- Update to 1.10.0 version

Add usernamespace support Add support for custom seccomp profiles Improvements in network and volume management detailed changelog in 590d5108bb/CHANGELOG.md OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=58
2016-02-05 09:21:26 +00:00 · 2016-02-05 09:21:26 +00:00 · 64062d332d
commit 64062d332d
parent 9dce1f84b9
15 changed files with 75 additions and 290 deletions
--- a/4
+++ b/4
@ -3,8 +3,8 @@
    <param name="url">https://github.com/docker/docker.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">1.9.1</param>
+    <param name="versionformat">1.10.0</param>
-    <param name="revision">v1.9.1</param>
+    <param name="revision">v1.10.0</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="file">docker-*.tar</param>
--- a/add_bolt_arm64.patch
+++ b/add_bolt_arm64.patch
@ -1,20 +0,0 @@
 From: Michel Normand <normand@linux.vnet.ibm.com>
 Subject: add bolt arm64
 Date: Fri, 04 Dec 2015 17:07:22 +0100
 add bolt arm64
 Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
 ---
 vendor/src/github.com/boltdb/bolt/bolt_arm64.go |    4 ++++
 1 file changed, 4 insertions(+)
 Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_arm64.go
 ===================================================================
 --- /dev/null
 +++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_arm64.go
@@ -0,0 +1,4 @@
 +package bolt
 +
 +// maxMapSize represents the largest mmap size supported by Bolt.
 +const maxMapSize = 0xFFFFFFFFFFFF // 256TB
--- a/add_bolt_ppc64.patch
+++ b/add_bolt_ppc64.patch
@ -1,23 +0,0 @@
 ---
 vendor/src/github.com/boltdb/bolt/bolt_ppc64.go   |    4 ++++
 vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go |    4 ++++
 2 files changed, 8 insertions(+)
 Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
 ===================================================================
 --- /dev/null
 +++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
@@ -0,0 +1,4 @@
 +package bolt
 +
 +// maxMapSize represents the largest mmap size supported by Bolt.
 +const maxMapSize = 0xFFFFFFFFFFFF // 256TB
 Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go
 ===================================================================
 --- /dev/null
 +++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go
@@ -0,0 +1,4 @@
 +package bolt
 +
 +// maxMapSize represents the largest mmap size supported by Bolt.
 +const maxMapSize = 0xFFFFFFFFFFFF // 256TB
--- a/docker-1.9.1.tar.xz
+++ b/docker-1.9.1.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:edb9bdbcce529e4170b6ad8a14643b12f176c8d2b1690f182f29bc79e3dde3c0
 size 6283244
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Fri Feb  5 09:14:15 UTC 2016 - jmassaguerpla@suse.com
 - Update to 1.10.0 version
  Add usernamespace support
  Add support for custom seccomp profiles
  Improvements in network and volume management
 detailed changelog in
 https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/CHANGELOG.md 
 -------------------------------------------------------------------
 Wed Jan 27 23:40:09 UTC 2016 - asarai@suse.com
@ -16,8 +29,8 @@ Thu Jan 21 16:52:41 UTC 2016 - jmassaguerpla@suse.com
  Thus, we need to workaround the workaroundn in tumbleweed
 - There was an error in one of the file list
-  
+
- 
+
 -------------------------------------------------------------------
 Wed Dec 23 10:47:04 UTC 2015 - fcastelli@suse.com
@ -181,11 +194,11 @@ Thu Sep 10 22:33:01 UTC 2015 - jmassaguerpla@suse.com
  see detailed changelog in
-  https://github.com/docker/docker/releases/tag/v1.8.2 
+  https://github.com/docker/docker/releases/tag/v1.8.2
  fix bsc#946653 update do docker 1.8.2
- devicemapper: fix zero-sized field access 
+- devicemapper: fix zero-sized field access
  Fix issue #15279: does not build with Go 1.5 tip
  Due to golang/go@7904946
  the devices field is dropped.
@ -193,7 +206,7 @@ Thu Sep 10 22:33:01 UTC 2015 - jmassaguerpla@suse.com
  This solution works on go1.4 and go1.5
  See more in https://github.com/docker/docker/pull/15404
-  
+
  This fix was not included in v1.8.2. See previous link
  on why.
