuseSecretData()
+ if err != nil {
+ return fmt.Errorf("SUSE:secrets :: failed to get host secret data: %v", err)
+ }
+
+ uidMap, gidMap := daemon.GetUIDGIDMaps()
+ for _, s := range data {
+ if err := s.SaveTo(c.SuseSecretsPath, uidMap, gidMap); err != nil {
+ logrus.WithFields(logrus.Fields{
+ "s.path": s.Path,
+ "path": c.SuseSecretsPath,
+ }).Errorf("SUSE:secrets :: failed to save secret data: %v", err)
+ }
+ }
+ }
+
+ return
+}
+
func (daemon *Daemon) setupIpcDirs(c *container.Container) error {
var err error
Index: docker-1.11.0/daemon/daemon_unix.go
===================================================================
--- docker-1.11.0.orig/daemon/daemon_unix.go
+++ docker-1.11.0/daemon/daemon_unix.go
@@ -786,8 +786,10 @@ func initBridgeDriver(controller libnetw
// the container from unwanted side-effects on the rw layer.
func setupInitLayer(initLayer string, rootUID, rootGID int) error {
for pth, typ := range map[string]string{
- "/dev/pts": "dir",
- "/dev/shm": "dir",
+ "/dev/pts": "dir",
+ "/dev/shm": "dir",
+ // SUSE:secrets :: We need to add the mountpoint in the init layer.
+ "/run/secrets": "dir",
"/proc": "dir",
"/sys": "dir",
"/.dockerenv": "file",
Index: docker-1.11.0/daemon/oci_linux.go
===================================================================
--- docker-1.11.0.orig/daemon/oci_linux.go
+++ docker-1.11.0/daemon/oci_linux.go
@@ -634,12 +634,19 @@ func (daemon *Daemon) createSpec(c *cont
return nil, err
}
+ // SUSE:secrets :: We need to set up the container-specific secrets tmpfs here.
+ if err := daemon.setupSuseSecrets(c); err != nil {
+ return nil, err
+ }
+
mounts, err := daemon.setupMounts(c)
if err != nil {
return nil, err
}
mounts = append(mounts, c.IpcMounts()...)
mounts = append(mounts, c.TmpfsMounts()...)
+ // SUSE:secrets :: We add the mounts to the OCI config which containerd then uses.
+ mounts = append(mounts, c.SuseSecretMounts()...)
if err := setMounts(daemon, &s, c, mounts); err != nil {
return nil, fmt.Errorf("linux mounts: %v", err)
}
Index: docker-1.11.0/daemon/start.go
===================================================================
--- docker-1.11.0.orig/daemon/start.go
+++ docker-1.11.0/daemon/start.go
@@ -164,6 +164,12 @@ func (daemon *Daemon) Cleanup(container
container.UnmountIpcMounts(detachMounted)
+ // TODO(SUSE): Make sure this gets called by containerCleanup. Do we need to
+ // port this part of the patch there as well?
+
+ // SUSE:secrets :: We need to unmount stuff here so that we clean up properly.
+ container.UnmountSuseSecretMounts(detachMounted)
+
if err := daemon.conditionalUnmountOnCleanup(container); err != nil {
// FIXME: remove once reference counting for graphdrivers has been refactored
// Ensure that all the mounts are gone
Index: docker-1.11.0/daemon/suse_secrets.go
===================================================================
--- /dev/null
+++ docker-1.11.0/daemon/suse_secrets.go
@@ -0,0 +1,184 @@
+package daemon
+
+// SUSE:secrets :: This is a set of functions to copy host credentials into a
+// container's /run/secrets.
+
+import (
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "syscall"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/docker/docker/pkg/idtools"
+)
+
+// TODO(SUSE): We need to reimplement this to use tar. Immediately.
+
+// Creating a fake file.
+type SuseFakeFile struct {
+ Path string
+ Uid int
+ Gid int
+ Mode os.FileMode
+ Data []byte
+}
+
+func (s *SuseFakeFile) SaveTo(dir string, uidMap, gidMap []idtools.IDMap) error {
+ // Create non-existant path components with an owner of root (other FakeFiles
+ // will clean this up if the owner is critical).
+ rootUid, rootGid, err := idtools.GetRootUIDGID(uidMap, gidMap)
+
+ path := filepath.Join(dir, s.Path)
+ if err := idtools.MkdirAllNewAs(filepath.Dir(path), 0755, rootUid, rootGid); err != nil && !os.IsExist(err) {
+ return err
+ }
+
+ uid, err := idtools.ToHost(s.Uid, uidMap)
+ if err != nil {
+ return err
+ }
+
+ gid, err := idtools.ToHost(s.Gid, gidMap)
+ if err != nil {
+ return err
+ }
+
+ if s.Mode.IsDir() {
+ if err := idtools.MkdirAs(path, s.Mode, uid, gid); err != nil {
+ return err
+ }
+ } else {
+ if err := ioutil.WriteFile(path, s.Data, s.Mode); err != nil {
+ return err
+ }
+ }
+
+ return os.Chown(path, uid, gid)
+}
+
+// readDir will recurse into a directory prefix/dir, and return the set of secrets
+// in that directory. The Path attribute of each has the prefix stripped. Symlinks
+// are evaluated.
+func readDir(prefix, dir string) ([]*SuseFakeFile, error) {
+ var suseFiles []*SuseFakeFile
+
+ path := filepath.Join(prefix, dir)
+
+ fi, err := os.Stat(path)
+ if err != nil {
+ // Ignore dangling symlinks.
+ if os.IsNotExist(err) {
+ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path)
+ return suseFiles, nil
+ }
+ return nil, err
+ }
+
+ stat, ok := fi.Sys().(*syscall.Stat_t)
+ if !ok {
+ logrus.Warnf("SUSE:secrets :: failed to cast directory stat_t: defaulting to owned by root:root: %s", path)
+ }
+
+ suseFiles = append(suseFiles, &SuseFakeFile{
+ Path: dir,
+ Uid: int(stat.Uid),
+ Gid: int(stat.Gid),
+ Mode: fi.Mode(),
+ })
+
+ files, err := ioutil.ReadDir(path)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, f := range files {
+ subpath := filepath.Join(dir, f.Name())
+
+ if f.IsDir() {
+ secrets, err := readDir(prefix, subpath)
+ if err != nil {
+ return nil, err
+ }
+ suseFiles = append(suseFiles, secrets...)
+ } else {
+ secrets, err := readFile(prefix, subpath)
+ if err != nil {
+ return nil, err
+ }
+ suseFiles = append(suseFiles, secrets...)
+ }
+ }
+
+ return suseFiles, nil
+}
+
+func readFile(prefix, file string) ([]*SuseFakeFile, error) {
+ var suseFiles []*SuseFakeFile
+
+ path := filepath.Join(prefix, file)
+ fi, err := os.Stat(path)
+ if err != nil {
+ // Ignore dangling symlinks.
+ if os.IsNotExist(err) {
+ logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path)
+ return suseFiles, nil
+ }
+ return nil, err
+ }
+
+ stat, ok := fi.Sys().(*syscall.Stat_t)
+ if !ok {
+ logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path)
+ }
+
+ if fi.IsDir() {
+ secrets, err := readDir(prefix, file)
+ if err != nil {
+ return nil, err
+ }
+ suseFiles = append(suseFiles, secrets...)
+ } else {
+ bytes, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ suseFiles = append(suseFiles, &SuseFakeFile{
+ Path: file,
+ Uid: int(stat.Uid),
+ Gid: int(stat.Gid),
+ Mode: fi.Mode(),
+ Data: bytes,
+ })
+ }
+
+ return suseFiles, nil
+}
+
+func getHostSuseSecretData() ([]*SuseFakeFile, error) {
+ secrets := []*SuseFakeFile{}
+
+ credentials, err := readDir("/etc/zypp", "credentials.d")
+ if err != nil {
+ if os.IsNotExist(err) {
+ credentials = []*SuseFakeFile{}
+ } else {
+ logrus.Errorf("SUSE:secrets :: error while reading zypp credentials: %s", err)
+ return nil, err
+ }
+ }
+ secrets = append(secrets, credentials...)
+
+ suseConnect, err := readFile("/etc", "SUSEConnect")
+ if err != nil {
+ if os.IsNotExist(err) {
+ suseConnect = []*SuseFakeFile{}
+ } else {
+ logrus.Errorf("SUSE:secrets :: error while reading /etc/SUSEConnect: %s", err)
+ return nil, err
+ }
+ }
+ secrets = append(secrets, suseConnect...)
+
+ return secrets, nil
+}

