From b2da1ef3a2b91858e01b05a480339c8698ed21e44530b27670069432c1b307af Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Tue, 5 Jul 2016 14:37:24 +0000 Subject: [PATCH 1/2] Accepting request 406751 from home:cyphar:branches:Virtualization:containers This fixes up a few things, including bnc#983015. Delegate and TaskMax are commented out for documentation purposes. OBS-URL: https://build.opensuse.org/request/show/406751 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=114 --- docker.changes | 7 +++++++ docker.service | 15 ++++++++++++--- 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/docker.changes b/docker.changes
index 2f30426..ee6b399 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jul 5 14:26:45 UTC 2016 - asarai@suse.com
+
+* Update docker.service to include changes from upstream, including the
+ soon-to-be-merged patch https://github.com/docker/docker/pull/24307,
+ which fixes bnc#983015.
+
 -------------------------------------------------------------------
 Fri Jun 24 00:23:57 UTC 2016 - dmueller@suse.com
diff --git a/docker.service b/docker.service
index ba34b05..5ea1fc0 100644
--- a/docker.service
+++ b/docker.service
@@ -7,10 +7,19 @@ Requires=docker.socket containerd.socket
 [Service]
 EnvironmentFile=/etc/sysconfig/docker
 ExecStart=/usr/bin/docker daemon -H fd:// --containerd /run/containerd/containerd.sock $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
-LimitNOFILE=1048576
-LimitNPROC=1048576
+ExecReload=/bin/kill -s HUP $MAINPID
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
 LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+#TasksMax=infinity
+# Set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# Kill only the docker process, not all processes in the cgroup
+KillMode=process
 [Install]
 WantedBy=multi-user.target
-
From d9b4385673918abdf37ed67838d15c94b408a0492a8e8fe874efffbc6afcce8c Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Tue, 5 Jul 2016 18:33:23 +0000 Subject: [PATCH 2/2] Accepting request 406826 from home:jordimassaguerpla:branch:docker:2016_07_06 - fix bsc#984942: audit.rules in docker-1.9.1-58.1.x86_64.rpm has a syntax error OBS-URL: https://build.opensuse.org/request/show/406826 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=115 --- docker-audit.rules | 4 ++-- docker.changes | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/docker-audit.rules b/docker-audit.rules
index 1ba1e93..363341e 100644
--- a/docker-audit.rules
+++ b/docker-audit.rules
@@ -1,7 +1,7 @@
 ##
 # Audit rules based on CIS Docker 1.6 Benchmark v1.0.0
 # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
-# Not all of these apply to SUSE.
+# Not all of these apply to SUSE.
 # 1.8 Audit docker daemon
 -w /usr/bin/docker -k docker
 # 1.9 Audit Docker files and directories
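Review bot: `LimitNOFILE=infinity` and `LimitNPROC=infinity` in the docker.service hunk remove the daemon's rlimit ceilings, and the added comment points to cgroups for container-local accounting while nothing in this unit or the visible `ExecStart` line enforces such a limit. Containers normally inherit the daemon's rlimits unless a default or per-container cap is configured, so the caveat belongs next to the settings, for example `# Containers inherit these limits; set --default-ulimit in DOCKER_OPTS or a per-container ulimit/pids cap.` The `KillMode=process` comment should also spell out the operational consequence, `# "systemctl stop docker" leaves the other processes in this cgroup running`, because that matters when a host has to be contained quickly. In the TasksMax comment, "support this version" should read "support this option".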
@@ -23,5 +23,5 @@
 # 1.17 Audit Docker files and directories - /etc/sysconfig/docker-storage
 -w /etc/sysconfig/docker-storage -k docker
 # 1.18 Audit Docker files and directories - /etc/default/docker
--w /etc/default/docker-k docker
+-w /etc/default/docker -k docker
 ## end docker audit rules
diff --git a/docker.changes b/docker.changes
index ee6b399..97c327d 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul 5 17:52:58 UTC 2016 - jmassaguerpla@suse.com
+
+- fix bsc#984942: audit.rules in docker-1.9.1-58.1.x86_64.rpm has a
+ syntax error
+
 -------------------------------------------------------------------
 Tue Jul 5 14:26:45 UTC 2016 - asarai@suse.com
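Review bot: The corrected rule `-w /etc/default/docker -k docker` (CIS 1.18, second docker-audit.rules hunk) still carries no `-p` filter, so the watch falls back to auditctl's default permission set and, as far as I know, records reads and executes as well as writes. For a configuration file, `-w /etc/default/docker -p wa -k docker` keeps the tamper signal with much less noise, and the same applies to the other `-w` rules visible in this file. The header already says not every rule applies to SUSE, and docker.service in this series reads `/etc/sysconfig/docker`, so a short comment on whether `/etc/default/docker` exists on the target would help whoever triages a rule-load error. Since a malformed rule reached a released package, a load test of the rules file during packaging or QA would catch this class of mistake; that part lies outside this hunk.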