Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked in at 2021-02-04 20:22:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Thu Feb 4 20:22:48 2021 rev:109 rq:868782 version:20.10.3_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2020-12-23 14:21:11.957723359 +0100 +++ /work/SRC/openSUSE:Factory/.docker.new.28504/docker.changes 2021-02-04 20:23:35.502782187 +0100 
@@ -1,0 +2,59 @@ +Tue Feb 2 13:06:17 UTC 2021 - Aleksa Sarai <asa...@suse.com> + +- Update to Docker 20.10.3-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-21285 CVE-2021-21284 +- Rebase patches on top of 20.10.3-ce. + - 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + - 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + - 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + + 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + - 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + +------------------------------------------------------------------- +Tue Feb 2 05:28:01 UTC 2021 - Aleksa Sarai <asa...@suse.com> + +- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use + the upstream runc package (it's stable enough and Docker no longer pins git + versions). docker-libnetwork is so unstable that it doesn't have any + versioning scheme and so it really doesn't make sense to maintain the project + as a separate package. bsc#1181641 bsc#1181677 +- Remove no-longer-needed patch for packaging now that we've dropped + docker-runc and docker-libnetwork. + - 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch + +------------------------------------------------------------------- +Fri Jan 29 22:55:48 UTC 2021 - Aleksa Sarai <asa...@suse.com> + +- Update to Docker 20.10.2-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. 
bsc#1181594 +- Remove upstreamed patches: + - bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch + - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch +- Add patches to fix build: + + cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch +- Since upstream has changed their source repo (again) we have to rebase all of + our patches. While doing this, I've collapsed all patches into one branch + per-release and thus all the patches are now just one series: + - packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch + + 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch + - secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + - secrets-0002-SUSE-implement-SUSE-container-secrets.patch + + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + - private-registry-0001-Add-private-registry-mirror-support.patch + + 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + - bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch + + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + +------------------------------------------------------------------- +Fri Jan 29 11:54:53 UTC 2021 - Aleksa Sarai <asa...@suse.com> + +- Re-apply secrets fix for bsc#1065609 which appears to have been lost after it + was fixed. 
+ * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + * secrets-0002-SUSE-implement-SUSE-container-secrets.patch + +------------------------------------------------------------------- Old: ---- boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch docker-19.03.14_ce_5eb3275d4006.tar.xz packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch private-registry-0001-Add-private-registry-mirror-support.patch secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch secrets-0002-SUSE-implement-SUSE-container-secrets.patch tests.sh New: ---- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch docker-20.10.3_ce_46229ca1d815.tar.xz docker-cli-20.10.3_ce.tar.xz docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.PihP2M/_old 2021-02-04 20:23:36.318783429 +0100 +++ /var/tmp/diff_new_pack.PihP2M/_new 2021-02-04 20:23:36.322783435 +0100 @@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -42,52 +42,55 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 5eb3275d4006 -%define git_commit_epoch 1606849828 +%define git_version 46229ca1d815 +%define git_commit_epoch 1611869592 -# These are the git commits required. We verify them against the source to make -# sure we didn't miss anything important when doing upgrades. -%define required_containerd ea765aba0d05254012b0b9e595e995c09186427f -%define required_dockerrunc dc9208a3303feef5b3839f4323d9beb36df0a9dd -%define required_libnetwork 55e924b8a84231a065879156c0de95aefc5f5435 +# We require a specific pin of libnetwork because it doesn't really do +# versioning and minor version mismatches in libnetwork can break Docker +# networking. All other key runtime dependencies (containerd, runc) are stable +# enough that this isn't necessary. +%define libnetwork_version fa125a3512ee0f6187721c88582bf8c4378bd4d7 + +%define dist_builddir %{_builddir}/dist-suse +%define cli_builddir %{dist_builddir}/src/github.com/docker/cli +%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork Name: %{realname}%{name_suffix} -Version: 19.03.14_ce +Version: 20.10.3_ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 Group: System/Management URL: http://www.docker.io -# TODO(VR): check those SOURCE files below Source: %{realname}-%{version}_%{git_version}.tar.xz -Source1: docker.service +Source1: %{realname}-cli-%{version}.tar.xz +Source2: %{realname}-libnetwork-%{libnetwork_version}.tar.xz +Source3: docker-rpmlintrc +# TODO: Move these source files to somewhere nicer. +Source100: docker.service +Source101: 80-docker.rules +Source102: sysconfig.docker +Source103: README_SUSE.md +Source104: docker-audit.rules +Source105: docker-daemon.json +# Kubelet-specific sources. 
# bsc#1086185 -- but we only apply this on Kubic. -Source2: docker-kubic-service.conf -Source3: 80-docker.rules -Source4: sysconfig.docker -Source5: kubelet.env -Source6: docker-rpmlintrc -Source7: README_SUSE.md -Source8: docker-audit.rules -Source9: tests.sh -Source10: docker-daemon.json +Source900: docker-kubic-service.conf +Source901: kubelet.env +# NOTE: All of these patches are maintained in <https://github.com/suse/docker> +# in the suse-<version> branch. Make sure you update the patches in that +# branch and then git-format-patch the patch here. # SUSE-FEATURE: Adds the /run/secrets mountpoint inside all Docker containers -# which is not snapshotted when images are committed. Note that if you modify -# this patch, please also modify the patch in the suse-secrets-v<version> -# branch in http://github.com/suse/docker.mirror. -Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch -Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch -# SUSE-ISSUE: Revert of https://github.com/docker/docker/pull/37907. -Patch300: packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1099277 -Patch401: bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch -# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/39121. bsc#1122469 -Patch402: bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/libnetwork/pull/2548. boo#1178801, SLE-16460 -Patch403: boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch -# SUSE-FEATURE: Add support to mirror inofficial/private registries -# (https://github.com/docker/docker/pull/34319) -Patch500: private-registry-0001-Add-private-registry-mirror-support.patch +# which is not snapshotted when images are committed. 
+Patch100: 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch +# SUSE-FEATURE: Add support to mirror unofficial/private registries +# <https://github.com/docker/docker/pull/34319>. +Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. bsc#1073877 bsc#1099277 +Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/2888. +Patch301: cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
@@ -101,23 +104,21 @@ BuildRequires: sqlite3-devel BuildRequires: zsh BuildRequires: fish +BuildRequires: go-go-md2man +# We cannot use Go 1.14 because it breaks io.Copy (among other things) by +# returning -EINTR from I/O syscalls much more often. +BuildRequires: go1.13 BuildRequires: pkgconfig(libsystemd) Requires: apparmor-parser Requires: ca-certificates-mozilla -# Required in order for networking to work. fix_bsc_1057743 is a work-around -# for some old packaging issues (where rpm would delete a binary that was -# installed by docker-libnetwork). See bsc#1057743 for more details. -BuildRequires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} -Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} -Requires: fix_bsc_1057743 -# Containerd and runC are required as they are the only currently supported -# execdrivers of Docker. NOTE: The version pinning here matches upstream's -# vendor.conf to ensure that we don't use a slightly incompatible version of -# runC or containerd (which would be bad). -BuildRequires: containerd%{name_suffix}-git = %{required_containerd} -Requires: containerd%{name_suffix}-git = %{required_containerd} -BuildRequires: docker-runc%{name_suffix}-git = %{required_dockerrunc} -Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc} +# The docker-proxy binary used to be in a separate package. We obsolete it, +# since now docker-proxy is maintained as part of this package. +Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2 +Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version} +# Required to actually run containers. We require the minimum version that is +# pinned by Docker, but in order to avoid headaches we allow for updates. +Requires: runc >= 1.0.0~rc92 +Requires: containerd >= 1.4.3 # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit 
@@ -131,20 +132,13 @@ Requires(post): %fillup_prereq Requires(post): udev Requires(post): shadow -# We used to have a migration tool for the upgrade from v1.9.x to v1.10.x. -# It is no longer useful, so we obsolete it. bsc#1069758 -Obsoletes: docker-image-migrator # Not necessary, but must be installed when the underlying system is # configured to use lvm and the user doesn't explicitly provide a # different storage-driver than devicemapper Recommends: lvm2 >= 2.2.89 Recommends: git-core >= 1.7 -Conflicts: lxc < 1.0 ExcludeArch: s390 ppc -BuildRequires: go-go-md2man -# We cannot use Go 1.14 because it breaks io.Copy (among other things) by -# returning -EINTR from I/O syscalls much more often. -BuildRequires: go1.13 + # KUBIC-SPECIFIC: This was required when upgrading from the original kubic # packaging, when everything was renamed to -kubic. It also is # used to ensure that nothing complains too much when using @@ -232,31 +226,6 @@ %description fish-completion Fish command line completion support for %{name}. -%package test -%global __requires_exclude ^libgo.so.*$ -Summary: Test package for docker -# Needed for test-suite. -Group: System/Management -Requires: curl -Requires: go -Requires: iputils -Requires: jq -Requires: net-tools-deprecated -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete old packege without the -kubic suffix -Obsoletes: %{realname}-test = 1.12.6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-test > 1.12.6 -Provides: %{realname}-test = %{version} -%endif - -%description test -Test package for docker. It contains the source code and the tests. - %if "%flavour" == "kubic" %package kubeadm-criconfig Summary: docker container runtime configuration for kubeadm 
@@ -273,34 +242,47 @@ %prep %setup -q -n %{realname}-%{version}_%{git_version} + %if 0%{?is_opensuse} # nothing %else # PATCH-SUSE: Secrets patches. -%patch200 -p1 -%patch201 -p1 +%patch100 -p1 +%patch101 -p1 %endif -# revert upstream -%patch300 -p1 -# bsc#1099277 -%patch401 -p1 -# bsc#1122469 -%patch402 -p1 -# boo#1178801, SLE-16460 -%patch403 -p1 %if "%flavour" == "kubic" # PATCH-SUSE: Mirror patch. -%patch500 -p1 +%patch200 -p1 %endif +# bsc#1099277 +%patch300 -p1 + +# README_SUSE.md for documentation. +cp %{SOURCE103} . + +# Extract the docker-cli source in a subdir. +mkdir -p %{cli_builddir} +pushd %{cli_builddir} +xz -dc %{SOURCE1} | tar -xof - --strip-components=1 +# https://github.com/docker/cli/pull/2888 +%patch301 -p1 +popd -cp %{SOURCE7} . +# Extract the docker-libnetwork source in a subdir. +mkdir -p %{proxy_builddir} +pushd %{proxy_builddir} +xz -dc %{SOURCE2} | tar -xof - --strip-components=1 +popd %build +echo "$PWD -- $PWD -- $PWD" + BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" %if 0%{?sle_version} == 120000 - # Provided by patch406, to allow us to build with older distros but still - # have deferred removal support at runtime. We only use this when building - # on SLE12. + # Allow us to build with older distros but still have deferred removal + # support at runtime. We only use this when building on SLE12, because + # later openSUSE/SLE versions have a new enough libdevicemapper to not + # require the runtime checking. BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS" %endif 
@@ -326,119 +308,92 @@ # Preparing GOPATH so that the client is visible to the compiler mkdir -p src/github.com/docker/ -ln -s $(pwd)/components/cli $(pwd)/src/github.com/docker/cli -export GOPATH=$GOPATH:$(pwd) +ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli" +export GOPATH="$GOPATH:$PWD" ################### ## DOCKER ENGINE ## ################### -pushd components/engine/ # Ignore the warning that we compile outside a Docker container. ./hack/make.sh dynbinary -# Build test binaries (integration-cli and integration/*). They are all stored -# within the testdir -- we will only end up installing these test files for -# docker-test. -for testdir in {integration-cli,integration/*/} -do - ( find "$testdir" -name '*_test.go' | grep -q '.' ) || continue - GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \ - -buildmode=pie \ - -tags "$DOCKER_BUILDTAGS daemon autogen" \ - -c "github.com/docker/docker/$testdir" -o "$testdir/tests.main" -done -popd - ################### ## DOCKER CLIENT ## ################### -pushd components/cli/ +pushd %{cli_builddir} ./scripts/build/dynbinary mkdir -p ./man/man1 go build -buildmode=pie -o gen-manpages github.com/docker/cli/man -./gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1" +./gen-manpages --root "$PWD" --target "$PWD/man/man1" ./man/md2man-all.sh popd -%check -# We used to run 'go test' here, however we found that this actually didn't -# catch any issues that were caught by smoke testing, and %check would -# continually cause package builds to fail due to flaky tests. If you ever need -# to know how the testing was done, you can always look in the package history. -# boo#1095817 - -# We verify that all of our -git requires are correct, and match the contents -# of the upstream vendoring scripts. This is done on-build to make sure that -# someone doing an update didn't miss anything. 
-cd components/engine -grep 'RUNC_COMMIT:=%{required_dockerrunc}' hack/dockerfile/install/runc.installer -grep 'CONTAINERD_COMMIT:=%{required_containerd}' hack/dockerfile/install/containerd.installer -grep 'LIBNETWORK_COMMIT:=%{required_libnetwork}' hack/dockerfile/install/proxy.installer +################## +## DOCKER PROXY ## +################## + +pushd %{proxy_builddir} +GOPATH="%{dist_builddir}" \ + go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy +popd + +# We verify that our libnetwork source is the correct version. This is done +# on-build to make sure that someone doing an update didn't miss anything. +grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer %install -install -d %{buildroot}%{_bindir} -install -D -m755 components/cli/build/docker %{buildroot}/%{_bindir}/docker -install -D -m755 components/engine/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd -install -d %{buildroot}/%{_localstatedir}/lib/docker -install -Dd -m 0755 \ +install -Dd -m0755 \ %{buildroot}%{_sysconfdir}/init.d \ + %{buildroot}%{_bindir} \ %{buildroot}%{_sbindir} -install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" -install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" -install -D -m0644 components/cli/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" +# docker daemon +install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd +install -d %{buildroot}/%{_localstatedir}/lib/docker +# daemon.json config file +install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json + +# docker cli +install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker +install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker 
"%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" +install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" +install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" + +# docker proxy +install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy -# # systemd service -# -install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service +install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service %if "%flavour" == "kubic" -install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf +install -D -m0644 %{SOURCE900} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf %endif ln -sf service %{buildroot}%{_sbindir}/rcdocker -# # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 -# -install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules +install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules # audit rules -install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules +install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules # sysconfig file -install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker - -# install docker config file -install -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/docker/daemon.json +install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker # install manpages (using the ones from the engine) install -d %{buildroot}%{_mandir}/man1 -install -p -m 644 components/cli/man/man1/*.1 %{buildroot}%{_mandir}/man1 +install -p -m0644 %{cli_builddir}/man/man1/*.1 %{buildroot}%{_mandir}/man1 install -d %{buildroot}%{_mandir}/man5 -install -p -m 644 components/cli/man/man5/Dockerfile.5 
%{buildroot}%{_mandir}/man5 +install -p -m0644 %{cli_builddir}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 install -d %{buildroot}%{_mandir}/man8 -install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 - -# install docker-test files -- we want to avoid installing the entire source tree. -install -d %{buildroot}%{_prefix}/src/docker/ -install -D -m0755 %{SOURCE9} %{buildroot}%{_prefix}/src/docker/tests.sh -# We need hack/, contrib/, profiles/, and the integration*/ trees. -cp -a components/engine/{hack,contrib,profiles,integration{,-cli}} %{buildroot}%{_prefix}/src/docker/ -echo "%{version}" > %{buildroot}%{_prefix}/src/docker/VERSION -# And now we can remove all *_test.go files -- since we already have test -# binaries. Due to a lot of hacks within the Docker integration tests, we can't -# really do a bigger cleanup than this. -find %{buildroot}%{_prefix}/src/docker \ - -type f -name '*_test.go' -delete +install -p -m0644 %{cli_builddir}/man/man8/*.8 %{buildroot}%{_mandir}/man8 %if "%flavour" == "kubic" # place kubelet.env in fillupdir (for kubeadm-criconfig) -sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE5} -install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet +sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE901} +install -D -m0644 %{SOURCE901} %{buildroot}%{_fillupdir}/sysconfig.kubelet %endif %fdupes %{buildroot} @@ -485,10 +440,11 @@ %files %defattr(-,root,root) -%doc components/engine/README.md README_SUSE.md CHANGELOG.md -%license components/engine/LICENSE +%doc README.md README_SUSE.md CHANGELOG.md +%license LICENSE %{_bindir}/docker %{_bindir}/dockerd +%{_bindir}/docker-proxy %{_sbindir}/rcdocker %dir %{_localstatedir}/lib/docker/ 
@@ -522,10 +478,6 @@ %defattr(-,root,root) %{_datadir}/fish/vendor_completions.d/%{realname}.fish -%files test -%defattr(-,root,root) -%{_prefix}/src/docker/ - %if "%flavour" == "kubic" %files kubeadm-criconfig %defattr(-,root,root) ++++++ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch ++++++ >From 1edf7a140c843cc6db85cdea298db19fee316dcb Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is useful for creating directories and subdirectories of secrets. Signed-off-by: Antonio Murdaca <run...@redhat.com> Signed-off-by: Aleksa Sarai <asa...@suse.de> --- daemon/container_operations_unix.go | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go index 5521adbd2749..c103d9349c51 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ package daemon // import "github.com/docker/docker/daemon" import ( + "bytes" "context" "fmt" "io/ioutil" @@ -14,6 +15,7 @@ import ( "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" "github.com/docker/docker/errdefs" + "github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/stringid" "github.com/docker/docker/pkg/system" @@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } - if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { - return errors.Wrap(err, "error injecting secret") - } uid, err := strconv.Atoi(s.File.UID) if err != nil { 
@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } + if s.File.Mode.IsDir() { + if err := os.Mkdir(fPath, s.File.Mode); err != nil { + return errors.Wrap(err, "error creating secretdir") + } + if secret.Spec.Data != nil { + // If the "file" is a directory, then s.File.Data is actually a tar + // archive of the directory. So we just do a tar extraction here. + if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{ + UIDMaps: daemon.idMapping.UIDs(), + GIDMaps: daemon.idMapping.GIDs(), + }); err != nil { + return errors.Wrap(err, "error injecting secretdir") + } + } + } else { + if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { + return errors.Wrap(err, "error injecting secret") + } + } if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { return errors.Wrap(err, "error setting ownership for secret") } -- 2.30.0 ++++++ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch ++++++ >From b7419429d17675d8db949bd7c35812308684254a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- daemon/start.go | 5 + daemon/suse_secrets.go | 410 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 415 insertions(+) create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go index d9bc082b1078..091dae2ae65e 100644 --- a/daemon/start.go +++ b/daemon/start.go 
@@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint return err } + // SUSE:secrets -- inject the SUSE secret store + if err := daemon.injectSuseSecretStore(container); err != nil { + return errdefs.System(err) + } + spec, err := daemon.createSpec(container) if err != nil { return errdefs.System(err) diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 index 000000000000..177efcb22295 --- /dev/null +++ b/daemon/suse_secrets.go 
@@ -0,0 +1,410 @@ +/* + * suse-secrets: patch for Docker to implement SUSE secrets + * Copyright (C) 2017-2021 SUSE LLC. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package daemon + +import ( + "archive/tar" + "bytes" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "strings" + + "github.com/docker/docker/container" + "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/idtools" + + swarmtypes "github.com/docker/docker/api/types/swarm" + swarmexec "github.com/docker/swarmkit/agent/exec" + swarmapi "github.com/docker/swarmkit/api" + + "github.com/opencontainers/go-digest" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" +) + +func init() { + // Output to tell us in logs that SUSE:secrets is enabled. + logrus.Infof("SUSE:secrets :: enabled") +} + +// Creating a fake file. +type SuseFakeFile struct { + Path string + Uid int + Gid int + Mode os.FileMode + Data []byte +} + +func (s SuseFakeFile) id() string { + // NOTE: It is _very_ important that this string always has a prefix of + // "suse". This is how we can ensure that we can operate on + // SecretReferences with a confidence that it was made by us. 
+ return fmt.Sprintf("suse_%s_%s", digest.FromBytes(s.Data).Hex(), s.Path) +} + +func (s SuseFakeFile) toSecret() *swarmapi.Secret { + return &swarmapi.Secret{ + ID: s.id(), + Internal: true, + Spec: swarmapi.SecretSpec{ + Data: s.Data, + }, + } +} + +func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference { + // Figure out the host-facing {uid,gid} based on the provided maps. Fall + // back to root if the UID/GID don't match (we are guaranteed that root is + // mapped). + ctrUser := idtools.Identity{UID: s.Uid, GID: s.Gid} + hostUser := idMaps.RootPair() + if user, err := idMaps.ToHost(ctrUser); err == nil { + hostUser = user + } + + // Return the secret reference as a file target. + return &swarmtypes.SecretReference{ + SecretID: s.id(), + SecretName: s.id(), + File: &swarmtypes.SecretReferenceFileTarget{ + Name: s.Path, + UID: fmt.Sprintf("%d", hostUser.UID), + GID: fmt.Sprintf("%d", hostUser.GID), + Mode: s.Mode, + }, + } +} + +// readDir will recurse into a directory prefix/dir, and return the set of +// secrets in that directory (as a tar archive that is packed inside the "data" +// field). The Path attribute of each has the prefix stripped. Symlinks are +// dereferenced. +func readDir(prefix, dir string) ([]*SuseFakeFile, error) { + var suseFiles []*SuseFakeFile + + path := filepath.Join(prefix, dir) + fi, err := os.Stat(path) + if err != nil { + // Ignore missing files. + if os.IsNotExist(err) { + // If the path itself exists it was a dangling symlink so give a + // warning about the symlink dangling. + _, err2 := os.Lstat(path) + if !os.IsNotExist(err2) { + logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path) + } + return nil, nil + } + return nil, err + } else if !fi.IsDir() { + // Just to be safe. 
+ logrus.Infof("SUSE:secrets :: expected %q to be a directory, but was a file", path) + return readFile(prefix, dir) + } + path, err = filepath.EvalSymlinks(path) + if err != nil { + return nil, err + } + + // Construct a tar archive of the source directory. We tar up the prefix + // directory and add dir as an IncludeFiles specifically so that we + // preserve the name of the directory itself. + tarStream, err := archive.TarWithOptions(path, &archive.TarOptions{ + Compression: archive.Uncompressed, + IncludeSourceDir: true, + }) + if err != nil { + return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %v", path, err) + } + tarStreamBytes, err := ioutil.ReadAll(tarStream) + if err != nil { + return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %v", err) + } + + // Get a list of the symlinks in the tar archive. + var symlinks []string + tmpTr := tar.NewReader(bytes.NewBuffer(tarStreamBytes)) + for { + hdr, err := tmpTr.Next() + if err == io.EOF { + break + } + if err != nil { + return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %v", err) + } + if hdr.Typeflag == tar.TypeSymlink { + symlinks = append(symlinks, hdr.Name) + } + } + + // Symlinks aren't dereferenced in the above archive, so we explicitly do a + // rewrite of the tar archive to include all symlinks to files. We cannot + // do directories here, but lower-level directory symlinks aren't supported + // by zypper so this isn't an issue. + symlinkModifyMap := map[string]archive.TarModifierFunc{} + for _, sym := range symlinks { + logrus.Debugf("SUSE:secrets: archive(%q) %q is a need-to-rewrite symlink", path, sym) + symlinkModifyMap[sym] = func(tarPath string, hdr *tar.Header, r io.Reader) (*tar.Header, []byte, error) { + logrus.Debugf("SUSE:secrets: archive(%q) mapping for symlink %q", path, tarPath) + tarFullPath := filepath.Join(path, tarPath) + + // Get a copy of the original byte stream. 
+ oldContent, err := ioutil.ReadAll(r) + if err != nil { + return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %v", tarPath, err) + } + + // Check that the file actually exists. + fi, err := os.Stat(tarFullPath) + if err != nil { + logrus.Warnf("suse_rewrite: failed to stat archive entry %q: %v", tarFullPath, err) + return hdr, oldContent, nil + } + + // Read the actual contents. + content, err := ioutil.ReadFile(tarFullPath) + if err != nil { + logrus.Warnf("suse_rewrite: failed to read %q: %v", tarFullPath, err) + return hdr, oldContent, nil + } + + newHdr, err := tar.FileInfoHeader(fi, "") + if err != nil { + // Fake the header. + newHdr = &tar.Header{ + Typeflag: tar.TypeReg, + Mode: 0644, + } + } + + // Update the key fields. + hdr.Typeflag = newHdr.Typeflag + hdr.Mode = newHdr.Mode + hdr.Linkname = "" + return hdr, content, nil + } + } + + // Create the rewritten tar stream. + tarStream = archive.ReplaceFileTarWrapper(ioutil.NopCloser(bytes.NewBuffer(tarStreamBytes)), symlinkModifyMap) + tarStreamBytes, err = ioutil.ReadAll(tarStream) + if err != nil { + return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %v", err) + } + + // Add the tar stream as a "file". + suseFiles = append(suseFiles, &SuseFakeFile{ + Path: dir, + Mode: fi.Mode(), + Data: tarStreamBytes, + }) + return suseFiles, nil +} + +// readFile returns a secret given a file under a given prefix. +func readFile(prefix, file string) ([]*SuseFakeFile, error) { + path := filepath.Join(prefix, file) + fi, err := os.Stat(path) + if err != nil { + // Ignore missing files. + if os.IsNotExist(err) { + // If the path itself exists it was a dangling symlink so give a + // warning about the symlink dangling. + _, err2 := os.Lstat(path) + if !os.IsNotExist(err2) { + logrus.Warnf("SUSE:secrets :: ignoring dangling symlink: %s", path) + } + return nil, nil + } + return nil, err + } else if fi.IsDir() { + // Just to be safe. 
+ logrus.Infof("SUSE:secrets :: expected %q to be a file, but was a directory", path) + return readDir(prefix, file) + } + + var uid, gid int + if stat, ok := fi.Sys().(*unix.Stat_t); ok { + uid, gid = int(stat.Uid), int(stat.Gid) + } else { + logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path) + uid, gid = 0, 0 + } + + bytes, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + + var suseFiles []*SuseFakeFile + suseFiles = append(suseFiles, &SuseFakeFile{ + Path: file, + Uid: uid, + Gid: gid, + Mode: fi.Mode(), + Data: bytes, + }) + return suseFiles, nil +} + +// getHostSuseSecretData returns the list of SuseFakeFiles the need to be added +// as SUSE secrets. +func getHostSuseSecretData() ([]*SuseFakeFile, error) { + secrets := []*SuseFakeFile{} + + credentials, err := readDir("/etc/zypp", "credentials.d") + if err != nil { + if os.IsNotExist(err) { + credentials = []*SuseFakeFile{} + } else { + logrus.Errorf("SUSE:secrets :: error while reading zypp credentials: %s", err) + return nil, err + } + } + secrets = append(secrets, credentials...) + + suseConnect, err := readFile("/etc", "SUSEConnect") + if err != nil { + if os.IsNotExist(err) { + suseConnect = []*SuseFakeFile{} + } else { + logrus.Errorf("SUSE:secrets :: error while reading /etc/SUSEConnect: %s", err) + return nil, err + } + } + secrets = append(secrets, suseConnect...) + + return secrets, nil +} + +// To fake an empty store, in the case where we are operating on a container +// that was created pre-swarmkit. Otherwise segfaults and other fun things +// happen. See bsc#1057743. +type ( + suseEmptyStore struct{} + suseEmptySecret struct{} + suseEmptyConfig struct{} +) + +// In order to reduce the amount of code touched outside of this file, we +// implement the swarm API for DependencyGetter. This asserts that this +// requirement will always be matched. 
In addition, for the case of the *empty* +// getters this reduces memory usage by having a global instance. +var ( + _ swarmexec.DependencyGetter = &suseDependencyStore{} + emptyStore swarmexec.DependencyGetter = suseEmptyStore{} + emptySecret swarmexec.SecretGetter = suseEmptySecret{} + emptyConfig swarmexec.ConfigGetter = suseEmptyConfig{} +) + +var errSuseEmptyStore = fmt.Errorf("SUSE:secrets :: tried to get a resource from empty store [this is a bug]") + +func (_ suseEmptyConfig) Get(_ string) (*swarmapi.Config, error) { return nil, errSuseEmptyStore } +func (_ suseEmptySecret) Get(_ string) (*swarmapi.Secret, error) { return nil, errSuseEmptyStore } +func (_ suseEmptyStore) Secrets() swarmexec.SecretGetter { return emptySecret } +func (_ suseEmptyStore) Configs() swarmexec.ConfigGetter { return emptyConfig } + +type suseDependencyStore struct { + dfl swarmexec.DependencyGetter + secrets map[string]*swarmapi.Secret +} + +// The following are effectively dumb wrappers that return ourselves, or the +// default. +func (s *suseDependencyStore) Secrets() swarmexec.SecretGetter { return s } +func (s *suseDependencyStore) Configs() swarmexec.ConfigGetter { return s.dfl.Configs() } + +// Get overrides the underlying DependencyGetter with our own secrets (falling +// through to the underlying DependencyGetter if the secret isn't present). +func (s *suseDependencyStore) Get(id string) (*swarmapi.Secret, error) { + logrus.Debugf("SUSE:secrets :: id=%s requested from suseDependencyGetter", id) + + secret, ok := s.secrets[id] + if !ok { + // fallthrough + return s.dfl.Secrets().Get(id) + } + return secret, nil +} + +// removeSuseSecrets removes any SecretReferences which were added by us +// explicitly (this is detected by checking that the prefix has a 'suse' +// prefix). See bsc#1057743. 
+func removeSuseSecrets(c *container.Container) { + var without []*swarmtypes.SecretReference + for _, secret := range c.SecretReferences { + if strings.HasPrefix(secret.SecretID, "suse") { + logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID) + continue + } + without = append(without, secret) + } + c.SecretReferences = without +} + +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error { + newDependencyStore := &suseDependencyStore{ + dfl: c.DependencyStore, + secrets: make(map[string]*swarmapi.Secret), + } + // Handle old containers. See bsc#1057743. + if newDependencyStore.dfl == nil { + newDependencyStore.dfl = emptyStore + } + + // We drop any "old" SUSE secrets, as it appears that old containers (when + // restarted) could still have references to old secrets. The .id() of all + // secrets have a prefix of "suse" so this is much easier. See bsc#1057743 + // for details on why this could cause issues. + removeSuseSecrets(c) + + secrets, err := getHostSuseSecretData() + if err != nil { + return err + } + + idMaps := daemon.idMapping + for _, secret := range secrets { + newDependencyStore.secrets[secret.id()] = secret.toSecret() + c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(idMaps)) + } + + c.DependencyStore = newDependencyStore + + // bsc#1057743 -- In older versions of Docker we added volumes explicitly + // to the mount list. This causes clashes because of duplicate namespaces. + // If we see an existing mount that will clash with the in-built secrets + // mount we assume it's our fault. 
+ intendedMounts, err := c.SecretMounts() + if err != nil { + logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err) + return err + } + for _, intendedMount := range intendedMounts { + mountPath := intendedMount.Destination + if volume, ok := c.MountPoints[mountPath]; ok { + logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume) + delete(c.MountPoints, mountPath) + } + } + return nil +} -- 2.30.0 ++++++ 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch ++++++ ++++ 1146 lines (skipped) ++++++ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch ++++++ >From eb4e0b351b4bb229bfd5fd3ed57d3c35040265e0 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Fri, 29 Jun 2018 17:59:30 +1000 Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles") mistakenly made the initial profile load at dockerd start-up lazy. As a result, if you have a running Docker daemon and upgrade it to a new one with an updated AppArmor profile the new profile will not take effect (because the old one is still loaded). The fix for this is quite trivial, and just requires us to clobber the profile on start-up. Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles") SUSE-Bugs: bsc#1099277 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- daemon/apparmor_default.go | 14 ++++++++++---- daemon/apparmor_default_unsupported.go | 4 ++++ daemon/daemon.go | 5 +++-- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go index a7cc3a5ef412..1a952953da8f 100644 --- a/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go 
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string { return "" } +func clobberDefaultAppArmorProfile() error { + if apparmor.IsEnabled() { + if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil { + return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err) + } + } + return nil +} + func ensureDefaultAppArmorProfile() error { if apparmor.IsEnabled() { loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) @@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error { } // Load the profile. - if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil { - return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err) - } + return clobberDefaultAppArmorProfile() } - return nil } diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go index dd581dc7dadb..5b14979cd4a3 100644 --- a/daemon/apparmor_default_unsupported.go +++ b/daemon/apparmor_default_unsupported.go @@ -2,6 +2,10 @@ package daemon // import "github.com/docker/docker/daemon" +func clobberDefaultAppArmorProfile() error { + return nil +} + func ensureDefaultAppArmorProfile() error { return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go index 794ff9712d08..f9e727b348c5 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go 
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S logrus.Warnf("Failed to configure golang's threads limit: %v", err) } - // ensureDefaultAppArmorProfile does nothing if apparmor is disabled - if err := ensureDefaultAppArmorProfile(); err != nil { + // Make sure we clobber any pre-existing docker-default profile to ensure + // that upgrades to the profile actually work smoothly. + if err := clobberDefaultAppArmorProfile(); err != nil { logrus.Errorf(err.Error()) } -- 2.30.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.PihP2M/_old 2021-02-04 20:23:36.454783637 +0100 +++ /var/tmp/diff_new_pack.PihP2M/_new 2021-02-04 20:23:36.458783642 +0100 
@@ -1,12 +1,28 @@ <services> <service name="tar_scm" mode="disabled"> - <param name="url">https://github.com/docker/docker-ce.git</param> + <param name="url">https://github.com/moby/moby.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">19.03.14_ce_%h</param> - <param name="revision">v19.03.14</param> + <param name="versionformat">20.10.3_ce_%h</param> + <param name="revision">v20.10.3</param> <param name="filename">docker</param> </service> + <service name="tar_scm" mode="disabled"> + <param name="url">https://github.com/docker/cli.git</param> + <param name="scm">git</param> + <param name="exclude">.git</param> + <param name="versionformat">20.10.3_ce</param> + <param name="revision">v20.10.3</param> + <param name="filename">docker-cli</param> + </service> + <service name="tar_scm" mode="disabled"> + <param name="url">https://github.com/docker/libnetwork.git</param> + <param name="scm">git</param> + <param name="exclude">.git</param> + <param name="versionformat">%H</param> + <param name="revision">fa125a3512ee0f6187721c88582bf8c4378bd4d7</param> + <param name="filename">docker-libnetwork</param> + </service> <service name="recompress" mode="disabled"> <param name="file">docker-*.tar</param> <param name="compression">xz</param> ++++++ cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch ++++++ >From 6e2607c6a68ecf1a7378133f22cb7192e2eb9d5b Mon Sep 17 00:00:00 2001 
From: Arnaud Rebillout <elboulang...@gmail.com> Date: Wed, 16 Dec 2020 10:19:43 +0700 Subject: [PATCH] Rename bin/md2man to bin/go-md2man In the recent PR !2877, some code was added to check if md2man is already installed in the build environment. This is to cater to the needs of Linux distributions. However it turns out that Linux distributions install md2man as bin/go-md2man instead of bin/md2man, hence the PR !2877 doesn't help much. This commit fixes it by settling on using the binary name go-md2man. For reference, here the file list of the package go-md2man in several distributions: - Debian: <https://packages.debian.org/sid/amd64/go-md2man/filelist> - Ubuntu: <https://packages.ubuntu.com/hirsute/amd64/go-md2man/filelist> - Fedora: <https://fedora.pkgs.org/31/fedora-x86_64/golang-github-cpuguy83-md2man-2.0.0-0.4.20190624gitf79a8a8.fc31.x86_64.rpm.html> - ArchLinux: <https://www.archlinux.org/packages/community/x86_64/go-md2man/> Signed-off-by: Arnaud Rebillout <elboulang...@gmail.com> --- man/md2man-all.sh | 2 +- scripts/docs/generate-man.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/md2man-all.sh b/man/md2man-all.sh index eb0bc6366a27..46c7b8f08eae 100755 --- a/man/md2man-all.sh +++ b/man/md2man-all.sh @@ -18,5 +18,5 @@ for FILE in *.md; do continue fi mkdir -p "./man${num}" - md2man -in "$FILE" -out "./man${num}/${name}" + go-md2man -in "$FILE" -out "./man${num}/${name}" done diff --git a/scripts/docs/generate-man.sh b/scripts/docs/generate-man.sh index 136ed1e00094..e312c87dd321 100755 --- a/scripts/docs/generate-man.sh +++ b/scripts/docs/generate-man.sh 
@@ -4,9 +4,9 @@ set -eu -o pipefail mkdir -p ./man/man1 -if ! command -v md2man &> /dev/null; then +if ! command -v go-md2man &> /dev/null; then # yay, go install creates a binary named "v2" ??\_(???)_/?? - go build -o "/go/bin/md2man" ./vendor/github.com/cpuguy83/go-md2man/v2 + go build -o "/go/bin/go-md2man" ./vendor/github.com/cpuguy83/go-md2man/v2 fi # Generate man pages from cobra commands -- 2.30.0 ++++++ docker-19.03.14_ce_5eb3275d4006.tar.xz -> docker-20.10.3_ce_46229ca1d815.tar.xz ++++++ /work/SRC/openSUSE:Factory/docker/docker-19.03.14_ce_5eb3275d4006.tar.xz /work/SRC/openSUSE:Factory/.docker.new.28504/docker-20.10.3_ce_46229ca1d815.tar.xz differ: char 15, line 1
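Review bot: in the SUSE secrets patch, the symlink rewrite inside readDir follows every link with os.Stat(tarFullPath) and ioutil.ReadFile(tarFullPath) and never checks where the link resolves, so a link under /etc/zypp/credentials.d whose target lies outside that directory has the target's contents packed into the archive that injectSuseSecretStore attaches to the container. If following such links is intended, state it in the readDir comment and log the resolved target next to the existing "need-to-rewrite symlink" debug line. Otherwise resolve the entry with filepath.EvalSymlinks and skip targets that leave the source directory. In the same hunk, removeSuseSecrets tests strings.HasPrefix(secret.SecretID, "suse") while id() always produces "suse_<digest>_<path>". Matching on "suse_" keeps the filter as narrow as the IDs it is meant to drop.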
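Review bot: in the first daemon/apparmor_default.go hunk of the AppArmor patch, clobberDefaultAppArmorProfile is added without a doc comment, and the only thing that distinguishes it from ensureDefaultAppArmorProfile is that it skips the aaprofile.IsLoaded check and always calls aaprofile.InstallDefault. A one-line comment saying it unconditionally reinstalls the profile and is meant for daemon start-up would keep later callers from using it on the per-container path that the "ensure" workflow was introduced to keep cheap. After the second hunk, ensureDefaultAppArmorProfile calls it from inside its own apparmor.IsEnabled() block, so that check now runs twice. This is harmless but worth a word in the comment.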
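Review bot: in the daemon/daemon.go hunk of the AppArmor patch, a failure of clobberDefaultAppArmorProfile() is only logged and NewDaemon carries on, so an upgrade whose new docker-default cannot be loaded still starts the daemon with nothing but an error line to show for it. Either make the log message say explicitly that a previously loaded profile may remain in effect, or decide whether start-up should fail here. The unchanged context line logrus.Errorf(err.Error()) also passes the error text as a format string, and that text embeds the underlying loader error. logrus.Error(err) avoids misreading any % in it. The replaced comment noted that the call does nothing when AppArmor is disabled, which is still true of the new call and is worth keeping.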
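Review bot: in the _service hunk, the moby and docker/cli sources are pinned by tag (revision v20.10.3) while libnetwork is pinned by full commit hash, and a tag can be moved upstream after review. The moby entry at least records the resolved commit through %h in versionformat, but the docker-cli entry uses 20.10.3_ce with no hash, so nothing in the tarball name shows which commit was fetched. Pinning both to the commit hash, or adding %h to the docker-cli versionformat, would make the fetched source verifiable against what was reviewed.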
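Review bot: in the scripts/docs/generate-man.sh hunk of the cli patch, the fallback still builds to the hard-coded path /go/bin/go-md2man, which only helps if /go/bin exists, is writable and is on PATH in the build environment. In a distribution build where go-md2man is missing, that assumption is the likely point of failure. Deriving the directory from go env GOPATH, or building into a directory the script itself adds to PATH, would remove the assumption. The man/md2man-all.sh hunk calls go-md2man with no such existence check or fallback, so the two scripts now behave differently when the binary is absent.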