View File

@ -1,3 +1,231 @@
-------------------------------------------------------------------
Mon May 2 07:40:22 UTC 2016 - asarai@suse.de
* Remove conditional Patch directive for SUSE secrets, since conditionally
including patches results in incompatible .src.rpms. The patch is still
applied conditionally.
-------------------------------------------------------------------
Fri Apr 29 09:04:54 UTC 2016 - asarai@suse.de
* Update to Docker 1.11.1. Changelog from upstream:
* Distribution
- Fix schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json` ([#21949](https://github.com/docker/docker/pull/21949))
* Documentation
+ Add missing API documentation for changes introduced with 1.11.0 ([#22048](https://github.com/docker/docker/pull/22048))
* Builder
* Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile` ([#22184](https://github.com/docker/docker/pull/22184))
* Networking
- Fix a panic that would occur when forwarding DNS query ([#22261](https://github.com/docker/docker/pull/22261))
- Fix an issue where OS threads could end up within an incorrect network namespace when using user defined networks ([#22261](https://github.com/docker/docker/pull/22261))
* Runtime
- Fix a bug preventing labels configuration to be reloaded via the config file ([#22299](https://github.com/docker/docker/pull/22299))
- Fix a regression where container mounting `/var/run` would prevent other containers from being removed ([#22256](https://github.com/docker/docker/pull/22256))
- Fix an issue where it would be impossible to update both `memory-swap` and `memory` value together ([#22255](https://github.com/docker/docker/pull/22255))
- Fix a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided ([#22254](https://github.com/docker/docker/pull/22254))
- Add missing cleanup of container temporary files when cancelling a schedule restart ([#22237](https://github.com/docker/docker/pull/22237))
- Removed scary error message when no restart policy is specified ([#21993](https://github.com/docker/docker/pull/21993))
- Fix a panic that would occur when the plugins were activated via the json spec ([#22191](https://github.com/docker/docker/pull/22191))
- Fix restart backoff logic to correctly reset delay if container ran for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125))
- Remove error message when a container restart get cancelled ([#22123](https://github.com/docker/docker/pull/22123))
- Fix an issue where `docker` would not correcly clean up after `docker exec` ([#22121](https://github.com/docker/docker/pull/22121))
- Fix a panic that could occur when servicing concurrent `docker stats` commands ([#22120](https://github.com/docker/docker/pull/22120))`
- Revert deprecation of non-existing host directories auto-creation ([#22065](https://github.com/docker/docker/pull/22065))
- Hide misleading rpc error on daemon shutdown ([#22058](https://github.com/docker/docker/pull/22058))
-------------------------------------------------------------------
Fri Apr 22 10:43:37 UTC 2016 - asarai@suse.de
- Add patch to fix vulnerability in Docker <= 1.11.0. This patch is upstream,
but was merged after the 1.11.0 merge window. CVE-2016-3697. bsc#976777.
+ cve-2016-3697-numeric-uid.patch
The upstream PR is here[1] and was vendored into Docker here[2].
[1]: https://github.com/opencontainers/runc/pull/708
[2]: https://github.com/docker/docker/pull/21665
-------------------------------------------------------------------
Mon Apr 18 19:33:56 UTC 2016 - mpluskal@suse.com
- Supplemnent zsh from zsh-completion
* zsh-completion will be automatically installed if zsh and
docker are installed
-------------------------------------------------------------------
Mon Apr 18 15:44:11 UTC 2016 - jmassaguerpla@suse.com
- Remove gcc5_socker_workaround.patch: This patch is not needed anymore
since gcc5 has been updated in all platforms
-------------------------------------------------------------------
Mon Apr 18 06:19:18 UTC 2016 - asarai@suse.de
* Removed patches that have been fixed upstream and in gcc-go:
- boltdb_bolt_powerpc.patch
- fix-apparmor.patch
- fix-btrfs-ioctl-structure.patch
- fix-docker-init.patch
- libnetwork_drivers_bridge_powerpc.patch
- ignore-dockerinit-checksum.patch
* Require containerd, as it is the only currently supported Docker execdriver.
* Update docker.socket to require containerd.socket and use --containerd in
docker.service so that the services are self-contained.
* Update to Docker 1.11.0. Changelog from upstream:
* Builder
- Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033))
- Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162))
* Client
* Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232))
+ The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373))
* Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200))
* Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128))
- Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803))
- Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792))
* Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587))
- Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566))
+ Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373))
+ Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107))
* `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017))
* `docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986))
- Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806))
* Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761))
* `docker ps` no longer show exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483))
- Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849))
* Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078))
* Distribution
- Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222))
- Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212))
+ All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046))
+ OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970))
* `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832))
* `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565))
* Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241))
* Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840))
- Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509))
- Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382))
* Logging
- Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311))
* Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121))
* Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831))
* Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794))
+ Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689))
* Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564))
+ The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439))
+ Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766))
* Misc
+ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c))
+ Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325))
+ Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270))
* The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266))
- Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258))
- Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633))
* Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863))
* Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388))
* Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894))
* `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851))
+ Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013))
+ Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348))
* Networking
- Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671))
- Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671))
* `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160))
+ Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122))
* Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383))
- Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431))
* `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357))
+ Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513))
* Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396))
- Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396))
* Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019))
- Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261))
- Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019))
- Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019)
- Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214))
- Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419))
- Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419))
- For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019))
- Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019))
- Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019))
- Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780))
- Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914))
* Plugins
- Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686))
- Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602))
* Runtime
- Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716))
- Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692))
- Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677))
- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
Docker 1.9, but was decided to be too much of an backward-incompatible change, so it was decided to keep the feature.
+ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
+ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
+ Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354))
* Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345))
* Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097))
- Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089))
- Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048))
- Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045))
- Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022))
- Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013))
- Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002))
* Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977))
- Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967)
* The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786))
+ Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727))
- Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684))
+ Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662))
- Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604))
+ Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177))
+ Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111))
- Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679))
* Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517))
- Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500))
* `docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116))
* `docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966))
+ Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697))
- `docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078))
- Fix a bug in neighbor discovery for IPv6 peers ([#20842](https://github.com/docker/docker/pull/20842))
- Fix a panic during cleanup if a container was started with invalid options ([#21802](https://github.com/docker/docker/pull/21802))
- Fix a situation where a container cannot be stopped if the terminal is closed ([#21840](https://github.com/docker/docker/pull/21840))
* Security
* Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370))
* `restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262))
* `send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432))
* Docker Content Trust now requests the server to perform snapshot signing ([#21046](https://github.com/docker/docker/pull/21046))
* Support for using YubiKeys for Content Trust signing has been moved out of experimental ([#21591](https://github.com/docker/docker/pull/21591))
* Volumes
* Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389))
* Local volumes can now accepts options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262))
- Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106))
+ `docker run -v` now accepts a new flag `nocopy`. This tell the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223))
-------------------------------------------------------------------
Wed Apr 13 11:16:51 UTC 2016 - jmassaguerpla@suse.com
- docker.spec: apply gcc5 socket patch also for sle12 and leap
because gcc5 has been updated there as well.
- docker.spec: add a "is_opensuse" check for the mount-secrets patch.
This way we can use this same package for opensuse.
-------------------------------------------------------------------
Fri Apr 8 13:27:55 UTC 2016 - dmueller@suse.com
@ -203,144 +431,164 @@ https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/C
-------------------------------------------------------------------
Wed Jan 27 23:40:09 UTC 2016 - asarai@suse.com
Tue Feb 9 13:24:34 UTC 2016 - asarai@suse.com
- backport 1 bugfix from the upstream 1.10 branch
Added:
fix_json_econnreset_bug.patch (https://github.com/docker/docker/issues/14203)
- docker-mount-secrets.patch: fix up this patch to work on Docker 1.10
-------------------------------------------------------------------
Fri Jan 22 15:08:05 UTC 2016 - jmassaguerpla@suse.com
Wed Jan 27 11:57:59 UTC 2016 - asarai@suse.com
- use_fs_cgroups_by_default.patch: fix bsc#963177 - Use fs cgroups
by default in docker
- fix_cgroup.parent_path_sanitisation.patch: fix bsc# 963198 - fix
cgroup.Parent path sanitisation in docker
- fix_bnc_958255.patch: fix bnc#958255 - Docker creates strange
apparmor profile
- docker-mount-secrets.patch: properly register /run/secrets as a
mountpoint, so that it is unmounted properly when the container
is removed and thus container removal works. (bnc#963142)
- docker-mount-secrets.patch: in addition, add some extra debugging
information to the secrets patch.
-------------------------------------------------------------------
Thu Jan 21 16:52:41 UTC 2016 - jmassaguerpla@suse.com
- gcc5-go in Tumbleweed includes this commit
https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb
Which "fixes" the data type for RawSockaddr.Data
However, docker now expects the "wrong" data type, since docker had a workaround
for that issue.
Thus, we need to workaround the workaroundn in tumbleweed
- There was an error in one of the file list
Wed Jan 27 09:42:59 UTC 2016 - asarai@suse.com
- fix_json_econnreset_bug.patch: fix JSON bug that causes containers to not start
in weird circumstances. https://github.com/docker/docker/issues/14203
-------------------------------------------------------------------
Wed Dec 23 10:47:04 UTC 2015 - fcastelli@suse.com
Wed Dec 23 11:10:54 UTC 2015 - fcastelli@suse.com jmassaguerpla@suse.com
- fix_bnc_958255.patch: fix Docker creates strange apparmor profile
(bnc#958255)
- use_fs_cgroups_by_default.patch: Use fs cgroups by default:
https://github.com/docker/docker/commit/419fd7449fe1a984f582731fcd4d9455000846b0
- fix_cgroup.parent_path_sanitisation.patch: fix cgroup.Parent path
sanitisation:
https://github.com/opencontainers/runc/commit/bf899fef451956be4abd63de6d6141d9f9096a02
- Add rules for auditd. This is required to fix bnc#959405
-------------------------------------------------------------------
Fri Dec 4 16:08:22 UTC 2015 - normand@linux.vnet.ibm.com
- remove 2 patches and add 5 others after 1.9.1 upgrade
Removed:
docker_missing_ppc64le_netlink_linux_files.patch
docker_rename_jump_amd64_as_jump_linux.patch
Added:
add_bolt_ppc64.patch
add_bolt_arm64.patch
docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
-------------------------------------------------------------------
Tue Nov 24 10:53:44 UTC 2015 - fcastelli@suse.com
- Remove 7 patches, add 6 and modify 1, after 1.9.1 upgrade
* Removed:
- docker_missing_ppc64le_netlink_linux_files.patch: the code that this
bug refers to has benn removed upstream
- docker_rename_jump_amd64_as_jump_linux.patch: the code that this bug
refers to has been removed upstream
- Remove fix_15279.patch: code has been merged upstream
- Remove add_missing_syscall_for_s390x.patch: code has been merged upstream
- Remove fix_incompatible_assignment_error_bnc_950931.patch: code has been
merged upstream
- Remove fix_libsecomp_error_bnc_950931.patch: the code that this bug refers to
has been removed upstream
- Remove gcc5_socket_workaround.patch: Code has been fixed. Building with
this patch is giving the error we were trying to fix, implying that the
code has been fixed somewhere else.
* Added:
- add_bolt_ppc64.patch
- add_bolt_arm64.patch
- docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
- docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
- docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
- gcc-go-build-static-libgo.patch: enable static linking of libgo in ggc-go
In order to do this, we had to work-around an issue from gcc-go:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69357
* Modify:
- Upgrade to 1.9.1(bnc#956434)
* Runtime:
- Do not prevent daemon from booting if images could not be restored (#17695)
- Do not prevent daemon from booting if images could not be restored
(#17695)
- Force IPC mount to unmount on daemon shutdown/init (#17539)
- Turn IPC unmount errors into warnings (#17554)
- Fix `docker stats` performance regression (#17638)
- Clarify cryptic error message upon `docker logs` if `--log-driver=none` (#17767)
- Clarify cryptic error message upon `docker logs` if `--log-driver=none`
(#17767)
- Fix seldom panics (#17639, #17634, #17703)
- Fix opq whiteouts problems for files with dot prefix (#17819)
- devicemapper: try defaulting to xfs instead of ext4 for performance reasons (#17903, #17918)
- devicemapper: try defaulting to xfs instead of ext4 for performance
reasons (#17903, #17918)
- devicemapper: fix displayed fs in docker info (#17974)
- selinux: only relabel if user requested so with the `z` option (#17450, #17834)
- selinux: only relabel if user requested so with the `z` option
(#17450, #17834)
- Do not make network calls when normalizing names (#18014)
*Client:
- Fix `docker login` on windows (#17738)
- Fix bug with `docker inspect` output when not connected to daemon (#17715)
- Fix bug with `docker inspect` output when not connected to daemon
(#17715)
- Fix `docker inspect -f {{.HostConfig.Dns}} somecontainer` (#17680)
* Builder:
- Fix regression with symlink behavior in ADD/COPY (#17710)
* Networking:
- Allow passing a network ID as an argument for `--net` (#17558)
- Fix connect to host and prevent disconnect from host for `host` network (#17476)
- Fix `--fixed-cidr` issue when gateway ip falls in ip-range and ip-range is
not the first block in the network (#17853)
- Restore deterministic `IPv6` generation from `MAC` address on default `bridge` network (#17890)
- Fix connect to host and prevent disconnect from host for `host` network
(#17476)
- Fix `--fixed-cidr` issue when gateway ip falls in ip-range and ip-range
is not the first block in the network (#17853)
- Restore deterministic `IPv6` generation from `MAC` address on default
`bridge` network (#17890)
- Allow port-mapping only for endpoints created on docker run (#17858)
- Fixed an endpoint delete issue with a possible stale sbox (#18102)
* Distribution:
- Correct parent chain in v2 push when v1Compatibility files on the disk are inconsistent (#18047)
-------------------------------------------------------------------
Fri Nov 13 16:58:43 UTC 2015 - fcastelli@suse.com
- Correct parent chain in v2 push when v1Compatibility files on the disk
are inconsistent (#18047)
- Update to version 1.9.0 (bnc#954812):
* Runtime:
- `docker stats` now returns block IO metrics (#15005)
- `docker stats` now details network stats per interface (#15786)
- Add `ancestor=<image>` filter to `docker ps --filter` flag to filter
containers based on their ancestor images (#14570)
- Add `label=<somelabel>` filter to `docker ps --filter` to filter containers
based on label (#16530)
- Add `label=<somelabel>` filter to `docker ps --filter` to filter
containers based on label (#16530)
- Add `--kernel-memory` flag to `docker run` (#14006)
- Add `--message` flag to `docker import` allowing to specify an optional
message (#15711)
- Add `--privileged` flag to `docker exec` (#14113)
- Add `--stop-signal` flag to `docker run` allowing to replace the container
process stopping signal (#15307)
- Add `--stop-signal` flag to `docker run` allowing to replace the
container process stopping signal (#15307)
- Add a new `unless-stopped` restart policy (#15348)
- Inspecting an image now returns tags (#13185)
- Add container size information to `docker inspect` (#15796)
- Add `RepoTags` and `RepoDigests` field to `/images/{name:.*}/json` (#17275)
- Add `RepoTags` and `RepoDigests` field to `/images/{name:.*}/json`
(#17275)
- Remove the deprecated `/container/ps` endpoint from the API (#15972)
- Send and document correct HTTP codes for `/exec/<name>/start` (#16250)
- Share shm and mqueue between containers sharing IPC namespace (#15862)
- Event stream now shows OOM status when `--oom-kill-disable` is set (#16235)
- Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted
- Event stream now shows OOM status when `--oom-kill-disable` is
set (#16235)
- Ensure special network files (/etc/hosts etc.) are read-only if
bind-mounted
with `ro` option (#14965)
- Improve `rmi` performance (#16890)
- Do not update /etc/hosts for the default bridge network, except for links (#17325)
- Do not update /etc/hosts for the default bridge network, except for links
(#17325)
- Fix conflict with duplicate container names (#17389)
- Fix an issue with incorrect template execution in `docker inspect` (#17284)
- DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run (#16271)
- Fix an issue with incorrect template execution in `docker inspect`
(#17284)
- DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run
(#16271)
* Client:
- Allow `docker import` to import from local files (#11907)
* Builder:
- Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different
stop-signal for the container process (#15307)
- Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build`
- Add an `ARG` Dockerfile instruction and a `--build-arg` flag to
`docker build`
that allows to add build-time environment variables (#15182)
- Improve cache miss performance (#16890)
* Storage:
- devicemapper: Implement deferred deletion capability (#16381)
* Networking:
- `docker network` exits experimental and is part of standard release (#16645)
- New network top-level concept, with associated subcommands and API (#16645)
- `docker network` exits experimental and is part of standard release
(#16645)
- New network top-level concept, with associated subcommands and API
(#16645)
WARNING: the API is different from the experimental API
- Support for multiple isolated/micro-segmented networks (#16645)
- Built-in multihost networking using VXLAN based overlay driver (#14071)
- Support for third-party network plugins (#13424)
- Ability to dynamically connect containers to multiple networks (#16645)
- Support for user-defined IP address management via pluggable IPAM drivers (#16910)
- Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in nodes discovery (#16229)
- Support for user-defined IP address management via pluggable IPAM drivers
(#16910)
- Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in
nodes discovery (#16229)
- Add `--cluster-store-opt` for setting up TLS settings (#16644)
- Add `--dns-opt` to the daemon (#16031)
- DEPRECATE following container `NetworkSettings` fields in API v1.21: `EndpointID`, `Gateway`,
`GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`.
Those are now specific to the `bridge` network. Use `NetworkSettings.Networks` to inspect
- DEPRECATE following container `NetworkSettings` fields in API v1.21:
`EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`,
`IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`.
Those are now specific to the `bridge` network. Use
`NetworkSettings.Networks` to inspect
the networking settings of a container per network.
* Volumes:
- New top-level `volume` subcommand and API (#14242)
@ -358,11 +606,12 @@ Fri Nov 13 16:58:43 UTC 2015 - fcastelli@suse.com
* Distribution:
- `docker search` now works with partial names (#16509)
- Push optimization: avoid buffering to file (#15493)
- The daemon will display progress for images that were already being pulled
by another client (#15489)
- Only permissions required for the current action being performed are requested (#)
- Renaming trust keys (and respective environment variables) from `offline` to
`root` and `tagging` to `repository` (#16894)
- The daemon will display progress for images that were already being
pulled by another client (#15489)
- Only permissions required for the current action being performed are
requested (#)
