From 9fce3cd938072e5a7ec59fccc9f77ee904ffbbbf7fa57f3b15ddec27eba11864 Mon Sep 17 00:00:00 2001
From: Jordi Massaguer
Date: Mon, 29 May 2017 12:37:19 +0000
Subject: [PATCH] Accepting request 498958 from home:cyphar:containers

- Update SUSE secrets patch to correctly handle restarting of containers.
+ secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+ secrets-0002-SUSE-implement-SUSE-container-secrets.patch
OBS-URL: https://build.opensuse.org/request/show/498958
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=188
---
 docker.changes | 7 +++++
 ...ow-directory-creation-in-run-secrets.patch | 31 +++++++++++++------
 ...USE-implement-SUSE-container-secrets.patch | 12 +++----
 3 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/docker.changes b/docker.changes
index f733b67..d86c385 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 29 11:08:44 UTC 2017 - asarai@suse.com
+
+- Update SUSE secrets patch to correctly handle restarting of containers.
+ + secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+ + secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+
 -------------------------------------------------------------------
 Wed May 17 14:41:29 UTC 2017 - asarai@suse.com
 
diff --git a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
index 8b1eebe..ceef152 100644
--- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+++ b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
@@ -1,4 +1,4 @@
-From 36b539ca64d8c47681d5f15689db03751962d496 Mon Sep 17 00:00:00 2001
+From 4de0a0a9689c4063d369d54ecc16952241c7f241 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@@ -8,16 +8,17 @@ implementation to return secrets that are actually directories. This is useful for creating directories and subdirectories of secrets. Backport: https://github.com/docker/docker/pull/31632 +Signed-off-by: Antonio Murdaca Signed-off-by: Aleksa Sarai --- - daemon/container_operations_unix.go | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) + daemon/container_operations_unix.go | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 2296045765d4..bb08d3c4a207 100644 +index 67b3ee38c0ab..a538ba4e73e8 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go -@@ -177,11 +177,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -178,11 +178,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { } targetPath := filepath.Clean(s.File.Name) 
@@ -29,23 +30,33 @@ index 2296045765d4..bb08d3c4a207 100644 fPath := filepath.Join(localMountPath, targetPath) if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil { return errors.Wrap(err, "error creating secret mount path") -@@ -195,8 +190,14 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -196,9 +191,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if secret == nil { return fmt.Errorf("unable to get secret from secret store") } - if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { - return errors.Wrap(err, "error injecting secret") +- } + + uid, err := strconv.Atoi(s.File.UID) + if err != nil { +@@ -208,7 +200,15 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { + if err != nil { + return err + } +- + if s.File.Mode.IsDir() { -+ if err := os.Mkdir(fPath, s.File.Mode); err != nil { ++ if err := idtools.MkdirAllAs(fPath, s.File.Mode, rootUID+uid, rootGID+gid); err != nil { + return errors.Wrap(err, "error injecting secret dir") + } + } else { + if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { + return errors.Wrap(err, "error injecting secret") + } ++ } + if err := os.Chown(fPath, rootUID+uid, rootGID+gid); err != nil { + return errors.Wrap(err, "error setting ownership for secret") } - - uid, err := strconv.Atoi(s.File.UID) -- -2.12.2 +2.13.0 diff --git a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch index ae078b6..6497b98 100644 --- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch +++ b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch @@ -1,4 +1,4 @@ -From a7fbdb729255da73e47e77ca37eec0da325356c4 Mon Sep 17 00:00:00 2001 +From a6d2f9f43ea02d93534867271f7fa7cf0f77e70c Mon Sep 17 00:00:00 2001 
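Review bot: Nothing visible in this hunk keeps `fPath` under `localMountPath`: `filepath.Clean(s.File.Name)` leaves leading `..` segments of a relative name in place, so `filepath.Join(localMountPath, targetPath)` can resolve outside the secrets mount, and the new `idtools.MkdirAllAs(fPath, ...)`, `ioutil.WriteFile` and `os.Chown` calls then act on that path with the daemon's privileges. The inner hunk at -178,11 +178,6 drops five lines right after `targetPath := filepath.Clean(...)`; they are not shown on this page, so this assumes they were the check that limited names to a single path component, and it matters most if `s.File.Name` can come from anything less trusted than the daemon's own configuration. A containment guard before the first `MkdirAllAs` would cover it, for example `if rel, err := filepath.Rel(localMountPath, fPath); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return fmt.Errorf("secret target %q escapes the secret mount", s.File.Name) }`. setupSecretDir starts and ends outside the hunk, so an equivalent check elsewhere in the function would make this moot.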
From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets @@ -18,10 +18,10 @@ Signed-off-by: Aleksa Sarai create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go -index 6c94fd5482d0..3c06eed778d7 100644 +index eddb5d3d5060..eb74e2ab1096 100644 --- a/daemon/start.go +++ b/daemon/start.go -@@ -146,6 +146,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint +@@ -141,6 +141,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint return err } @@ -35,7 +35,7 @@ index 6c94fd5482d0..3c06eed778d7 100644 return err diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 -index 000000000000..591abc998e67 +index 000000000000..99bdbefdebcc --- /dev/null +++ b/daemon/suse_secrets.go @@ -0,0 +1,246 @@ @@ -66,8 +66,8 @@ index 000000000000..591abc998e67 + "syscall" + + "github.com/Sirupsen/logrus" -+ "github.com/opencontainers/go-digest" + "github.com/docker/docker/container" ++ "github.com/opencontainers/go-digest" + + swarmtypes "github.com/docker/docker/api/types/swarm" + swarmexec "github.com/docker/swarmkit/agent/exec" @@ -286,5 +286,5 @@ index 000000000000..591abc998e67 + return nil +} -- -2.12.2 +2.13.0