@ -221,9 +234,9 @@ Thu Aug 13 09:00:25 UTC 2015 - jmassaguerpla@suse.com
 - Update to docker 1.8.0:
  see detailed changelog in
-  https://github.com/docker/docker/releases/tag/v1.8.0 
+  https://github.com/docker/docker/releases/tag/v1.8.0
- remove docker-netns-aarch64.patch: This patch was adding 
+- remove docker-netns-aarch64.patch: This patch was adding
   vendor/src/github.com/vishvananda/netns/netns_linux_arm64.go
  which is now included upstream, so we don't need this patch anymore
@ -233,7 +246,7 @@ Fri Jul 24 14:24:16 UTC 2015 - jmassaguerpla@suse.com
 - Exclude archs where docker does not build. Otherwise it gets into
  and infinite loop when building.
-  We'll fix that later if we want to release for those archs. 
+  We'll fix that later if we want to release for those archs.
 -------------------------------------------------------------------
 Wed Jul 15 08:11:11 UTC 2015 - jmassaguerpla@suse.com
@ -262,18 +275,18 @@ Distribution
    Fix pulling private images
    Fix fallback between registry V2 and V1
- 
+
 -------------------------------------------------------------------
 Fri Jul 10 11:22:00 UTC 2015 - jmassaguerpla@suse.com
- Exclude init scripts other than systemd from the test-package 
+- Exclude init scripts other than systemd from the test-package
 -------------------------------------------------------------------
 Wed Jul  1 12:38:50 UTC 2015 - jmassaguerpla@suse.com
 - Exclude intel 32 bits arch. Docker does not built on that. Let's
-  make it explicit. 
+  make it explicit.
 -------------------------------------------------------------------
 Thu Jun 25 16:49:59 UTC 2015 - dmueller@suse.com
@ -325,7 +338,7 @@ Mon Jun 22 08:48:11 UTC 2015 - fcastelli@suse.com
 -------------------------------------------------------------------
 Tue Jun  9 16:35:46 UTC 2015 - jmassaguerpla@suse.com
- Add test subpackage and fix line numbers in patches 
+- Add test subpackage and fix line numbers in patches
 -------------------------------------------------------------------
 Fri Jun  5 15:29:45 UTC 2015 - fcastelli@suse.com
@ -498,7 +511,7 @@ Fri Dec 12 16:13:30 UTC 2014 - fcastelli@suse.com
  * Notable Features since 1.3.0:
    - Set key=value labels to the daemon (displayed in `docker info`), applied with
      new `-label` daemon flag
-    - Add support for `ENV` in Dockerfile of the form: 
+    - Add support for `ENV` in Dockerfile of the form:
      `ENV name=value name2=value2...`
    - New Overlayfs Storage Driver
    - `docker info` now returns an `ID` and `Name` field
@ -976,7 +989,7 @@ Wed Feb 19 08:35:27 UTC 2014 - fcastelli@suse.com
      - Fix broken images API for version less than 1.7
      - Use the right encoding for all API endpoints which return JSON
      - Move remote api client to api/
-      - Queue calls to the API using generic socket wait 
+      - Queue calls to the API using generic socket wait
    * Runtime:
      - Fix the use of custom settings for bridges and custom bridges
      - Refactor the devicemapper code to avoid many mount/unmount race
@ -1099,7 +1112,7 @@ Fri Jan 10 10:44:23 UTC 2014 - fcastelli@suse.com
      * Do not add hostname when networking is disabled
      * Return most recent image from the cache by date
      * Return all errors from docker wait
-      * Add Content-Type Header "application/json" to GET /version and /info responses 
+      * Add Content-Type Header "application/json" to GET /version and /info responses
    * Other:
      - Update DCO to version 1.1
      - Update Makefile to use "docker:GIT_BRANCH" as the generated image name
@ -1118,7 +1131,7 @@ Fri Jan 10 10:44:23 UTC 2014 - fcastelli@suse.com
      - Fix for wrong version warning on master instead of latest
    * Runtime:
      - Only get the image's rootfs when we need to calculate the image size
-      - Correctly handle unmapping UDP ports 
+      - Correctly handle unmapping UDP ports
      - Make CopyFileWithTar use a pipe instead of a buffer to save memory on docker build
      - Fix login message to say pull instead of push
      - Fix "docker load" help by removing "SOURCE" prompt and mentioning STDIN
--- a/docker.spec
+++ b/docker.spec
@ -16,10 +16,10 @@
 #
-%define git_version a34a1d5
+%define git_version 590d510
 %define go_arches %ix86 x86_64
 Name:           docker
-Version:        1.9.1
+Version:        1.10.0
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@ -41,34 +41,16 @@ Source7:        README_SUSE.md
 Source8:        docker-audit.rules
 # TODO: remove once we figure out what is wrong with iptables on ppc64le
 Source100:      sysconfig.docker.ppc64le
-Patch0:         fix-docker-init.patch
+Patch0:         fix_platform_type_arm.patch
-# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
+Patch1:         gcc5_socket_workaround.patch
-Patch1:         libcontainer-apparmor-fixes.patch
+Patch100:       gcc-go-patches.patch
-# fix regexp in apparmor default profile. This is already fixed upstream so in version > 1.9.1 it should be already fixed
