forked from pool/docker

- Update to Docker v17.09.1_ce. Upstream changelog:
  https://github.com/docker/docker-ce/releases/tag/v17.09.1-ce
- Removed patches (merged upstream):
  - bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
  - bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
  - bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
- Update to Docker v17.09.0_ce. Upstream changelog:
  https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce
- Rebased patches:
  * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
  * bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
  * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
- Removed patches (merged upstream):
  - bsc1064781-0001-Allow-to-override-build-date.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=228
Aleksa Sarai 2017-12-19 03:42:51 +00:00 committed by Git OBS Bridge
parent 6e5904b7ca
commit 9c7edd7eef
13 changed files with 97 additions and 319 deletions


@ -3,8 +3,8 @@
<param name="url">https://github.com/docker/docker-ce.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">17.07.0_ce</param>
<param name="revision">v17.07.0-ce</param>
<param name="versionformat">17.09.1_ce</param>
<param name="revision">v17.09.1-ce</param>
<param name="filename">docker</param>
</service>
<service name="recompress" mode="disabled">


@ -1,4 +1,4 @@
From 69d2f2339e43e44ea23bb9b9f699b093046568fe Mon Sep 17 00:00:00 2001
From b492588a54b8efa1fba1de700cb3e0ad3fe665d9 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Thu, 16 Nov 2017 17:09:16 +1100
Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
@ -17,7 +17,6 @@ gate the whole dlsym(3) logic behind a buildflag that we disable by
default (libdm_dlsym_deferred_remove).
SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
SUSE-Backport: https://github.com/moby/moby/pull/35518
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
hack/make.sh | 12 +-
@ -29,7 +28,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
create mode 100644 pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
diff --git a/hack/make.sh b/hack/make.sh
index 58e0d8cd628a..3b78ddef30b0 100755
index bc18c066b66c..6e94824ad557 100755
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
@ -55,9 +54,9 @@ index 58e0d8cd628a..3b78ddef30b0 100755
+# with a newer libdevmapper than the one it was built wih.
if \
command -v gcc &> /dev/null \
&& ! ( echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null -ldevmapper &> /dev/null ) \
&& ! ( echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
; then
- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
+ add_buildtag libdm dlsym_deferred_remove
fi
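Review bot: the comment line `+# with a newer libdevmapper than the one it was built wih.` has a typo (`wih` should be `with`). More substantively, the `echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc -` probe only fails when the link step fails, because gcc treats an undeclared function as a warning, so the probe really tests whether the build host's libdevmapper exports the symbol, not whether the header declares it; a header without the prototype would still select the native path and the cgo build would then fail. Adding `-Werror=implicit-function-declaration` to both gcc invocations makes the probe fall through to `add_buildtag libdm dlsym_deferred_remove` in that case as well.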
@ -69,20 +68,20 @@ rename to pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
index 7f793c270868..bf57371ff4cf 100644
--- a/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
+++ b/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
@@ -1,14 +1,15 @@
@@ -1,11 +1,15 @@
-// +build linux,cgo,!libdm_no_deferred_remove
+// +build linux,cgo,!static_build
+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
package devicemapper
/*
-#cgo LDFLAGS: -L. -ldevmapper
#include <libdevmapper.h>
*/
-// #include <libdevmapper.h>
+/*
+#include <libdevmapper.h>
+*/
import "C"
-// LibraryDeferredRemovalSupport is supported when statically linked.
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
const LibraryDeferredRemovalSupport = true
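Review bot: the removed `-#cgo LDFLAGS: -L. -ldevmapper` line means this file no longer asks for libdevmapper itself, which is only safe if another file in the package still carries that directive for the `!libdm_dlsym_deferred_remove,!libdm_no_deferred_remove` build; otherwise `dm_task_deferred_remove` will fail to resolve at link time. Also note that the two `+// +build` lines are ANDed by the Go toolchain, so `!static_build` now excludes this file from static builds altogether (the old constraint was only `linux,cgo,!libdm_no_deferred_remove`); the patch description should state that static builds always take the dlsym or no-deferred-remove variant.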
@ -149,7 +148,7 @@ index 000000000000..5dfb369f1ff8
+import (
+ "unsafe"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/sirupsen/logrus"
+)
+
+// dm_task_deferred_remove is not supported by all distributions, due to
@ -233,7 +232,7 @@ index a880fec8c499..80b034b3ff17 100644
package devicemapper
-// LibraryDeferredRemovalSupport is not supported when statically linked.
-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
const LibraryDeferredRemovalSupport = false


@ -1,72 +0,0 @@
From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 20 Aug 2017 13:50:52 +1000
Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount
libdm currently has a fairly substantial DoS bug that makes certain
operations fail on a libdm device if the device has active references
through mountpoints. This is a significant problem with the advent of
mount namespaces and MS_PRIVATE, and can cause certain --volume mounts
to cause libdm to no longer be able to remove containers:
% docker run -d --name testA busybox top
% docker run -d --name testB -v /var/lib/docker:/docker busybox top
% docker rm -f testA
[fails on libdm with dm_task_run errors.]
This also solves the problem of unprivileged users being able to DoS
docker by using unprivileged mount namespaces to preseve mounts that
Docker has dropped.
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628
SUSE-Backport: https://github.com/moby/moby/pull/34573
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++
daemon/graphdriver/devmapper/driver.go | 4 +++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go
index ba845d4d01d4..fe8103683b9b 100644
--- a/daemon/graphdriver/devmapper/deviceset.go
+++ b/daemon/graphdriver/devmapper/deviceset.go
@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error {
}
logrus.Debug("devmapper: Unmount done")
+ // Remove the mountpoint here. Removing the mountpoint (in newer kernels)
+ // will cause all other instances of this mount in other mount namespaces
+ // to be killed (this is an anti-DoS measure that is necessary for things
+ // like devicemapper). This is necessary to avoid cases where a libdm mount
+ // that is present in another namespace will cause subsequent RemoveDevice
+ // operations to fail. We ignore any errors here because this may fail on
+ // older kernels which don't have
+ // torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
+ if err := os.Remove(mountPath); err != nil {
+ logrus.Debugf("devmapper: error doing a remove on unmounted device %s: %v", mountPath, err)
+ }
+
return devices.deactivateDevice(info)
}
diff --git a/daemon/graphdriver/devmapper/driver.go b/daemon/graphdriver/devmapper/driver.go
index 91de5cd12a0f..69a3b3184933 100644
--- a/daemon/graphdriver/devmapper/driver.go
+++ b/daemon/graphdriver/devmapper/driver.go
@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error {
if count := d.ctr.Decrement(mp); count > 0 {
return nil
}
+
err := d.DeviceSet.UnmountDevice(id, mp)
if err != nil {
- logrus.Errorf("devmapper: Error unmounting device %s: %s", id, err)
+ logrus.Errorf("devmapper: Error unmounting device %s: %v", id, err)
}
+
return err
}
--
2.14.1
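Review bot: dropping this patch is only correct if v17.09.1-ce really contains the `os.Remove(mountPath)` call in `UnmountDevice` from moby/moby#34573; the changelog entry says "merged upstream" but nothing in this commit checks it, so confirm it in `components/engine/daemon/graphdriver/devmapper/deviceset.go` before the unprivileged mount-namespace DoS described in the patch description is considered closed for this package.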


@ -1,4 +1,4 @@
From 6f18798a72d330f282ff7beb554d298f30531c8f Mon Sep 17 00:00:00 2001
From a24b98c0fc45d640b4eed8105033b313b8145e35 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Sun, 15 Oct 2017 17:06:20 +1100
Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
@ -21,13 +21,13 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 46 insertions(+)
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 9cf6674dfe11..0f1dabc31100 100644
index 0f8a392c2621..89ac627ff090 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -27,6 +27,7 @@ import (
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runc/libcontainer/user"
specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -26,6 +26,7 @@ import (
"github.com/opencontainers/runc/libcontainer/user"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
@ -71,7 +71,7 @@ index 9cf6674dfe11..0f1dabc31100 100644
var (
mountPropagationMap = map[string]int{
"private": mount.PRIVATE,
@@ -573,6 +606,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
@@ -575,6 +608,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
opts = append(opts, mountPropagationReverseMap[pFlag])
}
@ -92,5 +92,5 @@ index 9cf6674dfe11..0f1dabc31100 100644
s.Mounts = append(s.Mounts, mt)
}
--
2.14.2
2.15.0


@ -1,33 +0,0 @@
From 760763e9957840f1983a5006f4e66d6920ec496e Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Wed, 19 Jul 2017 06:17:19 +0200
Subject: [PATCH] Allow to override build date
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.
SUSE-Bugfix: https://bugzilla.suse.com/show_bug.cgi?id=1064781
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
hack/make.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/make.sh b/hack/make.sh
index b7d59ba94a00..7d18d649b540 100755
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=(
)
VERSION=$(< ./VERSION)
-! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
if [ "$DOCKER_GITCOMMIT" ]; then
GITCOMMIT="$DOCKER_GITCOMMIT"
elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then
--
2.14.2
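Review bot: with this patch removed, `BUILDTIME` stays reproducible only if upstream 17.09.1 already honours `SOURCE_DATE_EPOCH`; the spec still defines and bumps `%git_commit_epoch` for exactly that purpose, so confirm the upstream `hack/make.sh` carries the `date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}"` form (or an equivalent) before relying on it, otherwise the build date silently stops being reproducible.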


@ -1,118 +0,0 @@
From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Nov 2017 02:50:52 +1100
Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2
Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.
* tar: asm: store padding in chunks to avoid memory exhaustion
Fixes: CVE-2017-14992
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
vendor.conf | 2 +-
vendor/github.com/vbatts/tar-split/README.md | 3 +-
.../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++--------
3 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/vendor.conf b/vendor.conf
index 535adad38728..ea4f75bbea10 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7
# get graph and distribution packages
github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
-github.com/vbatts/tar-split v0.10.1
+github.com/vbatts/tar-split v0.10.2
github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
# get go-zfs packages
diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md
index 4c544d823fbc..03e3ec4308b7 100644
--- a/vendor/github.com/vbatts/tar-split/README.md
+++ b/vendor/github.com/vbatts/tar-split/README.md
@@ -1,6 +1,7 @@
# tar-split
[![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
+[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
contiguous file, though the archive contents may be recorded in sparse format.
Therefore when adding the file payload to a reassembled tar, to achieve
identical output, the file payload would need be precisely re-sparsified. This
-is not something I seek to fix imediately, but would rather have an alert that
+is not something I seek to fix immediately, but would rather have an alert that
precise reassembly is not possible.
(see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
index 54ef23aed366..009b3f5d8124 100644
--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
@@ -2,7 +2,6 @@ package asm
import (
"io"
- "io/ioutil"
"github.com/vbatts/tar-split/archive/tar"
"github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
}
}
- // it is allowable, and not uncommon that there is further padding on the
- // end of an archive, apart from the expected 1024 null bytes.
- remainder, err := ioutil.ReadAll(outputRdr)
- if err != nil && err != io.EOF {
- pW.CloseWithError(err)
- return
- }
- _, err = p.AddEntry(storage.Entry{
- Type: storage.SegmentType,
- Payload: remainder,
- })
- if err != nil {
- pW.CloseWithError(err)
- return
+ // It is allowable, and not uncommon that there is further padding on
+ // the end of an archive, apart from the expected 1024 null bytes. We
+ // do this in chunks rather than in one go to avoid cases where a
+ // maliciously crafted tar file tries to trick us into reading many GBs
+ // into memory.
+ const paddingChunkSize = 1024 * 1024
+ var paddingChunk [paddingChunkSize]byte
+ for {
+ var isEOF bool
+ n, err := outputRdr.Read(paddingChunk[:])
+ if err != nil {
+ if err != io.EOF {
+ pW.CloseWithError(err)
+ return
+ }
+ isEOF = true
+ }
+ _, err = p.AddEntry(storage.Entry{
+ Type: storage.SegmentType,
+ Payload: paddingChunk[:n],
+ })
+ if err != nil {
+ pW.CloseWithError(err)
+ return
+ }
+ if isEOF {
+ break
+ }
}
pW.Close()
}()
--
2.14.3
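Review bot: removing the CVE-2017-14992 backport moves the fix into upstream's vendoring, but nothing in this commit checks that `vendor.conf` in 17.09.1 pins `github.com/vbatts/tar-split v0.10.2` or later. The spec now greps `hack/dockerfile/binaries-commits` for the runc, containerd and libnetwork commits at build time; a matching `grep '^github.com/vbatts/tar-split v0.10.2' vendor.conf` next to those checks would guard against this memory-exhaustion fix being lost in a future rebase.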


@ -1,31 +0,0 @@
From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 7 Nov 2017 18:32:41 +1100
Subject: [PATCH] oci: add /proc/scsi to masked paths
This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.
Fixes: CVE-2017-16539
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
oci/defaults.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/oci/defaults.go b/oci/defaults.go
index d706fafcc021..a7fd285060c2 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec {
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
+ "/proc/scsi",
},
ReadonlyPaths: []string{
"/proc/asound",
--
2.14.3
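Review bot: the `"/proc/scsi"` entry in the `MaskedPaths` of `oci/defaults.go` is assumed to be present in the upstream 17.09.1 tree once this CVE-2017-16539 backport is dropped, but that assumption is not verified anywhere in this commit. A `grep '"/proc/scsi"' oci/defaults.go` in the build section alongside the existing `binaries-commits` checks, or an assertion in `tests.sh` (Source9) that a container cannot write under `/proc/scsi`, would make the assumption explicit and catch a regression.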


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:50c6b7f10e313ffe906b2fd72a6844f14d23458e2881a862c630c37c1c87f4b8
size 6142992

docker-17.09.1_ce.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
size 6237800


@ -1,3 +1,27 @@
-------------------------------------------------------------------
Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com
- Update to Docker v17.09.1_ce. Upstream changelog:
https://github.com/docker/docker-ce/releases/tag/v17.09.1-ce
- Removed patches (merged upstream):
- bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
- bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
- bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
-------------------------------------------------------------------
Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com
- Update to Docker v17.09.0_ce. Upstream changelog:
https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce
- Rebased patches:
* bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
* bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
* bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
- Removed patches (merged upstream):
- bsc1064781-0001-Allow-to-override-build-date.patch
-------------------------------------------------------------------
Tue Dec 5 10:58:07 UTC 2017 - asarai@suse.com
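Review bot: both new changelog entries carry the identical timestamp `Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com`; rpm and OBS order entries by date, so identical stamps make the 17.09.0_ce and 17.09.1_ce entries indistinguishable, and the 17.09.0_ce entry should get an earlier time. The entries also omit two behaviour changes made in the spec in this same commit, namely the switch to commit-pinned `-git` requires for containerd, docker-runc and docker-libnetwork and the removal of `%ix86` from `ExcludeArch`; both deserve a line here.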
@ -78,7 +102,7 @@ Mon Oct 16 11:06:22 UTC 2017 - asarai@suse.com
-------------------------------------------------------------------
Mon Oct 9 11:36:59 UTC 2017 - asarai@suse.com
- Update to Docker v17.07-ce (bsc#1069758). Upstream changelog:
- Update to Docker v17.07.0_ce (bsc#1069758). Upstream changelog:
https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce
https://github.com/docker/docker-ce/releases/tag/v17.07.0-ce
- Removed no-longer needed patches.


@ -31,11 +31,17 @@
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version 87847530f717
%define git_commit_epoch 1508266293
%define git_version f4ffd2511ce9
%define git_commit_epoch 1508606827
# These are the git commits required. We verify them against the source to make
# sure we didn't miss anything important when doing upgrades.
%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
Name: docker
Version: 17.07.0_ce
Version: 17.09.1_ce
Release: 0
Summary: The Linux container runtime
License: Apache-2.0
@ -57,17 +63,9 @@ Source9: tests.sh
Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34573. bsc#1045628
Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781
Patch403: bsc1064781-0001-Allow-to-override-build-date.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992
Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
Patch406: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@ -101,14 +99,14 @@ Requires: ca-certificates-mozilla
# Required in order for networking to work. fix_bsc_1057743 is a work-around
# for some old packaging issues (where rpm would delete a binary that was
# installed by docker-libnetwork). See bsc#1057743 for more details.
Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739
Requires: docker-libnetwork-git = %{required_libnetwork}
Requires: fix_bsc_1057743
# Containerd and runC are required as they are the only currently supported
# execdrivers of Docker. NOTE: The version pinning here matches upstream's
# vendor.conf to ensure that we don't use a slightly incompatible version of
# runC or containerd (which would be bad).
Requires: containerd = 0.2.8+gitr671_3addd8406531
Requires: docker-runc = 1.0.0rc3+gitr3201_2d41c04
Requires: containerd-git = %{required_containerd}
Requires: docker-runc-git = %{required_dockerrunc}
# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
Requires: e2fsprogs
Requires: git-core >= 1.7
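Review bot: switching to `Requires: containerd-git = %{required_containerd}`, `Requires: docker-runc-git = %{required_dockerrunc}` and `Requires: docker-libnetwork-git = %{required_libnetwork}` pins the package to exact commits, which matches upstream's vendor.conf as the comment says, but it only resolves if the containerd, docker-runc and docker-libnetwork packages in the same project export those `-git` provides for exactly those hashes; otherwise docker becomes uninstallable. Check the three provides exist in the project before submitting, and mention the new dependency scheme in the changes entry.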
@ -126,7 +124,7 @@ Requires(post): shadow
Recommends: lvm2 >= 2.2.89
Conflicts: lxc < 1.0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExcludeArch: %ix86 s390 ppc
ExcludeArch: s390 ppc
# Make sure we build with go 1.8
BuildRequires: go-go-md2man
BuildRequires: golang(API) = 1.8
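Review bot: dropping `%ix86` from `ExcludeArch` re-enables 32-bit x86 builds, a behaviour change that neither the commit message nor the changes entry mentions; if it is intentional, say so in the changelog, and if the 32-bit devicemapper and unit-test paths have not been exercised, say that too so packagers know which architectures the tests in this commit actually cover.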
@ -183,21 +181,14 @@ Test package for docker. It contains the source code and the tests.
%if 0%{?is_opensuse}
# nothing
%else
# PATCH-SUSE: Secrets patches.
%patch200 -p1 -d components/engine
%patch201 -p1 -d components/engine
%endif
# bsc#1055676
%patch401 -p1 -d components/engine
# bsc#1045628
%patch402 -p1 -d components/engine
# boo#1064781
%patch403 -p1 -d components/engine
# boo#1066801 CVE-2017-16539
%patch404 -p1 -d components/engine
# boo#1066210 CVE-2017-14992
%patch405 -p1 -d components/engine
%patch400 -p1 -d components/engine
# bsc#1021227 bsc#1029320 bsc#1058173
%patch406 -p1 -d components/engine
%patch401 -p1 -d components/engine
cp %{SOURCE7} .
cp %{SOURCE9} .
@ -277,6 +268,12 @@ cp -ar %{buildroot}/usr/src/docker/engine $HOME/go/src/github.com/docker/docker
cd $HOME/go/src/github.com/docker/docker
# We verify that all of our -git requires are correct. This is done on-build to
# make sure that someone doing an update didn't miss anything.
grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits
grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
# The command is taken from hack/make/test-unit and various test runs.
# Everything that follows github.com/docker/pkg/integration-cli are packages
# containing tests that cannot run in an obs build context. Some tests must be
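Review bot: the three `grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits` checks are a useful guard, but the patterns are unanchored, so a commented-out or prefixed line such as `#RUNC_COMMIT=...` would also satisfy them; anchoring with `^` and `$` (for example `grep -q '^RUNC_COMMIT=%{required_dockerrunc}$' hack/dockerfile/binaries-commits`) makes the check exact and keeps the noise out of the build log.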
@ -300,6 +297,7 @@ PKG_LIST=$(go list -e \
| grep -v 'github.com/docker/docker/daemon$' \
| grep -v 'github.com/docker/docker/daemon/graphdriver' \
| grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \
| grep -v 'github.com/docker/docker/integration' \
| grep -v 'github.com/docker/docker/integration-cli' \
| grep -v 'github.com/docker/docker/man$' \
| grep -v 'github.com/docker/docker/pkg/archive$' \
@ -322,22 +320,33 @@ PKG_LIST=$(go list -e \
)
# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
rm ./pkg/system/rm_test.go
go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
# DOCKER CLIENT
find $(go env GOROOT) -type d
cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli
cd $HOME/go/src/github.com/docker/cli
PKG_LIST=$(go list ./... \
| grep 'github.com/docker/cli' \
| grep -v 'github.com/docker/cli/vendor' \
| grep -Ev 'vendor/(.+/)?github.com/docker/cli' \
| grep -v 'github.com/docker/cli/cli/command/idresolver' \
| grep -v 'github.com/docker/cli/cli/command/image' \
| grep -v 'github.com/docker/cli/cli/image' \
| grep -v 'github.com/docker/cli/cmd/docker' \
| grep -v 'github.com/docker/cli/e2e' \
| grep -v 'github.com/docker/cli/cli/image' \
)
# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
go test -buildmode=pie -cover -ldflags -w -tags daemon -a -test.timeout=10m $PKG_LIST
# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will
# produce really odd errors about packages missing (this only happens if we
# have a lot of packages in the cmdline). So just avoid running these tests if
# we're on ppc64le (which requires -buildmode=pie).
%ifnarch ppc64le
go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
%endif
%install
install -d %{buildroot}%{go_contribdir}
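Review bot: `find $(go env GOROOT) -type d` looks like a debugging leftover that only dumps the GOROOT directory tree into the build log; remove it. Moving the engine `go test` after the CLI tests and wrapping it in `%ifnarch ppc64le` means the engine unit tests are now skipped entirely on ppc64le rather than run without `-buildmode=pie`, which the comment (typo: `becaue` should be `because`) does acknowledge, but that drops coverage of the devmapper and secrets patches on that architecture; consider running the engine tests without `-buildmode=pie` on ppc64le instead of skipping them, or record the gap in the changes entry.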


@ -1,4 +1,4 @@
From 102c28e548a544d672163300334d01240cfc965b Mon Sep 17 00:00:00 2001
From 5022c3554723040682444e324cd26ec8e2500131 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 84b7eb352f1a..dc3a48bfe47a 100644
index 954c194ea836..3ef1e0262edc 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
@ -26,7 +26,7 @@ index 84b7eb352f1a..dc3a48bfe47a 100644
"fmt"
"io/ioutil"
@@ -13,6 +14,7 @@ import (
"github.com/Sirupsen/logrus"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/links"
+ "github.com/docker/docker/pkg/archive"
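Review bot: the context line `"github.com/Sirupsen/logrus"` in this hunk still carries the old capitalised import path, while the other rebased patches in this commit (bsc1021227 and secrets-0002) switch their context to `github.com/sirupsen/logrus`; against a 17.09.1 tree this hunk will only apply with fuzz. Regenerate the patch with `git format-patch` against the new base so the context matches exactly and the rebase does not depend on patch fuzz.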
@ -70,5 +70,5 @@ index 84b7eb352f1a..dc3a48bfe47a 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.15.0
2.15.1


@ -1,4 +1,4 @@
From c62fb8fa766b6917839987b7e1323f0523166d32 Mon Sep 17 00:00:00 2001
From a84aa9152b50ea1fd73a7d09246ac056534d0e48 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@ -19,7 +19,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go
index 55438cf2c45f..7dfa6cd1d055 100644
index de32a649d7ed..2b6137d315e9 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
@ -33,7 +33,7 @@ index 55438cf2c45f..7dfa6cd1d055 100644
+
spec, err := daemon.createSpec(container)
if err != nil {
return err
return systemError{err}
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644
index 000000000000..9d0788f0410d
@ -74,7 +74,7 @@ index 000000000000..9d0788f0410d
+ "github.com/docker/docker/pkg/archive"
+ "github.com/docker/docker/pkg/idtools"
+ "github.com/opencontainers/go-digest"
+ "github.com/Sirupsen/logrus"
+ "github.com/sirupsen/logrus"
+
+ swarmtypes "github.com/docker/docker/api/types/swarm"
+ swarmexec "github.com/docker/swarmkit/agent/exec"
@ -432,5 +432,5 @@ index 000000000000..9d0788f0410d
+ return nil
+}
--
2.15.0
2.15.1