- Update to Docker 24.0.6-ce. See upstream changelong online at

<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Switch from disabledrun to manualrun in _service. - Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=395
2023-09-14 06:38:15 +00:00 · 2023-09-14 06:38:15 +00:00 · f28071cbb5
commit f28071cbb5
parent aa4eb4b1c7
14 changed files with 409 additions and 287 deletions
--- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -1,4 +1,4 @@
-From 2e2fdee74ce8572ff90f213a444ece63248fa01c Mon Sep 17 00:00:00 2001
+From 2dedd52de834525fa533aba7854b91fdc783d821 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
@ -69,5 +69,5 @@ index 290ec59a34a7..b7013fb89c83 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.40.1
+2.42.0

--- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -1,4 +1,4 @@
-From bc80631658b8b9b94ca7cf7fc6b8234e6547e947 Mon Sep 17 00:00:00 2001
+From bd4c072521bdee906febc98d81ac092fcad8fc3b Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
@ -19,10 +19,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 create mode 100644 daemon/suse_secrets.go

 diff --git a/daemon/start.go b/daemon/start.go
-index 0b4eb6d67bcc..0bcecba31386 100644
+index 2e0b9e6be847..dca04486888f 100644
 --- a/daemon/start.go
 +++ b/daemon/start.go
-@@ -152,6 +152,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
+@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
 		return err
 	}
 
@ -456,5 +456,5 @@ index 000000000000..32b0ece91b59
 +	return nil
 +}
 -- 
-2.40.1
+2.42.0

--- a/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+++ b/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
@ -1,4 +1,4 @@
-From 16b520570514380a706fc13363b5e5c64f9fa4e7 Mon Sep 17 00:00:00 2001
+From fd0172ba27352f397ce7ff05d5dd1ec6c80054e5 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
 Subject: [PATCH 3/4] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
@ -42,5 +42,5 @@ index d88efc4be2bb..4e976aa689cd 100644
 static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
     snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
 -- 
-2.40.1
+2.42.0

--- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
@ -1,4 +1,4 @@
-From 45cbecbd3ee7b4f21ce32c16979631b6d87b6cf6 Mon Sep 17 00:00:00 2001
+From c19fad9e09248bf390fe9b2cd38f351104f186b8 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
 Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
@ -69,10 +69,10 @@ index e3dc18b32b5e..9c7723056268 100644
 	return nil
 }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index 9be2f289696a..25fa052310e2 100644
+index 4d76c5798888..15c95b50c4eb 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
-@@ -836,8 +836,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
 	}
 
@ -85,5 +85,5 @@ index 9be2f289696a..25fa052310e2 100644
 	}
 
 -- 
-2.40.1
+2.42.0

--- a/14
+++ b/14
@ -1,21 +1,21 @@
 <services>
-  <service name="tar_scm" mode="disabled">
+  <service name="tar_scm" mode="manual">
    <param name="url">https://github.com/moby/moby.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">24.0.5_ce_%h</param>
-    <param name="revision">v24.0.5</param>
+    <param name="versionformat">24.0.6_ce_%h</param>
+    <param name="revision">v24.0.6</param>
    <param name="filename">docker</param>
  </service>
-  <service name="tar_scm" mode="disabled">
+  <service name="tar_scm" mode="manual">
    <param name="url">https://github.com/docker/cli.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">24.0.5_ce</param>
-    <param name="revision">v24.0.5</param>
+    <param name="versionformat">24.0.6_ce</param>
+    <param name="revision">v24.0.6</param>
    <param name="filename">docker-cli</param>
  </service>
-  <service name="recompress" mode="disabled">
+  <service name="recompress" mode="manual">
    <param name="file">docker-*.tar</param>
    <param name="compression">xz</param>
  </service>
--- a/cli-0001-docs-include-required-tools-in-source-tree.patch
+++ b/cli-0001-docs-include-required-tools-in-source-tree.patch
--- a/docker-24.0.5_ce_a61e2b4c9.tar.xz
+++ b/docker-24.0.5_ce_a61e2b4c9.tar.xz
--- a/docker-24.0.6_ce_1a7969545d73.tar.xz
+++ b/docker-24.0.6_ce_1a7969545d73.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:565f1ae195dcbcae8bb0b966d053d7beb5dfafb883f79a699a12bba65a2a3e48
+size 8793164
--- a/docker-cli-24.0.5_ce.tar.xz
+++ b/docker-cli-24.0.5_ce.tar.xz
--- a/docker-cli-24.0.6_ce.tar.xz
+++ b/docker-cli-24.0.6_ce.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ad3917307bb3e4446ab625679921ee7dc7e555dfdd48f0bb7d72d59d69880265
+size 3516364
--- a/docker.changes
+++ b/docker.changes
@ -1,8 +1,24 @@
+-------------------------------------------------------------------
+Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 24.0.6-ce. See upstream changelong online at
+  <https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * cli-0001-docs-include-required-tools-in-source-tree.patch
+- Switch from disabledrun to manualrun in _service.
+- Add a docker.socket unit file, but with socket activation effectively
+  disabled to ensure that Docker will always run even if you start the socket
+  individually. Users should probably just ignore this unit file. bsc#1210141
+
 -------------------------------------------------------------------
 Tue Jul 25 19:40:25 UTC 2023 - Dirk Müller <dmueller@suse.com>

- update to Docker 24.0.5-ce. See upstream changelong online at
-  <https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229 
+- Update to Docker 24.0.5-ce. See upstream changelong online at
+  <https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229