+Patch101:       fix-ppc64le.patch
 Patch2:         fix_bnc_958255.patch
 # fix default cgroups. This is fixed upstream, too.
 Patch3:         use_fs_cgroups_by_default.patch
 # fix an issue with cgroups. This is fixed upstream, too.
 Patch4:         fix_cgroup.parent_path_sanitisation.patch
 # fix an issue with JSON and containers not starting. This is fixed upstream, too.
 Patch5:         fix_json_econnreset_bug.patch
 # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
 # Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
 # We cannot do that, right now a quick and really dirty way to get it running is
 # to simply disable this check
 # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/# !msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
 Patch6:         gcc5_socket_workaround.patch
 Patch100:       ignore-dockerinit-checksum.patch
 Patch101:       gcc-go-patches.patch
 Patch102:       add_bolt_ppc64.patch
 Patch105:       add_bolt_arm64.patch
 Patch108:       fix-ppc64le.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  glibc-devel-static
 %ifarch %go_arches
-BuildRequires:  go >= 1.4
+BuildRequires:  go >= 1.5
 BuildRequires:  go-go-md2man
 %else
 BuildRequires:  gcc5-go >= 5.0
@ -156,11 +138,6 @@ Test package for docker. It contains the source code and the tests.
 %prep
 %setup -q -n docker-%{version}
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 # 1330 is Tumbleweed after leap has been released
 # gcc5-go in Tumbleweed includes this commit
 # https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb
@ -169,14 +146,11 @@ Test package for docker. It contains the source code and the tests.
 # for that issue.
 # Thus, we need to workaround the workaroundn in tumbleweed
 %if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1
-%patch6 -p1
+%patch1 -p1
 %endif
 %ifnarch %go_arches
 %patch100 -p1
-%patch101 -p0
+%patch101 -p1
 %patch102 -p1
 %patch105 -p1
 %patch108 -p1
 %endif
 cp %{SOURCE7} .
@ -213,10 +187,8 @@ install -d %{buildroot}%{go_contribdir}
 install -d %{buildroot}%{_bindir}
 %ifarch %go_arches
 install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
 install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
 %else
 install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
 install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
 %endif
 install -d %{buildroot}/%{_prefix}/lib/docker
 install -Dd -m 0755 \
@ -284,7 +256,6 @@ groupadd -r docker 2>/dev/null || :
 %{_bindir}/docker
 %{_sbindir}/rcdocker
 %{_prefix}/lib/docker/
 %{_prefix}/lib/docker/dockerinit
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}.socket
 %config %{_sysconfdir}/audit/rules.d/%{name}.rules
--- a/fix-docker-init.patch
+++ b/fix-docker-init.patch
@ -1,10 +0,0 @@
 diff -Naur a/hack/make/.dockerinit b/hack/make/.dockerinit
 --- a/hack/make/.dockerinit	2015-08-11 18:35:27.000000000 +0200
 +++ b/hack/make/.dockerinit	2015-08-12 18:14:25.743452565 +0200
@@ -29,5 +29,6 @@
 	exit 1
 fi
 +/usr/bin/strip -s $DEST/dockerinit-$VERSION
 # sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
 export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)
--- a/fix-ppc64le.patch
+++ b/fix-ppc64le.patch
@ -1,3 +1,4 @@
 Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
 ===================================================================
 --- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
@ -5,9 +6,9 @@ Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netli
@@ -1,4 +1,4 @@
 -// +build arm ppc64 ppc64le
 +// +build arm ppc64,!ppc64le
- 
+
 package bridge
- 
+
 Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
 ===================================================================
 --- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
@ -15,6 +16,5 @@ Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netli
@@ -1,4 +1,4 @@
 -// +build !arm,!ppc64,!ppc64le
 +// +build !arm,!ppc64 ppc64le
- 
+
 package bridge
--- a/fix_bnc_958255.patch
+++ b/fix_bnc_958255.patch
@ -1,13 +0,0 @@
 diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
 index 3aaba98..06babd3 100644
 --- a/daemon/execdriver/native/apparmor.go
 +++ b/daemon/execdriver/native/apparmor.go
@@ -40,7 +40,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   file,
   umount,
 -  deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
 +  deny @{PROC}/{*,**^[0-9]*,sys/kernel/shm*} wkx,
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/mem rwklx,
   deny @{PROC}/kmem rwklx,
--- a/fix_cgroup.parent_path_sanitisation.patch
+++ b/fix_cgroup.parent_path_sanitisation.patch
@ -1,67 +0,0 @@
 diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
 index a0a93a4..da31d06 100644
 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
 +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@@ -216,12 +216,39 @@ func (m *Manager) GetPids() ([]int, error) {
 	return cgroups.GetPids(dir)
 }
 +// pathClean makes a path safe for use with filepath.Join. This is done by not
 +// only cleaning the path, but also (if the path is relative) adding a leading
 +// '/' and cleaning it (then removing the leading '/'). This ensures that a
 +// path resulting from prepending another path will always resolve to lexically
 +// be a subdirectory of the prefixed path. This is all done lexically, so paths
 +// that include symlinks won't be safe as a result of using pathClean.
