From ecd515dab22ccffcff53f22aeddcd167d41ecc7ce6351e4e5266e21de609c0c5 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Wed, 1 Feb 2023 14:35:09 +0000 Subject: [PATCH 1/2] - update to 20.10.23-ce * see upstream changelog at https://docs.docker.com/engine/release-notes/#201023 - drop kubic flavor as kubic is EOL. this removes: kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=379 --- ...-add-private-registry-mirror-support.patch | 1155 ----------------- _multibuild | 3 - _service | 10 +- docker-20.10.21_ce_3056208812eb.tar.xz | 3 - docker-20.10.23_ce_6051f1429.tar.xz | 3 + docker-cli-20.10.21_ce.tar.xz | 3 - docker-cli-20.10.23_ce.tar.xz | 3 + docker-kubic-service.conf | 4 - ...e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz | 3 + ...c895075df6e3630e76f750a447cf63f4789.tar.xz | 3 - docker-rpmlintrc | 9 +- docker.changes | 9 + docker.spec | 103 +- kubelet.env | 1 - 14 files changed, 30 insertions(+), 1282 deletions(-) delete mode 100644 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch delete mode 100644 _multibuild delete mode 100644 docker-20.10.21_ce_3056208812eb.tar.xz create mode 100644 docker-20.10.23_ce_6051f1429.tar.xz delete mode 100644 docker-cli-20.10.21_ce.tar.xz create mode 100644 docker-cli-20.10.23_ce.tar.xz delete mode 100644 docker-kubic-service.conf create mode 100644 docker-libnetwork-05b93e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz delete mode 100644 docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz delete mode 100644 kubelet.env
diff --git a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
deleted file mode 100644
index a26bbd8..0000000
--- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+++ /dev/null
@@ -1,1155 +0,0 @@
-From 0fe6aba9612d2b483b29192c0605b1311b77a92b Mon Sep 17 00:00:00 2001
-From: Valentin Rothberg
-Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 3/7] PRIVATE-REGISTRY: add private-registry mirror support
-
-NOTE: This is a backport/downstream patch of the upstream pull-request
- for Moby, which is still subject to changes. Please visit
- for the current status.
-
-Add support for mirroring private registries. The daemon.json config
-can now be configured as exemplified below:
-
-```json
-{
-"registries": [
- {
- "Prefix": "docker.io/library/alpine",
- "Mirrors": [
- {
- "URL": "http://local-alpine-mirror.lan"
- }
- ]
- },
- {
- "Prefix": "registry.suse.com",
- "Mirrors": [
- {
- "URL": "https://remote.suse.mirror.com"
- }
- ]
- },
- {
- "Prefix": "http://insecure.registry.org:5000"
- }
-],
-"registry-mirrors": ["https://deprecated-mirror.com"]
-}
-```
-
-With the new semantics, a mirror will be selected as an endpoint if the
-specified prefix matches the prefix of the requested resource (e.g., an
-image reference). In the upper example, "local-alpine-mirror" will only
-serve as a mirror for docker.io if the requested resource matches the
-"alpine" prefix, such as "alpine:latest" or "alpine-foo/bar".
-
-Furthermore, private registries can now be mirrored as well. In the
-example above, "remote.suse.mirror.com" will serve as a mirror for all
-requests to "registry.suse.com". Notice that if no http{s,} scheme is
-specified, the URI will always default to https without fallback to
-http. An insecure registry can now be specified by adding the "http://"
-scheme to the corresponding prefix.
-
-Note that the configuration is sanity checked, so that a given mirror
-can serve multiple prefixes if they all point to the same registry,
-while a registry cannot simultaneously serve as a mirror. The daemon
-will warn in case the URI schemes of a registry and one of its mirrors
-do not correspond.
-
-This change deprecates the "insecure-regestries" and "registry-mirrors"
-options, while the "insecure-registries" cannot be used simultaneously
-with the new "registries", which doesn't allow a fallback from https to
-http for security reasons.
-
-Signed-off-by: Flavio Castelli
-Signed-off-by: Valentin Rothberg
-Signed-off-by: Aleksa Sarai
----
- api/types/registry/registry.go | 144 +++++++++++++++++++++++++++++++++
- daemon/config/config.go | 4 +
- daemon/reload.go | 33 ++++++++
- daemon/reload_test.go | 95 ++++++++++++++++++++++
- distribution/pull.go | 2 +-
- distribution/pull_v2.go | 2 +-
- distribution/push.go | 2 +-
- registry/config.go | 133 +++++++++++++++++++++++++++++-
- registry/config_test.go | 142 ++++++++++++++++++++++++++++++++
- registry/registry_test.go | 99 ++++++++++++++++++++---
- registry/service.go | 43 +++++++---
- registry/service_v2.go | 63 +++++++++++----
- 12 files changed, 716 insertions(+), 46 deletions(-)
-
-diff --git a/api/types/registry/registry.go b/api/types/registry/registry.go
-index 53e47084c8d5..b4bb9ef805d3 100644
---- a/api/types/registry/registry.go
-+++ b/api/types/registry/registry.go
-@@ -2,7 +2,10 @@ package registry // import "github.com/docker/docker/api/types/registry"
-
- import (
- "encoding/json"
-+ "fmt"
- "net"
-+ "net/url"
-+ "strings"
-
- v1 "github.com/opencontainers/image-spec/specs-go/v1"
- )
-@@ -14,6 +17,147 @@ type ServiceConfig struct {
- InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
- IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
- Mirrors []string
-+ Registries map[string]Registry
-+}
-+
-+// Registry holds information for a registry and its mirrors.
-+type Registry struct {
-+ // Prefix is used for the lookup of endpoints, where the given registry
-+ // is selected when its Prefix is a prefix of the passed reference, for
-+ // instance, Prefix:"docker.io/opensuse" will match a `docker pull
-+ // opensuse:tumleweed`.
-+ URL RegURL `json:"Prefix"`
-+ // The mirrors will be selected prior to the registry during lookup of
-+ // endpoints.
-+ Mirrors []Mirror `json:"Mirrors,omitempty"`
-+}
-+
-+// NewRegistry returns a Registry and interprets input as a URL.
-+func NewRegistry(input string) (Registry, error) {
-+ reg := Registry{}
-+ err := reg.URL.Parse(input)
-+ return reg, err
-+}
-+
-+// AddMirror interprets input as a URL and adds it as a new mirror.
-+func (r *Registry) AddMirror(input string) error {
-+ mir, err := NewMirror(input)
-+ if err != nil {
-+ return err
-+ }
-+ r.Mirrors = append(r.Mirrors, mir)
-+ return nil
-+}
-+
-+// ContainsMirror returns true if the URL of any mirror equals input.
-+func (r *Registry) ContainsMirror(input string) bool {
-+ for _, m := range r.Mirrors {
-+ if m.URL.String() == input {
-+ return true
-+ }
-+ }
-+ return false
-+}
-+
-+// Mirror holds information for a given registry mirror.
-+type Mirror struct {
-+ // The URL of the mirror.
-+ URL RegURL `json:"URL,omitempty"`
-+}
-+
-+// NewMirror returns a Registry and interprets input as a URL.
-+func NewMirror(input string) (Mirror, error) {
-+ mir := Mirror{}
-+ err := mir.URL.Parse(input)
-+ return mir, err
-+}
-+
-+// RegURL is a wrapper for url.URL to unmarshal it from the JSON config and to
-+// make it an embedded type for its users.
-+type RegURL struct {
-+ // rURL is a simple url.URL. Notice it is no pointer to avoid potential
-+ // null pointer dereferences.
-+ rURL url.URL
-+}
-+
-+// UnmarshalJSON unmarshals the byte array into the RegURL pointer.
-+func (r *RegURL) UnmarshalJSON(b []byte) error {
-+ var input string
-+ if err := json.Unmarshal(b, &input); err != nil {
-+ return err
-+ }
-+ return r.Parse(input)
-+}
-+
-+// MarshalJSON marshals the RegURL.
-+func (r *RegURL) MarshalJSON() ([]byte, error) {
-+ return json.Marshal(r.String())
-+}
-+
-+// Parse parses input as a URL.
-+func (r *RegURL) Parse(input string) error {
-+ input = strings.ToLower(input)
-+ uri, err := url.Parse(input)
-+ if err == nil {
-+ r.rURL = *uri
-+ } else {
-+ return err
-+ }
-+ // default to https if no URI scheme is specified
-+ if uri.Scheme == "" {
-+ // we have to parse again to update all associated data
-+ return r.Parse("https://" + input)
-+ }
-+
-+ // sanity checks
-+ if uri.Scheme != "http" && uri.Scheme != "https" {
-+ return fmt.Errorf("invalid url: unsupported scheme %q in %q", uri.Scheme, uri)
-+ }
-+ if uri.Host == "" {
-+ return fmt.Errorf("invalid url: unspecified hostname in %s", uri)
-+ }
-+ if uri.User != nil {
-+ // strip password from output
-+ uri.User = url.UserPassword(uri.User.Username(), "xxxxx")
-+ return fmt.Errorf("invalid url: username/password not allowed in URI %q", uri)
-+ }
-+
-+ return nil
-+}
-+
-+// Host returns the host:port of the URL.
-+func (r *RegURL) Host() string {
-+ return r.rURL.Host
-+}
-+
-+// Prefix returns the host:port/path of the URL.
-+func (r *RegURL) Prefix() string {
-+ return r.rURL.Host + r.rURL.Path
-+}
-+
-+// IsOfficial returns true if the URL points to an official "docker.io" host.
-+func (r *RegURL) IsOfficial() bool {
-+ return r.rURL.Hostname() == "docker.io"
-+}
-+
-+// IsSecure returns true if the URI scheme of the URL is "https".
-+func (r *RegURL) IsSecure() bool {
-+ return r.Scheme() == "https"
-+}
-+
-+// Scheme returns the URI scheme.
-+func (r *RegURL) Scheme() string {
-+ return r.rURL.Scheme
-+}
-+
-+// URL return URL of the RegURL.
-+func (r *RegURL) URL() url.URL {
-+ return r.rURL
-+}
-+
-+// String return URL as a string.
-+func (r *RegURL) String() string {
-+ return r.rURL.String()
- }
-
- // NetIPNet is the net.IPNet type, which can be marshalled and
-diff --git a/daemon/config/config.go b/daemon/config/config.go
-index 4990727597c9..f3a53c692d73 100644
---- a/daemon/config/config.go
-+++ b/daemon/config/config.go
-@@ -482,6 +482,10 @@ func findConfigurationConflicts(config map[string]interface{}, flags *pflag.Flag
- // 1. Search keys from the file that we don't recognize as flags.
- unknownKeys := make(map[string]interface{})
- for key, value := range config {
-+ // skip complex config-only options (daemon.json)
-+ if key == "registries" {
-+ continue
-+ }
- if flag := flags.Lookup(key); flag == nil && !skipValidateOptions[key] {
- unknownKeys[key] = value
- }
-diff --git a/daemon/reload.go b/daemon/reload.go
-index 72379c054ef6..1e4afe9b3b03 100644
---- a/daemon/reload.go
-+++ b/daemon/reload.go
-@@ -22,8 +22,14 @@ import (
- // - Daemon labels
- // - Insecure registries
- // - Registry mirrors
-+// - Registries
- // - Daemon live restore
- func (daemon *Daemon) Reload(conf *config.Config) (err error) {
-+ // check for incompatible options
-+ if err := conf.ServiceOptions.CompatCheck(); err != nil {
-+ return err
-+ }
-+
- daemon.configStore.Lock()
- attributes := map[string]string{}
-
-@@ -69,6 +75,9 @@ func (daemon *Daemon) Reload(conf *config.Config) (err error) {
- if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
- return err
- }
-+ if err := daemon.reloadRegistries(conf, attributes); err != nil {
-+ return err
-+ }
- return daemon.reloadNetworkDiagnosticPort(conf, attributes)
- }
-
-@@ -320,6 +329,30 @@ func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[
- return nil
- }
-
-+// reloadRegistries updates the registries configuration and the passed attributes
-+func (daemon *Daemon) reloadRegistries(conf *config.Config, attributes map[string]string) error {
-+ // update corresponding configuration
-+ if conf.IsValueSet("registries") {
-+ daemon.configStore.Registries = conf.Registries
-+ if err := daemon.RegistryService.LoadRegistries(conf.Registries); err != nil {
-+ return err
-+ }
-+ }
-+
-+ // prepare reload event attributes with updatable configurations
-+ if daemon.configStore.Registries != nil {
-+ registries, err := json.Marshal(daemon.configStore.Registries)
-+ if err != nil {
-+ return err
-+ }
-+ attributes["registries"] = string(registries)
-+ } else {
-+ attributes["registries"] = "[]"
-+ }
-+
-+ return nil
-+}
-+
- // reloadLiveRestore updates configuration with live restore option
- // and updates the passed attributes
- func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error {
-diff --git a/daemon/reload_test.go b/daemon/reload_test.go
-index 4a8466616dee..46664f4b1eda 100644
---- a/daemon/reload_test.go
-+++ b/daemon/reload_test.go
-@@ -7,6 +7,7 @@ import (
- "testing"
- "time"
-
-+ registrytypes "github.com/docker/docker/api/types/registry"
- "github.com/docker/docker/daemon/config"
- "github.com/docker/docker/daemon/images"
- "github.com/docker/docker/pkg/discovery"
-@@ -211,6 +212,100 @@ func TestDaemonReloadMirrors(t *testing.T) {
- }
- }
-
-+func TestDaemonReloadRegistries(t *testing.T) {
-+ daemon := &Daemon{
-+ imageService: images.NewImageService(images.ImageServiceConfig{}),
-+ }
-+
-+ // create registries: note that this is done implicitly when loading
-+ // daemon.json file.
-+ var (
-+ err error
-+ regA registrytypes.Registry // no change
-+ regB registrytypes.Registry // will be changed
-+ regC registrytypes.Registry // will be added
-+ )
-+
-+ regA, err = registrytypes.NewRegistry("https://registry-a.com")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := regA.AddMirror("https://mirror-a.com"); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // we'll add a 2nd mirror before reloading
-+ regB, err = registrytypes.NewRegistry("https://registry-b.com")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := regB.AddMirror("https://mirror1-b.com"); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // insecure regC will be added before reloading
-+ regC, err = registrytypes.NewRegistry("http://registry-c.com")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ daemon.RegistryService, err = registry.NewService(registry.ServiceOptions{
-+ Registries: []registrytypes.Registry{regA, regB},
-+ })
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ daemon.configStore = &config.Config{}
-+
-+ if err := regB.AddMirror("https://mirror2-b.com"); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ registries := []registrytypes.Registry{regA, regB, regC}
-+
-+ valuesSets := make(map[string]interface{})
-+ valuesSets["registries"] = registries
-+
-+ newConfig := &config.Config{
-+ CommonConfig: config.CommonConfig{
-+ ServiceOptions: registry.ServiceOptions{
-+ Registries: registries,
-+ },
-+ ValuesSet: valuesSets,
-+ },
-+ }
-+
-+ if err := daemon.Reload(newConfig); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ registryService := daemon.RegistryService.ServiceConfig()
-+
-+ if reg, exists := registryService.Registries["registry-a.com"]; !exists {
-+ t.Fatal("registry should exist but doesn't")
-+ } else {
-+ if !reg.ContainsMirror("https://mirror-a.com") {
-+ t.Fatal("registry should contain mirror but doesn't")
-+ }
-+ }
-+
-+ if reg, exists := registryService.Registries["registry-b.com"]; !exists {
-+ t.Fatal("registry should exist but doesn't")
-+ } else {
-+ if !reg.ContainsMirror("https://mirror1-b.com") {
-+ t.Fatal("registry should contain mirror but doesn't")
-+ }
-+ if !reg.ContainsMirror("https://mirror2-b.com") {
-+ t.Fatal("registry should contain mirror but doesn't")
-+ }
-+ }
-+
-+ if _, exists := registryService.Registries["registry-c.com"]; !exists {
-+ t.Fatal("registry should exist but doesn't")
-+ }
-+}
-+
- func TestDaemonReloadInsecureRegistries(t *testing.T) {
- daemon := &Daemon{
- imageService: images.NewImageService(images.ImageServiceConfig{}),
-diff --git a/distribution/pull.go b/distribution/pull.go
-index c8ddd4c5cfcd..b17e9d25d6c2 100644
---- a/distribution/pull.go
-+++ b/distribution/pull.go
-@@ -61,7 +61,7 @@ func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullCo
- return err
- }
-
-- endpoints, err := imagePullConfig.RegistryService.LookupPullEndpoints(reference.Domain(repoInfo.Name))
-+ endpoints, err := imagePullConfig.RegistryService.LookupPullEndpoints(ref.Name())
- if err != nil {
- return err
- }
-diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
-index 5abd18b6cf7c..0796e7ea1d52 100644
---- a/distribution/pull_v2.go
-+++ b/distribution/pull_v2.go
-@@ -433,7 +433,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
- // the other side speaks the v2 protocol.
- p.confirmedV2 = true
-
-- logrus.Debugf("Pulling ref from V2 registry: %s", reference.FamiliarString(ref))
-+ logrus.Infof("Pulling ref %s from V2 registry %s", reference.FamiliarString(ref), p.endpoint.URL)
- progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named()))
-
- var (
-diff --git a/distribution/push.go b/distribution/push.go
-index 5617a4c95f49..0a24aebed968 100644
---- a/distribution/push.go
-+++ b/distribution/push.go
-@@ -58,7 +58,7 @@ func Push(ctx context.Context, ref reference.Named, imagePushConfig *ImagePushCo
- return err
- }
-
-- endpoints, err := imagePushConfig.RegistryService.LookupPushEndpoints(reference.Domain(repoInfo.Name))
-+ endpoints, err := imagePushConfig.RegistryService.LookupPushEndpoints(ref.Name())
- if err != nil {
- return err
- }
-diff --git a/registry/config.go b/registry/config.go
-index 54b83fa40aab..5adc913e4344 100644
---- a/registry/config.go
-+++ b/registry/config.go
-@@ -14,11 +14,12 @@ import (
- "github.com/sirupsen/logrus"
- )
-
--// ServiceOptions holds command line options.
-+// ServiceOptions holds the user-specified configuration options.
- type ServiceOptions struct {
-- AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"`
-- Mirrors []string `json:"registry-mirrors,omitempty"`
-- InsecureRegistries []string `json:"insecure-registries,omitempty"`
-+ AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"`
-+ Mirrors []string `json:"registry-mirrors,omitempty"`
-+ InsecureRegistries []string `json:"insecure-registries,omitempty"`
-+ Registries []registrytypes.Registry `json:"registries,omitempty"`
- }
-
- // serviceConfig holds daemon configuration for the registry service.
-@@ -59,8 +60,21 @@ var (
- lookupIP = net.LookupIP
- )
-
-+// CompatCheck performs some compatibility checks among the config options and
-+// returns an error in case of conflicts.
-+func (options *ServiceOptions) CompatCheck() error {
-+ if len(options.InsecureRegistries) > 0 && len(options.Registries) > 0 {
-+ return fmt.Errorf("usage of \"registries\" with deprecated option \"insecure-registries\" is not supported")
-+ }
-+ return nil
-+}
-+
- // newServiceConfig returns a new instance of ServiceConfig
- func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
-+ if err := options.CompatCheck(); err != nil {
-+ panic(fmt.Sprintf("error loading config: %v", err))
-+ }
-+
- config := &serviceConfig{
- ServiceConfig: registrytypes.ServiceConfig{
- InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0),
-@@ -78,10 +92,113 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
- if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil {
- return nil, err
- }
-+ if err := config.LoadRegistries(options.Registries); err != nil {
-+ return nil, fmt.Errorf("error loading registries: %v", err)
-+ }
-
- return config, nil
- }
-
-+// checkRegistries makes sure that no mirror serves more than one registry and
-+// that no host is used as a registry and as a mirror simultaneously. Notice
-+// that different registry prefixes can share a mirror as long as they point to
-+// the same registry. It also warns if the URI schemes of a given registry and
-+// one of its mirrors differ.
-+func (config *serviceConfig) checkRegistries() error {
-+ inUse := make(map[string]string) // key: host, value: user
-+
-+ if len(config.Registries) > 0 {
-+ logrus.Errorf("[SUSE] You are currently using an unsupported and out-of-tree Docker feature intended for internal SUSE only.")
-+ logrus.Errorf("[SUSE] If you see this warning (and you are not using CaaSP) please open a SUSE bug report to alert us of this.")
-+ logrus.Errorf("[SUSE] This feature (registry mirrors) will be removed in a future Docker release on SUSE.")
-+ logrus.Errorf("[SUSE] Please DO NOT submit an upstream bug report about this warning!")
-+ }
-+
-+ // make sure that each mirror serves only one registry
-+ for _, reg := range config.Registries {
-+ for _, mirror := range reg.Mirrors {
-+ if used, conflict := inUse[mirror.URL.Host()]; conflict {
-+ if used != reg.URL.Host() {
-+ return fmt.Errorf("mirror '%s' can only serve one registry host", mirror.URL.Host())
-+ }
-+ }
-+ // docker.io etc. is reserved
-+ if mirror.URL.IsOfficial() {
-+ return fmt.Errorf("mirror '%s' cannot be used (reserved host)", mirror.URL.Host())
-+ }
-+ inUse[mirror.URL.Host()] = reg.URL.Host()
-+ // also warnf if seucurity levels differ
-+ if reg.URL.IsSecure() != mirror.URL.IsSecure() {
-+ regURL := reg.URL.URL()
-+ mirrorURL := mirror.URL.URL()
-+ logrus.Warnf("registry '%s' and mirror '%s' have different security levels", ®URL, &mirrorURL)
-+ }
-+ }
-+ if reg.URL.IsSecure() && len(reg.Mirrors) == 0 {
-+ logrus.Warnf("specifying secure registry '%s' without mirrors has no effect", reg.URL.Prefix())
-+ }
-+ }
-+
-+ // make sure that no registry host is used as a mirror
-+ for _, reg := range config.Registries {
-+ if _, conflict := inUse[reg.URL.Host()]; conflict {
-+ return fmt.Errorf("registry '%s' cannot simultaneously serve as a mirror for '%s'", reg.URL.Host(), inUse[reg.URL.Host()])
-+ }
-+ }
-+ return nil
-+}
-+
-+// FindRegistry returns a Registry pointer based on the passed reference. If
-+// more than one index-prefix match the reference, the longest index is
-+// returned. In case of no match, nil is returned.
-+func (config *serviceConfig) FindRegistry(reference string) *registrytypes.Registry {
-+ prefixStr := ""
-+ prefixLen := 0
-+ for _, reg := range config.Registries {
-+ if strings.HasPrefix(reference, reg.URL.Prefix()) {
-+ length := len(reg.URL.Prefix())
-+ if length > prefixLen {
-+ prefixStr = reg.URL.Prefix()
-+ prefixLen = length
-+ }
-+ }
-+ }
-+ if prefixLen > 0 {
-+ reg := config.Registries[prefixStr]
-+ return ®
-+ }
-+ return nil
-+}
-+
-+// LoadRegistries loads the user-specified configuration options for registries.
-+func (config *serviceConfig) LoadRegistries(registries []registrytypes.Registry) error {
-+ config.Registries = make(map[string]registrytypes.Registry)
-+
-+ for _, reg := range registries {
-+ config.Registries[reg.URL.Prefix()] = reg
-+ }
-+
-+ // backwards compatability to the "registry-mirrors" config
-+ if len(config.Mirrors) > 0 {
-+ reg := registrytypes.Registry{}
-+ if officialReg, exists := config.Registries[IndexName]; exists {
-+ reg = officialReg
-+ } else {
-+ var err error
-+ reg, err = registrytypes.NewRegistry(IndexName)
-+ if err != nil {
-+ return err
-+ }
-+ }
-+ for _, mirrorStr := range config.Mirrors {
-+ reg.AddMirror(mirrorStr)
-+ }
-+ config.Registries[IndexName] = reg
-+ }
-+
-+ return config.checkRegistries()
-+}
-+
- // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config.
- func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error {
- cidrs := map[string]*registrytypes.NetIPNet{}
-@@ -122,6 +239,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str
- // LoadMirrors loads mirrors to config, after removing duplicates.
- // Returns an error if mirrors contains an invalid mirror.
- func (config *serviceConfig) LoadMirrors(mirrors []string) error {
-+ if len(mirrors) > 0 {
-+ logrus.Infof("usage of deprecated 'registry-mirrors' option: please use 'registries' instead")
-+ }
-+
- mMap := map[string]struct{}{}
- unique := []string{}
-
-@@ -151,6 +272,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error {
-
- // LoadInsecureRegistries loads insecure registries to config
- func (config *serviceConfig) LoadInsecureRegistries(registries []string) error {
-+ if len(registries) > 0 {
-+ logrus.Info("usage of deprecated 'insecure-registries' option: please use 'registries' instead")
-+ }
-+
- // Localhost is by default considered as an insecure registry
- // This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
- //
-diff --git a/registry/config_test.go b/registry/config_test.go
-index ae8cb23f94b6..7f31b1eb2bf4 100644
---- a/registry/config_test.go
-+++ b/registry/config_test.go
-@@ -6,10 +6,152 @@ import (
- "strings"
- "testing"
-
-+ registrytypes "github.com/docker/docker/api/types/registry"
- "gotest.tools/v3/assert"
- is "gotest.tools/v3/assert/cmp"
- )
-
-+func TestLoadValidRegistries(t *testing.T) {
-+ var (
-+ secReg registrytypes.Registry
-+ insecReg registrytypes.Registry
-+ config *serviceConfig
-+ err error
-+ )
-+ // secure with mirrors
-+ secReg, err = registrytypes.NewRegistry("https://secure.registry.com")
-+ secMirrors := []string{"https://secure.mirror1.com", "https://secure.mirror2.com"}
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := secReg.AddMirror(secMirrors[0]); err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := secReg.AddMirror(secMirrors[1]); err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // insecure without mirrors
-+ insecReg, err = registrytypes.NewRegistry("http://insecure.registry.com")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // docker.io mirrors to test backwards compatibility
-+ officialMirrors := []string{"https://official.mirror1.com", "https://official.mirror2.com"}
-+
-+ // create serciveConfig
-+ config, err = newServiceConfig(
-+ ServiceOptions{
-+ Mirrors: officialMirrors,
-+ Registries: []registrytypes.Registry{secReg, insecReg},
-+ })
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // now test if the config looks as expected
-+ getMirrors := func(reg registrytypes.Registry) []string {
-+ mirrors := []string{}
-+ for _, mir := range reg.Mirrors {
-+ mirrors = append(mirrors, mir.URL.String())
-+ }
-+ return mirrors
-+ }
-+
-+ if reg, loaded := config.Registries["secure.registry.com"]; !loaded {
-+ t.Fatalf("registry not loaded")
-+ } else {
-+ assert.Equal(t, true, reg.URL.IsSecure())
-+ assert.Equal(t, false, reg.URL.IsOfficial())
-+ mirrors := getMirrors(reg)
-+ assert.Equal(t, len(secMirrors), len(mirrors))
-+ sort.Strings(mirrors)
-+ sort.Strings(secMirrors)
-+ assert.Equal(t, secMirrors[0], mirrors[0])
-+ assert.Equal(t, secMirrors[1], mirrors[1])
-+ }
-+
-+ if reg, loaded := config.Registries["insecure.registry.com"]; !loaded {
-+ t.Fatalf("registry not loaded")
-+ } else {
-+ assert.Equal(t, false, reg.URL.IsSecure())
-+ assert.Equal(t, false, reg.URL.IsOfficial())
-+ mirrors := getMirrors(reg)
-+ assert.Equal(t, 0, len(mirrors))
-+ }
-+
-+ // backwards compatibility: "docker.io" will be loaded due to the config.Mirrors
-+ if reg, loaded := config.Registries["docker.io"]; !loaded {
-+ t.Fatalf("registry not loaded")
-+ } else {
-+ assert.Equal(t, true, reg.URL.IsSecure())
-+ assert.Equal(t, true, reg.URL.IsOfficial())
-+ mirrors := getMirrors(reg)
-+ assert.Equal(t, len(officialMirrors), len(mirrors))
-+ sort.Strings(mirrors)
-+ sort.Strings(officialMirrors)
-+ // append '/' (see ValidateMirror())
-+ assert.Equal(t, officialMirrors[0]+"/", mirrors[0])
-+ assert.Equal(t, officialMirrors[1]+"/", mirrors[1])
-+ }
-+}
-+
-+//func TestLoadInvalidRegistries(t *testing.T) {
-+// XXX: this has to be tested manually as the v17.09.X doesn't have a proper
-+// error handling for service configs (errors are silently ignored), so
-+// the backported patch panics() instead.
-+//}
-+
-+func TestFindRegistry(t *testing.T) {
-+ var (
-+ regA registrytypes.Registry
-+ regB registrytypes.Registry
-+ config *serviceConfig
-+ err error
-+ )
-+
-+ regA, err = registrytypes.NewRegistry("https://registry-a.com/my-prefix")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ regB, err = registrytypes.NewRegistry("http://registry-b.com")
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // create serciveConfig
-+ config, err = newServiceConfig(
-+ ServiceOptions{
-+ Registries: []registrytypes.Registry{regA, regB},
-+ })
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+
-+ // no match -> nil
-+ reg := config.FindRegistry("foo")
-+ assert.Assert(t, is.Nil(reg))
-+
-+ // prefix match -> registry
-+ reg = config.FindRegistry("registry-a.com/my-prefix/image:latest")
-+ assert.Assert(t, reg != nil)
-+ assert.Equal(t, "registry-a.com", reg.URL.Host())
-+ // no prefix match -> nil
-+ reg = config.FindRegistry("registry-a.com/not-my-prefix/image:42")
-+ assert.Assert(t, is.Nil(reg))
-+
-+ // prefix match -> registry
-+ reg = config.FindRegistry("registry-b.com/image:latest")
-+ assert.Assert(t, reg != nil)
-+ assert.Equal(t, "registry-b.com", reg.URL.Host())
-+ // prefix match -> registry
-+ reg = config.FindRegistry("registry-b.com/also-in-namespaces/image:latest")
-+ assert.Assert(t, reg != nil)
-+ assert.Equal(t, "registry-b.com", reg.URL.Host())
-+}
-+
- func TestLoadAllowNondistributableArtifacts(t *testing.T) {
- testCases := []struct {
- registries []string
-diff --git a/registry/registry_test.go b/registry/registry_test.go
-index 417c9574bc5d..b3a978474ec1 100644
---- a/registry/registry_test.go
-+++ b/registry/registry_test.go
-@@ -507,40 +507,119 @@ func TestNewIndexInfo(t *testing.T) {
- }
-
- func TestMirrorEndpointLookup(t *testing.T) {
-- skip.If(t, os.Getuid() != 0, "skipping test that requires root")
-- containsMirror := func(endpoints []APIEndpoint) bool {
-+ var (
-+ registries []registrytypes.Registry
-+ secReg registrytypes.Registry
-+ pushAPIEndpoints []APIEndpoint
-+ pullAPIEndpoints []APIEndpoint
-+ err error
-+ )
-+
-+ // secure with mirrors
-+ secReg, err = registrytypes.NewRegistry("https://secure.registry.com/test-prefix/")
-+ secMirrors := []string{"https://secure.mirror1.com/", "https://secure.mirror2.com/"}
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := secReg.AddMirror(secMirrors[0]); err != nil {
-+ t.Fatal(err)
-+ }
-+ if err := secReg.AddMirror(secMirrors[1]); err != nil {
-+ t.Fatal(err)
-+ }
-+ registries = append(registries, secReg)
-+
-+ // docker.io mirrors to test backwards compatibility
-+ officialMirrors := []string{"https://official.mirror1.com/", "https://official.mirror2.com/"}
-+
-+ containsMirror := func(needle string, endpoints []APIEndpoint) bool {
- for _, pe := range endpoints {
-- if pe.URL.Host == "my.mirror" {
-+ if pe.URL.String() == needle {
- return true
- }
- }
- return false
- }
-- cfg, err := makeServiceConfig([]string{"https://my.mirror"}, nil)
-+ cfg, err := newServiceConfig(ServiceOptions{
-+ Mirrors: officialMirrors,
-+ Registries: registries,
-+ })
- if err != nil {
- t.Fatal(err)
- }
- s := DefaultService{config: cfg}
-
-- imageName, err := reference.WithName(IndexName + "/test/image")
-+ // lookups for "docker.io"
-+ officialRef := "docker.io/test/image:latest"
-+ pushAPIEndpoints, err = s.LookupPushEndpoints(officialRef)
- if err != nil {
-- t.Error(err)
-+ t.Fatal(err)
-+ }
-+ if containsMirror(officialMirrors[0], pushAPIEndpoints) {
-+ t.Fatal("Push endpoint should not contain mirror")
-+ }
-+ if containsMirror(officialMirrors[1], pushAPIEndpoints) {
-+ t.Fatal("Push endpoint should not contain mirror")
-+ }
-+
-+ pullAPIEndpoints, err = s.LookupPullEndpoints(officialRef)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if !containsMirror(officialMirrors[0], pullAPIEndpoints) {
-+ t.Fatal("Pull endpoint should contain mirror")
- }
-- pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName))
-+ if !containsMirror(officialMirrors[1], pullAPIEndpoints) {
-+ t.Fatal("Pull endpoint should contain mirror")
-+ }
-+
-+ // prefix lookups
-+ prefixRef := "secure.registry.com/test-prefix/foo:latest"
-+ pushAPIEndpoints, err = s.LookupPushEndpoints(prefixRef)
- if err != nil {
- t.Fatal(err)
- }
-- if containsMirror(pushAPIEndpoints) {
-+ if containsMirror(secMirrors[0], pushAPIEndpoints) {
-+ t.Fatal("Push endpoint should not contain mirror")
-+ }
-+ if containsMirror(secMirrors[1], pushAPIEndpoints) {
- t.Fatal("Push endpoint should not contain mirror")
- }
-
-- pullAPIEndpoints, err := s.LookupPullEndpoints(reference.Domain(imageName))
-+ pullAPIEndpoints, err = s.LookupPullEndpoints(prefixRef)
- if err != nil {
- t.Fatal(err)
- }
-- if !containsMirror(pullAPIEndpoints) {
-+ if !containsMirror(secMirrors[0], pullAPIEndpoints) {
- t.Fatal("Pull endpoint should contain mirror")
- }
-+ if !containsMirror(secMirrors[1], pullAPIEndpoints) {
-+ t.Fatal("Pull endpoint should contain mirror")
-+ }
-+
-+ // lookups without matching prefix -> no mirrors
-+ noPrefixRef := "secure.registry.com/no-matching-prefix/foo:latest"
-+ pushAPIEndpoints, err = s.LookupPushEndpoints(noPrefixRef)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if containsMirror(secMirrors[0], pushAPIEndpoints) {
-+ t.Fatal("Push endpoint should not contain mirror")
-+ }
-+ if containsMirror(secMirrors[1], pushAPIEndpoints) {
-+ t.Fatal("Push endpoint should not contain mirror")
-+ }
-+
-+ pullAPIEndpoints, err = s.LookupPullEndpoints(noPrefixRef)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ if containsMirror(secMirrors[0], pullAPIEndpoints) {
-+ t.Fatal("Pull endpoint should not contain mirror")
-+ }
-+ if containsMirror(secMirrors[1], pullAPIEndpoints) {
-+ t.Fatal("Pull endpoint should not contain mirror")
-+ }
- }
-
- func TestSearchRepositories(t *testing.T) {
-diff --git a/registry/service.go b/registry/service.go
-index 3b08e39da2c2..62556ba1ba70 100644
---- a/registry/service.go
-+++ b/registry/service.go
-@@ -8,7 +8,7 @@ import (
- "strings"
- "sync"
-
-- "github.com/docker/distribution/reference"
-+ dref "github.com/docker/distribution/reference"
- "github.com/docker/distribution/registry/client/auth"
- "github.com/docker/docker/api/types"
- registrytypes "github.com/docker/docker/api/types/registry"
-@@ -25,14 +25,15 @@ const (
- // Service is the interface defining what a registry service should implement.
- type Service interface {
- Auth(ctx context.Context, authConfig *types.AuthConfig, userAgent string) (status, token string, err error)
-- LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error)
-- LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error)
-- ResolveRepository(name reference.Named) (*RepositoryInfo, error)
-+ LookupPullEndpoints(reference string) (endpoints []APIEndpoint, err error)
-+ LookupPushEndpoints(reference string) (endpoints []APIEndpoint, err error)
-+ ResolveRepository(name dref.Named) (*RepositoryInfo, error)
- Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error)
- ServiceConfig() *registrytypes.ServiceConfig
- TLSConfig(hostname string) (*tls.Config, error)
- LoadAllowNondistributableArtifacts([]string) error
- LoadMirrors([]string) error
-+ LoadRegistries([]registrytypes.Registry) error
- LoadInsecureRegistries([]string) error
- }
-
-@@ -61,6 +62,7 @@ func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig {
- AllowNondistributableArtifactsHostnames: make([]string, 0),
- InsecureRegistryCIDRs: make([]*(registrytypes.NetIPNet), 0),
- IndexConfigs: make(map[string]*(registrytypes.IndexInfo)),
-+ Registries: make(map[string]registrytypes.Registry),
- Mirrors: make([]string, 0),
- }
-
-@@ -76,6 +78,10 @@ func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig {
-
- servConfig.Mirrors = append(servConfig.Mirrors, s.config.ServiceConfig.Mirrors...)
-
-+ for key, value := range s.config.ServiceConfig.Registries {
-+ servConfig.Registries[key] = value
-+ }
-+
- return &servConfig
- }
-
-@@ -103,6 +109,14 @@ func (s *DefaultService) LoadInsecureRegistries(registries []string) error {
- return s.config.LoadInsecureRegistries(registries)
- }
-
-+// LoadRegistries loads registries for Service
-+func (s *DefaultService) LoadRegistries(registries []registrytypes.Registry) error {
-+ s.mu.Lock()
-+ defer s.mu.Unlock()
-+
-+ return s.config.LoadRegistries(registries)
-+}
-+
- // Auth contacts the public registry with the provided credentials,
- // and returns OK if authentication was successful.
- // It can be used to verify the validity of a client's credentials.
-@@ -230,7 +244,7 @@ func (s *DefaultService) Search(ctx context.Context, term string, limit int, aut
-
- // ResolveRepository splits a repository name into its components
- // and configuration of the associated registry.
--func (s *DefaultService) ResolveRepository(name reference.Named) (*RepositoryInfo, error) {
-+func (s *DefaultService) ResolveRepository(name dref.Named) (*RepositoryInfo, error) {
- s.mu.Lock()
- defer s.mu.Unlock()
- return newRepositoryInfo(s.config, name)
-@@ -270,22 +284,25 @@ func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, er
- return s.tlsConfig(mirrorURL.Host)
- }
-
--// LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference.
--// It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP.
--func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
-+// LookupPullEndpoints creates a list of endpoints based on the provided
-+// reference to try to pull from, in order of preference. It gives preference
-+// to v2 endpoints over v1, mirrors over the actual registry, and HTTPS over
-+// plain HTTP.
-+func (s *DefaultService) LookupPullEndpoints(reference string) (endpoints []APIEndpoint, err error) { - s.mu.Lock() - defer s.mu.Unlock() - -- return s.lookupV2Endpoints(hostname) -+ return s.lookupV2Endpoints(reference) - } - --// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference. --// It gives preference to HTTPS over plain HTTP. Mirrors are not included. --func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) { -+// LookupPushEndpoints creates a list of endpoints based on the provided -+// reference to try to push to, in order of preference. It gives preference to -+// v2 endpoints over v1, and HTTPS over plain HTTP. Mirrors are not included. -+func (s *DefaultService) LookupPushEndpoints(reference string) (endpoints []APIEndpoint, err error) { - s.mu.Lock() - defer s.mu.Unlock() - -- allEndpoints, err := s.lookupV2Endpoints(hostname) -+ allEndpoints, err := s.lookupV2Endpoints(reference) - if err == nil { - for _, endpoint := range allEndpoints { - if !endpoint.Mirror { -diff --git a/registry/service_v2.go b/registry/service_v2.go -index 154ac7c93e80..06f7d20de8f9 100644 ---- a/registry/service_v2.go -+++ b/registry/service_v2.go -@@ -1,42 +1,73 @@ - package registry // import "github.com/docker/docker/registry" - - import ( -+ "fmt" - "net/url" - "strings" - -+ registrytypes "github.com/docker/docker/api/types/registry" - "github.com/docker/go-connections/tlsconfig" - ) - --func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) { -+func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) { - tlsConfig := tlsconfig.ServerDefault() - -+ // extraxt the hostname from the reference -+ refURL := reference -+ if !strings.HasPrefix(refURL, "http://") && !strings.HasPrefix(refURL, "https://") { -+ refURL = "https://" + refURL -+ } -+ u, err := url.Parse(refURL) -+ if err != nil { -+ return nil, 
fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: error parsing reference %s: %s", reference, err) -+ } -+ hostname := u.Host // hostname + port (if present) -+ if hostname == "" { -+ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: cannot determine hostname of reference %s", reference) -+ } -+ - ana := allowNondistributableArtifacts(s.config, hostname) - -- if hostname == DefaultNamespace || hostname == IndexHostname { -- for _, mirror := range s.config.Mirrors { -- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { -- mirror = "https://" + mirror -- } -- mirrorURL, err := url.Parse(mirror) -- if err != nil { -- return nil, err -- } -- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL) -+ // create endpoints for official and configured registries -+ official := false -+ if hostname == "docker.io" { -+ official = true -+ } -+ reg := s.config.FindRegistry(reference) -+ -+ if reg != nil || official { -+ if reg == nil { -+ reg = ®istrytypes.Registry{} -+ } -+ // if present, add mirrors prior to the registry -+ for _, mirror := range reg.Mirrors { -+ mURL := mirror.URL.URL() -+ mirrorTLSConfig, err := s.tlsConfigForMirror(&mURL) - if err != nil { -- return nil, err -+ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: %s", err) - } - endpoints = append(endpoints, APIEndpoint{ -- URL: mirrorURL, -+ URL: &mURL, - Version: APIVersion2, - Mirror: true, - TrimHostname: true, - TLSConfig: mirrorTLSConfig, - }) - } -+ // add the registry -+ var endpointURL *url.URL -+ if official { -+ endpointURL = DefaultV2Registry -+ } else { -+ endpointURL = &url.URL{ -+ Scheme: reg.URL.Scheme(), -+ Host: reg.URL.Host(), -+ } -+ } - endpoints = append(endpoints, APIEndpoint{ -- URL: DefaultV2Registry, -+ URL: endpointURL, - Version: APIVersion2, -- Official: true, -+ Official: official, - TrimHostname: true, - TLSConfig: tlsConfig, - -@@ -48,7 +79,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp - - 
tlsConfig, err = s.tlsConfig(hostname) - if err != nil { -- return nil, err -+ return nil, fmt.Errorf("SUSE PATCH [lookupV2Enpoints]: %s", err) - } - - endpoints = []APIEndpoint{ --- -2.38.1 - diff --git a/_multibuild b/_multibuild deleted file mode 100644 index ef76501..0000000 --- a/_multibuild +++ /dev/null @@ -1,3 +0,0 @@ - - kubic - diff --git a/_service b/_service index f239518..8c0e48d 100644 --- a/_service +++ b/_service @@ -3,16 +3,16 @@ https://github.com/moby/moby.git git .git - 20.10.21_ce_%h - v20.10.21 + 20.10.23_ce_%h + v20.10.23 docker https://github.com/docker/cli.git git .git - 20.10.21_ce - v20.10.21 + 20.10.23_ce + v20.10.23 docker-cli @@ -20,7 +20,7 @@ git .git %H - 0dde5c895075df6e3630e76f750a447cf63f4789 + 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7 docker-libnetwork diff --git a/docker-20.10.21_ce_3056208812eb.tar.xz b/docker-20.10.21_ce_3056208812eb.tar.xz deleted file mode 100644 index 10fc677..0000000 --- a/docker-20.10.21_ce_3056208812eb.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2696414f3d39bb862d2e60e614a4fe2e6a655c65c30742a4a28b776fbbd59bc5 -size 6590696 diff --git a/docker-20.10.23_ce_6051f1429.tar.xz b/docker-20.10.23_ce_6051f1429.tar.xz new file mode 100644 index 0000000..823ee94 --- /dev/null +++ b/docker-20.10.23_ce_6051f1429.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0d6b832806f3144a4b917657f615d9388081e7c7b3f77db3b4b7c6c01b931686 +size 6589992 diff --git a/docker-cli-20.10.21_ce.tar.xz b/docker-cli-20.10.21_ce.tar.xz deleted file mode 100644 index ab727e4..0000000 --- a/docker-cli-20.10.21_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cfa23215b99aed9c85a401fd1aeb961a5a3f8b3095fb6815ba8eb83cf182481f -size 4358052 diff --git a/docker-cli-20.10.23_ce.tar.xz b/docker-cli-20.10.23_ce.tar.xz new file mode 100644 index 0000000..be55404 --- /dev/null +++ b/docker-cli-20.10.23_ce.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2a96dd55814fc22ccfe054b78438963fc139b292696bc3ba7667abd399d7c70
+size 4320480
diff --git a/docker-kubic-service.conf b/docker-kubic-service.conf
deleted file mode 100644
index 8b60aa1..0000000
--- a/docker-kubic-service.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[Service]
-# Put docker under the podruntime slice. This the recommended
-# deployment to allow fine resource control on Kubernetes.
-Slice=podruntime.slice
diff --git a/docker-libnetwork-05b93e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz b/docker-libnetwork-05b93e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz
new file mode 100644
index 0000000..91a8dd5
--- /dev/null
+++ b/docker-libnetwork-05b93e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44fa1530b22f18434174b03895c8933b356f254b718855fd7487888afbb10e91
+size 1983112
diff --git a/docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz b/docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz
deleted file mode 100644
index acaa518..0000000
--- a/docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:24a4b6aeb1391b2ab9f99fad7343913ecc7191a10669a056e0a2cdf449e3733e
-size 1983868
diff --git a/docker-rpmlintrc b/docker-rpmlintrc
index ec2474b..8d783dc 100644
--- a/docker-rpmlintrc
+++ b/docker-rpmlintrc
@@ -1,9 +1,6 @@ -# This is intentional, since we use _multibuild for the flavours. -addFilter ("^docker-kubic.src: W: invalid-spec-name") - # The #! comes from upstream. -addFilter ("^docker(-kubic)?-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") -addFilter ("^docker(-kubic)?-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh") +addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") +addFilter ("^docker-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh") # -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package. -addFilter ("^docker(-kubic)?-test.*") +addFilter ("^docker-test.*") diff --git a/docker.changes b/docker.changes index a19b064..3fa7912 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Feb 1 14:33:19 UTC 2023 - Dirk Müller + +- update to 20.10.23-ce + * see upstream changelog at https://docs.docker.com/engine/release-notes/#201023 + +- drop kubic flavor as kubic is EOL. this removes: + kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + ------------------------------------------------------------------- Tue Dec 6 11:49:32 UTC 2022 - Aleksa Sarai diff --git a/docker.spec b/docker.spec index 381e1b1..8b44c62 100644 --- a/docker.spec +++ b/docker.spec 
@@ -42,15 +42,15 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define real_version 20.10.21 -%define git_version 3056208812eb -%define git_commit_epoch 1666698255 +%define real_version 20.10.23 +%define git_version 6051f1429 +%define git_commit_epoch 1674059068 # We require a specific pin of libnetwork because it doesn't really do # versioning and minor version mismatches in libnetwork can break Docker # networking. All other key runtime dependencies (containerd, runc) are stable # enough that this isn't necessary. -%define libnetwork_version 0dde5c895075df6e3630e76f750a447cf63f4789 +%define libnetwork_version 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7 %define dist_builddir %{_builddir}/dist-suse %define cli_builddir %{dist_builddir}/src/github.com/docker/cli @@ -78,10 +78,6 @@ Source103: README_SUSE.md Source104: docker-audit.rules Source105: docker-daemon.json Source106: docker.sysusers -# Kubelet-specific sources. -# bsc#1086185 -- but we only apply this on Kubic. -Source900: docker-kubic-service.conf -Source901: kubelet.env # NOTE: All of these patches are maintained in # in the suse- branch. Make sure you update the patches in that # branch and then git-format-patch the patch here. 
@@ -91,8 +87,6 @@ Patch100: 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch # SUSE-FEATURE: Add support to mirror unofficial/private registries # . -Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277 Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081 Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch @@ -157,26 +151,6 @@ Recommends: lvm2 >= 2.2.89 Recommends: git-core >= 1.7 ExcludeArch: s390 ppc -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete old packege without the -kubic suffix -Obsoletes: %{realname} = 1.12.6 -Obsoletes: %{realname}_1_12_6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname} -Provides: %{realname} = %{version} -# Kubernetes requires cri-runtime, which should be provided only by the -kubic flavour of this package -Provides: cri-runtime -# No i586 Kubernetes, so docker-kubic must not be built for i586 also -ExcludeArch: i586 -# Disable leap based builds for kubic flavor (bsc#1121412) -%if 0%{?suse_version} == 1500 && 0%{?is_opensuse} -ExclusiveArch: do_not_build -%endif -%endif %description Docker complements LXC with a high-level API which operates at the process 
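Review bot: The comment left above `Patch300` is now the wrong one. The `@@ -91,8 +87,6 @@` hunk removes `Patch200` together with the `# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277` line that described `Patch300`, while the two `# SUSE-FEATURE: Add support to mirror unofficial/private registries` lines that belonged to the dropped mirror patch stay as context. On the new side the AppArmor backport is therefore labelled as the registry-mirror feature and its bug references are gone from the spec, which makes it harder to audit which downstream patches are still carried and why. I would delete the two SUSE-FEATURE lines instead and keep `# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277` directly above `Patch300:`.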
@@ -194,17 +168,6 @@ Requires: %{name} = %{version} Requires: bash-completion Supplements: packageand(%{name}:bash-completion) BuildArch: noarch -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete old packege without the -kubic suffix -Obsoletes: %{realname}-bash-completion = 1.12.6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-bash-completion > 1.12.6 -Provides: %{realname}-bash-completion = %{version} -%endif %description bash-completion Bash command line completion support for %{name}. @@ -216,17 +179,6 @@ Requires: %{name} = %{version} Requires: zsh Supplements: packageand(%{name}:zsh) BuildArch: noarch -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete old packege without the -kubic suffix -Obsoletes: %{realname}-zsh-completion = 1.12.6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-zsh-completion > 1.12.6 -Provides: %{realname}-zsh-completion = %{version} -%endif %description zsh-completion Zsh command line completion support for %{name}. 
@@ -238,29 +190,10 @@ Requires: %{name} = %{version} Requires: fish Supplements: packageand(%{name}:fish) BuildArch: noarch -%if "%flavour" == "kubic" -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-fish-completion -Provides: %{realname}-fish-completion = %{version} -%endif %description fish-completion Fish command line completion support for %{name}. -%if "%flavour" == "kubic" -%package kubeadm-criconfig -Summary: docker container runtime configuration for kubeadm -Group: System/Management -Requires: kubernetes-kubeadm -Requires(post): %fillup_prereq -Supplements: docker-kubic -Provides: kubernetes-kubeadm-criconfig -Conflicts: cri-o-kubeadm-criconfig - -%description kubeadm-criconfig -docker container runtime configuration for kubeadm -%endif - %prep %setup -q -n %{realname}-%{version}_%{git_version} @@ -271,10 +204,6 @@ docker container runtime configuration for kubeadm %patch100 -p1 %patch101 -p1 %endif -%if "%flavour" == "kubic" -# PATCH-SUSE: Mirror patch. -%patch200 -p1 -%endif # bsc#1099277 %patch300 -p1 # bsc#1183855 bsc#1175081 @@ -395,9 +324,6 @@ install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker- # systemd service install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service -%if "%flavour" == "kubic" -install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf -%endif ln -sf service %{buildroot}%{_sbindir}/rcdocker # udev rules that prevents dolphin to show all docker devices and slows down @@ -421,12 +347,6 @@ install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8 # sysusers.d install -D -m0644 %{SOURCE106} %{buildroot}%{_sysusersdir}/%{name}.conf -%if "%flavour" == "kubic" -# place kubelet.env in fillupdir (for kubeadm-criconfig) -sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901} -install -D -m0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet -%endif - %fdupes %{buildroot} %pre -f %{name}.pre 
@@ -451,11 +371,6 @@ grep -q '^dockremap:' /etc/subgid || \ %service_add_post %{realname}.service %{fillup_only -n docker} -%if "%flavour" == "kubic" -%post kubeadm-criconfig -%fillup_only -n kubelet -%endif - %preun %service_del_preun %{realname}.service @@ -474,10 +389,6 @@ grep -q '^dockremap:' /etc/subgid || \ %{_unitdir}/%{realname}.service %{_sysusersdir}/%{name}.conf -%if "%flavour" == "kubic" -%dir %{_unitdir}/%{realname}.service.d/ -%{_unitdir}/%{realname}.service.d/90-kubic.conf -%endif %dir %{_sysconfdir}/docker %config(noreplace) %{_sysconfdir}/docker/daemon.json @@ -503,10 +414,4 @@ grep -q '^dockremap:' /etc/subgid || \ %defattr(-,root,root) %{_datadir}/fish/vendor_completions.d/%{realname}.fish -%if "%flavour" == "kubic" -%files kubeadm-criconfig -%defattr(-,root,root) -%{_fillupdir}/sysconfig.kubelet -%endif - %changelog diff --git a/kubelet.env b/kubelet.env deleted file mode 100644 index ae7b0ee..0000000 --- a/kubelet.env +++ /dev/null @@ -1 +0,0 @@ -KUBELET_EXTRA_ARGS="--cni-bin-dir=@LIBEXECDIR@/cni" From abe375056a1949edf6b2ed183afd8dc53142596c50054f42b2c6a116edd5e5e7 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Wed, 1 Feb 2023 14:39:44 +0000 Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=380 --- docker.spec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docker.spec b/docker.spec index 8b44c62..20ed0bc 100644 --- a/docker.spec +++ b/docker.spec @@ -111,9 +111,7 @@ BuildRequires: fish BuildRequires: go-go-md2man BuildRequires: pkgconfig(libsystemd) BuildRequires: sysuser-tools -# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires -# for 'golang(API) >= 1.18' here, so just require 1.18 exactly. bsc#1172608 -BuildRequires: go1.18 +BuildRequires: golang(API) = 1.18 Requires: (apparmor-parser or container-selinux) Requires: ca-certificates-mozilla # The docker-proxy binary used to be in a separate package. We obsolete it,
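Review bot: The new `BuildRequires: golang(API) = 1.18` in the `@@ -111,9 +111,7 @@` hunk still pins the build to one Go API level, but the hunk deletes the two-line comment that explained the pin and pointed to bsc#1172608, and this second commit has no description of its own. The pin decides which Go toolchain and standard library the packaged binaries are compiled against, so the reason for an exact match rather than `>=` should stay next to the line. I would add a comment such as `# Build against exactly Go API 1.18; bump deliberately together with the toolchain upstream supports.` above it, and state whether the limitation tracked in bsc#1172608 still applies to the `golang(API)` form.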