- Renaming trust keys (and respective environment variables) from `offline`
to `root` and `tagging` to `repository` (#16894)
- DEPRECATE trust key environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894)
@ -371,17 +620,77 @@ Fri Nov 13 16:58:43 UTC 2015 - fcastelli@suse.com
- Fix various issues with AppArmor profiles provided in the deb package
(#14609)
- Add AppArmor policy that prevents writing to /proc (#15571)
- Remove fix_15279.patch: code has been merged upstream
- Change systemd unit file to no longer use the deprecated "-d" option (bnc#954737)
- Change systemd unit file to no longer use the deprecated "-d" option
(bnc#954737)
-------------------------------------------------------------------
Mon Oct 26 14:02:47 UTC 2015 - normand@linux.vnet.ibm.com
Tue Nov 24 16:34:52 UTC 2015 - fcastelli@suse.com
- new patch to avoid ppc64le build error
- Changed docker-mount-secrets.patch: allow removal of containers
even when the entry point failed. bnc#954797
-------------------------------------------------------------------
Tue Nov 3 12:36:25 UTC 2015 - msabate@suse.com
- Fixed the format of the fix_libsecomp_error_bnc_950931 patch.
-------------------------------------------------------------------
Tue Nov 3 12:30:22 UTC 2015 - msabate@suse.com
- Merged the fix_libsecomp_error_bnc_950931.patch and the
fix_x86_build_removing_empty_file_jump_amd_64.patch patches.
-------------------------------------------------------------------
Tue Nov 3 10:39:27 UTC 2015 - jmassaguerpla@suse.com
- Fix build for x86_64. Patch fix_libsecomp_error_bnc_950931.patch
had created and empty file jump_amd64.go instead of removing it.
This broke the build for x86_64.
This commit fixes it by removing that empty file.
fix_x86_build_removing_empty_file_jump_amd_64.patch: patch that
removes empty file jump_amd64.go
-------------------------------------------------------------------
Mon Nov 2 15:49:48 UTC 2015 - msabate@suse.com
- Added patch that fixes a known gcc-go for ppc64xe in the syscall.RawSockAddr
type.
gcc5_socket_workaround.patch
-------------------------------------------------------------------
Thu Oct 29 14:17:32 UTC 2015 - jmassaguerpla@suse.com
- Add patches for fixing ppc64le build (bnc#950931)
fix_libsecomp_error_bnc_950931.patch
fix_incompatible_assignment_error_bnc_950931.patch
docker_missing_ppc64le_netlink_linux_files.patch
- Remove docker_rename_jump_amd64_as_jump_linux.patch because it clashes
with the previous patches.
-------------------------------------------------------------------
Mon Oct 12 20:28:46 UTC 2015 - fcastelli@suse.com
Thu Oct 22 12:11:14 UTC 2015 - jmassaguerpla@suse.com
- Exclude libgo as a requirement. The auto requires script was adding
libgo as a requirement when building with gcc-go which was wrong.
-------------------------------------------------------------------
Fri Oct 16 15:43:46 UTC 2015 - jmassaguerpla@suse.com
- Add patch for missing systemcall for s390x. See
https://github.com/docker/docker/commit/eecf6cd48cf7c48f00aa8261cf431c87084161ae
add_missing_syscall_for_s390x.patch: contains the patch
- Exclude s390x for sle12 because it hangs when running go. It works for sle12sp1
thus we don't want to exclude sle12sp1 but only sle12.
-------------------------------------------------------------------
Mon Oct 12 20:10:00 UTC 2015 - fcastelli@suse.com
- Update docker to 1.8.3 version:
* Fix layer IDs lead to local graph poisoning (CVE-2014-8178) (bnc#949660)
@ -389,7 +698,7 @@ Mon Oct 12 20:28:46 UTC 2015 - fcastelli@suse.com
* Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry
-------------------------------------------------------------------
Thu Sep 10 22:33:01 UTC 2015 - jmassaguerpla@suse.com
Tue Sep 22 13:20:49 UTC 2015 - jmassaguerpla@suse.com
- Update docker to 1.8.2 version
@ -413,7 +722,6 @@ Thu Sep 10 22:33:01 UTC 2015 - jmassaguerpla@suse.com
fix_15279.patch: contains the patch for issue#15279
-------------------------------------------------------------------
Fri Aug 21 08:46:30 UTC 2015 - normand@linux.vnet.ibm.com
@ -427,7 +735,7 @@ Fri Aug 21 08:07:58 UTC 2015 - normand@linux.vnet.ibm.com
- ignore-dockerinit-checksum.patch need -p1 in spec
-------------------------------------------------------------------
Thu Aug 13 09:00:25 UTC 2015 - jmassaguerpla@suse.com
Thu Aug 13 09:38:03 UTC 2015 - jmassaguerpla@suse.com
- Update to docker 1.8.1(bsc#942369 and bsc#942370):
- Fix a bug where pushing multiple tags would result in invalid images
@ -441,8 +749,15 @@ Thu Aug 13 09:00:25 UTC 2015 - jmassaguerpla@suse.com
vendor/src/github.com/vishvananda/netns/netns_linux_arm64.go
which is now included upstream, so we don't need this patch anymore
-------------------------------------------------------------------
Fri Jul 24 14:24:16 UTC 2015 - jmassaguerpla@suse.com
Fri Jul 24 14:41:21 UTC 2015 - jmassaguerpla@suse.com
- Remove 0002-Stripped-dockerinit-binary.patch because we do not
use it anymore (we got rid of that when updating to 1.7.1)
-------------------------------------------------------------------
Fri Jul 24 14:14:38 UTC 2015 - jmassaguerpla@suse.com
- Exclude archs where docker does not build. Otherwise it gets into
and infinite loop when building.
@ -453,30 +768,24 @@ Fri Jul 24 14:24:16 UTC 2015 - jmassaguerpla@suse.com
Wed Jul 15 08:11:11 UTC 2015 - jmassaguerpla@suse.com
- Update to 1.7.1 (2015-07-14) (bnc#938156)
Runtime
Fix default user spawning exec process with docker exec
Make --bridge=none not to configure the network bridge
Publish networking stats properly
Fix implicit devicemapper selection with static binaries
Fix socket connections that hung intermittently
Fix bridge interface creation on CentOS/RHEL 6.6
Fix local dns lookups added to resolv.conf
Fix copy command mounting volumes
Fix read/write privileges in volumes mounted with --volumes-from
Remote API
Fix unmarshalling of Command and Entrypoint
Set limit for minimum client version supported
Validate port specification
Return proper errors when attach/reattach fail
Distribution
Fix pulling private images
Fix fallback between registry V2 and V1
* Runtime
- Fix default user spawning exec process with docker exec
- Make --bridge=none not to configure the network bridge
- Publish networking stats properly
- Fix implicit devicemapper selection with static binaries
- Fix socket connections that hung intermittently
- Fix bridge interface creation on CentOS/RHEL 6.6
- Fix local dns lookups added to resolv.conf
- Fix copy command mounting volumes
- Fix read/write privileges in volumes mounted with --volumes-from
* Remote API
- Fix unmarshalling of Command and Entrypoint
- Set limit for minimum client version supported
- Validate port specification
- Return proper errors when attach/reattach fail
* Distribution
- Fix pulling private images
- Fix fallback between registry V2 and V1
-------------------------------------------------------------------
Fri Jul 10 11:22:00 UTC 2015 - jmassaguerpla@suse.com
@ -557,6 +866,31 @@ Fri Jun 5 15:23:47 UTC 2015 - fcastelli@suse.com
* gcc-go-build-static-libgo.patch: used only when building with gcc-go,
link libgo statically into docker itself.
-------------------------------------------------------------------
Mon Jun 1 15:47:59 UTC 2015 - fcastelli@suse.com
- Remove set-SCC_URL-env-variable.patch, the SCC_URL is now read
from SUSEConnect by the container service
-------------------------------------------------------------------
Mon Jun 1 13:03:24 UTC 2015 - fcastelli@suse.com
- Automatically set SCC_URL environment variable inside of the
containers by parsing the /etc/SUSEConnect.example file
* Add set-SCC_URL-env-variable.patch
-------------------------------------------------------------------
Mon Jun 1 10:00:55 UTC 2015 - fcastelli@suse.com
- Place SCC machine credentials inside of /run/secrets/credentials.d
* Edit docker-mount-scc-credentials.patch¬
-------------------------------------------------------------------
Thu May 28 15:10:09 UTC 2015 - dmacvicar@suse.de
- pass the SCC machine credentials to the container
* Add docker-mount-scc-credentials.patch
-------------------------------------------------------------------
Wed May 27 10:02:51 UTC 2015 - dmacvicar@suse.de
@ -2035,3 +2369,4 @@ Tue Apr 9 08:24:33 UTC 2013 - fcastelli@suse.com
- create initial package using version 0.1.3 from git commit 0767916adedb01

