diff --git a/docker.spec b/docker.spec
index a3ba49b..4535a7d 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package docker
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -44,17 +44,21 @@ Source100: sysconfig.docker.ppc64le
 Patch0: fix-docker-init.patch
 # PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
 Patch1: libcontainer-apparmor-fixes.patch
+# fix regexp in apparmor default profile. This is already fixed upstream so in version > 1.9.1 it should be already fixed
+Patch2: fix_bnc_958255.patch
+# fix default cgroups. This is fixed upstream, too.
+Patch3: use_fs_cgroups_by_default.patch
+# fix an issue with cgroups. This is fixed upstream, too.
+Patch4: fix_cgroup.parent_path_sanitisation.patch
 # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
 # Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
 # We cannot do that, right now a quick and really dirty way to get it running is
 # to simply disable this check
 Patch100: ignore-dockerinit-checksum.patch
-Patch101: gcc-go-build-static-libgo.patch
+Patch101: gcc-go-patches.patch
 Patch102: add_bolt_ppc64.patch
-Patch103: docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
-Patch104: docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
 Patch105: add_bolt_arm64.patch
-Patch106: docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
+Patch108: fix-ppc64le.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel >= 1.2.68
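Review bot: The new Patch2–Patch4 comments drop the `# PATCH-FIX-OPENSUSE <file> -- <why>` tag form that Patch1 uses directly above, and none of them names the upstream commit that the "fixed upstream" remark refers to, so the next rebase has nothing to check against. Patch3 also does more than "fix default cgroups": use_fs_cgroups_by_default.patch removes the systemd auto-detection, so hosts that silently got the systemd cgroup driver switch to cgroupfs after this update, which deserves saying here. Suggest e.g. `# PATCH-FIX-UPSTREAM fix_bnc_958255.patch bnc#958255 -- fix regexp in apparmor default profile (fixed upstream after 1.9.1)` and the same form for Patch3/Patch4 with the upstream commit ids filled in. Patch108 skips 106 and 107; if those numbers are deliberately retired, a one-line comment saying so avoids a later collision.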
@@ -140,6 +144,8 @@ Requires: procps
 Requires: sqlite3-devel
 BuildArch: noarch
+%global __requires_exclude ^libgo.so.*$
+
 %description test
 Test package for docker. It contains the source code and the tests.
@@ -147,14 +153,15 @@ Test package for docker. It contains the source code and the tests.
 %setup -q -n docker-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %ifnarch %go_arches
 %patch100 -p1
 %patch101 -p0
 %patch102 -p1
-%patch103 -p1
-%patch104 -p1
 %patch105 -p1
-%patch106 -p1
+%patch108 -p1
 %endif
 cp %{SOURCE7} .
@@ -174,10 +181,14 @@ export DOCKER_GITCOMMIT=%{git_version}
 EOF
 ) > docker_build_env
 . ./docker_build_env
-./hack/make.sh dynbinary
+
 %ifarch %go_arches
+./hack/make.sh dynbinary
 man/md2man-all.sh
+%else
+./hack/make.sh dyngccgo
 %endif
+
 # remove other than systemd
 # otherwise the resulting package will have extra requires
 rm -rf hack/make/.build-deb
@@ -185,7 +196,13 @@ rm -rf hack/make/.build-deb
 %install
 install -d %{buildroot}%{go_contribdir}
 install -d %{buildroot}%{_bindir}
+%ifarch %go_arches
 install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
+install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
+%else
+install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
+install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
+%endif
 install -d %{buildroot}/%{_prefix}/lib/docker
 install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
 install -Dd -m 0755 \
diff --git a/docker_remove_journald_to_fix_dynbinary_build_on_arm.patch b/docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
deleted file mode 100644
index 94b4950..0000000
--- a/docker_remove_journald_to_fix_dynbinary_build_on_arm.patch
+++ /dev/null
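Review bot: `%global __requires_exclude ^libgo.so.*$` is a spec-wide setting even though it sits in the `%package test` section, and the hunk gives no reason for suppressing the automatic libgo dependency. Dropping an auto-generated Requires is only safe because gcc-go-patches.patch now links with `-static-libgo`; if that flag is ever lost, the main package would install with an unresolved libgo.so and no dependency to pull it in. Consider moving the line next to the `%ifnarch %go_arches` patch block, guarding it the same way, and stating the reason: `# libgo is linked statically on gccgo arches (gcc-go-patches.patch), so do not auto-require the shared libgo`.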
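Review bot: The new `%ifarch`/`%else` block installs dockerinit from the right bundle, but the unconditional `install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit` two lines below it is still there, so on non-go arches `%install` still references the `dynbinary` directory that the `dyngccgo` build never creates (the source file will not exist), and on go arches the same file is installed twice. Drop that leftover line; the `install -d %{buildroot}/%{_prefix}/lib/docker` before it is then redundant as well, since `install -D` creates the parent directory. The `%install` section continues past the end of the hunk.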
@@ -1,53 +0,0 @@
-From 6f6f10a75f8b447637e8a89d685452871899e9c0 Mon Sep 17 00:00:00 2001
-From: Stefan Scherer
-Date: Thu, 19 Nov 2015 17:09:20 +0100
-Subject: [PATCH] prevent journald from being built on ARM
-
-Signed-off-by: Govinda Fichtner
-
---
- daemon/logger/journald/journald.go | 2 +-
- daemon/logger/journald/journald_unsupported.go | 2 +-
- daemon/logger/journald/read.go | 2 +-
- daemon/logger/journald/read_unsupported.go | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-Index: docker-1.9.1/daemon/logger/journald/journald.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/journald.go
-+++ docker-1.9.1/daemon/logger/journald/journald.go
-@@ -1,4 +1,4 @@
--// +build linux
-+// +build linux,!arm
-
- // Package journald provides the log driver for forwarding server logs
- // to endpoints that receive the systemd format.
-Index: docker-1.9.1/daemon/logger/journald/journald_unsupported.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/journald_unsupported.go
-+++ docker-1.9.1/daemon/logger/journald/journald_unsupported.go
-@@ -1,3 +1,3 @@
--// +build !linux
-+// +build !linux linux,arm
-
- package journald
-Index: docker-1.9.1/daemon/logger/journald/read.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/read.go
-+++ docker-1.9.1/daemon/logger/journald/read.go
-@@ -1,4 +1,4 @@
--// +build linux,cgo,!static_build,journald
-+// +build linux,cgo,!static_build,journald,!arm
-
- package journald
-
-Index: docker-1.9.1/daemon/logger/journald/read_unsupported.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/read_unsupported.go
-+++ docker-1.9.1/daemon/logger/journald/read_unsupported.go
-@@ -1,4 +1,4 @@
--// +build !linux !cgo static_build !journald
-+// +build !linux !cgo static_build !journald linux,arm
-
- package journald
-
diff --git a/docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch b/docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
deleted file mode 100644
index 729b7d3..0000000
--- a/docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Michel Normand
-Subject: docker remove journald to fix dynbinary build on arm64
-Date: Fri, 04 Dec 2015 17:07:12 +0100
-
-docker remove journald to fix dynbinary build on arm64
-
-Signed-off-by: Michel Normand
---- daemon/logger/journald/journald.go | 2 +-
- daemon/logger/journald/journald_unsupported.go | 2 +-
- daemon/logger/journald/read.go | 2 +-
- daemon/logger/journald/read_unsupported.go | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-Index: docker-1.9.1/daemon/logger/journald/journald.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/journald.go
-+++ docker-1.9.1/daemon/logger/journald/journald.go
-@@ -1,4 +1,4 @@
--// +build linux,!arm linux,!ppc64 linux,!ppc64le
-+// +build linux,!arm linux,!arm64 linux,!ppc64 linux,!ppc64le
-
- // Package journald provides the log driver for forwarding server logs
- // to endpoints that receive the systemd format.
-Index: docker-1.9.1/daemon/logger/journald/journald_unsupported.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/journald_unsupported.go
-+++ docker-1.9.1/daemon/logger/journald/journald_unsupported.go
-@@ -1,3 +1,3 @@
--// +build !linux linux,arm linux,ppc64 linux,ppc64le
-+// +build !linux linux,arm linux,arm64 linux,ppc64 linux,ppc64le
-
- package journald
-Index: docker-1.9.1/daemon/logger/journald/read.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/read.go
-+++ docker-1.9.1/daemon/logger/journald/read.go
-@@ -1,4 +1,4 @@
--// +build linux,cgo,!static_build,journald,!arm,!ppc64,!ppc64le
-+// +build linux,cgo,!static_build,journald,!arm,!arm64,!ppc64,!ppc64le
-
- package journald
-
-Index: docker-1.9.1/daemon/logger/journald/read_unsupported.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/read_unsupported.go
-+++ docker-1.9.1/daemon/logger/journald/read_unsupported.go
-@@ -1,4 +1,4 @@
--// +build !linux !cgo static_build !journald linux,arm linux,ppc64 linux,ppc64le
-+// +build !linux !cgo static_build !journald linux,arm linux,arm64 linux,ppc64 linux,ppc64le
-
- package journald
-
diff --git a/docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch b/docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
deleted file mode 100644
index ec2fb22..0000000
--- a/docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Michel Normand
-Subject: docker remove journald to fix dynbinary build on powerpc
-Date: Fri, 04 Dec 2015 14:45:43 +0100
-
-docker remove journald to fix dynbinary build on powerpc
-
-Signed-off-by: Michel Normand
---- daemon/logger/journald/journald.go | 2 +-
- daemon/logger/journald/journald_unsupported.go | 2 +-
- daemon/logger/journald/read.go | 2 +-
- daemon/logger/journald/read_unsupported.go | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-Index: docker-1.9.1/daemon/logger/journald/journald.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/journald.go
-+++ docker-1.9.1/daemon/logger/journald/journald.go
-@@ -1,4 +1,4 @@
--// +build linux,!arm
-+// +build linux,!arm linux,!ppc64 linux,!ppc64le
-
- // Package journald provides the log driver for forwarding server logs
- // to endpoints that receive the systemd format.
-Index: docker-1.9.1/daemon/logger/journald/journald_unsupported.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/journald_unsupported.go
-+++ docker-1.9.1/daemon/logger/journald/journald_unsupported.go
-@@ -1,3 +1,3 @@
--// +build !linux linux,arm
-+// +build !linux linux,arm linux,ppc64 linux,ppc64le
-
- package journald
-Index: docker-1.9.1/daemon/logger/journald/read.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/read.go
-+++ docker-1.9.1/daemon/logger/journald/read.go
-@@ -1,4 +1,4 @@
--// +build linux,cgo,!static_build,journald,!arm
-+// +build linux,cgo,!static_build,journald,!arm,!ppc64,!ppc64le
-
- package journald
-
-Index: docker-1.9.1/daemon/logger/journald/read_unsupported.go
-===================================================================
---- docker-1.9.1.orig/daemon/logger/journald/read_unsupported.go
-+++ docker-1.9.1/daemon/logger/journald/read_unsupported.go
-@@ -1,4 +1,4 @@
--// +build !linux !cgo static_build !journald linux,arm
-+// +build !linux !cgo static_build !journald linux,arm linux,ppc64 linux,ppc64le
-
- package journald
-
diff --git a/fix-ppc64le.patch b/fix-ppc64le.patch
new file mode 100644
index 0000000..a4c7a40
--- /dev/null
+++ b/fix-ppc64le.patch
@@ -0,0 +1,20 @@
+Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
+===================================================================
+--- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
++++ docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go
+@@ -1,4 +1,4 @@
+-// +build arm ppc64 ppc64le
++// +build arm ppc64,!ppc64le
+
+ package bridge
+
+Index: docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
+===================================================================
+--- docker-1.9.1.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
++++ docker-1.9.1/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go
+@@ -1,4 +1,4 @@
+-// +build !arm,!ppc64,!ppc64le
++// +build !arm,!ppc64 ppc64le
+
+ package bridge
+
diff --git a/fix_bnc_958255.patch b/fix_bnc_958255.patch
new file mode 100644
index 0000000..aa436c1
--- /dev/null
+++ b/fix_bnc_958255.patch
@@ -0,0 +1,13 @@
+diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
+index 3aaba98..06babd3 100644
+--- a/daemon/execdriver/native/apparmor.go
++++ b/daemon/execdriver/native/apparmor.go
+@@ -40,7 +40,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+ file,
+ umount,
+
+- deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
++ deny @{PROC}/{*,**^[0-9]*,sys/kernel/shm*} wkx,
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
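Review bot: Both new build constraints in fix-ppc64le.patch carry a redundant ppc64le term: GOARCH values are mutually exclusive, so `// +build arm ppc64,!ppc64le` means the same as `// +build arm ppc64`, and `// +build !arm,!ppc64 ppc64le` the same as `// +build !arm,!ppc64` (ppc64le already satisfies both negations). The shorter forms state the actual change — ppc64le no longer takes the deprecated netlink path — and make it easier to check that the two files' tags stay complementary. The patch also has no description; a short header above the first `Index:` line naming what broke on ppc64le (and the upstream libnetwork change it mirrors, if any) would help the next rebase.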
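Review bot: The one-character change in fix_bnc_958255.patch is correct but the patch carries no explanation, and this one matters: in the old rule `**^[0-9*]` the bracket expression is a single character class that contains the digits and a literal `*`, with no trailing wildcard, so the "everything under @{PROC} that is not a PID directory" branch of the `deny ... wkx` rule appears not to cover the paths the upstream profile intends, while `**^[0-9]*` is the form later upstream releases ship. Because this is a `deny` rule, a mis-parsed branch weakens the generated profile silently instead of failing visibly, so the patch description should say what was under-denied and how it was verified (e.g. loading the generated profile with the AppArmor parser before and after). A header such as `Fix character-class typo in the default AppArmor profile's @{PROC} deny rule (bnc#958255, fixed upstream after 1.9.1)` would make the intent clear to whoever rebases it.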
diff --git a/fix_cgroup.parent_path_sanitisation.patch b/fix_cgroup.parent_path_sanitisation.patch
new file mode 100644
index 0000000..c1e6500
--- /dev/null
+++ b/fix_cgroup.parent_path_sanitisation.patch
@@ -0,0 +1,67 @@
+diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+index a0a93a4..da31d06 100644
+--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
++++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+@@ -216,12 +216,39 @@ func (m *Manager) GetPids() ([]int, error) {
+ return cgroups.GetPids(dir)
+ }
+
++// pathClean makes a path safe for use with filepath.Join. This is done by not
++// only cleaning the path, but also (if the path is relative) adding a leading
++// '/' and cleaning it (then removing the leading '/'). This ensures that a
++// path resulting from prepending another path will always resolve to lexically
++// be a subdirectory of the prefixed path. This is all done lexically, so paths
++// that include symlinks won't be safe as a result of using pathClean.
++func pathClean(path string) string {
++ // Ensure that all paths are cleaned (especially problematic ones like
++ // "/../../../../../" which can cause lots of issues).
++ path = filepath.Clean(path)
++
++ // If the path isn't absolute, we need to do more processing to fix paths
++ // such as "../../../..//some/path". We also shouldn't convert absolute
++ // paths to relative ones.
++ if !filepath.IsAbs(path) {
++ path = filepath.Clean(string(os.PathSeparator) + path)
++ // This can't fail, as (by definition) all paths are relative to root.
++ path, _ = filepath.Rel(string(os.PathSeparator), path)
++ }
++
++ // Clean the path again for good measure.
++ return filepath.Clean(path)
++}
++
+ func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {
+ root, err := getCgroupRoot()
+ if err != nil {
+ return nil, err
+ }
+
++ // Clean the parent slice path.
++ c.Parent = pathClean(c.Parent)
++
+ cgroup := c.Name
+ if c.Parent != "" {
+ cgroup = filepath.Join(c.Parent, cgroup)
+diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+index f3ec2c3..0b13115 100644
+--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
++++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+@@ -4,6 +4,7 @@ package fs
+
+ import (
+ "bytes"
++ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+@@ -92,6 +93,10 @@ func (s *CpusetGroup) ensureParent(current, root string) error {
+ if filepath.Clean(parent) == root {
+ return nil
+ }
++ // Avoid infinite recursion.
++ if parent == current {
++ return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
++ }
+ if err := s.ensureParent(parent, root); err != nil {
+ return err
+ }
diff --git a/gcc-go-build-static-libgo.patch b/gcc-go-build-static-libgo.patch
deleted file mode 100644
index e4096fd..0000000
--- a/gcc-go-build-static-libgo.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- hack/make/binary
-+++ hack/make/binary
-@@ -9,6 +9,7 @@
-
- echo "Building: $DEST/$BINARY_FULLNAME"
- go build \
-+ -gccgoflags="-static-libgo" \
- -o "$DEST/$BINARY_FULLNAME" \
- "${BUILDFLAGS[@]}" \
- -ldflags "
diff --git a/gcc-go-patches.patch b/gcc-go-patches.patch
new file mode 100644
index 0000000..67dbcd8
--- /dev/null
+++ b/gcc-go-patches.patch
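Review bot: `pathClean` turns an unset `c.Parent` into `"."`: `filepath.Clean("")` returns `"."`, which is not absolute, so the function ends up returning `filepath.Rel("/", "/")`, i.e. `"."`, and the `if c.Parent != ""` test right below the new call now takes the non-empty branch for every config that never set a parent (any other code comparing `c.Parent` with `""` sees the same change, because the assignment mutates the caller's `*configs.Cgroup` in place). `filepath.Join(".", cgroup)` still yields `cgroup`, so the computed cgroup path is unchanged, but the `"."` is visible to callers afterwards. Add an early return at the top of `pathClean`, `if path == "" { return "" }` with the comment `// Deal with empty strings nicely.`, or clean into a local and leave `c.Parent` untouched. The lexical-only caveat from the doc comment belongs in the patch header too: this stops a `..` in the user-supplied parent from escaping the cgroup root, but not a symlinked parent, so the cgroup hierarchy itself still has to be trusted; `getCgroupData`'s body continues outside the hunk.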
@@ -0,0 +1,33 @@
+Index: hack/make/.dockerinit-gccgo
+===================================================================
+--- hack/make/.dockerinit-gccgo.orig
++++ hack/make/.dockerinit-gccgo
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+-set -e
++set -ex
+
+ IAMSTATIC="true"
+ source "${MAKEDIR}/.go-autogen"
+Index: hack/make/gccgo
+===================================================================
+--- hack/make/gccgo.orig
++++ hack/make/gccgo
+@@ -1,5 +1,5 @@
+ #!/bin/bash
+-set -e
++set -ex
+
+ BINARY_NAME="docker-$VERSION"
+ BINARY_EXTENSION="$(binary_extension)"
+@@ -17,6 +17,8 @@ go build -compiler=gccgo \
+ -g
++ -Wl,--add-needed -Wl,--no-as-needed
+ $EXTLDFLAGS_STATIC
++ -static-libgo
+ -Wl,--no-export-dynamic
+- -ldl
++ -ldl -lselinux -lsystemd
+ " \
+ ./docker
+
diff --git a/use_fs_cgroups_by_default.patch b/use_fs_cgroups_by_default.patch
new file mode 100644
index 0000000..f699da2
--- /dev/null
+++ b/use_fs_cgroups_by_default.patch
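Review bot: The `set -e` → `set -ex` change in both `hack/make/.dockerinit-gccgo` and `hack/make/gccgo` is a tracing aid unrelated to the link fixes, and it echoes every expanded command and variable into the build log, which on a shared build service is usually readable by everyone; keep it out of the patch or say in a header why it is wanted. The link-flag hunk also needs a header line: `-Wl,--no-as-needed` forces a DT_NEEDED entry for every library that follows it, so `-lselinux -lsystemd` become hard runtime dependencies of the gccgo-built binary, and the corresponding -devel packages must be in BuildRequires (only audit, bash-completion and device-mapper-devel are visible in this diff, so that cannot be confirmed here). A comment such as `# keep libselinux/libsystemd as DT_NEEDED: gccgo does not emit the references that the go linker would` next to the flag would document the reason. The `go build -compiler=gccgo` command in `hack/make/gccgo` starts before the hunk.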
@@ -0,0 +1,51 @@
+From 419fd7449fe1a984f582731fcd4d9455000846b0 Mon Sep 17 00:00:00 2001
+From: Alexander Morozov
+Date: Wed, 4 Nov 2015 13:51:46 -0800
+Subject: [PATCH] Use fs cgroups by default
+
+Our implementation of systemd cgroups is mixture of systemd api and
+plain filesystem api. It's hard to keep it up to date with systemd and
+it already contains some nasty bugs with new versions. Ideally it should
+be replaced with some daemon flag which will allow to set parent systemd
+slice.
+
+Signed-off-by: Alexander Morozov
+---
+ daemon/execdriver/native/driver.go | 3 ---
+ docs/reference/commandline/daemon.md | 8 ++++----
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go
+index 09171c5..0b6cec3 100644
+--- a/daemon/execdriver/native/driver.go
++++ b/daemon/execdriver/native/driver.go
+@@ -74,9 +74,6 @@ func NewDriver(root, initPath string, options []string) (*Driver, error) {
+ // this makes sure there are no breaking changes to people
+ // who upgrade from versions without native.cgroupdriver opt
+ cgm := libcontainer.Cgroupfs
+- if systemd.UseSystemd() {
+- cgm = libcontainer.SystemdCgroups
+- }
+
+ // parse the options
+ for _, option := range options {
+diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md
+index 91fd3c6..0721538 100644
+--- a/docs/reference/commandline/daemon.md
++++ b/docs/reference/commandline/daemon.md
+@@ -452,11 +452,11 @@ single `native.cgroupdriver` option is available.
+
+ The `native.cgroupdriver` option specifies the management of the container's
+ cgroups. You can specify `cgroupfs` or `systemd`. If you specify `systemd` and
+-it is not available, the system uses `cgroupfs`. By default, if no option is
+-specified, the execdriver first tries `systemd` and falls back to `cgroupfs`.
+-This example sets the execdriver to `cgroupfs`:
++it is not available, the system uses `cgroupfs`. If you omit the
++`native.cgroupdriver` option,` cgroupfs` is used.
++This example sets the `cgroupdriver` to `systemd`:
+
+- $ sudo docker daemon --exec-opt native.cgroupdriver=cgroupfs
++ $ sudo docker daemon --exec-opt native.cgroupdriver=systemd
+
+ Setting this option applies to all containers the daemon launches.
+
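Review bot: The added docs line `` `native.cgroupdriver` option,` cgroupfs` is used. `` has the backtick on the wrong side of the space, so it renders as "option,` cgroupfs`"; either carry the backport byte-identical to upstream and note the typo, or fix it here as `` `native.cgroupdriver` option, `cgroupfs` is used. `` and mention the deviation in the patch header. Removing the `systemd.UseSystemd()` auto-detection in `NewDriver` is a behaviour change for anyone who never passed `native.cgroupdriver`: such hosts switch from the systemd driver to cgroupfs on the next daemon start, and anything keyed on the systemd slice layout (monitoring, resource accounting) sees different cgroup paths, so this deserves a changelog entry rather than only the "fix default cgroups" spec comment. The `NewDriver` function continues outside the hunk.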