 +func pathClean(path string) string {
 +	// Ensure that all paths are cleaned (especially problematic ones like
 +	// "/../../../../../" which can cause lots of issues).
 +	path = filepath.Clean(path)
 +
 +	// If the path isn't absolute, we need to do more processing to fix paths
 +	// such as "../../../../<etc>/some/path". We also shouldn't convert absolute
 +	// paths to relative ones.
 +	if !filepath.IsAbs(path) {
 +		path = filepath.Clean(string(os.PathSeparator) + path)
 +		// This can't fail, as (by definition) all paths are relative to root.
 +		path, _ = filepath.Rel(string(os.PathSeparator), path)
 +	}
 +
 +	// Clean the path again for good measure.
 +	return filepath.Clean(path)
 +}
 +
 func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {
 	root, err := getCgroupRoot()
 	if err != nil {
 		return nil, err
 	}
 +	// Clean the parent slice path.
 +	c.Parent = pathClean(c.Parent)
 +
 	cgroup := c.Name
 	if c.Parent != "" {
 		cgroup = filepath.Join(c.Parent, cgroup)
 diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
 index f3ec2c3..0b13115 100644
 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
 +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@@ -4,6 +4,7 @@ package fs
 import (
 	"bytes"
 +	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -92,6 +93,10 @@ func (s *CpusetGroup) ensureParent(current, root string) error {
 	if filepath.Clean(parent) == root {
 		return nil
 	}
 +	// Avoid infinite recursion.
 +	if parent == current {
 +		return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
 +	}
 	if err := s.ensureParent(parent, root); err != nil {
 		return err
 	}
--- a/fix_platform_type_arm.patch
+++ b/fix_platform_type_arm.patch
@ -0,0 +1,20 @@
 diff --git a/pkg/platform/utsname_int8.go b/pkg/platform/utsname_int8.go
 index 5dcbadf..a022a35 100644
 --- a/pkg/platform/utsname_int8.go
 +++ b/pkg/platform/utsname_int8.go
@@ -1,4 +1,4 @@
 -// +build linux,386 linux,amd64 linux,arm64
 +// +build linux,386 linux,amd64
 // see golang's sources src/syscall/ztypes_linux_*.go that use int8
 package platform
 diff --git a/pkg/platform/utsname_uint8.go b/pkg/platform/utsname_uint8.go
 index c9875cf..0ee937a 100644
 --- a/pkg/platform/utsname_uint8.go
 +++ b/pkg/platform/utsname_uint8.go
@@ -1,4 +1,4 @@
 -// +build linux,arm linux,ppc64 linux,ppc64le s390x
 +// +build linux,arm linux,ppc64 linux,ppc64le s390x linux,arm64 linux,aarch64
 // see golang's sources src/syscall/ztypes_linux_*.go that use uint8
 package platform
--- a/gcc-go-patches.patch
+++ b/gcc-go-patches.patch
@ -1,33 +1,24 @@
-Index: hack/make/.dockerinit-gccgo
+diff --git a/hack/make/gccgo b/hack/make/gccgo
-===================================================================
+index 878c814..84b7f69 100644
--- hack/make/.dockerinit-gccgo.orig
+--- a/hack/make/gccgo
-+++ hack/make/.dockerinit-gccgo
+++ b/hack/make/gccgo
@@ -1,5 +1,5 @@
 #!/bin/bash
 -set -e
 +set -ex
- 
+
 IAMSTATIC="true"
 source "${MAKEDIR}/.go-autogen"
 Index: hack/make/gccgo
 ===================================================================
 --- hack/make/gccgo.orig
 +++ hack/make/gccgo
@@ -1,5 +1,5 @@
 #!/bin/bash
 -set -e
 +set -ex
 BINARY_NAME="docker-$VERSION"
 BINARY_EXTENSION="$(binary_extension)"
-@@ -17,6 +17,8 @@ go build -compiler=gccgo \
+@@ -16,9 +16,11 @@ go build -compiler=gccgo \
 	"${BUILDFLAGS[@]}" \
 	-gccgoflags "
 		-g
-+		-Wl,--add-needed -Wl,--no-as-needed
+   -Wl,--add-needed -Wl,--no-as-needed
 		$EXTLDFLAGS_STATIC
