Accepting request 477346 from home:jordimassaguerpla:branch:V:c:docker:small_fixes_1_13_0

- fix docker-mount-secrets.patch to apply to docker-1.13.0 

- Remove old plugins.json to prevent docker-1.13 from failing to start

- Fix bsc#1026827: systemd TasksMax default throttles docker  

- Fix post section by adding shadow as a package requirement
  Otherwise the groupadd instruction fails

OBS-URL: https://build.opensuse.org/request/show/477346
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=171
Aleksa Sarai 2017-03-07 10:40:30 +00:00 committed by Git OBS Bridge
parent bfed92d82d
commit f0d9c665f7
4 changed files with 53 additions and 46 deletions


@ -1,31 +1,8 @@
From 17cd15ba4160f0e0830453529b9b01edc308d847 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 11 Apr 2016 22:54:35 +1000
Subject: [PATCH] SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
container/container_unix.go | 63 ++++++++++++
daemon/container_operations_unix.go | 50 ++++++++++
daemon/daemon_unix.go | 6 +-
daemon/oci_linux.go | 6 ++
daemon/start.go | 6 ++
daemon/suse_secrets.go | 184 ++++++++++++++++++++++++++++++++++++
6 files changed, 313 insertions(+), 2 deletions(-)
create mode 100644 daemon/suse_secrets.go
diff --git a/container/container_unix.go b/container/container_unix.go diff --git a/container/container_unix.go b/container/container_unix.go
index 2727b81..07a0710 100644 index f92d586..70cc74f 100644
--- a/container/container_unix.go --- a/container/container_unix.go
+++ b/container/container_unix.go +++ b/container/container_unix.go
@@ -35,6 +35,8 @@ type Container struct { @@ -39,6 +39,8 @@ type Container struct {
HostsPath string HostsPath string
ShmPath string ShmPath string
ResolvConfPath string ResolvConfPath string
@ -34,8 +11,8 @@ index 2727b81..07a0710 100644
SeccompProfile string SeccompProfile string
NoNewPrivileges bool NoNewPrivileges bool
} }
@@ -256,6 +258,67 @@ func (container *Container) IpcMounts() []Mount { @@ -281,6 +283,67 @@ func (container *Container) UnmountSecrets() error {
return mounts return detachMounted(container.SecretMountPath())
} }
+// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's +// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's
@ -63,7 +40,7 @@ index 2727b81..07a0710 100644
+ Source: container.SuseSecretsPath, + Source: container.SuseSecretsPath,
+ Destination: "/run/secrets", + Destination: "/run/secrets",
+ Writable: true, + Writable: true,
+ Propagation: volume.DefaultPropagationMode, + Propagation: string(volume.DefaultPropagationMode),
+ }) + })
+ } + }
+ +
@ -103,10 +80,10 @@ index 2727b81..07a0710 100644
func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error { func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
container.Lock() container.Lock()
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 55bd3fc..a3ab7fb 100644 index 2296045..d6f7889 100644
--- a/daemon/container_operations_unix.go --- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go
@@ -184,6 +184,56 @@ func (daemon *Daemon) getPidContainer(container *container.Container) (*containe @@ -87,6 +87,56 @@ func (daemon *Daemon) getPidContainer(container *container.Container) (*containe
return c, nil return c, nil
} }
@ -163,13 +140,13 @@ index 55bd3fc..a3ab7fb 100644
func (daemon *Daemon) setupIpcDirs(c *container.Container) error { func (daemon *Daemon) setupIpcDirs(c *container.Container) error {
var err error var err error
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go diff --git a/daemon/initlayer/setup_unix.go b/daemon/initlayer/setup_unix.go
index f266912..2ced1b8 100644 index e83c275..8c56310 100644
--- a/daemon/daemon_unix.go --- a/daemon/initlayer/setup_unix.go
+++ b/daemon/daemon_unix.go +++ b/daemon/initlayer/setup_unix.go
@@ -809,8 +809,10 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e @@ -18,8 +18,10 @@ import (
// the container from unwanted side-effects on the rw layer. // the container from unwanted side-effects on the rw layer.
func setupInitLayer(initLayer string, rootUID, rootGID int) error { func Setup(initLayer string, rootUID, rootGID int) error {
for pth, typ := range map[string]string{ for pth, typ := range map[string]string{
- "/dev/pts": "dir", - "/dev/pts": "dir",
- "/dev/shm": "dir", - "/dev/shm": "dir",
@ -181,11 +158,11 @@ index f266912..2ced1b8 100644
"/sys": "dir", "/sys": "dir",
"/.dockerenv": "file", "/.dockerenv": "file",
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 4459d02..6af7d35 100644 index 1daefc5..8e27f1d 100644
--- a/daemon/oci_linux.go --- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go +++ b/daemon/oci_linux.go
@@ -656,6 +656,10 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e @@ -693,6 +693,10 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
if err := daemon.setupIpcDirs(c); err != nil { if err := daemon.setupSecretDir(c); err != nil {
return nil, err return nil, err
} }
+ // SUSE:secrets :: We need to set up the container-specific secrets tmpfs here. + // SUSE:secrets :: We need to set up the container-specific secrets tmpfs here.
@ -195,20 +172,21 @@ index 4459d02..6af7d35 100644
ms, err := daemon.setupMounts(c) ms, err := daemon.setupMounts(c)
if err != nil { if err != nil {
@@ -663,6 +667,8 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e @@ -711,6 +715,9 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
ms = append(ms, *m)
} }
ms = append(ms, c.IpcMounts()...)
ms = append(ms, c.TmpfsMounts()...)
+ // SUSE:secrets :: We add the mounts to the OCI config which containerd then uses. + // SUSE:secrets :: We add the mounts to the OCI config which containerd then uses.
+ ms = append(ms, c.SuseSecretMounts()...) + ms = append(ms, c.SuseSecretMounts()...)
+
sort.Sort(mounts(ms)) sort.Sort(mounts(ms))
if err := setMounts(daemon, &s, c, ms); err != nil { if err := setMounts(daemon, &s, c, ms); err != nil {
return nil, fmt.Errorf("linux mounts: %v", err) return nil, fmt.Errorf("linux mounts: %v", err)
diff --git a/daemon/start.go b/daemon/start.go diff --git a/daemon/start.go b/daemon/start.go
index fcf24c5..57a8c33 100644 index 6c94fd5..9bbdc21 100644
--- a/daemon/start.go --- a/daemon/start.go
+++ b/daemon/start.go +++ b/daemon/start.go
@@ -173,6 +173,12 @@ func (daemon *Daemon) Cleanup(container *container.Container) { @@ -205,6 +205,12 @@ func (daemon *Daemon) Cleanup(container *container.Container) {
container.UnmountIpcMounts(detachMounted) container.UnmountIpcMounts(detachMounted)
@ -225,7 +203,7 @@ diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644 new file mode 100644
index 0000000..417a1a9 index 0000000..417a1a9
--- /dev/null --- /dev/null
+++ b/daemon/suse_secrets.go +++ b/b/daemon/suse_secrets.go
@@ -0,0 +1,184 @@ @@ -0,0 +1,184 @@
+package daemon +package daemon
+ +
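Review bot: The refreshed patch's header for the new file now reads `+++ b/b/daemon/suse_secrets.go` (right-hand column, which on this page is the new side; the old side had `+++ b/daemon/suse_secrets.go`), and it no longer agrees with the `diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go` line above it. If that is not a rendering artifact, `patch -p1` would create `b/daemon/suse_secrets.go` instead of `daemon/suse_secrets.go`, and `git apply` may reject the inconsistent header; the line should be `+++ b/daemon/suse_secrets.go`. The `string(volume.DefaultPropagationMode)` change in the container_unix.go hunk reads as a deliberate adaptation to the 1.13 type and needs nothing further. The body of the new-file hunk, and most of the other hunks, continue outside this section.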


@ -1,3 +1,24 @@
-------------------------------------------------------------------
Mon Mar 6 18:11:47 UTC 2017 - jmassaguerpla@suse.com
- fix docker-mount-secrets.patch to apply to docker-1.13.0
-------------------------------------------------------------------
Mon Mar 6 15:31:02 UTC 2017 - jmassaguerpla@suse.com
- Remove old plugins.json to prevent docker-1.13 to fail to start
-------------------------------------------------------------------
Mon Mar 6 12:52:14 UTC 2017 - jmassaguerpla@suse.com
- Fix bsc#1026827: systemd TasksMax default throttles docker
-------------------------------------------------------------------
Mon Mar 6 10:09:14 UTC 2017 - jmassaguerpla@suse.com
- Fix post section by adding shadow as a package requirement
Otherwise the groupadd instruction fails
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Mar 5 04:54:52 UTC 2017 - asarai@suse.com Sun Mar 5 04:54:52 UTC 2017 - asarai@suse.com


@ -23,7 +23,7 @@ LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it. # Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this property. # Only systemd 226 and above support this property.
#TasksMax=infinity TasksMax=infinity
# Set delegate yes so that systemd does not reset the cgroups of docker containers # Set delegate yes so that systemd does not reset the cgroups of docker containers
# Only systemd 218 and above support this property. # Only systemd 218 and above support this property.
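Review bot: The two comment lines above `TasksMax=infinity` still tell the reader to uncomment the key if their systemd supports it, which is stale now that the key is active; suggest replacing them with `# TasksMax needs systemd 226 or later; older versions ignore the key with a warning.` Setting it to infinity removes the task cap for the dockerd service cgroup and, presumably, for every container process accounted under it, so a container started without `--pids-limit` can exhaust the host's PID space. A large finite value, or a comment stating that per-container `--pids-limit` is the intended guard, would record that trade-off alongside the bsc#1026827 motivation given in the changelog.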


@ -105,6 +105,7 @@ Requires: tar >= 1.26
Requires: xz >= 4.9 Requires: xz >= 4.9
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): udev Requires(post): udev
Requires(post): shadow
# Not necessary, but must be installed to have a smooth upgrade. # Not necessary, but must be installed to have a smooth upgrade.
Recommends: docker-image-migrator Recommends: docker-image-migrator
Conflicts: lxc < 1.0 Conflicts: lxc < 1.0
@ -378,6 +379,13 @@ else
rm %{docker_migration_warnfile} rm %{docker_migration_warnfile}
fi fi
fi fi
# If plugins.json is present, docker will fail to start
# https://github.com/docker/docker/releases/1.13.0
if [ -e /var/lib/docker/plugins/plugins.json ];then
echo "Warning: Disabling previous installed plugins"
echo "Otherwise docker will fail to boot"
mv /var/lib/docker/plugins/plugins.json /var/lib/docker/plugins/_plugins.json.old
fi
%service_add_post %{name}.service %service_add_post %{name}.service
%{fillup_only -n docker} %{fillup_only -n docker}
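Review bot: The `mv` in the plugins.json guard always writes to the fixed name `_plugins.json.old`, so a later run of this scriptlet (the next upgrade) silently overwrites the earlier backup; `mv -n` keeps the first one, or a unique suffix such as `mv /var/lib/docker/plugins/plugins.json "/var/lib/docker/plugins/_plugins.json.$(date +%s).old"` keeps all of them. The warning text goes to the scriptlet's stdout only, so a short comment naming where the backup lands would help anyone later looking for their plugin state. The release URL in the comment (`https://github.com/docker/docker/releases/1.13.0`) may not resolve as written; please verify it. The `Requires(post): shadow` hunk above is fine; the enclosing `%post` section starts outside this hunk.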