diff --git a/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch b/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
deleted file mode 100644
index 28d9dc8..0000000
--- a/0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From 9961826453fee3b52244ba920359b9e2f9ad137c Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Thu, 29 Nov 2018 20:53:16 +1100 -Subject: [PATCH 1/5] PACKAGING: revert "Remove 'docker-' prefix for containerd - and runc binaries" - -This reverts commit 34eede0296bce6a9c335cb429f10728ae3f4252d, as it -would significantly break openSUSE's packaging (as well as causing -conflicts between the very-outdated runc that Docker uses and the more -up-to-date one available for Podman). - -Signed-off-by: Aleksa Sarai ---- - builder/builder-next/executor_unix.go | 2 +- - daemon/daemon_unix.go | 8 ++++++-- - libcontainerd/supervisor/remote_daemon.go | 4 ++-- - libcontainerd/supervisor/remote_daemon_linux.go | 4 ++-- - libcontainerd/supervisor/remote_daemon_windows.go | 4 ++-- - 5 files changed, 13 insertions(+), 9 deletions(-) - -diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go -index c052ec707fec..d1caf53f5023 100644 ---- a/builder/builder-next/executor_unix.go -+++ b/builder/builder-next/executor_unix.go -@@ -32,7 +32,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn - } - return runcexecutor.New(runcexecutor.Opt{ - Root: filepath.Join(root, "executor"), -- CommandCandidates: []string{"runc"}, -+ CommandCandidates: []string{"docker-runc", "runc"}, - DefaultCgroupParent: cgroupParent, - Rootless: rootless, - NoPivot: os.Getenv("DOCKER_RAMDISK") != "", -diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go -index 5fa688dff4c7..f610fdb01d27 100644 ---- a/daemon/daemon_unix.go -+++ b/daemon/daemon_unix.go -@@ -58,11 +58,11 @@ const ( - - // DefaultShimBinary is the default shim to be used by containerd if none - // is specified -- DefaultShimBinary = "containerd-shim" -+ DefaultShimBinary = "docker-containerd-shim" - - // DefaultRuntimeBinary is the default runtime to be used by - // containerd if none is specified -- DefaultRuntimeBinary = "runc" -+ DefaultRuntimeBinary = 
"docker-runc" - - // See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269 - linuxMinCPUShares = 2 -@@ -78,6 +78,10 @@ const ( - cgroupFsDriver = "cgroupfs" - cgroupSystemdDriver = "systemd" - cgroupNoneDriver = "none" -+ -+ // DefaultRuntimeName is the default runtime to be used by -+ // containerd if none is specified -+ DefaultRuntimeName = "docker-runc" - ) - - type containerGetter interface { -diff --git a/libcontainerd/supervisor/remote_daemon.go b/libcontainerd/supervisor/remote_daemon.go -index 3538612246f4..f17868a7e1f8 100644 ---- a/libcontainerd/supervisor/remote_daemon.go -+++ b/libcontainerd/supervisor/remote_daemon.go -@@ -27,8 +27,8 @@ const ( - shutdownTimeout = 15 * time.Second - startupTimeout = 15 * time.Second - configFile = "containerd.toml" -- binaryName = "containerd" -- pidFile = "containerd.pid" -+ binaryName = "docker-containerd" -+ pidFile = "docker-containerd.pid" - ) - - type pluginConfigs struct { -diff --git a/libcontainerd/supervisor/remote_daemon_linux.go b/libcontainerd/supervisor/remote_daemon_linux.go -index d229881a62b3..da93fc45371d 100644 ---- a/libcontainerd/supervisor/remote_daemon_linux.go -+++ b/libcontainerd/supervisor/remote_daemon_linux.go -@@ -11,8 +11,8 @@ import ( - ) - - const ( -- sockFile = "containerd.sock" -- debugSockFile = "containerd-debug.sock" -+ sockFile = "docker-containerd.sock" -+ debugSockFile = "docker-containerd-debug.sock" - ) - - func (r *remote) setDefaults() { -diff --git a/libcontainerd/supervisor/remote_daemon_windows.go b/libcontainerd/supervisor/remote_daemon_windows.go -index 9b254ef58a0a..bcdc9529e0f7 100644 ---- a/libcontainerd/supervisor/remote_daemon_windows.go -+++ b/libcontainerd/supervisor/remote_daemon_windows.go -@@ -7,8 +7,8 @@ import ( - ) - - const ( -- grpcPipeName = `\\.\pipe\containerd-containerd` -- debugPipeName = `\\.\pipe\containerd-debug` -+ grpcPipeName = 
`\\.\pipe\docker-containerd-containerd` -+ debugPipeName = `\\.\pipe\docker-containerd-debug` - ) - - func (r *remote) setDefaults() { --- -2.30.0 - diff --git a/0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch similarity index 93% rename from 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch rename to 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index f51629e..b86f4e8 100644 --- a/0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,7 @@ -From e24062ca12b575bc417fea2f46544ccd18e5f1eb Mon Sep 17 00:00:00 2001 +From 1edf7a140c843cc6db85cdea298db19fee316dcb Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 2/5] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index f4f1bd2c0b6a..f18f522485ee 100644 +index 5521adbd2749..c103d9349c51 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ diff --git a/0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch similarity index 99% rename from 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch rename to 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch index 33ef489..7a80865 100644 --- a/0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch +++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch 
@@ -1,7 +1,7 @@ -From 3469fd3b7da0477ba781d95b02bd698c770916f6 Mon Sep 17 00:00:00 2001 +From b7419429d17675d8db949bd7c35812308684254a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 3/5] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. diff --git a/0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch similarity index 99% rename from 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch rename to 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch index 5bdb33f..6abb229 100644 --- a/0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch +++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch @@ -1,7 +1,7 @@ -From 3e63781e1bf40affdb884ddd83b82fc51c54d88a Mon Sep 17 00:00:00 2001 +From aa173dd56730552524ab35d74acbe61709c732e2 Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Mon, 2 Jul 2018 13:37:34 +0200 -Subject: [PATCH 4/5] PRIVATE-REGISTRY: add private-registry mirror support +Subject: [PATCH 3/4] PRIVATE-REGISTRY: add private-registry mirror support NOTE: This is a backport/downstream patch of the upstream pull-request for Moby, which is still subject to changes. Please visit @@ -444,7 +444,7 @@ index c8ddd4c5cfcd..b17e9d25d6c2 100644 return err } diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go -index 12497ea890e7..926e02f851fd 100644 +index 023ee2e71efd..e14cdd16b410 100644 --- a/distribution/pull_v2.go +++ b/distribution/pull_v2.go @@ -431,7 +431,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform 
diff --git a/0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch similarity index 88% rename from 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch rename to 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index 9763dc0..308067a 100644 --- a/0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch @@ -1,7 +1,7 @@ -From 4d134a69323ba490b1f8976394cdd9fe0c278b3d Mon Sep 17 00:00:00 2001 +From eb4e0b351b4bb229bfd5fd3ed57d3c35040265e0 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 5/5] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -22,12 +22,12 @@ Signed-off-by: Aleksa Sarai 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go -index 2045412a7966..0c1fd0f0c940 100644 +index a7cc3a5ef412..1a952953da8f 100644 --- a/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go -@@ -15,6 +15,15 @@ const ( - defaultAppArmorProfile = "docker-default" - ) +@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string { + return "" + } +func clobberDefaultAppArmorProfile() error { + if apparmor.IsEnabled() { @@ -41,7 +41,7 @@ index 2045412a7966..0c1fd0f0c940 100644 func ensureDefaultAppArmorProfile() error { if apparmor.IsEnabled() { loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) -@@ -28,10 +37,7 @@ func ensureDefaultAppArmorProfile() error { +@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error { } // Load the profile. @@ -54,7 +54,7 @@ index 2045412a7966..0c1fd0f0c940 100644 return nil } 
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go -index 51f9c526b350..97d7758442ee 100644 +index dd581dc7dadb..5b14979cd4a3 100644 --- a/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go @@ -2,6 +2,10 @@ @@ -69,7 +69,7 @@ index 51f9c526b350..97d7758442ee 100644 return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go -index 3e86ab5c8721..4a574da030da 100644 +index 794ff9712d08..f9e727b348c5 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S diff --git a/_service b/_service index cd48a3f..76f27b9 100644 --- a/_service +++ b/_service @@ -1,20 +1,28 @@ - https://github.com/docker/docker.git + https://github.com/moby/moby.git git .git - 20.10.2_ce_%h - v20.10.2 + 20.10.3_ce_%h + v20.10.3 docker https://github.com/docker/cli.git git .git - 20.10.2_ce - v20.10.2 + 20.10.3_ce + v20.10.3 docker-cli + + https://github.com/docker/libnetwork.git + git + .git + %H + fa125a3512ee0f6187721c88582bf8c4378bd4d7 + docker-libnetwork + docker-*.tar xz diff --git a/docker-20.10.2_ce_8891c58a433a.tar.xz b/docker-20.10.2_ce_8891c58a433a.tar.xz deleted file mode 100644 index a7b3bb6..0000000 --- a/docker-20.10.2_ce_8891c58a433a.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8f38527e3b117ca42b0b702a3a8a2a3d73cb629d170730d7d741115e72da8171 -size 6463700 diff --git a/docker-20.10.3_ce_46229ca1d815.tar.xz b/docker-20.10.3_ce_46229ca1d815.tar.xz new file mode 100644 index 0000000..8aefccd --- /dev/null +++ b/docker-20.10.3_ce_46229ca1d815.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:84fcc9d36db90c8b87a0b19d5846ade17e8dc4586e998e071c843fd8d43a0bef +size 6481288 diff --git a/docker-cli-20.10.2_ce.tar.xz b/docker-cli-20.10.2_ce.tar.xz deleted file mode 100644 index 211bd68..0000000 --- a/docker-cli-20.10.2_ce.tar.xz +++ /dev/null 
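Review bot: The docker-cli entry in `_service` is still pinned only by what appears to be a tag (`v20.10.3`) with a version format of `20.10.3_ce`, so the resulting tarball name does not record which commit was fetched. The engine entry carries `%h`, and the new libnetwork entry is pinned to the full commit `fa125a3512ee0f6187721c88582bf8c4378bd4d7` with `%H`. If the upstream tag were ever moved, re-running the service would produce a tarball with the same name and different content. Consider pinning docker-cli to a commit hash as well, or adding `%h` to its version format so the commit is visible in the file name during review. The XML markup of the file is not visible on this page, so the parameter roles are inferred from the order of the values.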
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:83f9812b3d0fda73d6645d82577b0e3c7d603c042be6ee80119d0d5a48d73866
-size 4432320
diff --git a/docker-cli-20.10.3_ce.tar.xz b/docker-cli-20.10.3_ce.tar.xz
new file mode 100644
index 0000000..125a21c
--- /dev/null
+++ b/docker-cli-20.10.3_ce.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a8526bdb466209ffd1c3ef41fcfccb9588b67d507d4444701398d6f7987f5f16
+size 4450316
diff --git a/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz b/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz
new file mode 100644
index 0000000..aadb7e5
--- /dev/null
+++ b/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a50f42e391a98ab204eaa93e2269981be36f619c68b2bbfc3224263fbd30c4a8
+size 1982676
diff --git a/docker.changes b/docker.changes
index a900884..8bcef53 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,30 @@ +------------------------------------------------------------------- +Tue Feb 2 13:06:17 UTC 2021 - Aleksa Sarai + +- Update to Docker 20.10.3-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284 +- Rebase patches on top of 20.10.3-ce. + - 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + - 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + - 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + + 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + - 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + +------------------------------------------------------------------- +Tue Feb 2 05:28:01 UTC 2021 - Aleksa Sarai + +- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use + the upstream runc package (it's stable enough and Docker no longer pins git + versions). docker-libnetwork is so unstable that it doesn't have any + versioning scheme and so it really doesn't make sense to maintain the project + as a separate package. bsc#1181641 bsc#1181677 +- Remove no-longer-needed patch for packaging now that we've dropped + docker-runc and docker-libnetwork. + - 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch + ------------------------------------------------------------------- Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai diff --git a/docker.spec b/docker.spec index 3714cec..bedcf29 100644 --- a/docker.spec +++ b/docker.spec 
@@ -42,17 +42,21 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 8891c58a433a -%define git_commit_epoch 1608908869 +%define git_version 46229ca1d815 +%define git_commit_epoch 1611869592 -# These are the git commits required. We verify them against the source to make -# sure we didn't miss anything important when doing upgrades. -%define required_containerd 269548fa27e0089a8b8278fc4fc781d7f65a939b -%define required_dockerrunc ff819c7e9184c13b7c2607fe6c30ae19403a7aff -%define required_libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7 +# We require a specific pin of libnetwork because it doesn't really do +# versioning and minor version mismatches in libnetwork can break Docker +# networking. All other key runtime dependencies (containerd, runc) are stable +# enough that this isn't necessary. +%define libnetwork_version fa125a3512ee0f6187721c88582bf8c4378bd4d7 + +%define dist_builddir %{_builddir}/dist-suse +%define cli_builddir %{dist_builddir}/src/github.com/docker/cli +%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork Name: %{realname}%{name_suffix} -Version: 20.10.2_ce +Version: 20.10.3_ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 
@@ -60,15 +64,15 @@ Group: System/Management URL: http://www.docker.io Source: %{realname}-%{version}_%{git_version}.tar.xz Source1: %{realname}-cli-%{version}.tar.xz -Source2: docker-rpmlintrc +Source2: %{realname}-libnetwork-%{libnetwork_version}.tar.xz +Source3: docker-rpmlintrc # TODO: Move these source files to somewhere nicer. Source100: docker.service Source101: 80-docker.rules Source102: sysconfig.docker Source103: README_SUSE.md Source104: docker-audit.rules -Source105: tests.sh -Source106: docker-daemon.json +Source105: docker-daemon.json # Kubelet-specific sources. # bsc#1086185 -- but we only apply this on Kubic. Source900: docker-kubic-service.conf 
@@ -78,17 +82,15 @@ Source901: kubelet.env # branch and then git-format-patch the patch here. # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers # which is not snapshotted when images are committed. -Patch100: 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch -Patch101: 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch +Patch100: 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch # SUSE-FEATURE: Add support to mirror unofficial/private registries # . -Patch200: 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch -# SUSE-ISSUE: Revert of . -Patch300: 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch +Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277 -Patch301: 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888. -Patch302: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch +Patch301: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
@@ -102,23 +104,21 @@ BuildRequires: procps BuildRequires: sqlite3-devel BuildRequires: zsh BuildRequires: fish +BuildRequires: go-go-md2man +# We cannot use Go 1.14 because it breaks io.Copy (among other things) by +# returning -EINTR from I/O syscalls much more often. +BuildRequires: go1.13 BuildRequires: pkgconfig(libsystemd) Requires: apparmor-parser Requires: ca-certificates-mozilla -# Required in order for networking to work. fix_bsc_1057743 is a work-around -# for some old packaging issues (where rpm would delete a binary that was -# installed by docker-libnetwork). See bsc#1057743 for more details. -BuildRequires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} -Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} -Requires: fix_bsc_1057743 -# Containerd and runC are required as they are the only currently supported -# execdrivers of Docker. NOTE: The version pinning here matches upstream's -# vendor.conf to ensure that we don't use a slightly incompatible version of -# runC or containerd (which would be bad). -BuildRequires: containerd%{name_suffix}-git = %{required_containerd} -Requires: containerd%{name_suffix}-git = %{required_containerd} -BuildRequires: docker-runc%{name_suffix}-git = %{required_dockerrunc} -Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc} +# The docker-proxy binary used to be in a separate package. We obsolete it, +# since now docker-proxy is maintained as part of this package. +Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2 +Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version} +# Required to actually run containers. We require the minimum version that is +# pinned by Docker, but in order to avoid headaches we allow for updates. +Requires: runc >= 1.0.0~rc92 +Requires: containerd >= 1.4.3 # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit 
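Review bot: The new `Requires: runc >= 1.0.0~rc92` and `Requires: containerd >= 1.4.3` lines are open-ended lower bounds, and the comment above them does not say where the two minimums come from or when they have to be raised. The exact-commit requirements they replace were cross-checked against `hack/dockerfile/install/runc.installer` and `hack/dockerfile/install/containerd.installer` in the `%check` section that this commit also removes, so after this change nothing fails if the minimums fall behind what upstream pins. I would extend the comment, for example `# Minimums taken from hack/dockerfile/install/{runc,containerd}.installer; re-check on every Docker update and raise them when a runtime security fix is required.`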
@@ -132,20 +132,13 @@ Requires: xz >= 4.9 Requires(post): %fillup_prereq Requires(post): udev Requires(post): shadow -# We used to have a migration tool for the upgrade from v1.9.x to v1.10.x. -# It is no longer useful, so we obsolete it. bsc#1069758 -Obsoletes: docker-image-migrator # Not necessary, but must be installed when the underlying system is # configured to use lvm and the user doesn't explicitly provide a # different storage-driver than devicemapper Recommends: lvm2 >= 2.2.89 Recommends: git-core >= 1.7 -Conflicts: lxc < 1.0 ExcludeArch: s390 ppc -BuildRequires: go-go-md2man -# We cannot use Go 1.14 because it breaks io.Copy (among other things) by -# returning -EINTR from I/O syscalls much more often. -BuildRequires: go1.13 + # KUBIC-SPECIFIC: This was required when upgrading from the original kubic # packaging, when everything was renamed to -kubic. It also is # used to ensure that nothing complains too much when using 
@@ -233,31 +226,6 @@ Provides: %{realname}-fish-completion = %{version} %description fish-completion Fish command line completion support for %{name}. -%package test -%global __requires_exclude ^libgo.so.*$ -Summary: Test package for docker -# Needed for test-suite. -Group: System/Management -Requires: curl -Requires: go -Requires: iputils -Requires: jq -Requires: net-tools-deprecated -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete old packege without the -kubic suffix -Obsoletes: %{realname}-test = 1.12.6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-test > 1.12.6 -Provides: %{realname}-test = %{version} -%endif - -%description test -Test package for docker. It contains the source code and the tests. - %if "%flavour" == "kubic" %package kubeadm-criconfig Summary: docker container runtime configuration for kubeadm 
@@ -286,23 +254,29 @@ docker container runtime configuration for kubeadm # PATCH-SUSE: Mirror patch. %patch200 -p1 %endif -# packaging -%patch300 -p1 # bsc#1099277 -%patch301 -p1 +%patch300 -p1 # README_SUSE.md for documentation. cp %{SOURCE103} . -# Fill the CLI sources in a subdir. -mkdir -p dist-suse/cli -pushd dist-suse/cli/ +# Extract the docker-cli source in a subdir. +mkdir -p %{cli_builddir} +pushd %{cli_builddir} xz -dc %{SOURCE1} | tar -xof - --strip-components=1 # https://github.com/docker/cli/pull/2888 -%patch302 -p1 +%patch301 -p1 +popd + +# Extract the docker-libnetwork source in a subdir. +mkdir -p %{proxy_builddir} +pushd %{proxy_builddir} +xz -dc %{SOURCE2} | tar -xof - --strip-components=1 popd %build +echo "$PWD -- $PWD -- $PWD" + BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" %if 0%{?sle_version} == 120000 # Allow us to build with older distros but still have deferred removal @@ -334,8 +308,8 @@ EOF # Preparing GOPATH so that the client is visible to the compiler mkdir -p src/github.com/docker/ -ln -s $(pwd)/dist-suse/cli $(pwd)/src/github.com/docker/cli -export GOPATH=$GOPATH:$(pwd) +ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli" +export GOPATH="$GOPATH:$PWD" ################### ## DOCKER ENGINE ## 
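Review bot: The CLI and libnetwork sources are now unpacked with `mkdir -p` into `%{cli_builddir}` and `%{proxy_builddir}`, which the macros earlier in this diff place under `%{_builddir}/dist-suse`. That appears to be outside the directory `%setup` recreates, so in a build root that is reused, files left over from an earlier version would stay in the tree and be compiled into the binaries. Adding `rm -rf %{dist_builddir}` before the first `mkdir -p` keeps the tree limited to what the two tarballs contain. Separately, `echo "$PWD -- $PWD -- $PWD"` at the top of `%build` looks like leftover debugging output and could be dropped. The `%prep` and `%build` sections start and end outside this hunk.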
@@ -344,106 +318,82 @@ export GOPATH=$GOPATH:$(pwd) # Ignore the warning that we compile outside a Docker container. ./hack/make.sh dynbinary -# Build test binaries (integration-cli and integration/*). They are all stored -# within the testdir -- we will only end up installing these test files for -# docker-test. -for testdir in {integration-cli,integration/*/} -do - ( find "$testdir" -name '*_test.go' | grep -q '.' ) || continue - GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test -c \ - -o "$testdir/tests.main" -buildmode=pie \ - -tags "$DOCKER_BUILDTAGS daemon" \ - "github.com/docker/docker/$testdir" -done - ################### ## DOCKER CLIENT ## ################### -pushd dist-suse/cli/ +pushd %{cli_builddir} ./scripts/build/dynbinary mkdir -p ./man/man1 go build -buildmode=pie -o gen-manpages github.com/docker/cli/man -./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1" +./gen-manpages --root "$PWD" --target "$PWD/man/man1" ./man/md2man-all.sh popd -%check -# We used to run 'go test' here, however we found that this actually didn't -# catch any issues that were caught by smoke testing, and %check would -# continually cause package builds to fail due to flaky tests. If you ever need -# to know how the testing was done, you can always look in the package history. -# boo#1095817 +################## +## DOCKER PROXY ## +################## -# We verify that all of our -git requires are correct, and match the contents -# of the upstream vendoring scripts. This is done on-build to make sure that -# someone doing an update didn't miss anything. 
-grep 'RUNC_COMMIT:=%{required_dockerrunc}' hack/dockerfile/install/runc.installer -grep 'CONTAINERD_COMMIT:=%{required_containerd}' hack/dockerfile/install/containerd.installer -grep 'LIBNETWORK_COMMIT:=%{required_libnetwork}' hack/dockerfile/install/proxy.installer +pushd %{proxy_builddir} +GOPATH="%{dist_builddir}" \ + go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy +popd + +# We verify that our libnetwork source is the correct version. This is done +# on-build to make sure that someone doing an update didn't miss anything. +grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer %install -install -d %{buildroot}%{_bindir} -install -D -m755 dist-suse/cli/build/docker %{buildroot}/%{_bindir}/docker -install -D -m755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd -install -d %{buildroot}/%{_localstatedir}/lib/docker -install -Dd -m 0755 \ +install -Dd -m0755 \ %{buildroot}%{_sysconfdir}/init.d \ + %{buildroot}%{_bindir} \ %{buildroot}%{_sbindir} -install -D -m0644 dist-suse/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" -install -D -m0644 dist-suse/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" -install -D -m0644 dist-suse/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" +# docker daemon +install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd +install -d %{buildroot}/%{_localstatedir}/lib/docker +# daemon.json config file +install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json + +# docker cli +install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker +install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" +install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker 
"%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" +install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" + +# docker proxy +install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy -# # systemd service -# install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service %if "%flavour" == "kubic" install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf %endif ln -sf service %{buildroot}%{_sbindir}/rcdocker -# # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 -# -install -D -m 0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules +install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules # audit rules -install -D -m 0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules +install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules # sysconfig file -install -D -m 644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker - -# install docker config file -install -D -m 644 %{SOURCE106} %{buildroot}%{_sysconfdir}/docker/daemon.json +install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker # install manpages (using the ones from the engine) install -d %{buildroot}%{_mandir}/man1 -install -p -m 644 dist-suse/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 +install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1 install -d %{buildroot}%{_mandir}/man5 -install -p -m 644 dist-suse/cli/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 +install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 install -d %{buildroot}%{_mandir}/man8 -install -p -m 644 dist-suse/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 - -# install docker-test files -- we want to avoid installing the entire 
source tree. -install -d %{buildroot}%{_prefix}/src/docker/ -install -D -m0755 %{SOURCE105} %{buildroot}%{_prefix}/src/docker/tests.sh -# We need hack/, contrib/, profiles/, and the integration*/ trees. -cp -a {hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/ -echo "%{version}" > %{buildroot}%{_prefix}/src/docker/VERSION -# And now we can remove all *_test.go files -- since we already have test -# binaries. Due to a lot of hacks within the Docker integration tests, we can't -# really do a bigger cleanup than this. -find %{buildroot}%{_prefix}/src/docker \ - -type f -name '*_test.go' -delete +install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8 %if "%flavour" == "kubic" # place kubelet.env in fillupdir (for kubeadm-criconfig) sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901} -install -D -m 0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet +install -D -m0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet %endif %fdupes %{buildroot} @@ -494,6 +444,7 @@ grep -q '^dockremap:' /etc/subgid || \ %license LICENSE %{_bindir}/docker %{_bindir}/dockerd +%{_bindir}/docker-proxy %{_sbindir}/rcdocker %dir %{_localstatedir}/lib/docker/ @@ -527,10 +478,6 @@ grep -q '^dockremap:' /etc/subgid || \ %defattr(-,root,root) %{_datadir}/fish/vendor_completions.d/%{realname}.fish -%files test -%defattr(-,root,root) -%{_prefix}/src/docker/ - %if "%flavour" == "kubic" %files kubeadm-criconfig %defattr(-,root,root) diff --git a/tests.sh b/tests.sh deleted file mode 100644 index 36ab8b6..0000000 --- a/tests.sh +++ /dev/null 
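Review bot: The `grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer` check now sits at the end of `%build`, after `docker-proxy` has already been compiled. It only confirms that the spec macro equals upstream's pin, not that the unpacked `Source2` tree is that commit. Moving it ahead of the `go build` in the DOCKER PROXY step (or into `%prep`) makes a mismatch fail before anything is built, and `grep -q` keeps the matched line out of the build log. A short comment stating that the tarball content itself is trusted from the `_service` revision would make the limit of the check explicit. The `%build` section starts outside this hunk.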
@@ -1,205 +0,0 @@ -#!/bin/bash -# -# Script for launching the Docker integration tests -# XXX: We currently only support running integration-cli. -# - -set -Eeuo pipefail - -DOCKER_DIR=/usr/src/docker -SCRIPTS_DIR="$DOCKER_DIR/hack" -VERSION="$(cat "$DOCKER_DIR/VERSION")" - -# working dirs -FROZEN_IMAGES_DIR="/tmp/docker-frozen-images" -FROZEN_IMAGES_LINK=/docker-frozen-images - -readarray -t TESTS < <(find "$DOCKER_DIR/integration-cli" -type f -executable -name 'tests.main') -CHECK_TIMEOUT="${CHECK_TIMEOUT:-15m}" -TEST_TIMEOUT="${TEST_TIMEOUT:-0}" -TEST_ARGS=("-check.v" "-check.timeout=${CHECK_TIMEOUT}" "-test.timeout=${TEST_TIMEOUT}") -TEST_SELECT= -TEST_LOG=/tmp/docker-tests.log -KEEPBUNDLE="${KEEPBUNDLE:-}" - -# the config file for Docker -CFG_DOCKER=/etc/docker/daemon.json - -################################################################################ - -log() { echo ">>> $@" ; } -warn() { log "WARNING: $@" ; } -error() { log "ERROR: $@" ; } -abort() { log "FATAL: $@" ; exit 1 ; } -usage() { echo "$USAGE" ; } -abort_usage() { usage ; abort "$@" ; } - -bundle() { - local bundle="$1"; shift - log "Making bundle: $(basename "$bundle") (in $PWD)" - local oldFlags="$-" - set +Eeu - source "$SCRIPTS_DIR/make/$bundle" "$@" - set "-$oldFlags" -} - -save_backup() { - for x in $@ ; do - if [ ! 
-f "$x" ] ; then - touch "$x.nbak" - elif [ -f "$x.bak" ] ; then - warn "$x.bak already exists: no backup will be done" - else - cp -f "$x" "$x.bak" - fi - done -} - -restore_backup() { - for x in $@ ; do - if [ -f "$x.nbak" ] ; then - rm -f "$x.nbak" - elif [ -f "$x.bak" ] ; then - mv -f "$x.bak" "$x" - fi - done -} - -require_go() { go version >/dev/null 2>&1 ; } -require_git() { git version >/dev/null 2>&1 ; } - -################################################################################ - -[ "${#TESTS[@]}" -gt 0 ] || abort "integration tests executable not found in $DOCKER_DIR" -[ "$EUID" -eq 0 ] || abort "this script must be run as root" -[ -n "$VERSION" ] || abort "could not obtain version" - -if [ "$#" -gt 0 ] ; then - # run only some specific tests - TEST_ARGS+=( "-check.f=$(echo $@ | tr ' ' '|')" ) -fi - -# tests require this user and group -/usr/sbin/groupadd -r docker >/dev/null 2>&1 || /bin/true -/usr/sbin/useradd --create-home --gid docker unprivilegeduser >/dev/null 2>&1 || /bin/true - -export DOCKER_TEST_HOST="tcp://127.0.0.1:2375" -export PATH="/usr/local/bin:$PATH" -export TZ=utc - -export DOCKER_GRAPHDRIVER="${DOCKER_GRAPHDRIVER:-vfs}" -export DOCKER_USERLANDPROXY="${DOCKER_USERLANDPROXY:-true}" -export DOCKER_STORAGE_OPTS="${DOCKER_STORAGE_OPTS:-}" -export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}" # "default" uses dockremap - -# Example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G". 
-storage_opts=() -if [ -n "$DOCKER_STORAGE_OPTS" ]; then - IFS=',' - for i in ${DOCKER_STORAGE_OPTS}; do - storage_opts+=("$i") - done - unset IFS -fi - -# deal with remapping -save_backup /etc/subuid /etc/subgid -echo "dockremap:500000:65536" >/etc/subuid -echo "dockremap:500000:65536" >/etc/subgid -groupadd dockremap >/dev/null 2>&1 || /bin/true -useradd -g dockremap dockremap >/dev/null 2>&1 || /bin/true - -# make sure Docker is stopped, set our config file and then start again -save_backup "$CFG_DOCKER" -cat <"$CFG_DOCKER" -{ - "log-level": "debug", - "log-driver": "json-file", - "log-opts": { - "max-size": "50m", - "max-file": "5" - }, - "userns-remap": "$DOCKER_REMAP_ROOT", - "hosts": [ - "tcp://127.0.0.1:2375" - ], - "storage-driver": "$DOCKER_GRAPHDRIVER", - "storage-opts": [ - $(printf '"%s",' "${storage_opts[@]}" | sed 's/"",//g;$s/,$//') - ], - "userland-proxy": $DOCKER_USERLANDPROXY -} -CFG_DOCKER_EOF -systemctl restart docker.service - -cleanup() { - log "Restoring configuration files..." - restore_backup /etc/subuid /etc/subgid "$CFG_DOCKER" - rm -f "$FROZEN_IMAGES_LINK" - - log "Removing images and containers..." - export DOCKER_HOST="$DOCKER_TEST_HOST" - docker ps -aq | xargs docker rm -f &>/dev/null || : - docker images -q | xargs docker rmi -f &>/dev/null || : - - log "Restarting the Docker service in a pristine state..." - systemctl restart docker.service -} -trap cleanup EXIT - -cd "$DOCKER_DIR" - -export MAKEDIR="$SCRIPTS_DIR/make" -export DOCKER_HOST="$DOCKER_TEST_HOST" - -# Clean up all images on the host -- this is key to avoid test run failures. -log "Cleaning the environment..." -docker ps -aq | xargs docker rm -f &>/dev/null || : -docker images -q | xargs docker rmi -f &>/dev/null || : - -log "Preparing the environment..." -bundle .integration-daemon-setup - -# XXX: Really this should be sourced from the Dockerfile but this is good -# enough for now. This comes from the Docker 18.09.1-ce Dockerfile. -log "Downlading frozen images..." 
-mkdir -p "$FROZEN_IMAGES_DIR" -ln -sf "$FROZEN_IMAGES_DIR" "$FROZEN_IMAGES_LINK" -"$DOCKER_DIR/contrib/download-frozen-image-v2.sh" "$FROZEN_IMAGES_DIR" \ - buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \ - busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \ - busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \ - debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \ - hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c - -# The code within integration-cli which handles building *-test images doesn't -# appear to work within our setup, not to mention we don't want to Require: a -# bunch of build tools so we just use the provided Dockerfile and -# buildpack-deps. -tar -cC "$FROZEN_IMAGES_DIR" . | docker load -for dir in "$DOCKER_DIR"/contrib/*-test -do - log "Building *-test images ($dir)..." - docker build -t "$(basename "$dir")" "$dir" -done - -# For some reason, dockerd appears to put the containerd.sock in the wrong -# place under systemd. So we just manually add a symlink for it. -[ -e "/var/run/docker/containerd/containerd.sock" ] || \ - ln -s docker-containerd.sock /var/run/docker/containerd/containerd.sock - -# And there appears to be an issue with daemon.json as a configuration format, -# so we need to hide our generated configuration. The original will be restored -# in cleanup(). -rm -f "$CFG_DOCKER" - -# Run all of our tests. -rm -f "$TEST_LOG" -for TEST in "${TESTS[@]}" -do - cd "$(dirname "$TEST")" - log "Running integration test ($TEST)..." | tee -a "$TEST_LOG" - "$TEST" "${TEST_ARGS[@]}" 2>&1 | tee -a "$TEST_LOG" || : -done - -export -n DOCKER_HOST