but was merged after the 1.11.0 merge window. CVE-2016-3697. bsc#976777. + cve-2016-3697-numeric-uid.patch The upstream PR is here[1] and was vendored into Docker here[2]. [1]: https://github.com/opencontainers/runc/pull/708 [2]: https://github.com/docker/docker/pull/21665 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=101
#
# spec file for package docker
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# Paths used by the pre scriptlet's image-migration check: the daemon state
# directory, the pre-1.10 image graph below it, and the marker file whose
# presence means the v1-to-v2 image migration is complete (or never needed).
%define docker_store /var/lib/docker
# NOTE(review): docker_graph is defined but referenced nowhere else in this
# spec; the migration check in the pre scriptlet tests docker_store instead.
%define docker_graph %{docker_store}/graph
%define docker_migration_testfile %{docker_store}/.suse-image-migration-v1to2-complete

# Upstream commit stamped into the binary through DOCKER_GITCOMMIT (see build).
%define git_version 9e83765
# Architectures built with the upstream Go toolchain; everything else uses gcc-go.
%define go_arches %ix86 x86_64 aarch64
# Not referenced in this spec; presumably consumed by an OBS source service -- verify.
%define version_unconverted 1.11.0

Name: docker
Version: 1.11.0
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
Group: System/Management
Url: http://www.docker.io
Source: %{name}-%{version}.tar.xz
Source1: docker.service
Source3: 80-docker.rules
Source4: sysconfig.docker

# systemd socket unit: the plain unit on newer distributions, a variant for
# older systemd elsewhere (the file name suggests systemd < 214).
%if 0%{?suse_version} > 1320
Source5: docker.socket
%else
Source5: docker_systemd_lt_214.socket
%endif

Source6: docker-rpmlintrc
Source7: README_SUSE.md
# Installed read-only for root under the audit rules.d directory (see install).
Source8: docker-audit.rules
# TODO: remove once we figure out what is wrong with iptables on ppc64le
Source100: sysconfig.docker.ppc64le
%if 0%{?is_opensuse}
# nothing
%else
# The mount-secrets patch is a SLE-specific feature. As such, it is disabled by default on openSUSE.
# PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers
Patch200: docker-mount-secrets.patch
%endif
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
# (only applied on architectures outside go_arches, see prep)
Patch101: gcc-go-patches.patch
Patch102: netlink_gcc_go.patch
Patch103: netlink_netns_powerpc.patch
# PATCH-FIX-UPSTREAM cve-2016-3697-numeric-uid.patch bsc#976777 CVE-2016-3697 --
# do not match a numeric container USER against user names in the container's
# passwd file; treat it as a uid. This fixes bsc#976777. While the fix is
# upstream, it isn't in Docker 1.10.3 or Docker 1.11.0. This patch was squashed
# and cherry-picked from runc#708 (vendored into Docker via docker#21665).
Patch301: cve-2016-3697-numeric-uid.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: device-mapper-devel >= 1.2.68
BuildRequires: glibc-devel-static
# Toolchain selection mirrors go_arches; go-go-md2man is only needed where
# the man pages are generated (see build).
%ifarch %go_arches
BuildRequires: go >= 1.5
BuildRequires: go-go-md2man
%else
BuildRequires: gcc5-go >= 5.0
%endif
BuildRequires: libapparmor-devel
BuildRequires: libbtrfs-devel >= 3.8
BuildRequires: procps
BuildRequires: sqlite3-devel
BuildRequires: systemd-devel
BuildRequires: zsh
Requires: apparmor-parser
Requires: bridge-utils
Requires: ca-certificates-mozilla
# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
Requires: e2fsprogs
Requires: git-core >= 1.7
Requires: iproute2 >= 3.5
Requires: iptables >= 1.4
Requires: kernel >= 3.8.0
Requires: lvm2 >= 2.2.89
Requires: procps
Requires: tar >= 1.26
Requires: xz >= 4.9
# Containerd is required as it is the only currently supported execdriver of Docker.
Requires: containerd
# Not necessary, but must be installed to have a smooth upgrade.
Recommends: docker-image-migrator
Conflicts: lxc < 1.0
# Needed by the fillup_only call in post.
PreReq: %fillup_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# 32-bit x86, s390 and ppc are not built; s390x is only built on SLE.
ExcludeArch: %ix86
ExcludeArch: s390
%if 0%{?is_opensuse}
ExcludeArch: s390x
%endif
ExcludeArch: ppc

%description
Docker complements LXC with a high-level API which operates at the process
level. It runs unix processes with strong guarantees of isolation and
repeatability across servers.

Docker is a great building block for automating distributed systems: large-scale
web deployments, database clusters, continuous deployment systems, private PaaS,
service-oriented architectures, etc.

# Bash completion script, installed under /etc/bash_completion.d (see install).
%package bash-completion
Summary: Bash Completion for %{name}
Group: System/Management
Requires: %{name} = %{version}
Requires: bash-completion
BuildArch: noarch

%description bash-completion
Bash command line completion support for %{name}.

# Zsh completion script, installed under /etc/zsh_completion.d (see install).
# Supplements: pulled in automatically when both docker and zsh are installed.
%package zsh-completion
Summary: Zsh Completion for %{name}
Group: System/Management
Requires: %{name} = %{version}
Supplements: packageand(docker:zsh)
BuildArch: noarch

%description zsh-completion
Zsh command line completion support for %{name}.

# Source tree plus tests, copied wholesale into /usr/src/docker by install.
%package test
Summary: Test package for docker
Group: System/Management
Requires: device-mapper-devel >= 1.2.68
Requires: glibc-devel-static
%ifarch %go_arches
# NOTE(review): the main package builds with go >= 1.5 (BuildRequires above)
# but the test package only requires go >= 1.4; probably worth aligning.
Requires: go >= 1.4
%else
Requires: gcc5-go >= 5.0
%endif
# BuildRequires is global regardless of the section it is declared in; fdupes
# is used by the fdupes call at the end of install.
BuildRequires: fdupes
Requires: apparmor-parser
Requires: bash-completion
Requires: libapparmor-devel
Requires: libbtrfs-devel >= 3.8
Requires: procps
Requires: sqlite3-devel
BuildArch: noarch

# Keep the auto-generated dependencies from requiring the gcc-go runtime
# library. Declared here, but it applies to the whole spec.
%global __requires_exclude ^libgo.so.*$

%description test
Test package for docker. It contains the source code and the tests.

%prep
%setup -q -n %{name}-%{version}

# The mount-secrets feature patch exists on SLE only (see Patch200).
%if 0%{?is_opensuse}
# nothing
%else
%patch200 -p1
%endif

# gcc-go compatibility patches for architectures without the upstream toolchain.
%ifnarch %go_arches
%patch101 -p1
%patch102 -p1
%patch103 -p1
%endif

# bsc#976777 (CVE-2016-3697): applied unconditionally, on every architecture.
%patch301 -p1

# Put the SUSE-specific README next to the upstream docs so it can be packaged
# with the doc entry in files.
cp %{SOURCE7} .

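%build
%ifnarch %go_arches
# gcc-go builds: put a "go" symlink to /usr/bin/go-5 first on PATH so the build
# picks up the gcc-go frontend under the expected name. The directory comes
# from mktemp instead of a fixed, predictable /tmp path: the previous
# /tmp/dirty-hack was rm -rf'ed and recreated, which is racy if that path
# already exists and is not ours.
tmphack="$(mktemp -d)"
ln -s /usr/bin/go-5 "$tmphack/go"
export PATH="$tmphack:$PATH"
%endif

# Build environment consumed by hack/make.sh. It is written to a file (and then
# sourced) so the same settings end up in the source copy that install ships in
# the test package. DOCKER_BUILDTAGS enables the apparmor and selinux
# integrations and drops the aufs graph driver; DOCKER_GITCOMMIT stamps the
# binary with git_version from the top of the spec.
(cat <<EOF
export AUTO_GOPATH=1
export DOCKER_BUILDTAGS="exclude_graphdriver_aufs apparmor selinux"
export DOCKER_GITCOMMIT=%{git_version}
EOF
) > docker_build_env
. ./docker_build_env

%ifarch %go_arches
./hack/make.sh dynbinary
# man pages are only generated where go-go-md2man is available (go arches).
man/md2man-all.sh
%else
./hack/make.sh dyngccgo
%endif

# remove other than systemd
# otherwise the resulting package will have extra requires
rm -rf hack/make/.build-deb
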
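%install
# NOTE(review): nothing below installs into go_contribdir; this looks like a
# leftover -- verify the macro is defined at all on the gcc-go architectures.
install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}
# The docker binary produced in build (dynbinary on go arches, dyngccgo elsewhere).
%ifarch %go_arches
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
%else
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
%endif
install -d %{buildroot}/%{_prefix}/lib/docker
# init.d is created but nothing is installed into it and it is not packaged.
install -Dd -m 0755 \
%{buildroot}%{_sysconfdir}/init.d \
%{buildroot}%{_sbindir}

install -D -m0644 contrib/completion/bash/docker "%{buildroot}/etc/bash_completion.d/%{name}"
install -D -m0644 contrib/completion/zsh/_docker "%{buildroot}/etc/zsh_completion.d/%{name}"
# copy all for the test package: the entire build tree, including the
# docker_build_env file written in build (bundles/ is excluded in files test)
install -d %{buildroot}/usr/src/docker/
cp -av . %{buildroot}/usr/src/docker/

#
# systemd service
#
install -D -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/%{name}.service
install -D -m 0644 %SOURCE5 %{buildroot}%{_unitdir}/%{name}.socket
# rcdocker wrapper. Spelled with buildroot/_sbindir like the rest of this
# section (it used to be $RPM_BUILD_ROOT/usr/sbin, the same location).
ln -sf /sbin/service %{buildroot}%{_sbindir}/rcdocker

#
# udev rule that prevents Dolphin from listing every docker device (which
# slows it down); upstream report https://bugs.kde.org/show_bug.cgi?id=329930
#

install -D -m 0644 %SOURCE3 %{buildroot}%{_prefix}/lib/udev/rules.d/80-%{name}.rules

# audit rules: mode 0640 so the set of audited paths is readable by root only
install -D -m 0640 %SOURCE8 %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules

# sysconfig file (fillup template, merged into /etc/sysconfig/docker in post;
# ppc64le carries a different variant, see the TODO next to Source100)
%ifarch ppc64le
install -D -m 644 %SOURCE100 %{buildroot}/var/adm/fillup-templates/sysconfig.docker
%else
install -D -m 644 %SOURCE4 %{buildroot}/var/adm/fillup-templates/sysconfig.docker
%endif

%ifarch %go_arches
# install manpages (generated in build on go arches only)
install -d %{buildroot}%{_mandir}/man1
install -p -m 644 man/man1/*.1 %{buildroot}%{_mandir}/man1
install -d %{buildroot}%{_mandir}/man5
install -p -m 644 man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
%endif

%fdupes %{buildroot}
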
%pre
# We're currently inside rpmlint, which will cause us to fail the tests if it
# happens that the Docker install in the builder requires a migration.
# (BUILD_ROOT is presumably only set inside the OBS build environment, so the
# whole migration check below is skipped there -- confirm.)
if [[ -z "$BUILD_ROOT" ]]
then
# In order to make sure we don't print a scary warning when we shouldn't we
# need to test these things (in this order):
# 1. Check that /var/lib/docker actually exists (docker daemon has run).
# 2. Check that the migrator has *not* finished.
# 3. Check that /var/lib/docker/graph exists (this is a <=1.9.1 thing, but
# will stick around if it has been migrated -- which is why we need the
# MIGRATION_TESTFILE check).
# 4. Check that there are images in the graph/ directory.
# NOTE(review): the condition below does not match steps 3 and 4 as written:
# it tests docker_store a second time (rather than docker_graph, which is
# defined at the top of the spec and otherwise unused) and counts any
# subdirectory of docker_store other than _tmp as evidence of images. Confirm
# whether that is intended before changing it.
if [[ -d "%{docker_store}" && ( ! -f "%{docker_migration_testfile}" ) && -d "%{docker_store}" && -n "$(find "%{docker_store}" -maxdepth 1 -type d 2>/dev/null | grep -Ev '_tmp|^%{docker_store}$')" ]]
then

# Explicit opt-out: the administrator accepts the downtime described below.
if [ -n "$DOCKER_FORCE_INSTALL" ]
then
echo >&2 "*** IGNORING DOWNTIME WARNING! FORCING INSTALLATION. ***"
else

# Everything up to EOF is printed verbatim for the administrator; do not put
# comments inside the here-document.
cat >&2 <<EOF

*** WARNING ***

In the migration from docker<1.10.0 to docker>=1.10.0, the Docker image format
has changed to be completely content-addressible. This results in several positive
improvements to image operations (better caching during builds mainly). However,
the migration operation may take several hours if you have a lot of large images
on a Docker host. In order to ensure that you have minimum downtime, this update
of Docker will not complete successfully, and you will have the opportunity to
run a separate migration tool (which will not cause downtime for your Docker
daemon).

In order to run this migration tool, please install the 'docker-image-migrator'
package. You can run the migration with this command, which will exit after the
migration has been completed:

$ /usr/lib/docker-image-migrator/do-image-migration-v1to2.sh

Because the migrator requires information about the storage driver used by Docker,
the migration script will source /etc/sysconfig/docker and use \$DOCKER_OPTS as
arguments to the migrator. If this automated migration fails, it will be re-attempted
with every known storage driver. In addition, the script accepts arguments which
will simiarly be appended to the set of arguments (after \$DOCKER_OPTS) to the
migrator.

However, if you prefer to not run this separate migration tool, you can force this
update using the following command. THIS WILL CAUSE DOWNTIME, BECAUSE DOCKER WILL
RUN THE MIGRATION ON FIRST START AND YOU WILL BE UNABLE TO START ANY CONTAINERS
OR USE ANY DOCKER COMMANDS (EVEN CONTAINERS WITH RESTART POLICIES ACTIVE):

$ DOCKER_FORCE_INSTALL=1 sudo -E zypper up docker
EOF

# Fail the update.
exit 1
fi
fi

# In order to make sure that we don't accidentally cause problems with an
# upgrade to docker>=1.10.2, we'll touch the same file we tested in (2).
# -m701 is *not* a typo, it is necessary for certain syscalls with remapped
# root.
# (The mode is only applied when the directory is created here; an existing
# docker_store keeps whatever permissions it already has.)
[[ -d "%{docker_store}" ]] || install -d -m701 %{docker_store} || :
touch %{docker_migration_testfile}
fi

# System group for the daemon. NOTE(review): membership in this group is
# generally what grants use of the daemon socket, which is root-equivalent on
# the host -- keep membership tightly controlled and documented.
echo "creating group docker..."
groupadd -r docker 2>/dev/null || :
%service_add_pre %{name}.service %{name}.socket

%post
%service_add_post %{name}.service %{name}.socket
# Merge the fillup template installed in install into /etc/sysconfig/docker.
%{fillup_only -n docker}

%preun
# Stop and disable the service and socket units on removal.
%service_del_preun %{name}.service %{name}.socket

%postun
# Post-removal / upgrade handling for the service and socket units.
%service_del_postun %{name}.service %{name}.socket

%files
%defattr(-,root,root)
%doc README.md LICENSE README_SUSE.md
%{_bindir}/docker
%{_sbindir}/rcdocker
%{_prefix}/lib/docker/
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
# Installed 0640 root:root in install; defattr(-) keeps that mode. As a plain
# config file a locally edited rule set is moved to .rpmsave on upgrade rather
# than kept -- consider config(noreplace) if local audit rules should win.
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
%{_prefix}/lib/udev/rules.d/80-%{name}.rules
/var/adm/fillup-templates/sysconfig.docker
# man pages exist only where they were generated in build (go arches).
%ifarch %go_arches
%{_mandir}/man1/docker-*.1.gz
%{_mandir}/man1/docker.1.gz
%{_mandir}/man5/Dockerfile.5.gz
%endif

%files bash-completion
%defattr(-,root,root)
# Completion script installed by install under /etc/bash_completion.d.
%config %{_sysconfdir}/bash_completion.d/%{name}

%files zsh-completion
%defattr(-,root,root)
# Completion script installed by install under /etc/zsh_completion.d.
%config %{_sysconfdir}/zsh_completion.d/%{name}

%files test
%defattr(-,root,root)
# Full build tree copied by install (including the generated docker_build_env).
/usr/src/docker/
# exclude binaries
%exclude /usr/src/docker/bundles/
# exclude init configurations other than systemd
%exclude /usr/src/docker/contrib/init/openrc
%exclude /usr/src/docker/contrib/init/sysvinit-debian
%exclude /usr/src/docker/contrib/init/sysvinit-redhat
%exclude /usr/src/docker/contrib/init/upstart

%changelog