Accepting request 307100 from Virtualization:containers

1

OBS-URL: https://build.opensuse.org/request/show/307100
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=15

0002-Stripped-dockerinit-binary.patch

@@ -15,10 +15,10 @@ This commit strips the debugging symbols from `dockerinit` _before_ the
  hack/make/dynbinary | 1 +
  1 file changed, 1 insertion(+)
 
-Index: docker/project/make/.dockerinit
+Index: docker/hack/make/.dockerinit
 ===================================================================
---- docker.orig/project/make/.dockerinit
-+++ docker/project/make/.dockerinit
+--- docker.orig/hack/make/.dockerinit
++++ docker/hack/make/.dockerinit
 @@ -25,5 +25,7 @@ else
  	exit 1
  fi

docker-1.5.0.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f338cd9ea4996dac9a8fa8a180b9ff147487e55a5a8c74e552f16f5de7ce26df
-size 6228117

docker-1.6.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:27d81e446387690698830e86119340d4e7e3654b1c5b3e0d0f614284f2553157
+size 5479620

docker.changes

@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Fri May  8 15:00:38 UTC 2015 - fcastelli@suse.com
+
+Updated to version 1.6.1 (2015-05-07) [bnc#930235]
+  * Security
+    - Fix read/write /proc paths (CVE-2015-3630)
+    - Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631)
+    - Fix opening of file-descriptor 1 (CVE-2015-3627)
+    - Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629)
+    - Prohibit mount of /sys
+  * Runtime
+    - Update Apparmor policy to not allow mounts
+- Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect
+  changes introduced by docker 1.6.1
+
+-------------------------------------------------------------------
+Thu May  7 13:33:03 UTC 2015 - develop7@develop7.info
+
+- Get rid of SocketUser and SocketGroup workarounds for docker.socket
+
+-------------------------------------------------------------------
+Fri Apr 17 14:02:13 UTC 2015 - fcastelli@suse.com
+
+- Updated to version 1.6.0 (2015-04-07) [bnc#908033]
+  * Builder:
+    + Building images from an image ID
+    + build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...`
+    + `commit --change` to apply specified Dockerfile instructions while committing the image
+    + `import --change` to apply specified Dockerfile instructions while importing the image
+    + basic build cancellation
+  * Client:
+    + Windows Support
+  * Runtime:
+    + Container and image Labels
+    + `--cgroup-parent` for specifying a parent cgroup to place container cgroup within
+    + Logging drivers, `json-file`, `syslog`, or `none`
+    + Pulling images by ID
+    + `--ulimit` to set the ulimit on a container
+    + `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run)
+- Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of
+  the latest version of Docker.
+- bnc#908033: support of Docker Registry API v2.
+
 -------------------------------------------------------------------
 Fri Apr  3 19:57:38 UTC 2015 - dmueller@suse.com
 

docker.socket

@@ -5,12 +5,8 @@ PartOf=docker.service
 [Socket]
 ListenStream=/var/run/docker.sock
 SocketMode=0660
-# TODO: Get rid of workaround below after adopting systemd 214+ by oS Factory
-# Socket(User|Group) are available as of systemd 214+
-#SocketUser=root
-#SocketGroup=docker
-# Fix owner manually
-ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
+SocketUser=root
+SocketGroup=docker
 
 [Install]
 WantedBy=sockets.target

docker.spec

@@ -16,9 +16,9 @@
 #
 
 
-%define git_version a8a31ef
+%define git_version 97cd073
 Name:           docker
-Version:        1.5.0
+Version:        1.6.1
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@@ -28,7 +28,13 @@ Source:         %{name}-%{version}.tar.bz2
 Source1:        docker.service
 Source3:        80-docker.rules
 Source4:        sysconfig.docker
+
+%if 0%{?suse_version} > 1320
 Source5:        docker.socket
+%else
+Source5:        docker_systemd_lt_214.socket
+%endif
+
 Source6:        docker-rpmlintrc
 Source7:        README_SUSE.md
 Patch0:         0002-Stripped-dockerinit-binary.patch

docker_systemd_lt_214.socket

@@ -0,0 +1,12 @@
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+# A Socket(User|Group) replacement workaround for systemd <= 214
+ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
+
+[Install]
+WantedBy=sockets.target

libcontainer-apparmor-fixes.patch

@@ -2,33 +2,11 @@ Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
 ===================================================================
 --- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
 +++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
-@@ -25,18 +25,6 @@ profile {{.Name}} flags=(attach_disconne
+@@ -25,7 +25,6 @@ profile {{.Name}} flags=(attach_disconne
    network,
    capability,
    file,
 -  umount,
--
--  mount fstype=tmpfs,
--  mount fstype=mqueue,
--  mount fstype=fuse.*,
--  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
--  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
--  mount fstype=fusectl -> /sys/fs/fuse/connections/,
--  mount fstype=securityfs -> /sys/kernel/security/,
--  mount fstype=debugfs -> /sys/kernel/debug/,
--  mount fstype=proc -> /proc/,
--  mount fstype=sysfs -> /sys/,
  
    deny @{PROC}/sys/fs/** wklx,
    deny @{PROC}/sysrq-trigger rwklx,
-@@ -45,10 +33,6 @@ profile {{.Name}} flags=(attach_disconne
-   deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
-   deny @{PROC}/sys/kernel/*/** wklx,
- 
--  deny mount options=(ro, remount) -> /,
--  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
--  deny mount fstype=devpts,
--
-   deny /sys/[^f]*/** wklx,
-   deny /sys/f[^s]*/** wklx,
-   deny /sys/fs/[^c]*/** wklx,