b7f9caccb8
- Update the AppArmor patchset again to fix a separate issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. bsc#1099277 * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch OBS-URL: https://build.opensuse.org/request/show/619741 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=254
379 lines
14 KiB
RPMSpec
379 lines
14 KiB
RPMSpec
#
|
|
# spec file for package docker
|
|
#
|
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
# nodebuginfo
|
|
|
|
|
|
# Where important update information will be stored, such that an administrator
|
|
# is guaranteed to see the relevant warning.
|
|
%define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}
|
|
|
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
|
%if ! %{defined _fillupdir}
|
|
%define _fillupdir /var/adm/fillup-templates
|
|
%endif
|
|
|
|
# Used when generating the "build" information for Docker version. The value of
|
|
# git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
|
|
# helpfully injects into our build environment from the changelog). If you want
|
|
# to generate a new git_commit_epoch, use this:
|
|
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
|
%define git_version f4ffd2511ce9
|
|
%define git_commit_epoch 1508606827
|
|
|
|
# These are the git commits required. We verify them against the source to make
|
|
# sure we didn't miss anything important when doing upgrades.
|
|
%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
|
|
%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
|
|
%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
|
|
|
|
Name: docker
|
|
Version: 17.09.1_ce
|
|
Release: 0
|
|
Summary: The Linux container runtime
|
|
License: Apache-2.0
|
|
Group: System/Management
|
|
Url: http://www.docker.io
|
|
# TODO(VR): check those SOURCE files below
|
|
Source: %{name}-%{version}.tar.xz
|
|
Source1: docker.service
|
|
Source3: 80-docker.rules
|
|
Source4: sysconfig.docker
|
|
Source6: docker-rpmlintrc
|
|
Source7: README_SUSE.md
|
|
Source8: docker-audit.rules
|
|
Source9: tests.sh
|
|
# SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers
|
|
# which is not snapshotted when images are committed. Note that if you modify
|
|
# this patch, please also modify the patch in the suse-secrets-v<version>
|
|
# branch in http://github.com/suse/docker.mirror.
|
|
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
|
|
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
|
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
|
|
Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
|
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
|
|
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
|
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877
|
|
Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
|
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277
|
|
Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
|
|
BuildRequires: audit
|
|
BuildRequires: bash-completion
|
|
BuildRequires: ca-certificates
|
|
BuildRequires: device-mapper-devel >= 1.2.68
|
|
BuildRequires: glibc-devel-static
|
|
BuildRequires: libapparmor-devel
|
|
BuildRequires: libbtrfs-devel >= 3.8
|
|
# enable libseccomp for sle >= sle12sp2
|
|
%if 0%{?sle_version} >= 120200
|
|
%define with_libseccomp 1
|
|
%endif
|
|
# enable libseccomp for leap >= 42.2
|
|
%if 0%{?leap_version} >= 420200
|
|
%define with_libseccomp 1
|
|
%endif
|
|
# enable libseccomp for Factory
|
|
%if 0%{?suse_version} > 1320
|
|
%define with_libseccomp 1
|
|
%endif
|
|
%if 0%{?with_libseccomp}
|
|
BuildRequires: libseccomp-devel
|
|
%endif
|
|
BuildRequires: libtool
|
|
BuildRequires: procps
|
|
BuildRequires: sqlite3-devel
|
|
BuildRequires: systemd-devel
|
|
BuildRequires: zsh
|
|
Requires: apparmor-parser
|
|
Requires: ca-certificates-mozilla
|
|
# Required in order for networking to work. fix_bsc_1057743 is a work-around
|
|
# for some old packaging issues (where rpm would delete a binary that was
|
|
# installed by docker-libnetwork). See bsc#1057743 for more details.
|
|
Requires: docker-libnetwork-git = %{required_libnetwork}
|
|
Requires: fix_bsc_1057743
|
|
# Containerd and runC are required as they are the only currently supported
|
|
# execdrivers of Docker. NOTE: The version pinning here matches upstream's
|
|
# vendor.conf to ensure that we don't use a slightly incompatible version of
|
|
# runC or containerd (which would be bad).
|
|
Requires: containerd-git = %{required_containerd}
|
|
Requires: docker-runc-git = %{required_dockerrunc}
|
|
# Needed for --init support. We don't use "tini", we use our own implementation
|
|
# which handles edge-cases better.
|
|
Requires: catatonit
|
|
# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
|
|
Requires: e2fsprogs
|
|
Requires: git-core >= 1.7
|
|
Requires: iproute2 >= 3.5
|
|
Requires: iptables >= 1.4
|
|
Requires: procps
|
|
Requires: tar >= 1.26
|
|
Requires: xz >= 4.9
|
|
Requires(post): %fillup_prereq
|
|
Requires(post): udev
|
|
Requires(post): shadow
|
|
# We used to have a migration tool for the upgrade from v1.9.x to v1.10.x.
|
|
# It is no longer useful, so we obsolete it. bsc#1069758
|
|
Obsoletes: docker-image-migrator
|
|
# Not necessary, but must be installed when the underlying system is
|
|
# configured to use lvm and the user doesn't explicitly provide a
|
|
# different storage-driver than devicemapper
|
|
Recommends: lvm2 >= 2.2.89
|
|
Conflicts: lxc < 1.0
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
ExcludeArch: s390 ppc
|
|
# Make sure we build with go 1.8
|
|
BuildRequires: go-go-md2man
|
|
BuildRequires: golang(API) = 1.8
|
|
|
|
%description
|
|
Docker complements LXC with a high-level API which operates at the process
|
|
level. It runs unix processes with strong guarantees of isolation and
|
|
repeatability across servers.
