68dcb35da6
- fix bsc#1007249 - CVE-2016-8867: Fix ambient capability usage in containers - other fixes: https://github.com/docker/docker/releases/tag/v1.12.3 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=150
#
|
|
# spec file for package docker
|
|
#
|
|
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
# nodebuginfo
|
|
|
|
|
|
# Check if go_arches is defined in the project configuration
|
|
# Otherwise, define it here
|
|
# In order to define it in the project configuration, see
|
|
#
|
|
# https://en.opensuse.org/openSUSE:Build%20Service%20prjconf#Macros
|
|
#
|
|
# The Macros tag is the one that defines the go_arches variable to be used
|
|
# in the spec file.
|
|
# The "define" one is to help the specfile parser of the buildservice
|
|
# to see what packages are being built. You also want to define it here
|
|
# for keeping things consistent.
|
|
|
|
%{!?go_arches: %global go_arches %ix86 x86_64 aarch64 ppc64le}
|
|
|
|
%global docker_store %{_localstatedir}/lib/docker
|
|
%global docker_migration_testfile %{docker_store}/.suse-image-migration-v1to2-complete
|
|
%global docker_migration_warnfile %{docker_store}/docker-update-message.txt
|
|
%define docker_graph %{docker_store}/graph
|
|
%define git_version 8eab29e
|
|
%define version_unconverted 1.12.3
|
|
%define docker_version 1.12.1
|
|
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
|
|
# When upgrading to a new version requires the service not to be restarted
|
|
# Due to a long migration process update last_migration_version to the new version
|
|
# that will first perform the migration, last time this was needed was version
|
|
# 1.10.1
|
|
%global last_migration_version 1.10.1
|
|
Name: docker
|
|
Version: 1.12.3
|
|
Release: 0
|
|
Summary: The Linux container runtime
|
|
License: Apache-2.0
|
|
Group: System/Management
|
|
Url: http://www.docker.io
|
|
Source: %{name}-%{version}.tar.xz
|
|
Source1: docker.service
|
|
Source3: 80-docker.rules
|
|
Source4: sysconfig.docker
|
|
Source6: docker-rpmlintrc
|
|
Source7: README_SUSE.md
|
|
Source8: docker-audit.rules
|
|
Source9: docker-update-message.txt
|
|
Source10: tests.sh
|
|
# Fixes for architecture-specific issues (gcc-go).
|
|
Patch100: gcc-go-patches.patch
|
|
Patch101: netlink_gcc_go.patch
|
|
Patch102: netlink_netns_powerpc.patch
|
|
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
|
|
# which is not snapshotted when images are committed. Note that if you modify
|
|
# this patch, please also modify the patch in the suse-secrets-v<version>
|
|
# branch in http://github.com/suse/docker.mirror.
|
|
Patch200: docker-mount-secrets.patch
|
|
Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch
|
|
BuildRequires: audit
|
|
BuildRequires: bash-completion
|
|
BuildRequires: device-mapper-devel >= 1.2.68
|
|
BuildRequires: glibc-devel-static
|
|
BuildRequires: libapparmor-devel
|
|
BuildRequires: libbtrfs-devel >= 3.8
|
|
BuildRequires: procps
|
|
BuildRequires: sqlite3-devel
|
|
BuildRequires: systemd-devel
|
|
BuildRequires: zsh
|
|
Requires: apparmor-parser
|
|
Requires: bridge-utils
|
|
Requires: ca-certificates-mozilla
|
|
# Containerd and runC are required as they are the only currently supported
|
|
# execdrivers of Docker. NOTE: The version pinning here matches upstream's
|
|
# Dockerfile to ensure that we don't use a slightly incompatible version of
|
|
# runC or containerd (which would be bad).
|
|
Requires: containerd = 0.2.4+git0366d7e
|
|
Requires: runc = 0.1.1+git02f8fa7
|
|
# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
|
|
Requires: e2fsprogs
|
|
Requires: git-core >= 1.7
|
|
Requires: iproute2 >= 3.5
|
|
Requires: iptables >= 1.4
|
|
Requires: lvm2 >= 2.2.89
|
|
Requires: procps
|
|
Requires: tar >= 1.26
|
|
Requires: xz >= 4.9
|
|
Requires(post): %fillup_prereq
|
|
Requires(post): udev
|
|
# Not necessary, but must be installed to have a smooth upgrade.
|
|
Recommends: docker-image-migrator
|
|
Conflicts: lxc < 1.0
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
ExcludeArch: %ix86 s390 ppc
|
|
%if 0%{?suse_version} > 1320
|
|
Source5: docker.socket
|
|
%else
|
|
Source5: docker_systemd_lt_214.socket
|
|
%endif
|
|
%ifarch %{go_arches}
|
|
BuildRequires: go >= 1.5
|
|
BuildRequires: go-go-md2man
|
|
%else
|
|
BuildRequires: gcc6-go >= 6.1
|
|
%endif
|
|
%if 0%{?is_opensuse}
|
|
ExcludeArch: s390x
|
|
%endif
|
|
|
|
%description
|
|
Docker complements LXC with a high-level API which operates at the process
|
|
level. It runs unix processes with strong guarantees of isolation and
|
|
repeatability across servers.
|
|
|
|
Docker is a great building block for automating distributed systems: large-scale
|
|
web deployments, database clusters, continuous deployment systems, private PaaS,
|
|
service-oriented architectures, etc.
|
|
|
|
%package bash-completion
|
|
Summary: Bash Completion for %{name}
|
|
Group: System/Management
|
|
Requires: %{name} = %{version}
|
|
Requires: bash-completion
|
|
BuildArch: noarch
|
|
|
|
%description bash-completion
|
|
Bash command line completion support for %{name}.
|
|
|
|
%package zsh-completion
|
|
Summary: Zsh Completion for %{name}
|
|
Group: System/Management
|
|
Requires: %{name} = %{version}
|
|
Supplements: packageand(docker:zsh)
|
|
BuildArch: noarch
|
|
|
|
%description zsh-completion
|
|
Zsh command line completion support for %{name}.
|
|
|
|
%package test
|
|
%global __requires_exclude ^libgo.so.*$
|
|
Summary: Test package for docker
|
|
Group: System/Management
|
|
BuildRequires: fdupes
|
|
Requires: apparmor-parser
|
|
Requires: bash-completion
|
|
Requires: device-mapper-devel >= 1.2.68
|
|
Requires: glibc-devel-static
|
|
Requires: libapparmor-devel
|
|
Requires: libbtrfs-devel >= 3.8
|
|
Requires: procps
|
|
Requires: sqlite3-devel
|
|
%ifarch %{go_arches}
|
|
Requires: go >= 1.4
|
|
%else
|
|
Requires: gcc6-go >= 6.1
|
|
%endif
|
|
|
|
%description test
|
|
Test package for docker. It contains the source code and the tests.
|
|
|
|
%prep
# Unpack the upstream source tarball quietly.
%setup -q

# Patch200 (docker-mount-secrets.patch, the SUSE /run/secrets feature) is
# applied on every build except openSUSE ones.
%if 0%{?is_opensuse}
# nothing
%else
%patch200 -p1
%endif

# Patches 100-102 are the gcc-go fixes; they are only applied on architectures
# that are not listed in go_arches.
%ifnarch %{go_arches}
%patch100 -p1
%patch101 -p1
%patch102 -p1
%endif

%patch300 -p1

# Place the SUSE README and the test driver script next to the sources.
cp %{SOURCE7} %{SOURCE10} .
|
|
|
|
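%build
%ifnarch %{go_arches}
# The gcc-go driver is installed as go-6, so expose it under the name "go"
# through a shim directory that is searched first on PATH.
#
# The directory is created with mktemp -d: atomically, mode 0700, under an
# unpredictable name. A fixed path in /tmp can be pre-created or swapped by
# another local user between the rm and the mkdir, and whatever ends up in it
# would then be executed as "go" for the rest of this build.
tmphack=$(mktemp -d)
trap 'rm -rf -- "$tmphack"' EXIT
ln -s %{_bindir}/go-6 "$tmphack/go"
export PATH="$tmphack:$PATH"
%endif

# Write the build settings to a file so that the check section can source the
# very same values later.
cat > docker_build_env <<EOF
export AUTO_GOPATH=1
export DOCKER_BUILDTAGS="exclude_graphdriver_aufs apparmor selinux"
export DOCKER_GITCOMMIT=%{git_version}
EOF
. ./docker_build_env

%ifarch %{go_arches}
./hack/make.sh dynbinary
man/md2man-all.sh
%else
./hack/make.sh dyngccgo
%endif

# build the tests binary
GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \
    -tags "$DOCKER_BUILDTAGS daemon autogen" \
    -c github.com/docker/docker/integration-cli -o tests.main

# remove other than systemd
# otherwise the resulting package will have extra requires
rm -rf hack/make/.build-deb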
|
|
|
|
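%ifarch %go_arches
%check
. ./docker_build_env

# Everything below builds paths from HOME and ends in an rm -rf with a glob;
# stop here rather than operate on /go/... if HOME is empty or unset.
: "${HOME:?HOME must be set for the test GOPATH}"
gosrc="$HOME/go/src/github.com/docker"

# go test will look in github.com/docker/docker/vendor for vendored packages but
# Docker keeps them in github.com/docker/docker/vendor/src. Let's do it like
# Docker does it and append github.com/docker/docker/vendor to the GOPATH so the
# packages are found by go test.
export GOPATH="$gosrc/docker/vendor:$GOPATH"

# Create the directory if it doesn't exist already
mkdir -p "$gosrc"

# Remove any existing symlinks.
rm -rf "$gosrc"/*

# go list -e ... doesn't seem to work with symlinks so do a full copy instead.
cp -avr %{buildroot}/usr/src/%{name} "$gosrc/docker"

cd "$gosrc/docker"

# Note that these commands do not allow %%elseif.
# For versions equal to or below SLE12 && openSUSE_13.2 libdevmapper.h is not
# recent enough to define dm_task_deferred_remove(). (This is not true of
# SLE12_SP1 but we cannot distinguish it with this macro.)
EXCLUDE_TAGS=
%if 0%{?suse_version} <= 1320
EXCLUDE_TAGS="libdm_no_deferred_remove $EXCLUDE_TAGS"
%endif

# The command is taken from hack/make/test-unit and various test runs.
# Everything that follows github.com/docker/pkg/integration-cli are packages
# containing tests that cannot run in an obs build context.
#
# EXCLUDE_TAGS is quoted on purpose: when it is empty, an unquoted expansion
# disappears and -tags takes the following -a as its value, so the tag list
# becomes "-a" and the -a flag itself is lost.
#
# NOTE(review): .Name in a go list template is the package name, not the import
# path, so the "ne" comparison below is presumably always true and the grep
# stages do the actual filtering -- confirm the intent.
PKG_LIST=$(go list -e \
    -f '{{if ne .Name "github.com/docker/docker"}} {{.ImportPath}}
    {{end}}' \
    -tags "$EXCLUDE_TAGS" \
    -a "${BUILDFLAGS[@]}" ... \
    | grep 'github.com/docker/docker' \
    | grep -v 'github.com/docker/docker/vendor' \
    | grep -v 'github.com/docker/docker/integration-cli' \
    | grep -v 'github.com/docker/docker/pkg/archive$' \
    | grep -v 'github.com/docker/docker/pkg/chrootarchive$' \
    | grep -v 'github.com/docker/docker/pkg/gitutils$' \
    | grep -v 'github.com/docker/docker/pkg/idtools$' \
    | grep -v 'github.com/docker/docker/pkg/jsonlog$' \
    | grep -v 'github.com/docker/docker/pkg/mount$' \
    | grep -v 'github.com/docker/docker/pkg/sysinfo$' \
    | grep -v 'github.com/docker/docker/registry$' \
    | grep -v 'github.com/docker/docker/volume/local$' \
    | grep -v 'github.com/docker/docker/builder$' \
    | grep -v 'github.com/docker/docker/daemon$' \
    | grep -v 'github.com/docker/docker/daemon/graphdriver/btrfs$' \
    | grep -v 'github.com/docker/docker/daemon/graphdriver/devmapper$' \
    | grep -v 'github.com/docker/docker/daemon/graphdriver/vfs$' \
    | grep -v 'github.com/docker/docker/builder/dockerfile$' \
    | grep -v 'github.com/docker/docker/cmd/dockerd$' \
    | grep -v 'github.com/docker/docker/builder/dockerfile/parser$' \
    | grep -v 'github.com/docker/docker/man$' \
    | grep -v 'github.com/docker/docker/pkg/integration$')

# PKG_LIST stays unquoted: it is a whitespace-separated list of import paths
# that must be split into one argument per package.
go test -cover -ldflags -w -tags "$EXCLUDE_TAGS" -a -test.timeout=10m $PKG_LIST
%endif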
|
|
|
|
%install
install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}

# Client, daemon and proxy binaries, taken from the bundle that the build
# section produced for this architecture.
%ifarch %{go_arches}
install -D -m755 bundles/latest/dynbinary-client/%{name} %{buildroot}/%{_bindir}/%{name}
for bin in %{name}d %{name}-proxy; do
    install -D -m755 "bundles/latest/dynbinary-daemon/$bin" "%{buildroot}/%{_bindir}/$bin"
done
%else
for bin in %{name} %{name}d %{name}-proxy; do
    install -D -m755 "bundles/latest/dyngccgo/$bin" "%{buildroot}/%{_bindir}/$bin"
done
%endif
install -d %{buildroot}/%{_prefix}/lib/docker
install -Dd -m 0755 %{buildroot}%{_sysconfdir}/init.d %{buildroot}%{_sbindir}

# Shell completions (packaged in the two completion subpackages).
install -D -m0644 contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{name}"
install -D -m0644 contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{name}"

# copy all for the test package
testsrc="%{buildroot}%{_prefix}/src/docker"
install -d "$testsrc/"
cp -av . "$testsrc/"
for tree in contrib hack integration-cli; do
    cp -av "$tree" "$testsrc/"
done
cp -av VERSION Dockerfile "$testsrc/"
cp -av tests.main tests.sh "$testsrc/hack/"

# clean some things we don't need in the test package
(cd "$testsrc/contrib" && rm -rf builder completion desktop-integration init mkimage* syntax vagrant-docker)
(cd "$testsrc/hack" && rm -rf Jenkins dind generate-authors.sh install.sh make.sh release.sh vendor.sh .vendor-helpers.sh)
(cd "$testsrc/integration-cli" && rm -rf *.go)

#
# systemd service
#
install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.socket
ln -sf service %{buildroot}%{_sbindir}/rcdocker

#
# udev rules that keep dolphin from listing every docker device, which slows
# it down; upstream report https://bugs.kde.org/show_bug.cgi?id=329930
#
install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{name}.rules

# audit rules; installed 0640, i.e. without read access for "other"
install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules

# sysconfig file
install -D -m 644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.docker

%ifarch %{go_arches}
# install manpages
install -d %{buildroot}%{_mandir}/man1
install -p -m 644 man/man1/*.1 %{buildroot}%{_mandir}/man1
install -d %{buildroot}%{_mandir}/man5
install -p -m 644 man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
install -d %{buildroot}%{_mandir}/man8
install -p -m 644 man/man8/*.8 %{buildroot}%{_mandir}/man8
%endif

# Migration warning text; the post scriptlet either publishes or removes it.
install -D -m 0644 %{SOURCE9} %{buildroot}%{docker_migration_warnfile}

%fdupes %{buildroot}
|
|
|
|
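%pre
# In order to make sure we don't print a scary warning when we shouldn't we
# need to test these things (in this order):
# 1. Check that %{_localstatedir}/lib/docker actually exists (docker daemon has run).
# 2. Check that the migrator has *not* finished.
# 3. Check that %{_localstatedir}/lib/docker/graph exists (this is a <=1.9.1 thing, but
#    will stick around if it has been migrated -- which is why we need the
#    MIGRATION_TESTFILE check).
# 4. Check that there are images in the graph/ directory.
#
# The tests use plain [ ] with quoted operands: the scriptlet is run by
# /bin/sh, and inside [[ ]] an unquoted right-hand side of == is treated as a
# glob pattern rather than compared literally.
if [ -d "%{docker_store}" ] && [ -n "$(find "%{docker_graph}" -maxdepth 1 -type d 2>/dev/null | grep -Ev '_tmp|^%{docker_graph}$')" ]; then
    # Check if currently installed version of docker is old enough to need migration.
    CURRENT_DOCKER_VERSION=$(docker -v | sed 's/^.*[^0-9]\([0-9]*\.[0-9]*\.[0-9]*\).*$/\1/')
    # This variable will contain the current docker version if migration is needed otherwise it will contain the upgrade point.
    # Next time the docker package needs to be upgraded without restarting the service increase the 1.10.1 to the new version.
    # (printf replaces echo -e, whose option handling differs between shells;
    # the doubled percent sign is the spec-file escape for a literal one.)
    NEED_UPGRADE_VERSION=$(printf '%%s\n' "$CURRENT_DOCKER_VERSION" "%{last_migration_version}" | sort -V | head -1)

    # NOTE(review): if "docker -v" prints nothing, both values are empty and
    # the marker is still created -- presumably the intended conservative
    # default; confirm.
    if [ "$CURRENT_DOCKER_VERSION" = "$NEED_UPGRADE_VERSION" ]; then
        touch "%{docker_migration_testfile}"
    fi
fi

# Create the docker system group (without members) if it is missing.
# NOTE(review): this is presumably the group that owns the daemon socket (see
# docker.socket); if so, membership amounts to root-equivalent control of the
# daemon and should be granted deliberately.
getent group docker >/dev/null || groupadd -r docker
%service_add_pre %{name}.service %{name}.socket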
|
|
|
|
%post
# If the pre scriptlet left the migration marker behind, publish the warning
# text as an update message; otherwise drop the warning file when it exists.
if test -e %{docker_migration_testfile}; then
    cp %{docker_migration_warnfile} /var/adm/update-messages/docker
elif test -e %{docker_migration_warnfile}; then
    rm %{docker_migration_warnfile}
fi
%service_add_post %{name}.service %{name}.socket
%{fillup_only -n docker}
|
|
|
|
%preun
%service_del_preun %{name}.service %{name}.socket

%postun
# A pending image migration is signalled by the marker file: consume it and
# set DISABLE_RESTART_ON_UPDATE before the service macro below runs, so the
# setting is already exported when that macro is evaluated.
if test -e %{docker_migration_testfile}; then
    rm %{docker_migration_testfile}
    export DISABLE_RESTART_ON_UPDATE=yes
fi
%service_del_postun %{name}.service %{name}.socket
|
|
|
|
%files
%defattr(-,root,root)
%doc README.md LICENSE README_SUSE.md
# client, daemon and userland proxy
%{_bindir}/docker
%{_bindir}/dockerd
%{_bindir}/docker-proxy
%{_sbindir}/rcdocker
%{_libexecdir}/docker/
# systemd units
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
# audit rules are marked as configuration; the install section gives them
# mode 0640
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
%{_udevrulesdir}/80-%{name}.rules
%{_localstatedir}/adm/fillup-templates/sysconfig.docker
# NOTE(review): the store directory is packaged with whatever mode it received
# in the buildroot (it is created implicitly by install -D there); confirm
# that mode is as restrictive as intended for the image store.
%{_localstatedir}/lib/docker/
%ifarch %{go_arches}
%{_mandir}/man1/docker-*.1%{ext_man}
%{_mandir}/man1/docker.1%{ext_man}
%{_mandir}/man5/Dockerfile.5%{ext_man}
%{_mandir}/man8/dockerd.8%{ext_man}
%endif

%files bash-completion
%defattr(-,root,root)
%config %{_sysconfdir}/bash_completion.d/%{name}

%files zsh-completion
%defattr(-,root,root)
%config %{_sysconfdir}/zsh_completion.d/%{name}

%files test
%defattr(-,root,root)
%{_prefix}/src/docker/
# exclude binaries
%exclude %{_prefix}/src/docker/bundles/
# exclude init configurations other than systemd
%exclude %{_prefix}/src/docker/contrib/init/openrc
%exclude %{_prefix}/src/docker/contrib/init/sysvinit-debian
%exclude %{_prefix}/src/docker/contrib/init/sysvinit-redhat
%exclude %{_prefix}/src/docker/contrib/init/upstart
|
|
|
|
%changelog
|