Accepting request 307100 from Virtualization:containers
1 OBS-URL: https://build.opensuse.org/request/show/307100 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=15
parent
42faa36b3e
commit
aed78a93a0
@ -15,10 +15,10 @@ This commit strips the debugging symbols from `dockerinit` _before_ the
|
|||||||
hack/make/dynbinary | 1 +
|
hack/make/dynbinary | 1 +
|
||||||
1 file changed, 1 insertion(+)
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
Index: docker/project/make/.dockerinit
|
Index: docker/hack/make/.dockerinit
|
||||||
===================================================================
|
===================================================================
|
||||||
--- docker.orig/project/make/.dockerinit
|
--- docker.orig/hack/make/.dockerinit
|
||||||
+++ docker/project/make/.dockerinit
|
+++ docker/hack/make/.dockerinit
|
||||||
@@ -25,5 +25,7 @@ else
|
@@ -25,5 +25,7 @@ else
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:f338cd9ea4996dac9a8fa8a180b9ff147487e55a5a8c74e552f16f5de7ce26df
|
|
||||||
size 6228117
|
|
3
docker-1.6.1.tar.bz2
Normal file
3
docker-1.6.1.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:27d81e446387690698830e86119340d4e7e3654b1c5b3e0d0f614284f2553157
|
||||||
|
size 5479620
|
@ -1,3 +1,46 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 8 15:00:38 UTC 2015 - fcastelli@suse.com
|
||||||
|
|
||||||
|
Updated to version 1.6.1 (2015-05-07) [bnc#930235]
|
||||||
|
* Security
|
||||||
|
- Fix read/write /proc paths (CVE-2015-3630)
|
||||||
|
- Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631)
|
||||||
|
- Fix opening of file-descriptor 1 (CVE-2015-3627)
|
||||||
|
- Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629)
|
||||||
|
- Prohibit mount of /sys
|
||||||
|
* Runtime
|
||||||
|
- Update Apparmor policy to not allow mounts
|
||||||
|
- Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect
|
||||||
|
changes introduced by docker 1.6.1
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 7 13:33:03 UTC 2015 - develop7@develop7.info
|
||||||
|
|
||||||
|
- Get rid of SocketUser and SocketGroup workarounds for docker.socket
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 17 14:02:13 UTC 2015 - fcastelli@suse.com
|
||||||
|
|
||||||
|
- Updated to version 1.6.0 (2015-04-07) [bnc#908033]
|
||||||
|
* Builder:
|
||||||
|
+ Building images from an image ID
|
||||||
|
+ build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...`
|
||||||
|
+ `commit --change` to apply specified Dockerfile instructions while committing the image
|
||||||
|
+ `import --change` to apply specified Dockerfile instructions while importing the image
|
||||||
|
+ basic build cancellation
|
||||||
|
* Client:
|
||||||
|
+ Windows Support
|
||||||
|
* Runtime:
|
||||||
|
+ Container and image Labels
|
||||||
|
+ `--cgroup-parent` for specifying a parent cgroup to place container cgroup within
|
||||||
|
+ Logging drivers, `json-file`, `syslog`, or `none`
|
||||||
|
+ Pulling images by ID
|
||||||
|
+ `--ulimit` to set the ulimit on a container
|
||||||
|
+ `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run)
|
||||||
|
- Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of
|
||||||
|
the latest version of Docker.
|
||||||
|
- bnc#908033: support of Docker Registry API v2.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Apr 3 19:57:38 UTC 2015 - dmueller@suse.com
|
Fri Apr 3 19:57:38 UTC 2015 - dmueller@suse.com
|
||||||
|
|
||||||
|
@ -5,12 +5,8 @@ PartOf=docker.service
|
|||||||
[Socket]
|
[Socket]
|
||||||
ListenStream=/var/run/docker.sock
|
ListenStream=/var/run/docker.sock
|
||||||
SocketMode=0660
|
SocketMode=0660
|
||||||
# TODO: Get rid of workaround below after adopting systemd 214+ by oS Factory
|
SocketUser=root
|
||||||
# Socket(User|Group) are available as of systemd 214+
|
SocketGroup=docker
|
||||||
#SocketUser=root
|
|
||||||
#SocketGroup=docker
|
|
||||||
# Fix owner manually
|
|
||||||
ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=sockets.target
|
WantedBy=sockets.target
|
||||||
|
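Review bot: With the workaround removed, nothing in this unit says that `SocketUser=` and `SocketGroup=` need systemd 214 or newer, which the deleted comment used to state and which the spec's choice between this file and docker_systemd_lt_214.socket depends on. I would keep one line above the two settings, `# SocketUser/SocketGroup require systemd >= 214; older targets ship docker_systemd_lt_214.socket`. Because `SocketMode=0660` together with `SocketGroup=docker` gives every member of that group full access to the daemon API, a second comment such as `# Access to this socket is root-equivalent; keep docker group membership minimal` would help whoever edits these values later.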
10
docker.spec
10
docker.spec
@ -16,9 +16,9 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
%define git_version a8a31ef
|
%define git_version 97cd073
|
||||||
Name: docker
|
Name: docker
|
||||||
Version: 1.5.0
|
Version: 1.6.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Linux container runtime
|
Summary: The Linux container runtime
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -28,7 +28,13 @@ Source: %{name}-%{version}.tar.bz2
|
|||||||
Source1: docker.service
|
Source1: docker.service
|
||||||
Source3: 80-docker.rules
|
Source3: 80-docker.rules
|
||||||
Source4: sysconfig.docker
|
Source4: sysconfig.docker
|
||||||
|
|
||||||
|
%if 0%{?suse_version} > 1320
|
||||||
Source5: docker.socket
|
Source5: docker.socket
|
||||||
|
%else
|
||||||
|
Source5: docker_systemd_lt_214.socket
|
||||||
|
%endif
|
||||||
|
|
||||||
Source6: docker-rpmlintrc
|
Source6: docker-rpmlintrc
|
||||||
Source7: README_SUSE.md
|
Source7: README_SUSE.md
|
||||||
Patch0: 0002-Stripped-dockerinit-binary.patch
|
Patch0: 0002-Stripped-dockerinit-binary.patch
|
||||||
|
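Review bot: Wrapping `Source5` in `%if 0%{?suse_version} > 1320` makes the contents of the source package depend on the build target, and it uses the distribution version as a stand-in for the systemd version without a comment saying so. A source RPM built for one target will carry only one of the two socket units, which makes the package harder to audit and rebuild elsewhere. I would declare both files unconditionally, keeping `Source5: docker.socket` and adding the second under a free tag (shown here as `Source8: docker_systemd_lt_214.socket`, assuming that number is unused), and move the `%if` to the install step, which is outside this hunk. Above the condition, add `# SocketUser=/SocketGroup= need systemd >= 214; older targets get the chown workaround unit`.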
12
docker_systemd_lt_214.socket
Normal file
12
docker_systemd_lt_214.socket
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Docker Socket for the API
|
||||||
|
PartOf=docker.service
|
||||||
|
|
||||||
|
[Socket]
|
||||||
|
ListenStream=/var/run/docker.sock
|
||||||
|
SocketMode=0660
|
||||||
|
# A Socket(User|Group) replacement workaround for systemd <= 214
|
||||||
|
ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
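Review bot: The comment `# A Socket(User|Group) replacement workaround for systemd <= 214` contradicts the file name (`lt_214`) and the comment this commit removes from docker.socket, which said the settings are available as of 214; it should read `# Socket(User|Group) replacement workaround for systemd < 214`. It would also be worth stating in the comment that, as far as the unit shows, the socket stays root-owned with mode 0660 until `ExecStartPost` runs. A failed `chown` therefore leaves the socket closed to the docker group rather than opened wider.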
@ -2,33 +2,11 @@ Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
|
--- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
|
||||||
+++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
|
+++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
|
||||||
@@ -25,18 +25,6 @@ profile {{.Name}} flags=(attach_disconne
|
@@ -25,7 +25,6 @@ profile {{.Name}} flags=(attach_disconne
|
||||||
network,
|
network,
|
||||||
capability,
|
capability,
|
||||||
file,
|
file,
|
||||||
- umount,
|
- umount,
|
||||||
-
|
|
||||||
- mount fstype=tmpfs,
|
|
||||||
- mount fstype=mqueue,
|
|
||||||
- mount fstype=fuse.*,
|
|
||||||
- mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
|
|
||||||
- mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
|
|
||||||
- mount fstype=fusectl -> /sys/fs/fuse/connections/,
|
|
||||||
- mount fstype=securityfs -> /sys/kernel/security/,
|
|
||||||
- mount fstype=debugfs -> /sys/kernel/debug/,
|
|
||||||
- mount fstype=proc -> /proc/,
|
|
||||||
- mount fstype=sysfs -> /sys/,
|
|
||||||
|
|
||||||
deny @{PROC}/sys/fs/** wklx,
|
deny @{PROC}/sys/fs/** wklx,
|
||||||
deny @{PROC}/sysrq-trigger rwklx,
|
deny @{PROC}/sysrq-trigger rwklx,
|
||||||
@@ -45,10 +33,6 @@ profile {{.Name}} flags=(attach_disconne
|
|
||||||
deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
|
|
||||||
deny @{PROC}/sys/kernel/*/** wklx,
|
|
||||||
|
|
||||||
- deny mount options=(ro, remount) -> /,
|
|
||||||
- deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
|
|
||||||
- deny mount fstype=devpts,
|
|
||||||
-
|
|
||||||
deny /sys/[^f]*/** wklx,
|
|
||||||
deny /sys/f[^s]*/** wklx,
|
|
||||||
deny /sys/fs/[^c]*/** wklx,
|
|
||||||
|
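Review bot: The refreshed patch still removes `umount,` from the generated profile, and nothing visible explains why the package differs from upstream on that rule. The hunk starts at line 2 of the patch file and its context points at the `Index:` line, so the file appears to have no description header. I would add one or two lines at the top of the patch stating the reason for dropping `umount,` and the condition under which the patch can be retired, so that the next refresh against a changed upstream profile is a deliberate decision.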