|
|
|
|
Docker is a great building block for automating distributed systems: large-scale
|
|
web deployments, database clusters, continuous deployment systems, private PaaS,
|
|
service-oriented architectures, etc.
|
|
|
|
%package bash-completion
|
|
Summary: Bash Completion for %{name}
|
|
Group: System/Management
|
|
Requires: %{name} = %{version}
|
|
Supplements: packageand(docker:bash-completion)
|
|
BuildArch: noarch
|
|
|
|
%description bash-completion
|
|
Bash command line completion support for %{name}.
|
|
|
|
%package zsh-completion
|
|
Summary: Zsh Completion for %{name}
|
|
Group: System/Management
|
|
Requires: %{name} = %{version}
|
|
Supplements: packageand(docker:zsh)
|
|
BuildArch: noarch
|
|
|
|
%description zsh-completion
|
|
Zsh command line completion support for %{name}.
|
|
|
|
%package test
|
|
%global __requires_exclude ^libgo.so.*$
|
|
Summary: Test package for docker
|
|
Group: System/Management
|
|
BuildRequires: fdupes
|
|
Requires: apparmor-parser
|
|
Requires: bash-completion
|
|
Requires: device-mapper-devel >= 1.2.68
|
|
Requires: glibc-devel-static
|
|
Requires: libapparmor-devel
|
|
Requires: libbtrfs-devel >= 3.8
|
|
Requires: procps
|
|
Requires: sqlite3-devel
|
|
Requires: golang(API) = 1.8
|
|
|
|
%description test
|
|
Test package for docker. It contains the source code and the tests.
|
|
|
|
%prep
|
|
%setup -q
|
|
%if 0%{?is_opensuse}
|
|
# nothing
|
|
%else
|
|
# PATCH-SUSE: Secrets patches.
|
|
%patch200 -p1
|
|
%patch201 -p1
|
|
%endif
|
|
# bsc#1055676
|
|
%patch400 -p1
|
|
# bsc#1021227 bsc#1029320 bsc#1058173
|
|
%patch401 -p1
|
|
# bsc#1073877
|
|
%patch402 -p1
|
|
# bsc#1099277
|
|
%patch403 -p1
|
|
|
|
cp %{SOURCE7} .
|
|
cp %{SOURCE9} .
|
|
|
|
%build
|
|
BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
|
|
%if 0%{?with_libseccomp}
|
|
BUILDTAGS="seccomp $BUILDTAGS"
|
|
%endif
|
|
%if 0%{?sle_version} == 120000
|
|
# Provided by patch406, to allow us to build with older distros but still
|
|
# have deferred removal support at runtime. We only use this when building
|
|
# on SLE12.
|
|
BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
|
|
%endif
|
|
|
|
(cat <<EOF
|
|
export AUTO_GOPATH=1
|
|
export DOCKER_BUILDTAGS="$BUILDTAGS"
|
|
# Until boo#1038493 is fixed properly we need to do this hack to get the
|
|
# compiled-into-the-binary GOROOT.
|
|
export GOROOT="$(GOROOT= go env GOROOT)"
|
|
# Make sure we always build PIC code. bsc#1048046
|
|
export BUILDFLAGS="-buildmode=pie"
|
|
# Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
|
|
# been injected by rpmbuild, otherwise we use the hardcoded git_commit_epoch
|
|
# generated above. boo#1064781
|
|
export VERSION="$(cat ./VERSION 2>/dev/null || echo '%{version}')"
|
|
export DOCKER_GITCOMMIT="%{git_version}"
|
|
export GITCOMMIT="%{git_version}"
|
|
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
|
|
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
|
|
EOF
|
|
) > docker_build_env
|
|
. ./docker_build_env
|
|
|
|
# Preparing GOPATH so that the client is visible to the compiler
|
|
mkdir -p src/github.com/docker/
|
|
ln -s $(pwd)/components/cli $(pwd)/src/github.com/docker/cli
|
|
GOPATH=$GOPATH:$(pwd)
|
|
|
|
# DOCKER ENGINE
|
|
cd components/engine/
|
|
# ignore the warning that we compile outside a Docker container
|
|
./hack/make.sh dynbinary
|
|
# build the tests binary
|
|
GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \
|
|
-buildmode=pie \
|
|
-tags "$DOCKER_BUILDTAGS daemon autogen" \
|
|
-c github.com/docker/docker/integration-cli -o tests.main
|
|
cd ../..