-+		-static-libgo
+   -static-libgo
 		-Wl,--no-export-dynamic
 -		-ldl
 +		-ldl -lselinux -lsystemd
 		-pthread
 	" \
 	./docker
--- a/ignore-dockerinit-checksum.patch
+++ b/ignore-dockerinit-checksum.patch
@ -1,12 +0,0 @@
 diff -Naur a/utils/utils.go b/utils/utils.go
 --- a/utils/utils.go	2015-08-11 18:35:27.000000000 +0200
 +++ b/utils/utils.go	2015-08-12 18:06:47.930445696 +0200
@@ -76,7 +76,7 @@
 		}
 		return os.SameFile(targetFileInfo, selfPathFileInfo)
 	}
 -	return dockerversion.INITSHA1 != "" && dockerInitSha1(target) == dockerversion.INITSHA1
 +	return true
 }
 // DockerInitPath figures out the path of our dockerinit (which may be SelfPath())
--- a/libcontainer-apparmor-fixes.patch
+++ b/libcontainer-apparmor-fixes.patch
@ -1,11 +0,0 @@
 diff -Naur a/contrib/apparmor/docker-engine b/contrib/apparmor/docker-engine
 --- a/contrib/apparmor/docker-engine	2015-08-11 18:35:27.000000000 +0200
 +++ b/contrib/apparmor/docker-engine	2015-08-12 18:05:07.608444190 +0200
@@ -13,7 +13,6 @@
   mount -> /sys/**,
   mount -> /run/docker/netns/**,
 -  umount,
   pivot_root,
   signal (receive) peer=@{profile_name},
   signal (receive) peer=unconfined,
--- a/use_fs_cgroups_by_default.patch
+++ b/use_fs_cgroups_by_default.patch
@ -1,51 +0,0 @@
 From 419fd7449fe1a984f582731fcd4d9455000846b0 Mon Sep 17 00:00:00 2001
 From: Alexander Morozov <lk4d4@docker.com>
 Date: Wed, 4 Nov 2015 13:51:46 -0800
 Subject: [PATCH] Use fs cgroups by default
 Our implementation of systemd cgroups is mixture of systemd api and
 plain filesystem api. It's hard to keep it up to date with systemd and
 it already contains some nasty bugs with new versions. Ideally it should
 be replaced with some daemon flag which will allow to set parent systemd
 slice.
 Signed-off-by: Alexander Morozov <lk4d4@docker.com>
 ---
 daemon/execdriver/native/driver.go   | 3 ---
 docs/reference/commandline/daemon.md | 8 ++++----
 2 files changed, 4 insertions(+), 7 deletions(-)
 diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
 index 09171c5..0b6cec3 100644
 --- a/daemon/execdriver/native/driver.go
 +++ b/daemon/execdriver/native/driver.go
@@ -74,9 +74,6 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {
 	// this makes sure there are no breaking changes to people
 	// who upgrade from versions without native.cgroupdriver opt
 	cgm := libcontainer.Cgroupfs
 -	if systemd.UseSystemd() {
 -		cgm = libcontainer.SystemdCgroups
 -	}
 	// parse the options
 	for _, option := range options {
 diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md
 index 91fd3c6..0721538 100644
 --- a/docs/reference/commandline/daemon.md
 +++ b/docs/reference/commandline/daemon.md
@@ -452,11 +452,11 @@ single `native.cgroupdriver` option is available.
 The `native.cgroupdriver` option specifies the management of the container's
 cgroups. You can specify `cgroupfs` or `systemd`. If you specify `systemd` and
 -it is not available, the system uses `cgroupfs`. By default, if no option is
 -specified, the execdriver first tries `systemd` and falls back to `cgroupfs`.
 -This example sets the execdriver to `cgroupfs`:
 +it is not available, the system uses `cgroupfs`. If you omit the
 +`native.cgroupdriver` option,` cgroupfs` is used.
 +This example sets the `cgroupdriver` to `systemd`:
 -    $ sudo docker daemon --exec-opt native.cgroupdriver=cgroupfs
 +    $ sudo docker daemon --exec-opt native.cgroupdriver=systemd
 Setting this option applies to all containers the daemon launches.