View File

@ -1,21 +1,15 @@
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
After=network.target docker.socket containerd.socket
Requires=docker.socket containerd.socket
[Service]
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/etc/sysconfig/docker
ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
MountFlags=slave
ExecStart=/usr/bin/docker daemon -H fd:// --containerd /run/containerd/containerd.sock $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
[Install]
WantedBy=multi-user.target

View File

@ -22,8 +22,10 @@
%define git_version 9e83765
%define go_arches %ix86 x86_64 aarch64
%define version_unconverted 1.11.1
Name: docker
Version: 1.10.3
Version: 1.11.1
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
@ -45,22 +47,16 @@ Source7: README_SUSE.md
Source8: docker-audit.rules
# TODO: remove once we figure out what is wrong with iptables on ppc64le
Source100: sysconfig.docker.ppc64le
Patch1: gcc5_socket_workaround.patch
Patch2: fix-docker-init.patch
Patch3: fix-apparmor.patch
# TODO: Remove this once we update to Docker 1.11.0. This has been merged in
# https://github.com/docker/docker/pull/21723
Patch4: fix-btrfs-ioctl-structure.patch
# The mount-secrets patch is be a SLE-specific feature. As such, it is disabled by default on openSUSE.
# PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers
Patch200: docker-mount-secrets.patch
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
# We cannot do that, right now a quick and really dirty way to get it running is
# to simply disable this check
Patch100: ignore-dockerinit-checksum.patch
Patch101: gcc-go-patches.patch
Patch102: netlink_gcc_go.patch
Patch103: netlink_netns_powerpc.patch
Patch104: boltdb_bolt_powerpc.patch
Patch105: libnetwork_drivers_bridge_powerpc.patch
# This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or
# Docker 1.11.0. This patch was squashed and cherry-picked from runc#708.
Patch301: cve-2016-3697-numeric-uid.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: device-mapper-devel >= 1.2.68
@ -90,6 +86,8 @@ Requires: lvm2 >= 2.2.89
Requires: procps
Requires: tar >= 1.26
Requires: xz >= 4.9
# Containerd is required as it is the only currently supported execdriver of Docker.
Requires: containerd
# Not necessary, but must be installed to have a smooth upgrade.
Recommends: docker-image-migrator
Conflicts: lxc < 1.0
@ -97,7 +95,9 @@ PreReq: %fillup_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExcludeArch: %ix86
ExcludeArch: s390
%if 0%{?is_opensuse}
ExcludeArch: s390x
%endif
ExcludeArch: ppc
%description
@ -123,7 +123,7 @@ Bash command line completion support for %{name}.
Summary: Zsh Completion for %{name}
Group: System/Management
Requires: %{name} = %{version}
Requires: zsh
Supplements: packageand(docker:zsh)
BuildArch: noarch
%description zsh-completion
@ -155,27 +155,18 @@ Test package for docker. It contains the source code and the tests.
%prep
%setup -q -n %{name}-%{version}
# 1330 is Tumbleweed after leap has been released
# gcc5-go in Tumbleweed includes this commit
# https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb
# Which "fixes" the data type for RawSockaddr.Data
# However, docker now expects the "wrong" data type, since docker had a workaround
# for that issue.
# Thus, we need to workaround the workaroundn in tumbleweed
%if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1
%patch1 -p1
%if 0%{?is_opensuse}
# nothing
%else
%patch200 -p1
%endif
%patch2 -p1
%patch3 -p1
%patch4 -p1
%ifnarch %go_arches
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch100 -p1
%endif
# bsc#976777
%patch301 -p1
cp %{SOURCE7} .
%build
@ -211,10 +202,8 @@ install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}
%ifarch %go_arches
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
%else
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
%endif
install -d %{buildroot}/%{_prefix}/lib/docker
install -Dd -m 0755 \
@ -349,7 +338,6 @@ groupadd -r docker 2>/dev/null || :
%{_bindir}/docker
%{_sbindir}/rcdocker
%{_prefix}/lib/docker/
%{_prefix}/lib/docker/dockerinit
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%config %{_sysconfdir}/audit/rules.d/%{name}.rules

