From 9102c781859d9f4f52802ac2e564c73ffda05d1aa39c3165d3f58490d26d5059 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 7 Nov 2017 09:33:12 +0000 Subject: [PATCH 1/6] Accepting request 539455 from home:cyphar:containers:docker_CVE-2017-16539 - Add a backport of https://github.com/moby/moby/pull/35399, which fixes a security issue where a Docker container (with a disabled AppArmor profile) could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 CVE-2017-16539 + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch OBS-URL: https://build.opensuse.org/request/show/539455 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=210 --- ...01-oci-add-proc-scsi-to-masked-paths.patch | 32 +++++++++++++++++++ docker.changes | 9 ++++++ docker.spec | 4 +++ 3 files changed, 45 insertions(+) create mode 100644 bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch diff --git a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch new file mode 100644 index 0000000..3e19a3c --- /dev/null +++ b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch 
@@ -0,0 +1,32 @@ +From 48dad93f2bfc6ac5a201e98d6029fcff9cfbba80 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Tue, 7 Nov 2017 18:32:41 +1100 +Subject: [PATCH] oci: add /proc/scsi to masked paths + +This is writeable, and can be used to remove devices. Containers do +not need to know about scsi devices. + +Fixes: CVE-2017-16539 +SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801 +Signed-off-by: Justin Cormack +Signed-off-by: Aleksa Sarai +--- + oci/defaults.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/oci/defaults.go b/oci/defaults.go +index d706fafcc021..188ec3149659 100644 +--- a/oci/defaults.go ++++ b/oci/defaults.go +@@ -132,6 +132,8 @@ func DefaultLinuxSpec() specs.Spec { + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", ++ "/sys/firmware", ++ "/proc/scsi", + }, + ReadonlyPaths: []string{ + "/proc/asound", +-- +2.14.3 + diff --git a/docker.changes b/docker.changes index 1826677..894ea65 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com + +- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a + security issue where a Docker container (with a disabled AppArmor profile) + could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 + CVE-2017-16539 + + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch + ------------------------------------------------------------------- Tue Oct 24 06:50:29 UTC 2017 - asarai@suse.com diff --git a/docker.spec b/docker.spec index 658c455..61173fa 100644 --- a/docker.spec +++ b/docker.spec 
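Review bot: The nested patch's subject and body only describe masking `/proc/scsi`, yet the hunk in oci/defaults.go also adds `"/sys/firmware"` to MaskedPaths without a word about it, and a CVE backport should carry either only the fix or an explanation of every extra line. Either extend the patch description (e.g. `Also mask /sys/firmware, which containers do not need either`) or drop that line from the backport. The embedded diffstat (`2 insertions`) matches the hunk, so this is deliberate rather than a stray edit; the later 2/6 commit in this series removes the line again. Since the change lands in the default OCI spec it mitigates independently of the AppArmor profile the changelog mentions, but it presumably only applies to containers that keep the default masked-path list.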
@@ -68,6 +68,8 @@ Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781 Patch403: bsc1064781-0001-Allow-to-override-build-date.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539 +Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -191,6 +193,8 @@ Test package for docker. It contains the source code and the tests. %patch402 -p1 -d components/engine # boo#1064781 %patch403 -p1 -d components/engine +# boo#1066801 CVE-2017-16539 +%patch404 -p1 -d components/engine cp %{SOURCE7} . cp %{SOURCE9} . From 2c5d57165f2668e9b8d70504ecc0eb11fb4982c6e57c8728f2f7e0cfa3ab71fd Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 7 Nov 2017 10:53:24 +0000 Subject: [PATCH 2/6] Accepting request 539487 from home:cyphar:containers:docker_CVE-2017-16539 Update bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch. OBS-URL: https://build.opensuse.org/request/show/539487 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=211 --- ...66801-0001-oci-add-proc-scsi-to-masked-paths.patch | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch index 3e19a3c..315cd5b 100644 --- a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch +++ b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch @@ -1,4 +1,4 @@ -From 48dad93f2bfc6ac5a201e98d6029fcff9cfbba80 Mon Sep 17 00:00:00 2001 +From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 7 Nov 2017 18:32:41 +1100 Subject: [PATCH] oci: add /proc/scsi to masked paths 
@@ -11,18 +11,17 @@ SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801 Signed-off-by: Justin Cormack Signed-off-by: Aleksa Sarai --- - oci/defaults.go | 2 ++ - 1 file changed, 2 insertions(+) + oci/defaults.go | 1 + + 1 file changed, 1 insertion(+) diff --git a/oci/defaults.go b/oci/defaults.go -index d706fafcc021..188ec3149659 100644 +index d706fafcc021..a7fd285060c2 100644 --- a/oci/defaults.go +++ b/oci/defaults.go -@@ -132,6 +132,8 @@ func DefaultLinuxSpec() specs.Spec { +@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec { "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", -+ "/sys/firmware", + "/proc/scsi", }, ReadonlyPaths: []string{ From ca68434d7941841e6577ae74f105d07747d947e4995e7f066f5b23e18a8efb4e Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 7 Nov 2017 17:23:31 +0000 Subject: [PATCH 3/6] Accepting request 539622 from home:cyphar:containers:docker_CVE-2017-14992 - Add a backport of https://github.com/moby/moby/pull/35424, which fixes a security issue where a maliciously crafted image could be used to crash a Docker daemon. bsc#1066210 CVE-2017-14992 + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch OBS-URL: https://build.opensuse.org/request/show/539622 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=212 --- ...-github.com-vbatts-tar-split-v0.10.2.patch | 118 ++++++++++++++++++ docker.changes | 8 ++ docker.spec | 4 + 3 files changed, 130 insertions(+) create mode 100644 bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch diff --git a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch new file mode 100644 index 0000000..b3dca29 --- /dev/null +++ b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch 
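Review bot: The refreshed patch drops the `/sys/firmware` line (diffstat now `1 insertion`) while the commit message says only "Update ... patch", so there is no record of why a masked path was removed from a security backport. One sentence in the message or in the nested patch header would settle it, e.g. `Drop /sys/firmware: not part of the CVE-2017-16539 fix` or `Drop /sys/firmware: already masked in the packaged base`, whichever is true. The replaced upstream `From` hash is worth a mention for the same reason, so a reader can tell which upstream commit the backport now tracks.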
@@ -0,0 +1,118 @@ +From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Wed, 8 Nov 2017 02:50:52 +1100 +Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2 + +Update to the latest version of tar-split, which includes a change to +fix a memory exhaustion issue where a malformed image could cause the +Docker daemon to crash. + + * tar: asm: store padding in chunks to avoid memory exhaustion + +Fixes: CVE-2017-14992 +SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210 +Signed-off-by: Aleksa Sarai +--- + vendor.conf | 2 +- + vendor/github.com/vbatts/tar-split/README.md | 3 +- + .../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++-------- + 3 files changed, 31 insertions(+), 17 deletions(-) + +diff --git a/vendor.conf b/vendor.conf +index 535adad38728..ea4f75bbea10 100644 +--- a/vendor.conf ++++ b/vendor.conf +@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7 + + # get graph and distribution packages + github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621 +-github.com/vbatts/tar-split v0.10.1 ++github.com/vbatts/tar-split v0.10.2 + github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb + + # get go-zfs packages +diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md +index 4c544d823fbc..03e3ec4308b7 100644 +--- a/vendor/github.com/vbatts/tar-split/README.md ++++ b/vendor/github.com/vbatts/tar-split/README.md +@@ -1,6 +1,7 @@ + # tar-split + + [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split) ++[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split) + + Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive. 
+ +@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a + contiguous file, though the archive contents may be recorded in sparse format. + Therefore when adding the file payload to a reassembled tar, to achieve + identical output, the file payload would need be precisely re-sparsified. This +-is not something I seek to fix imediately, but would rather have an alert that ++is not something I seek to fix immediately, but would rather have an alert that + precise reassembly is not possible. + (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html) + +diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go +index 54ef23aed366..009b3f5d8124 100644 +--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go ++++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go +@@ -2,7 +2,6 @@ package asm + + import ( + "io" +- "io/ioutil" + + "github.com/vbatts/tar-split/archive/tar" + "github.com/vbatts/tar-split/tar/storage" +@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io + } + } + +- // it is allowable, and not uncommon that there is further padding on the +- // end of an archive, apart from the expected 1024 null bytes. +- remainder, err := ioutil.ReadAll(outputRdr) +- if err != nil && err != io.EOF { +- pW.CloseWithError(err) +- return +- } +- _, err = p.AddEntry(storage.Entry{ +- Type: storage.SegmentType, +- Payload: remainder, +- }) +- if err != nil { +- pW.CloseWithError(err) +- return ++ // It is allowable, and not uncommon that there is further padding on ++ // the end of an archive, apart from the expected 1024 null bytes. We ++ // do this in chunks rather than in one go to avoid cases where a ++ // maliciously crafted tar file tries to trick us into reading many GBs ++ // into memory. 
++ const paddingChunkSize = 1024 * 1024 ++ var paddingChunk [paddingChunkSize]byte ++ for { ++ var isEOF bool ++ n, err := outputRdr.Read(paddingChunk[:]) ++ if err != nil { ++ if err != io.EOF { ++ pW.CloseWithError(err) ++ return ++ } ++ isEOF = true ++ } ++ _, err = p.AddEntry(storage.Entry{ ++ Type: storage.SegmentType, ++ Payload: paddingChunk[:n], ++ }) ++ if err != nil { ++ pW.CloseWithError(err) ++ return ++ } ++ if isEOF { ++ break ++ } + } + pW.Close() + }() +-- +2.14.3 + diff --git a/docker.changes b/docker.changes index 894ea65..29ba17a 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Nov 7 16:47:01 UTC 2017 - asarai@suse.com + +- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a + security issue where a maliciously crafted image could be used to crash a + Docker daemon. bsc#1066210 CVE-2017-14992 + + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch + ------------------------------------------------------------------- Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com diff --git a/docker.spec b/docker.spec index 61173fa..4ef0b21 100644 --- a/docker.spec +++ b/docker.spec @@ -70,6 +70,8 @@ Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-a Patch403: bsc1064781-0001-Allow-to-override-build-date.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539 Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992 +Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
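Review bot: `Payload: paddingChunk[:n]` hands the packer a slice of the local `paddingChunk` array that the next `outputRdr.Read` overwrites, so correctness depends on `p.AddEntry` consuming or copying the payload before it returns; `storage.Packer` is outside this hunk, so the loop deserves a comment such as `// AddEntry must not retain Payload: paddingChunk is reused on the next iteration.`. A second behaviour change from the old ReadAll path: when the reader returns the trailing bytes and io.EOF on separate calls, the loop now emits an extra zero-length SegmentType entry on the EOF read, whereas the old code always emitted exactly one entry; if that matters to reassembly, skip the AddEntry when `n == 0 && isEOF`. The 1 MiB chunking bounds per-read memory but not the total volume of trailing data, which is presumably bounded only by whatever the packer writes to. NewInputTarStream begins and continues outside the hunk.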
@@ -195,6 +197,8 @@ Test package for docker. It contains the source code and the tests. %patch403 -p1 -d components/engine # boo#1066801 CVE-2017-16539 %patch404 -p1 -d components/engine +# boo#1066210 CVE-2017-14992 +%patch405 -p1 -d components/engine cp %{SOURCE7} . cp %{SOURCE9} . From 9a0bb40a4654a365cddf0b1fee7f4dd3f2d470da297ce85c39a693cc3d048ec7 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 9 Nov 2017 11:08:27 +0000 Subject: [PATCH 4/6] - Fix bsc#1059011 The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from 'simple' to 'notify' and remove the now superfluous helper script. - fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the newer version of docker-libnetwork. This is necessary because of a versioning bug we found in bsc#1057743. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=213 --- docker.changes | 17 +++++++++++++++++ docker.service | 2 +- docker.spec | 4 ++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/docker.changes b/docker.changes index 29ba17a..581c0a8 100644 --- a/docker.changes +++ b/docker.changes 
@@ -48,6 +48,23 @@ Mon Oct 9 11:36:59 UTC 2017 - asarai@suse.com * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +------------------------------------------------------------------- +Mon Oct 2 08:12:17 UTC 2017 - vrothberg@suse.com + +- Fix bsc#1059011 + + The systemd service helper script used a timeout of 60 seconds to + start the daemon, which is insufficient in cases where the daemon + takes longer to start. Instead, set the service type from 'simple' to + 'notify' and remove the now superfluous helper script. + +------------------------------------------------------------------- +Wed Sep 27 15:04:19 UTC 2017 - jmassaguerpla@suse.com + +- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the + newer version of docker-libnetwork. This is necessary because of a versioning + bug we found in bsc#1057743. + ------------------------------------------------------------------- Fri Sep 15 15:32:49 UTC 2017 - jmassaguerpla@suse.com diff --git a/docker.service b/docker.service index ea5d855..ead1d5f 100644 --- a/docker.service +++ b/docker.service @@ -10,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker # While Docker has support for socket activation (-H fd://), this is not # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. -Type=simple +Type=notify ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID diff --git a/docker.spec b/docker.spec index 4ef0b21..e38fc5d 100644 --- a/docker.spec +++ b/docker.spec 
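Review bot: `Type=notify` makes systemd wait for a READY=1 notification from the `ExecStart` process, so the unit only becomes active if dockerd itself calls sd_notify; the packaged daemon source is outside this diff, so that assumption should be stated above the line, e.g. `# dockerd sends sd_notify(READY=1) once it is serving; systemd's TimeoutStartSec still applies.`. The changelog motivates the change with a 60-second helper timeout, but notify-type units are still bounded by `TimeoutStartSec` (90 s by default), so if daemon start-up can exceed that the unit also needs an explicit `TimeoutStartSec=` value. The same hunk is reverted in 5/6 and reapplied unchanged in 6/6, so the point applies there too.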
@@ -102,7 +102,11 @@ BuildRequires: zsh Requires: apparmor-parser Requires: bridge-utils Requires: ca-certificates-mozilla +# Required in order for networking to work. fix_bsc_1057743 is a work-around +# for some old packaging issues (where rpm would delete a binary that was +# installed by docker-libnetwork). See bsc#1057743 for more details. Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 +Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of From 7ee12cd06b50a2fda836a7fcb91a615de0de65d9b70ad0922d5f044f081d473d Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 9 Nov 2017 11:09:35 +0000 Subject: [PATCH 5/6] osc copypac from project:Virtualization:containers package:docker revision:212 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=214 --- docker.changes | 17 ----------------- docker.service | 2 +- docker.spec | 4 ---- 3 files changed, 1 insertion(+), 22 deletions(-) diff --git a/docker.changes b/docker.changes index 581c0a8..29ba17a 100644 --- a/docker.changes +++ b/docker.changes 
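Review bot: The commit message says the now superfluous helper script is removed, but this docker.spec hunk only adds `Requires: fix_bsc_1057743` plus its comment, and the diffstat shows 4 insertions and no deletions, so the helper stays packaged in this commit. The `%files` removal of `%{_libexecdir}/docker/` only appears in 6/6 after the 5/6 revert; it would be cleaner to land it here or to say in the message that it follows. The added comment explains the virtual requirement well; naming the docker-libnetwork build that first provides `fix_bsc_1057743` would let the workaround be retired later.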
@@ -48,23 +48,6 @@ Mon Oct 9 11:36:59 UTC 2017 - asarai@suse.com * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch -------------------------------------------------------------------- -Mon Oct 2 08:12:17 UTC 2017 - vrothberg@suse.com - -- Fix bsc#1059011 - - The systemd service helper script used a timeout of 60 seconds to - start the daemon, which is insufficient in cases where the daemon - takes longer to start. Instead, set the service type from 'simple' to - 'notify' and remove the now superfluous helper script. - -------------------------------------------------------------------- -Wed Sep 27 15:04:19 UTC 2017 - jmassaguerpla@suse.com - -- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the - newer version of docker-libnetwork. This is necessary because of a versioning - bug we found in bsc#1057743. - ------------------------------------------------------------------- Fri Sep 15 15:32:49 UTC 2017 - jmassaguerpla@suse.com diff --git a/docker.service b/docker.service index ead1d5f..ea5d855 100644 --- a/docker.service +++ b/docker.service @@ -10,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker # While Docker has support for socket activation (-H fd://), this is not # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. -Type=notify +Type=simple ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID diff --git a/docker.spec b/docker.spec index e38fc5d..4ef0b21 100644 --- a/docker.spec +++ b/docker.spec 
@@ -102,11 +102,7 @@ BuildRequires: zsh Requires: apparmor-parser Requires: bridge-utils Requires: ca-certificates-mozilla -# Required in order for networking to work. fix_bsc_1057743 is a work-around -# for some old packaging issues (where rpm would delete a binary that was -# installed by docker-libnetwork). See bsc#1057743 for more details. Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 -Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of From 6a6c6aa17028cf0915e1c06ba4a28425b2bddbc919af27329f6a4e4cba5e24ee Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 9 Nov 2017 12:24:37 +0000 Subject: [PATCH 6/6] Accepting request 540191 from home:cyphar:containers:docker_forwardport - Fix bsc#1059011 The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from 'simple' to 'notify' and remove the now superfluous helper script. - fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the newer version of docker-libnetwork. This is necessary because of a versioning bug we found in bsc#1057743. OBS-URL: https://build.opensuse.org/request/show/540191 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=215 --- docker.changes | 17 +++++++++++++++++ docker.service | 2 +- docker.spec | 5 ++++- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/docker.changes b/docker.changes index 29ba17a..581c0a8 100644 --- a/docker.changes +++ b/docker.changes 
@@ -48,6 +48,23 @@ Mon Oct 9 11:36:59 UTC 2017 - asarai@suse.com * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +------------------------------------------------------------------- +Mon Oct 2 08:12:17 UTC 2017 - vrothberg@suse.com + +- Fix bsc#1059011 + + The systemd service helper script used a timeout of 60 seconds to + start the daemon, which is insufficient in cases where the daemon + takes longer to start. Instead, set the service type from 'simple' to + 'notify' and remove the now superfluous helper script. + +------------------------------------------------------------------- +Wed Sep 27 15:04:19 UTC 2017 - jmassaguerpla@suse.com + +- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the + newer version of docker-libnetwork. This is necessary because of a versioning + bug we found in bsc#1057743. + ------------------------------------------------------------------- Fri Sep 15 15:32:49 UTC 2017 - jmassaguerpla@suse.com diff --git a/docker.service b/docker.service index ea5d855..ead1d5f 100644 --- a/docker.service +++ b/docker.service @@ -10,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker # While Docker has support for socket activation (-H fd://), this is not # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. -Type=simple +Type=notify ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID diff --git a/docker.spec b/docker.spec index 4ef0b21..1cfe948 100644 --- a/docker.spec +++ b/docker.spec 
@@ -102,7 +102,11 @@ BuildRequires: zsh Requires: apparmor-parser Requires: bridge-utils Requires: ca-certificates-mozilla +# Required in order for networking to work. fix_bsc_1057743 is a work-around +# for some old packaging issues (where rpm would delete a binary that was +# installed by docker-libnetwork). See bsc#1057743 for more details. Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 +Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of @@ -443,7 +447,6 @@ fi %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker -%{_libexecdir}/docker/ %{_unitdir}/%{name}.service %config %{_sysconfdir}/audit/rules.d/%{name}.rules %{_udevrulesdir}/80-%{name}.rules
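Review bot: Dropping `%{_libexecdir}/docker/` from `%files` is only half of removing the helper script: if the `%install` section still copies the script into that directory, rpmbuild fails with an unpackaged-files error, and the `%install` change is not in this diff, so it should be confirmed to be present or added to the same commit. Any `Source` entry that still names the helper becomes dead and could be dropped in the same pass. The `Requires: fix_bsc_1057743` hunk is identical to the one in 4/6 and is adequately commented.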