 -------------------------------------------------------------------
 Fri Jul  7 21:29:05 UTC 2023 - Aleksa Sarai <asarai@suse.com>
--- a/docker.service
+++ b/docker.service
@ -2,6 +2,12 @@
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
 After=network.target lvm2-monitor.service firewalld.service
+# We don't use the docker socket activation, but doing this ensures that the
+# docker.socket unit is alive while Docker is (docker.socket has BindsTo, so we
+# only need a weak requirement to make sure starting docker.service also
+# "starts" the socket service). Forcefully stopping docker.socket will not
+# cause docker to die, but there's no nice workaround for that.
+Wants=docker.socket

 [Service]
 EnvironmentFile=/etc/sysconfig/docker
--- a/docker.socket
+++ b/docker.socket
@ -0,0 +1,18 @@
+[Unit]
+Description=Docker Socket for the API
+# We use BindsTo in order to make sure that you cannot use socket-activation
+# with Docker (Docker must always start at boot if enabled, otherwise
+# containers will not run until some administrator interacts with Docker).
+BindsTo=docker.service
+
+[Socket]
+# If /var/run is not implemented as a symlink to /run, you may need to
+# specify ListenStream=/var/run/docker.sock instead.
+ListenStream=/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
+
--- a/docker.spec
+++ b/docker.spec
@ -31,9 +31,9 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define real_version 24.0.5
-%define git_version a61e2b4c9
-%define git_commit_epoch 1689962786
+%define real_version 24.0.6
+%define git_version 1a7969545d73
+%define git_commit_epoch 1693336457

 Name:           docker
 Version:        %{real_version}_ce
@ -50,12 +50,13 @@ Source1:        %{name}-cli-%{version}.tar.xz
 Source3:        docker-rpmlintrc
 # TODO: Move these source files to somewhere nicer.
 Source100:      docker.service
-Source101:      80-docker.rules
-Source102:      sysconfig.docker
-Source103:      README_SUSE.md
-Source104:      docker-audit.rules
-Source105:      docker-daemon.json
-Source106:      docker.sysusers
+Source101:      docker.socket
+Source110:      80-docker.rules
+Source120:      sysconfig.docker
+Source130:      README_SUSE.md
+Source140:      docker-audit.rules
+Source150:      docker-daemon.json
+Source160:      docker.sysusers
 # NOTE: All of these patches are maintained in <https://github.com/suse/docker>
 #       in the suse-v<version> branch. Make sure you update the patches in that
 #       branch and then git-format-patch the patch here.
@ -107,8 +108,8 @@ Obsoletes:      docker-libnetwork < 0.7.0.2
 Provides:       docker-libnetwork = 0.7.0.2.%{version}
 # Required to actually run containers. We require the minimum version that is
 # pinned by Docker, but in order to avoid headaches we allow for updates.
-Requires:       runc >= 1.1.7
-Requires:       containerd >= 1.6.21
+Requires:       runc >= 1.1.9
+Requires:       containerd >= 1.7.3
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@ -202,7 +203,7 @@ Fish command line completion support for %{name}.
 %setup -q -n %{name}-%{version}_%{git_version}
 [ "%{docker_builddir}" = "$PWD" ]
 # README_SUSE.md for documentation.
-cp %{SOURCE103} .
+cp %{SOURCE130} .

 %if 0%{?is_opensuse} == 0
 # PATCH-SUSE: Secrets patches.
@ -217,7 +218,7 @@ cp %{SOURCE103} .
 %patch300 -p1

 %build
-%sysusers_generate_pre %{SOURCE106} %{name} %{name}.conf
+%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf

 BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
 %if 0%{?sle_version} == 120000
@ -279,7 +280,7 @@ install -d %{buildroot}/usr/lib/docker/cli-plugins
 # /var/lib/docker
 install -d %{buildroot}/%{_localstatedir}/lib/docker
 # daemon.json config file
-install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
+install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json

 # docker cli
 install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
@ -289,17 +290,18 @@ install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildro

 # systemd service
 install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m0644 %{SOURCE101} %{buildroot}%{_unitdir}/%{name}.socket
 ln -sf service %{buildroot}%{_sbindir}/rcdocker

 # udev rules that prevents dolphin to show all docker devices and slows down
 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
-install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
+install -D -m0644 %{SOURCE110} %{buildroot}%{_udevrulesdir}/80-%{name}.rules

 # audit rules
-install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
+install -D -m0640 %{SOURCE140} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules

 # sysconfig file
-install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
+install -D -m0644 %{SOURCE120} %{buildroot}%{_fillupdir}/sysconfig.docker

 # install manpages (using the ones from the engine)
 install -d %{buildroot}%{_mandir}/man1
@ -310,7 +312,7 @@ install -d %{buildroot}%{_mandir}/man8
 install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8

 # sysusers.d
-install -D -m0644 %{SOURCE106} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/%{name}.conf

 # rootless extras
 install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh
@ -334,17 +336,17 @@ grep -q '^dockremap:' /etc/subgid || \
 	usermod -w 100000000-200000000 dockremap &>/dev/null || \
 	echo "dockremap:100000000:100000001" >>/etc/subgid ||:

-%service_add_pre %{name}.service
+%service_add_pre %{name}.service %{name}.socket

 %post
-%service_add_post %{name}.service
+%service_add_post %{name}.service %{name}.socket
 %{fillup_only -n docker}

 %preun
-%service_del_preun %{name}.service
+%service_del_preun %{name}.service %{name}.socket

 %postun
-%service_del_postun %{name}.service
+%service_del_postun %{name}.service %{name}.socket

 %files
 %defattr(-,root,root)
@ -360,6 +362,7 @@ grep -q '^dockremap:' /etc/subgid || \
 %dir /usr/lib/docker/cli-plugins

 %{_unitdir}/%{name}.service
+%{_unitdir}/%{name}.socket
 %{_sysusersdir}/%{name}.conf

 %dir %{_sysconfdir}/docker