- Update to 1.10.0 version
Add usernamespace support
Add support for custom seccomp profiles
Improvements in network and volume management
detailed changelog in
590d5108bb/CHANGELOG.md
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=58
parent
9dce1f84b9
commit
64062d332d
4
_service
4
_service
@ -3,8 +3,8 @@
|
||||
<param name="url">https://github.com/docker/docker.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">1.9.1</param>
|
||||
<param name="revision">v1.9.1</param>
|
||||
<param name="versionformat">1.10.0</param>
|
||||
<param name="revision">v1.10.0</param>
|
||||
</service>
|
||||
<service name="recompress" mode="disabled">
|
||||
<param name="file">docker-*.tar</param>
|
||||
|
@ -1,20 +0,0 @@
|
||||
From: Michel Normand <normand@linux.vnet.ibm.com>
|
||||
Subject: add bolt arm64
|
||||
Date: Fri, 04 Dec 2015 17:07:22 +0100
|
||||
|
||||
add bolt arm64
|
||||
|
||||
Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
|
||||
---
|
||||
vendor/src/github.com/boltdb/bolt/bolt_arm64.go | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_arm64.go
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_arm64.go
|
||||
@@ -0,0 +1,4 @@
|
||||
+package bolt
|
||||
+
|
||||
+// maxMapSize represents the largest mmap size supported by Bolt.
|
||||
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
|
@ -1,23 +0,0 @@
|
||||
---
|
||||
vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 4 ++++
|
||||
vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go | 4 ++++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go
|
||||
@@ -0,0 +1,4 @@
|
||||
+package bolt
|
||||
+
|
||||
+// maxMapSize represents the largest mmap size supported by Bolt.
|
||||
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
|
||||
Index: docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ docker-1.9.1/vendor/src/github.com/boltdb/bolt/bolt_ppc64le.go
|
||||
@@ -0,0 +1,4 @@
|
||||
+package bolt
|
||||
+
|
||||
+// maxMapSize represents the largest mmap size supported by Bolt.
|
||||
+const maxMapSize = 0xFFFFFFFFFFFF // 256TB
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:edb9bdbcce529e4170b6ad8a14643b12f176c8d2b1690f182f29bc79e3dde3c0
|
||||
size 6283244
|
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 5 09:14:15 UTC 2016 - jmassaguerpla@suse.com
|
||||
|
||||
- Update to 1.10.0 version
|
||||
|
||||
Add usernamespace support
|
||||
Add support for custom seccomp profiles
|
||||
Improvements in network and volume management
|
||||
|
||||
detailed changelog in
|
||||
|
||||
https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/CHANGELOG.md
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 27 23:40:09 UTC 2016 - asarai@suse.com
|
||||
|
||||
|
47
docker.spec
47
docker.spec
@ -16,10 +16,10 @@
|
||||
#
|
||||
|
||||
|
||||
%define git_version a34a1d5
|
||||
%define git_version 590d510
|
||||
%define go_arches %ix86 x86_64
|
||||
Name: docker
|
||||
Version: 1.9.1
|
||||
Version: 1.10.0
|
||||
Release: 0
|
||||
Summary: The Linux container runtime
|
||||
License: Apache-2.0
|
||||
@ -41,34 +41,16 @@ Source7: README_SUSE.md
|
||||
Source8: docker-audit.rules
|
||||
# TODO: remove once we figure out what is wrong with iptables on ppc64le
|
||||
Source100: sysconfig.docker.ppc64le
|
||||
Patch0: fix-docker-init.patch
|
||||
# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
|
||||
Patch1: libcontainer-apparmor-fixes.patch
|
||||
# fix regexp in apparmor default profile. This is already fixed upstream so in version > 1.9.1 it should be already fixed
|
||||
Patch2: fix_bnc_958255.patch
|
||||
# fix default cgroups. This is fixed upstream, too.
|
||||
Patch3: use_fs_cgroups_by_default.patch
|
||||
# fix an issue with cgroups. This is fixed upstream, too.
|
||||
Patch4: fix_cgroup.parent_path_sanitisation.patch
|
||||
# fix an issue with JSON and containers not starting. This is fixed upstream, too.
|
||||
Patch5: fix_json_econnreset_bug.patch
|
||||
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
|
||||
# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
|
||||
# We cannot do that, right now a quick and really dirty way to get it running is
|
||||
# to simply disable this check
|
||||
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/# !msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
|
||||
Patch6: gcc5_socket_workaround.patch
|
||||
Patch100: ignore-dockerinit-checksum.patch
|
||||
Patch101: gcc-go-patches.patch
|
||||
Patch102: add_bolt_ppc64.patch
|
||||
Patch105: add_bolt_arm64.patch
|
||||
Patch108: fix-ppc64le.patch
|
||||
Patch0: fix_platform_type_arm.patch
|
||||
Patch1: gcc5_socket_workaround.patch
|
||||
Patch100: gcc-go-patches.patch
|
||||
Patch101: fix-ppc64le.patch
|
||||
BuildRequires: audit
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: device-mapper-devel >= 1.2.68
|
||||
BuildRequires: glibc-devel-static
|
||||
%ifarch %go_arches
|
||||
BuildRequires: go >= 1.4
|
||||
BuildRequires: go >= 1.5
|
||||
BuildRequires: go-go-md2man
|
||||
%else
|
||||
BuildRequires: gcc5-go >= 5.0
|
||||
@ -156,11 +138,6 @@ Test package for docker. It contains the source code and the tests.
|
||||
%prep
|
||||
%setup -q -n docker-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
# 1330 is Tumbleweed after leap has been released
|
||||
# gcc5-go in Tumbleweed includes this commit
|
||||
# https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb
|
||||
@ -169,14 +146,11 @@ Test package for docker. It contains the source code and the tests.
|
||||
# for that issue.
|
||||
# Thus, we need to workaround the workaroundn in tumbleweed
|
||||
%if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1
|
||||
%patch6 -p1
|
||||
%patch1 -p1
|
||||
%endif
|
||||
%ifnarch %go_arches
|
||||
%patch100 -p1
|
||||
%patch101 -p0
|
||||
%patch102 -p1
|
||||
%patch105 -p1
|
||||
%patch108 -p1
|
||||
%patch101 -p1
|
||||
%endif
|
||||
cp %{SOURCE7} .
|
||||
|
||||
@ -213,10 +187,8 @@ install -d %{buildroot}%{go_contribdir}
|
||||
install -d %{buildroot}%{_bindir}
|
||||
%ifarch %go_arches
|
||||
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
|
||||
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
|
||||
%else
|
||||
install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
|
||||
install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
|
||||
%endif
|
||||
install -d %{buildroot}/%{_prefix}/lib/docker
|
||||
install -Dd -m 0755 \
|
||||
@ -284,7 +256,6 @@ groupadd -r docker 2>/dev/null || :
|
||||
%{_bindir}/docker
|
||||
%{_sbindir}/rcdocker
|
||||
%{_prefix}/lib/docker/
|
||||
%{_prefix}/lib/docker/dockerinit
|
||||
%{_unitdir}/%{name}.service
|
||||
%{_unitdir}/%{name}.socket
|
||||
%config %{_sysconfdir}/audit/rules.d/%{name}.rules
|
||||
|
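Review bot: The Patch list drops libcontainer-apparmor-fixes.patch, fix_bnc_958255.patch, fix_cgroup.parent_path_sanitisation.patch and ignore-dockerinit-checksum.patch, but the new .changes entry names none of them, so the package history does not show whether each fix is carried by v1.10.0 or was lost. The whole-file deletions (`+0,0` sections) further down appear to be these patches. The old comments mark the regexp, cgroup and JSON fixes as upstream, whereas libcontainer-apparmor-fixes.patch was tagged PATCH-FIX-OPENSUSE with `mount rules aren't supported in our apparmor`, which reads as a distro constraint that a version bump does not obviously resolve. I would add one changelog line per removed patch, for example `- Remove fix_cgroup.parent_path_sanitisation.patch: included in 1.10.0`, and state why the AppArmor one is no longer needed. Old and new lines are interleaved in this rendering, so the new-side Patch numbering is inferred.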
@ -1,10 +0,0 @@
|
||||
diff -Naur a/hack/make/.dockerinit b/hack/make/.dockerinit
|
||||
--- a/hack/make/.dockerinit 2015-08-11 18:35:27.000000000 +0200
|
||||
+++ b/hack/make/.dockerinit 2015-08-12 18:14:25.743452565 +0200
|
||||
@@ -29,5 +29,6 @@
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
|
||||
# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another
|
||||
export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)
|
@ -1,3 +1,4 @@
|
||||
|
||||
Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
|
||||
===================================================================
|
||||
--- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
|
||||
@ -17,4 +18,3 @@ Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netli
|
||||
+// +build !arm,!ppc64 ppc64le
|
||||
|
||||
package bridge
|
||||
|
||||
|
@ -1,13 +0,0 @@
|
||||
diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
|
||||
index 3aaba98..06babd3 100644
|
||||
--- a/daemon/execdriver/native/apparmor.go
|
||||
+++ b/daemon/execdriver/native/apparmor.go
|
||||
@@ -40,7 +40,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
file,
|
||||
umount,
|
||||
|
||||
- deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
|
||||
+ deny @{PROC}/{*,**^[0-9]*,sys/kernel/shm*} wkx,
|
||||
deny @{PROC}/sysrq-trigger rwklx,
|
||||
deny @{PROC}/mem rwklx,
|
||||
deny @{PROC}/kmem rwklx,
|
@ -1,67 +0,0 @@
|
||||
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
|
||||
index a0a93a4..da31d06 100644
|
||||
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
|
||||
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
|
||||
@@ -216,12 +216,39 @@ func (m *Manager) GetPids() ([]int, error) {
|
||||
return cgroups.GetPids(dir)
|
||||
}
|
||||
|
||||
+// pathClean makes a path safe for use with filepath.Join. This is done by not
|
||||
+// only cleaning the path, but also (if the path is relative) adding a leading
|
||||
+// '/' and cleaning it (then removing the leading '/'). This ensures that a
|
||||
+// path resulting from prepending another path will always resolve to lexically
|
||||
+// be a subdirectory of the prefixed path. This is all done lexically, so paths
|
||||
+// that include symlinks won't be safe as a result of using pathClean.
|
||||
+func pathClean(path string) string {
|
||||
+ // Ensure that all paths are cleaned (especially problematic ones like
|
||||
+ // "/../../../../../" which can cause lots of issues).
|
||||
+ path = filepath.Clean(path)
|
||||
+
|
||||
+ // If the path isn't absolute, we need to do more processing to fix paths
|
||||
+ // such as "../../../../<etc>/some/path". We also shouldn't convert absolute
|
||||
+ // paths to relative ones.
|
||||
+ if !filepath.IsAbs(path) {
|
||||
+ path = filepath.Clean(string(os.PathSeparator) + path)
|
||||
+ // This can't fail, as (by definition) all paths are relative to root.
|
||||
+ path, _ = filepath.Rel(string(os.PathSeparator), path)
|
||||
+ }
|
||||
+
|
||||
+ // Clean the path again for good measure.
|
||||
+ return filepath.Clean(path)
|
||||
+}
|
||||
+
|
||||
func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {
|
||||
root, err := getCgroupRoot()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
+ // Clean the parent slice path.
|
||||
+ c.Parent = pathClean(c.Parent)
|
||||
+
|
||||
cgroup := c.Name
|
||||
if c.Parent != "" {
|
||||
cgroup = filepath.Join(c.Parent, cgroup)
|
||||
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
|
||||
index f3ec2c3..0b13115 100644
|
||||
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
|
||||
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
|
||||
@@ -4,6 +4,7 @@ package fs
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
+ "fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
@@ -92,6 +93,10 @@ func (s *CpusetGroup) ensureParent(current, root string) error {
|
||||
if filepath.Clean(parent) == root {
|
||||
return nil
|
||||
}
|
||||
+ // Avoid infinite recursion.
|
||||
+ if parent == current {
|
||||
+ return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
|
||||
+ }
|
||||
if err := s.ensureParent(parent, root); err != nil {
|
||||
return err
|
||||
}
|
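--- a/fix_platform_type_arm.patch
+++ b/fix_platform_type_arm.patch
@@ -0,0 +1,20 @@
+diff --git a/pkg/platform/utsname_int8.go b/pkg/platform/utsname_int8.go
+index 5dcbadf..a022a35 100644
+--- a/pkg/platform/utsname_int8.go
++++ b/pkg/platform/utsname_int8.go
+@@ -1,4 +1,4 @@
+-// +build linux,386 linux,amd64 linux,arm64
++// +build linux,386 linux,amd64
+// see golang's sources src/syscall/ztypes_linux_*.go that use int8
+
+package platform
+diff --git a/pkg/platform/utsname_uint8.go b/pkg/platform/utsname_uint8.go
+index c9875cf..0ee937a 100644
+--- a/pkg/platform/utsname_uint8.go
++++ b/pkg/platform/utsname_uint8.go
+@@ -1,4 +1,4 @@
+-// +build linux,arm linux,ppc64 linux,ppc64le s390x
++// +build linux,arm linux,ppc64 linux,ppc64le s390x linux,arm64 linux,aarch64
+// see golang's sources src/syscall/ztypes_linux_*.go that use uint8
+
+package platform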
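Review bot: Moving `linux,arm64` from utsname_int8.go to utsname_uint8.go is a toolchain-specific change written as an architecture-specific one. As far as I know, the gc toolchain's `syscall.Utsname` on linux/arm64 uses `int8`, which is what the retained comment `see golang's sources src/syscall/ztypes_linux_*.go` points at, so the new tags only fit a gccgo build. docker.spec registers this as Patch0 and seems to apply it outside the `%ifnarch %go_arches` block, so it would break arm64 if that arch were ever added to `go_arches`. Consider keying the split on the compiler, e.g. `linux,arm64,gccgo` in the uint8 file and `linux,arm64,!gccgo` in the int8 file, or applying the patch only under `%ifnarch %go_arches`. The extra `linux,aarch64` tag may be redundant if GOARCH is `arm64` under the gcc5-go in use; worth confirming.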
@ -1,18 +1,7 @@
|
||||
Index: hack/make/.dockerinit-gccgo
|
||||
===================================================================
|
||||
--- hack/make/.dockerinit-gccgo.orig
|
||||
+++ hack/make/.dockerinit-gccgo
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
-set -e
|
||||
+set -ex
|
||||
|
||||
IAMSTATIC="true"
|
||||
source "${MAKEDIR}/.go-autogen"
|
||||
Index: hack/make/gccgo
|
||||
===================================================================
|
||||
--- hack/make/gccgo.orig
|
||||
+++ hack/make/gccgo
|
||||
diff --git a/hack/make/gccgo b/hack/make/gccgo
|
||||
index 878c814..84b7f69 100644
|
||||
--- a/hack/make/gccgo
|
||||
+++ b/hack/make/gccgo
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
-set -e
|
||||
@ -20,14 +9,16 @@ Index: hack/make/gccgo
|
||||
|
||||
BINARY_NAME="docker-$VERSION"
|
||||
BINARY_EXTENSION="$(binary_extension)"
|
||||
@@ -17,6 +17,8 @@ go build -compiler=gccgo \
|
||||
@@ -16,9 +16,11 @@ go build -compiler=gccgo \
|
||||
"${BUILDFLAGS[@]}" \
|
||||
-gccgoflags "
|
||||
-g
|
||||
+ -Wl,--add-needed -Wl,--no-as-needed
|
||||
+ -Wl,--add-needed -Wl,--no-as-needed
|
||||
$EXTLDFLAGS_STATIC
|
||||
+ -static-libgo
|
||||
+ -static-libgo
|
||||
-Wl,--no-export-dynamic
|
||||
- -ldl
|
||||
+ -ldl -lselinux -lsystemd
|
||||
-pthread
|
||||
" \
|
||||
./docker
|
||||
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff -Naur a/utils/utils.go b/utils/utils.go
|
||||
--- a/utils/utils.go 2015-08-11 18:35:27.000000000 +0200
|
||||
+++ b/utils/utils.go 2015-08-12 18:06:47.930445696 +0200
|
||||
@@ -76,7 +76,7 @@
|
||||
}
|
||||
return os.SameFile(targetFileInfo, selfPathFileInfo)
|
||||
}
|
||||
- return dockerversion.INITSHA1 != "" && dockerInitSha1(target) == dockerversion.INITSHA1
|
||||
+ return true
|
||||
}
|
||||
|
||||
// DockerInitPath figures out the path of our dockerinit (which may be SelfPath())
|
@ -1,11 +0,0 @@
|
||||
diff -Naur a/contrib/apparmor/docker-engine b/contrib/apparmor/docker-engine
|
||||
--- a/contrib/apparmor/docker-engine 2015-08-11 18:35:27.000000000 +0200
|
||||
+++ b/contrib/apparmor/docker-engine 2015-08-12 18:05:07.608444190 +0200
|
||||
@@ -13,7 +13,6 @@
|
||||
mount -> /sys/**,
|
||||
mount -> /run/docker/netns/**,
|
||||
|
||||
- umount,
|
||||
pivot_root,
|
||||
signal (receive) peer=@{profile_name},
|
||||
signal (receive) peer=unconfined,
|
@ -1,51 +0,0 @@
|
||||
From 419fd7449fe1a984f582731fcd4d9455000846b0 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Morozov <lk4d4@docker.com>
|
||||
Date: Wed, 4 Nov 2015 13:51:46 -0800
|
||||
Subject: [PATCH] Use fs cgroups by default
|
||||
|
||||
Our implementation of systemd cgroups is mixture of systemd api and
|
||||
plain filesystem api. It's hard to keep it up to date with systemd and
|
||||
it already contains some nasty bugs with new versions. Ideally it should
|
||||
be replaced with some daemon flag which will allow to set parent systemd
|
||||
slice.
|
||||
|
||||
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
|
||||
---
|
||||
daemon/execdriver/native/driver.go | 3 ---
|
||||
docs/reference/commandline/daemon.md | 8 ++++----
|
||||
2 files changed, 4 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
|
||||
index 09171c5..0b6cec3 100644
|
||||
--- a/daemon/execdriver/native/driver.go
|
||||
+++ b/daemon/execdriver/native/driver.go
|
||||
@@ -74,9 +74,6 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {
|
||||
// this makes sure there are no breaking changes to people
|
||||
// who upgrade from versions without native.cgroupdriver opt
|
||||
cgm := libcontainer.Cgroupfs
|
||||
- if systemd.UseSystemd() {
|
||||
- cgm = libcontainer.SystemdCgroups
|
||||
- }
|
||||
|
||||
// parse the options
|
||||
for _, option := range options {
|
||||
diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md
|
||||
index 91fd3c6..0721538 100644
|
||||
--- a/docs/reference/commandline/daemon.md
|
||||
+++ b/docs/reference/commandline/daemon.md
|
||||
@@ -452,11 +452,11 @@ single `native.cgroupdriver` option is available.
|
||||
|
||||
The `native.cgroupdriver` option specifies the management of the container's
|
||||
cgroups. You can specify `cgroupfs` or `systemd`. If you specify `systemd` and
|
||||
-it is not available, the system uses `cgroupfs`. By default, if no option is
|
||||
-specified, the execdriver first tries `systemd` and falls back to `cgroupfs`.
|
||||
-This example sets the execdriver to `cgroupfs`:
|
||||
+it is not available, the system uses `cgroupfs`. If you omit the
|
||||
+`native.cgroupdriver` option,` cgroupfs` is used.
|
||||
+This example sets the `cgroupdriver` to `systemd`:
|
||||
|
||||
- $ sudo docker daemon --exec-opt native.cgroupdriver=cgroupfs
|
||||
+ $ sudo docker daemon --exec-opt native.cgroupdriver=systemd
|
||||
|
||||
Setting this option applies to all containers the daemon launches.
|
||||
|