Accepting request 494283 from home:cyphar:containers

- Add a partial fix for boo#1038493. - Fixed bsc#1037436 where execids were being leaked due to bad error handling. This is a backport of https://github.com/docker/cli/pull/52. + bsc1037436-0001-client-check-tty-before-creating-exec-job.patch OBS-URL: https://build.opensuse.org/request/show/494283 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=184
2017-05-10 14:04:27 +00:00 · 2017-05-10 14:04:27 +00:00 · e7663235ed
commit e7663235ed
parent 1e1a89ae18
3 changed files with 86 additions and 3 deletions
--- a/bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
+++ b/bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
@ -0,0 +1,69 @@
+From c117441b1a74affb013a42ee8225d69ecfaf4d72 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Tue, 9 May 2017 23:31:46 +1000
+Subject: [PATCH] client: check tty before creating exec job
+
+This is necessary in order to avoid execId leaks in the case where a
+`docker exec -it` is run without a terminal available for the client.
+You can reproduce this issue by running the following command many
+times.
+
+  % nohup docker exec -it some_container true
+
+The container `some_container` will have execIDs that will never
+normally be cleaned up (because the client died before they were
+started).
+
+In addition, this patch adds a docker-inspect step to ensure that we
+give "container does not exist" errors consistently.
+
+[SUSE: Fixes bsc#1037436.]
+
+Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ cli/command/container/exec.go | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/cli/command/container/exec.go b/cli/command/container/exec.go
+index 676708c77b91..d85113259242 100644
+--- a/cli/command/container/exec.go
+++ b/cli/command/container/exec.go
+@@ -79,6 +79,19 @@ func runExec(dockerCli *command.DockerCli, opts *execOptions, container string,
+ 	ctx := context.Background()
+ 	client := dockerCli.Client()
+ 
+	// We need to check the tty _before_ we do the ContainerExecCreate, because
+	// otherwise if we error out we will leak execIDs on the server (and
+	// there's no easy way to clean those up). But also in order to make "not
+	// exist" errors take precedence we do a dummy inspect first.
+	if _, err := client.ContainerInspect(ctx, container); err != nil {
+		return err
+	}
+	if !execConfig.Detach {
+		if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
+			return err
+		}
+	}
+
+ 	response, err := client.ContainerExecCreate(ctx, container, *execConfig)
+ 	if err != nil {
+ 		return err
+@@ -90,12 +103,8 @@ func runExec(dockerCli *command.DockerCli, opts *execOptions, container string,
+ 		return nil
+ 	}
+ 
+-	//Temp struct for execStart so that we don't need to transfer all the execConfig
+-	if !execConfig.Detach {
+-		if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
+-			return err
+-		}
+-	} else {
+	// Temp struct for execStart so that we don't need to transfer all the execConfig.
+	if execConfig.Detach {
+ 		execStartCheck := types.ExecStartCheck{
+ 			Detach: execConfig.Detach,
+ 			Tty:    execConfig.Tty,
+-- 
+2.12.2
+
--- a/docker.changes
+++ b/docker.changes
@ -1,7 +1,15 @@
+-------------------------------------------------------------------
+Wed May 10 13:54:44 UTC 2017 - asarai@suse.com
+
+- Add a partial fix for boo#1038493.
+- Fixed bsc#1037436 where execids were being leaked due to bad error handling.
+  This is a backport of https://github.com/docker/cli/pull/52.
+   + bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
+
 -------------------------------------------------------------------
 Thu May  4 19:03:40 UTC 2017 - jmassaguerpla@suse.com

- Fix golang requirements in the subpackages 
+- Fix golang requirements in the subpackages

 -------------------------------------------------------------------
 Mon May  1 07:57:35 UTC 2017 - fcastelli@suse.com
@ -33,7 +41,7 @@ see /usr/share/doc/packages/docker/CHANGELOG.md
 -------------------------------------------------------------------
 Wed Apr 12 09:54:18 UTC 2017 - jmassaguerpla@suse.com

- Make sure this is being built with go 1.7 
+- Make sure this is being built with go 1.7

 -------------------------------------------------------------------
 Wed Apr 12 09:14:35 UTC 2017 - jmassaguerpla@suse.com
--- a/docker.spec
+++ b/docker.spec
@ -54,6 +54,8 @@ Patch200:       secrets-0001-daemon-allow-directory-creation-in-run-secrets.patc
 Patch201:       secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 # PATCH-FIX-UPSTREAM: Backports.
 Patch300:       integration-cli-fix-TestInfoEnsureSucceeds.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/docker/cli/pull/52 (bsc#1037436).
+Patch400:       bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -165,6 +167,7 @@ Test package for docker. It contains the source code and the tests.
 %patch201 -p1
 %endif
 %patch300 -p1
+%patch400 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .

@ -186,6 +189,9 @@ BUILDTAGS="seccomp $BUILDTAGS"
 export AUTO_GOPATH=1
 export DOCKER_BUILDTAGS="$BUILDTAGS"
 export DOCKER_GITCOMMIT=%{git_version}
+# Until boo#1038493 is fixed properly we need to do this hack to get the
+# compiled-into-the-binary GOROOT.
+export GOROOT="$(GOROOT= go env GOROOT)"
 EOF
 ) > docker_build_env
 . ./docker_build_env
@ -255,7 +261,7 @@ PKG_LIST=$(go list -e \
 		| grep -v 'github.com/docker/docker/pkg/integration$')
 %else
 		| grep -v 'github.com/docker/docker/pkg/integration$' \
-    | grep -v 'github.com/docker/docker/profiles/seccomp$') 
+		| grep -v 'github.com/docker/docker/profiles/seccomp$')
 %endif

 go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST