From aed78a93a0c3f30d89c9454f7d6b145bf767d1cb6e2421f648d891ba988329d5 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Fri, 15 May 2015 05:44:24 +0000
Subject: [PATCH] Accepting request 307100 from Virtualization:containers 1
OBS-URL: https://build.opensuse.org/request/show/307100
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=15
---
 0002-Stripped-dockerinit-binary.patch | 6 ++--
 docker-1.5.0.tar.bz2 | 3 --
 docker-1.6.1.tar.bz2 | 3 ++
 docker.changes | 43 +++++++++++++++++++++++++++
 docker.socket | 8 ++---
 docker.spec | 10 +++++--
 docker_systemd_lt_214.socket | 12 ++++++++
 libcontainer-apparmor-fixes.patch | 24 +--------------
 8 files changed, 72 insertions(+), 37 deletions(-)
 delete mode 100644 docker-1.5.0.tar.bz2
 create mode 100644 docker-1.6.1.tar.bz2
 create mode 100644 docker_systemd_lt_214.socket
diff --git a/0002-Stripped-dockerinit-binary.patch b/0002-Stripped-dockerinit-binary.patch
index 3ae8a69..89e472c 100644
--- a/0002-Stripped-dockerinit-binary.patch
+++ b/0002-Stripped-dockerinit-binary.patch
@@ -15,10 +15,10 @@ This commit strips the debugging symbols from `dockerinit` _before_ the
 hack/make/dynbinary | 1 +
 1 file changed, 1 insertion(+)
-Index: docker/project/make/.dockerinit
+Index: docker/hack/make/.dockerinit
 ===================================================================
---- docker.orig/project/make/.dockerinit
-+++ docker/project/make/.dockerinit
+--- docker.orig/hack/make/.dockerinit
++++ docker/hack/make/.dockerinit
 @@ -25,5 +25,7 @@ else
 exit 1
 fi
diff --git a/docker-1.5.0.tar.bz2 b/docker-1.5.0.tar.bz2
deleted file mode 100644
index 0a15830..0000000
--- a/docker-1.5.0.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f338cd9ea4996dac9a8fa8a180b9ff147487e55a5a8c74e552f16f5de7ce26df
-size 6228117
diff --git a/docker-1.6.1.tar.bz2 b/docker-1.6.1.tar.bz2
new file mode 100644
index 0000000..340e18c
--- /dev/null
+++ b/docker-1.6.1.tar.bz2
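Review bot: The inner diffstat kept as context, ` hack/make/dynbinary | 1 +`, still names a different file than the `Index:`/`---`/`+++` lines this hunk rewrites to `hack/make/.dockerinit`, so the carried patch's own summary no longer matches its body. Since the path lines were touched anyway, the diffstat line should be made to agree (for example ` hack/make/.dockerinit | 1 +`) or dropped, so the next rebase against a new Docker release does not have to guess which file the patch targets. The inner patch's description and its hunk body continue outside this hunk.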
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:27d81e446387690698830e86119340d4e7e3654b1c5b3e0d0f614284f2553157
+size 5479620
diff --git a/docker.changes b/docker.changes
index 5d4787d..948570f 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Fri May 8 15:00:38 UTC 2015 - fcastelli@suse.com
+
+Updated to version 1.6.1 (2015-05-07) [bnc#930235]
+ * Security
+ - Fix read/write /proc paths (CVE-2015-3630)
+ - Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631)
+ - Fix opening of file-descriptor 1 (CVE-2015-3627)
+ - Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629)
+ - Prohibit mount of /sys
+ * Runtime
+ - Update Apparmor policy to not allow mounts
+- Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect
+ changes introduced by docker 1.6.1
+
+-------------------------------------------------------------------
+Thu May 7 13:33:03 UTC 2015 - develop7@develop7.info
+
+- Get rid of SocketUser and SocketGroup workarounds for docker.socket
+
+-------------------------------------------------------------------
+Fri Apr 17 14:02:13 UTC 2015 - fcastelli@suse.com
+
+- Updated to version 1.6.0 (2015-04-07) [bnc#908033]
+ * Builder:
+ + Building images from an image ID
+ + build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...`
+ + `commit --change` to apply specified Dockerfile instructions while committing the image
+ + `import --change` to apply specified Dockerfile instructions while importing the image
+ + basic build cancellation
+ * Client:
+ + Windows Support
+ * Runtime:
+ + Container and image Labels
+ + `--cgroup-parent` for specifying a parent cgroup to place container cgroup within
+ + Logging drivers, `json-file`, `syslog`, or `none`
+ + Pulling images by ID
+ + `--ulimit` to set the ulimit on a container
+ + `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run)
+- Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of
+ the latest version of Docker.
+- bnc#908033: support of Docker Registry API v2.
+
 -------------------------------------------------------------------
 Fri Apr 3 19:57:38 UTC 2015 - dmueller@suse.com
diff --git a/docker.socket b/docker.socket
index cbb9a84..bed29c5 100644
--- a/docker.socket
+++ b/docker.socket
@@ -5,12 +5,8 @@ PartOf=docker.service
 [Socket]
 ListenStream=/var/run/docker.sock
 SocketMode=0660
-# TODO: Get rid of workaround below after adopting systemd 214+ by oS Factory
-# Socket(User|Group) are available as of systemd 214+
-#SocketUser=root
-#SocketGroup=docker
-# Fix owner manually
-ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
+SocketUser=root
+SocketGroup=docker
 [Install]
 WantedBy=sockets.target
diff --git a/docker.spec b/docker.spec
index df330d2..0d47a96 100644
--- a/docker.spec
+++ b/docker.spec
@@ -16,9 +16,9 @@
 #
-%define git_version a8a31ef
+%define git_version 97cd073
 Name: docker
-Version: 1.5.0
+Version: 1.6.1
 Release: 0
 Summary: The Linux container runtime
 License: Apache-2.0
@@ -28,7 +28,13 @@ Source: %{name}-%{version}.tar.bz2
 Source1: docker.service
 Source3: 80-docker.rules
 Source4: sysconfig.docker
+
+%if 0%{?suse_version} > 1320
 Source5: docker.socket
+%else
+Source5: docker_systemd_lt_214.socket
+%endif
+
 Source6: docker-rpmlintrc
 Source7: README_SUSE.md
 Patch0: 0002-Stripped-dockerinit-binary.patch
diff --git a/docker_systemd_lt_214.socket b/docker_systemd_lt_214.socket
new file mode 100644
index 0000000..94b9e4d
--- /dev/null
+++ b/docker_systemd_lt_214.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+# A Socket(User|Group) replacement workaround for systemd <= 214
+ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
+
+[Install]
+WantedBy=sockets.target
diff --git a/libcontainer-apparmor-fixes.patch b/libcontainer-apparmor-fixes.patch
index ddb8a82..feeb859 100644
--- a/libcontainer-apparmor-fixes.patch
+++ b/libcontainer-apparmor-fixes.patch
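Review bot: The new `SocketUser=root` / `SocketGroup=docker` lines in docker.socket carry no hint that these directives only exist from systemd 214 on, whereas the removed comment said exactly that; the unit is now chosen by an `%if` in docker.spec, so the dependency is invisible to anyone editing this file alone. Add a comment above them, `# Socket(User|Group) need systemd >= 214; docker.spec ships docker_systemd_lt_214.socket on older releases`. As far as I know a pre-214 systemd would log and ignore the unknown lvalues rather than fail the unit, leaving the socket root-owned with mode 0660, which fails closed (no docker-group member could connect) but would be hard to diagnose without that note.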
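Review bot: `%if 0%{?suse_version} > 1320` in docker.spec selects the socket unit by distribution version as a stand-in for the systemd version it really depends on, and nothing in the hunk says so. A one-line comment above the `%if`, `# Socket(User|Group) need systemd >= 214, first shipped with openSUSE > 13.2`, would tell the next maintainer why 1320 is the threshold and when the `%else` branch and docker_systemd_lt_214.socket can be retired. Presumably the same threshold should be mirrored in the package's systemd requirement, which is outside this hunk.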
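Review bot: The comment `# A Socket(User|Group) replacement workaround for systemd <= 214` in the new docker_systemd_lt_214.socket contradicts both the file name (`lt_214`) and the comment removed from docker.socket, which states the directives are available as of systemd 214+; the workaround is for systemd < 214. Suggest `# Socket(User|Group) need systemd >= 214; on older systemd the owner is fixed after the socket is created`. Because the chown runs in ExecStartPost, i.e. after the listening socket exists, the socket presumably sits as root-owned with mode 0660 for a moment, so only root can connect in that window and the gap fails closed rather than open.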
@@ -2,33 +2,11 @@
 Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
 ===================================================================
 --- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
 +++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
-@@ -25,18 +25,6 @@ profile {{.Name}} flags=(attach_disconne
+@@ -25,7 +25,6 @@ profile {{.Name}} flags=(attach_disconne
 network,
 capability,
 file,
 - umount,
--
-- mount fstype=tmpfs,
-- mount fstype=mqueue,
-- mount fstype=fuse.*,
-- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
-- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-- mount fstype=fusectl -> /sys/fs/fuse/connections/,
-- mount fstype=securityfs -> /sys/kernel/security/,
-- mount fstype=debugfs -> /sys/kernel/debug/,
-- mount fstype=proc -> /proc/,
-- mount fstype=sysfs -> /sys/,
 deny @{PROC}/sys/fs/** wklx,
 deny @{PROC}/sysrq-trigger rwklx,
-@@ -45,10 +33,6 @@ profile {{.Name}} flags=(attach_disconne
- deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
- deny @{PROC}/sys/kernel/*/** wklx,
-
-- deny mount options=(ro, remount) -> /,
-- deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
-- deny mount fstype=devpts,
--
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
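Review bot: After this rebase the only effect left in libcontainer-apparmor-fixes.patch is dropping `umount,` from the generated profile template (the second inner hunk deleting the `deny mount` rules is gone because the 1.6.1 profile no longer grants mounts), and nothing visible in the patch states why `umount` should still be withheld when upstream keeps it. The patch description that precedes line 2 of the file is outside this hunk; it should record that rationale, for example that on kernels mediating mount operations AppArmor denies `umount` unless a rule allows it, so the package deliberately keeps the container profile stricter than upstream's. Without that note the next rebase is likely to drop the patch as obsolete and silently re-enable umount inside containers.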