|
|
|
|
# DOCKER CLIENT
|
|
cd components/cli
|
|
./scripts/build/dynbinary
|
|
|
|
mkdir -p ./man/man1
|
|
go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
|
|
./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1"
|
|
./man/md2man-all.sh
|
|
cd ../..
|
|
|
|
%check
|
|
# We used to run 'go test' here, however we found that this actually didn't
|
|
# catch any issues that were caught by smoke testing, and %check would
|
|
# continually cause package builds to fail due to flaky tests. If you ever need
|
|
# to know how the testing was done, you can always look in the package history.
|
|
# boo#1095817
|
|
|
|
# We verify that all of our -git requires are correct, and match the contents
|
|
# of the upstream vendoring scripts. This is done on-build to make sure that
|
|
# someone doing an update didn't miss anything.
|
|
cd components/engine
|
|
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits
|
|
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
|
|
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
|
|
|
|
%install
|
|
install -d %{buildroot}%{go_contribdir}
|
|
install -d %{buildroot}%{_bindir}
|
|
install -D -m755 components/cli/build/docker %{buildroot}/%{_bindir}/docker
|
|
install -D -m755 components/engine/bundles/latest/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
|
|
install -d %{buildroot}/%{_localstatedir}/lib/docker
|
|
install -Dd -m 0755 \
|
|
%{buildroot}%{_sysconfdir}/init.d \
|
|
%{buildroot}%{_sbindir}
|
|
|
|
install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{name}"
|
|
install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{name}"
|
|
# copy all for the test package
|
|
install -d %{buildroot}%{_prefix}/src/docker/
|
|
cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine
|
|
cp -a components/cli/. %{buildroot}%{_prefix}/src/docker/cli
|
|
|
|
#
|
|
# systemd service
|
|
#
|
|
install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
|
|
ln -sf service %{buildroot}%{_sbindir}/rcdocker
|
|
|
|
#
|
|
# udev rules that prevents dolphin to show all docker devices and slows down
|
|
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
|
|
#
|
|
install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
|
|
|
|
# audit rules
|
|
install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
|
|
|
|
# sysconfig file
|
|
install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker
|
|
|
|
# install manpages (using the ones from the engine)
|
|
install -d %{buildroot}%{_mandir}/man1
|
|
install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1
|
|
install -d %{buildroot}%{_mandir}/man5
|
|
install -p -m 644 components/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
|
|
install -d %{buildroot}%{_mandir}/man8
|
|
install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8
|
|
|
|
%fdupes %{buildroot}
|
|
|
|
%pre
|
|
getent group docker >/dev/null || groupadd -r docker
|
|
%service_add_pre %{name}.service
|
|
|
|
%post
|
|
%service_add_post %{name}.service
|
|
%{fillup_only -n docker}
|
|
|
|
%preun
|
|
%service_del_preun %{name}.service
|
|
|
|
%postun
|
|
%service_del_postun %{name}.service
|
|
|
|
%files
|
|
%defattr(-,root,root)
|
|
%doc components/engine/README.md README_SUSE.md CHANGELOG.md
|
|
%license components/engine/LICENSE
|
|
%{_bindir}/docker
|
|
%{_bindir}/dockerd
|
|
%{_sbindir}/rcdocker
|
|
%{_unitdir}/%{name}.service
|
|
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
|
|
%{_udevrulesdir}/80-%{name}.rules
|
|
%{_fillupdir}/sysconfig.docker
|
|
%dir %{_localstatedir}/lib/docker/
|
|
%{_mandir}/man1/docker-*.1%{ext_man}
|
|
%{_mandir}/man1/docker.1%{ext_man}
|
|
%{_mandir}/man5/Dockerfile.5%{ext_man}
|
|
%{_mandir}/man8/dockerd.8%{ext_man}
|
|
|
|
%files bash-completion
|
|
%defattr(-,root,root)
|
|
%config %{_sysconfdir}/bash_completion.d/%{name}
|
|
|
|
%files zsh-completion
|
|
%defattr(-,root,root)
|
|
%config %{_sysconfdir}/zsh_completion.d/%{name}
|
|
|
|
%files test
|
|
%defattr(-,root,root)
|
|
%{_prefix}/src/docker/
|
|
# exclude binaries
|
|
%exclude %{_prefix}/src/docker/engine/bundles/
|
|
%exclude %{_prefix}/src/docker/cli/build/
|
|
# exclude init configurations other than systemd
|
|
%exclude %{_prefix}/src/docker/engine/contrib/init/openrc
|
|
%exclude %{_prefix}/src/docker/engine/contrib/init/sysvinit-debian
|
|
%exclude %{_prefix}/src/docker/engine/contrib/init/sysvinit-redhat
|
|
%exclude %{_prefix}/src/docker/engine/contrib/init/upstart
|
|
|
|
%changelog
|