View File

@ -1,292 +0,0 @@
Index: docker-1.10.1/contrib/apparmor/main.go
===================================================================
--- docker-1.10.1.orig/contrib/apparmor/main.go
+++ docker-1.10.1/contrib/apparmor/main.go
@@ -11,8 +11,7 @@ import (
)
type profileData struct {
- MajorVersion int
- MinorVersion int
+ Version int
}
func main() {
@@ -23,13 +22,12 @@ func main() {
// parse the arg
apparmorProfilePath := os.Args[1]
- majorVersion, minorVersion, err := aaparser.GetVersion()
+ version, err := aaparser.GetVersion()
if err != nil {
log.Fatal(err)
}
data := profileData{
- MajorVersion: majorVersion,
- MinorVersion: minorVersion,
+ Version: version,
}
fmt.Printf("apparmor_parser is of version %+v\n", data)
Index: docker-1.10.1/daemon/execdriver/native/apparmor.go
===================================================================
--- docker-1.10.1.orig/daemon/execdriver/native/apparmor.go
+++ docker-1.10.1/daemon/execdriver/native/apparmor.go
@@ -25,8 +25,7 @@ type data struct {
ExecPath string
Imports []string
InnerImports []string
- MajorVersion int
- MinorVersion int
+ Version int
}
const baseTemplate = `
@@ -64,14 +63,17 @@ profile {{.Name}} flags=(attach_disconne
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
+{{if ge .Version 208095}}
+ # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr)
+ # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule
+ # other apparmor-2.8 versions do not support this rule
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
-{{end}}{{end}}
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{end}}
+{{if ge .Version 209000}}
# docker daemon confinement requires explict allow rule for signal
signal (receive) set=(kill,term) peer={{.ExecPath}},
-{{end}}{{end}}
+{{end}}
}
`
@@ -91,7 +93,7 @@ func generateProfile(out io.Writer) erro
if abstractionsExists() {
data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
}
- data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion()
+ data.Version, err = aaparser.GetVersion()
if err != nil {
return err
}
Index: docker-1.10.1/pkg/aaparser/aaparser.go
===================================================================
--- docker-1.10.1.orig/pkg/aaparser/aaparser.go
+++ docker-1.10.1/pkg/aaparser/aaparser.go
@@ -1,45 +1,92 @@
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
package aaparser
import (
"fmt"
- "log"
"os/exec"
+ "path/filepath"
"strconv"
"strings"
)
-// GetVersion returns the major and minor version of apparmor_parser
-func GetVersion() (int, int, error) {
- // get the apparmor_version version
- cmd := exec.Command("apparmor_parser", "--version")
+const (
+ binary = "apparmor_parser"
+)
+
+// GetVersion returns the major and minor version of apparmor_parser.
+func GetVersion() (int, error) {
+ output, err := cmd("", "--version")
+ if err != nil {
+ return -1, err
+ }
+
+ return parseVersion(output)
+}
- output, err := cmd.CombinedOutput()
+// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to
+// replace and write it to disk.
+func LoadProfile(profilePath string) error {
+ _, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath))
if err != nil {
- log.Fatalf("getting apparmor_parser version failed: %s (%s)", err, output)
+ return err
}
+ return nil
+}
+
+// cmd runs `apparmor_parser` with the passed arguments.
+func cmd(dir string, arg ...string) (string, error) {
+ c := exec.Command(binary, arg...)
+ c.Dir = dir
- // parse the version from the output
+ output, err := c.CombinedOutput()
+ if err != nil {
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), string(output), err)
+ }
+
+ return string(output), nil
+}
+
+// parseVersion takes the output from `apparmor_parser --version` and returns
+// a representation of the {major, minor, patch} version as a single number of
+// the form MMmmPPP {major, minor, patch}.
+func parseVersion(output string) (int, error) {
// output is in the form of the following:
// AppArmor parser version 2.9.1
// Copyright (C) 1999-2008 Novell Inc.
// Copyright 2009-2012 Canonical Ltd.
- lines := strings.SplitN(string(output), "\n", 2)
+
+ lines := strings.SplitN(output, "\n", 2)
words := strings.Split(lines[0], " ")
version := words[len(words)-1]
+
// split by major minor version
v := strings.Split(version, ".")
- if len(v) < 2 {
- return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version)
+ if len(v) == 0 || len(v) > 3 {
+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
}
+ // Default the versions to 0.
+ var majorVersion, minorVersion, patchLevel int
+
majorVersion, err := strconv.Atoi(v[0])
if err != nil {
- return -1, -1, err
+ return -1, err
}
- minorVersion, err := strconv.Atoi(v[1])
- if err != nil {
- return -1, -1, err
+
+ if len(v) > 1 {
+ minorVersion, err = strconv.Atoi(v[1])
+ if err != nil {
+ return -1, err
+ }
+ }
+ if len(v) > 2 {
+ patchLevel, err = strconv.Atoi(v[2])
+ if err != nil {
+ return -1, err
+ }
}
- return majorVersion, minorVersion, nil
+ // major*10^5 + minor*10^3 + patch*10^0
+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
+ return numericVersion, nil
}
Index: docker-1.10.1/contrib/apparmor/template.go
===================================================================
--- docker-1.10.1.orig/contrib/apparmor/template.go
+++ docker-1.10.1/contrib/apparmor/template.go
@@ -20,11 +20,11 @@ profile /usr/bin/docker (attach_disconne
umount,
pivot_root,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
signal (receive) peer=@{profile_name},
signal (receive) peer=unconfined,
signal (send),
-{{end}}{{end}}
+{{end}}
network,
capability,
owner /** rw,
@@ -46,12 +46,12 @@ profile /usr/bin/docker (attach_disconne
/etc/ld.so.cache r,
/etc/passwd r,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
ptrace peer=@{profile_name},
ptrace (read) peer=docker-default,
deny ptrace (trace) peer=docker-default,
deny ptrace peer=/usr/bin/docker///bin/ps,
-{{end}}{{end}}
+{{end}}
/usr/lib/** rm,
/lib/** rm,
@@ -72,11 +72,11 @@ profile /usr/bin/docker (attach_disconne
/sbin/zfs rCx,
/sbin/apparmor_parser rCx,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
# Transitions
change_profile -> docker-*,
change_profile -> unconfined,
-{{end}}{{end}}
+{{end}}
profile /bin/cat (complain) {
/etc/ld.so.cache r,
@@ -98,10 +98,10 @@ profile /usr/bin/docker (attach_disconne
/dev/null rw,
/bin/ps mr,
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
# We don't need ptrace so we'll deny and ignore the error.
deny ptrace (read, trace),
-{{end}}{{end}}
+{{end}}
# Quiet dac_override denials
deny capability dac_override,
@@ -119,15 +119,15 @@ profile /usr/bin/docker (attach_disconne
/proc/tty/drivers r,
}
profile /sbin/iptables (complain) {
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
-{{end}}{{end}}
+{{end}}
capability net_admin,
}
profile /sbin/auplink flags=(attach_disconnected, complain) {
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
-{{end}}{{end}}
+{{end}}
capability sys_admin,
capability dac_override,
@@ -146,9 +146,9 @@ profile /usr/bin/docker (attach_disconne
/proc/[0-9]*/mounts rw,
}
profile /sbin/modprobe /bin/kmod (complain) {
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
-{{end}}{{end}}
+{{end}}
capability sys_module,
/etc/ld.so.cache r,
/lib/** rm,
@@ -162,9 +162,9 @@ profile /usr/bin/docker (attach_disconne
}
# xz works via pipes, so we do not need access to the filesystem.
profile /usr/bin/xz (complain) {
-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+{{if ge .Version 209000}}
signal (receive) peer=/usr/bin/docker,
-{{end}}{{end}}
+{{end}}
/etc/ld.so.cache r,
/lib/** rm,
/usr/bin/xz rm,

View File

@ -1,48 +0,0 @@
From a038cccf88998814249a7a40b71a33a680e3f02f Mon Sep 17 00:00:00 2001
From: Julio Montes <imc.coder@gmail.com>
Date: Fri, 1 Apr 2016 08:58:29 -0600
Subject: [PATCH] Fix compilation errors with btrfs-progs-4.5
btrfs-progs-4.5 introduces device delete by devid
for this reason btrfs_ioctl_vol_args_v2's name was encapsulated
in a union
this patch is for setting btrfs_ioctl_vol_args_v2's name
using a C function in order to preserve compatibility
with all btrfs-progs versions
Signed-off-by: Julio Montes <imc.coder@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/graphdriver/btrfs/btrfs.go | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
Index: docker-1.10.3/daemon/graphdriver/btrfs/btrfs.go
===================================================================
--- docker-1.10.3.orig/daemon/graphdriver/btrfs/btrfs.go
+++ docker-1.10.3/daemon/graphdriver/btrfs/btrfs.go
@@ -7,6 +7,10 @@ package btrfs
#include <dirent.h>
#include <btrfs/ioctl.h>
#include <btrfs/ctree.h>
+
+static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
+ snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
+}
*/
import "C"
@@ -160,9 +164,10 @@ func subvolSnapshot(src, dest, name stri
var args C.struct_btrfs_ioctl_vol_args_v2
args.fd = C.__s64(getDirFd(srcDir))
- for i, c := range []byte(name) {
- args.name[i] = C.char(c)
- }
+
+ var cs = C.CString(name)
+ C.set_name_btrfs_ioctl_vol_args_v2(&args, cs)
+ C.free(unsafe.Pointer(cs))
_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, getDirFd(destDir), C.BTRFS_IOC_SNAP_CREATE_V2,
uintptr(unsafe.Pointer(&args)))

View File

@ -1,21 +0,0 @@
diff -Naur a/hack/make/.dockerinit b/hack/make/.dockerinit
--- a/hack/make/.dockerinit 2015-08-11 18:35:27.000000000 +0200
+++ b/hack/make/.dockerinit 2015-08-12 18:14:25.743452565 +0200
@@ -29,5 +29,6 @@
exit 1
fi
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)
diff --git a/hack/make/.dockerinit-gccgo b/hack/make/.dockerinit-gccgo
index 3caa526..f272d29 100644
--- a/hack/make/.dockerinit-gccgo
+++ b/hack/make/.dockerinit-gccgo
@@ -27,5 +27,6 @@ else
exit 1
fi
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)

View File

@ -1,46 +0,0 @@
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
index 007ccb2..65f638f 100644
--- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go
@@ -22,7 +22,7 @@ type ifreqIndex struct {
type ifreqHwaddr struct {
IfrnName [ifNameSize]byte
- IfruHwaddr syscall.RawSockaddr
+ IfruHwaddr patchedRawSockAddr
}
var rnd = rand.New(rand.NewSource(time.Now().UnixNano()))
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go
new file mode 100644
index 0000000..118f7bf
--- /dev/null
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go
@@ -0,0 +1,11 @@
+// Copyright (c) 2015 SUSE LLC. All rights reserved.
+
+// +build linux
+// +build ppc64 ppc64le
+
+package bridge
+
+type patchedRawSockAddr struct {
+ Family uint16
+ Data [14]int8
+}
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go
new file mode 100644
index 0000000..cdba329
--- /dev/null
+++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go
@@ -0,0 +1,10 @@
+// Copyright (c) 2015 SUSE LLC. All rights reserved.
+
+// +build linux,!ppc64,!ppc64le
+
+package bridge
+
+type patchedRawSockAddr struct {
+ Family uint16
+ Data [14]int8
+}

View File

@ -1,13 +0,0 @@
diff --git a/utils/utils.go b/utils/utils.go
index 340b9e4..70a85a6 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -75,7 +75,7 @@ func isValidDockerInitPath(target string, selfPath string) bool { // target and
}
return os.SameFile(targetFileInfo, selfPathFileInfo)
}
- return dockerversion.InitSHA1 != "" && dockerInitSha1(target) == dockerversion.InitSHA1
+ return true
}
// DockerInitPath figures out the path of our dockerinit (which may be SelfPath())

View File

@ -1,25 +0,0 @@
---
vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go | 2 +-
vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
===================================================================
--- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
+++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
@@ -1,4 +1,4 @@
-// +build arm ppc64 ppc64le
+// +build arm,!ppc64,!ppc64le
package bridge
Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
===================================================================
--- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
+++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
@@ -1,4 +1,4 @@
-// +build !arm,!ppc64,!ppc64le
+// +build !arm ppc64 ppc64le
package bridge