Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2017-12-21 11:25:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Thu Dec 21 11:25:14 2017 rev:67 rq:558281 version:17.09.1_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2017-12-08 12:54:02.400940025 +0100 +++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2017-12-21 11:25:16.559449330 +0100 @@ -1,0 +2,35 @@ +Mon Dec 18 12:32:35 UTC 2017 - asa...@suse.com + +- Update to Docker v17.09.1_ce. Upstream changelog: + https://github.com/docker/docker-ce/releases/tag/v17.09.1-ce +- Removed patches (merged upstream): + - bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch + - bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch + - bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch + +------------------------------------------------------------------- +Mon Dec 18 12:32:35 UTC 2017 - asa...@suse.com + +- Update to Docker v17.09.0_ce. Upstream changelog: + https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce +- Rebased patches: + * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch + * bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch + * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch + * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +- Removed patches (merged upstream): + - bsc1064781-0001-Allow-to-override-build-date.patch + +------------------------------------------------------------------- +Tue Dec 5 10:58:07 UTC 2017 - asa...@suse.com + +- Add a patch to dynamically probe whether libdevmapper supports + dm_task_deferred_remove. This is necessary because we build the containers + module on a SLE12 base, but later SLE versions have libdevmapper support. + This should not affect openSUSE, as all openSUSE versions have a new enough + libdevmapper. Backport of https://github.com/moby/moby/pull/35518. + bsc#1021227 bsc#1029320 bsc#1058173 + + bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch + +------------------------------------------------------------------- @@ -70 +105 @@ -- Update to Docker v17.07-ce (bsc#1069758). Upstream changelog: +- Update to Docker v17.07.0_ce (bsc#1069758). Upstream changelog: Old: ---- bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch bsc1064781-0001-Allow-to-override-build-date.patch bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch docker-17.07.0_ce.tar.xz New: ---- bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch docker-17.09.1_ce.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.ufTQlA/_old 2017-12-21 11:25:17.411407789 +0100 +++ /var/tmp/diff_new_pack.ufTQlA/_new 2017-12-21 11:25:17.415407594 +0100 @@ -31,11 +31,17 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 87847530f717 -%define git_commit_epoch 1508266293 +%define git_version f4ffd2511ce9 +%define git_commit_epoch 1508606827 + +# These are the git commits required. We verify them against the source to make +# sure we didn't miss anything important when doing upgrades. +%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0 +%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64 +%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e Name: docker -Version: 17.07.0_ce +Version: 17.09.1_ce Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -57,15 +63,9 @@ Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676 -Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34573. bsc#1045628 -Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781 -Patch403: bsc1064781-0001-Allow-to-override-build-date.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539 -Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992 -Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch +Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173 +Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -99,14 +99,14 @@ # Required in order for networking to work. fix_bsc_1057743 is a work-around # for some old packaging issues (where rpm would delete a binary that was # installed by docker-libnetwork). See bsc#1057743 for more details. -Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 +Requires: docker-libnetwork-git = %{required_libnetwork} Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of # runC or containerd (which would be bad). -Requires: containerd = 0.2.8+gitr671_3addd8406531 -Requires: docker-runc = 1.0.0rc3+gitr3201_2d41c04 +Requires: containerd-git = %{required_containerd} +Requires: docker-runc-git = %{required_dockerrunc} # Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used Requires: e2fsprogs Requires: git-core >= 1.7 @@ -124,7 +124,7 @@ Recommends: lvm2 >= 2.2.89 Conflicts: lxc < 1.0 BuildRoot: %{_tmppath}/%{name}-%{version}-build -ExcludeArch: %ix86 s390 ppc +ExcludeArch: s390 ppc # Make sure we build with go 1.8 BuildRequires: go-go-md2man BuildRequires: golang(API) = 1.8 @@ -181,19 +181,14 @@ %if 0%{?is_opensuse} # nothing %else +# PATCH-SUSE: Secrets patches. %patch200 -p1 -d components/engine %patch201 -p1 -d components/engine %endif # bsc#1055676 +%patch400 -p1 -d components/engine +# bsc#1021227 bsc#1029320 bsc#1058173 %patch401 -p1 -d components/engine -# bsc#1045628 -%patch402 -p1 -d components/engine -# boo#1064781 -%patch403 -p1 -d components/engine -# boo#1066801 CVE-2017-16539 -%patch404 -p1 -d components/engine -# boo#1066210 CVE-2017-14992 -%patch405 -p1 -d components/engine cp %{SOURCE7} . cp %{SOURCE9} . @@ -203,10 +198,11 @@ %if 0%{?with_libseccomp} BUILDTAGS="seccomp $BUILDTAGS" %endif -# For SLE12 libdevmapper.h is not recent enough to define -# dm_task_deferred_remove(). %if 0%{?sle_version} == 120000 - BUILDTAGS="libdm_no_deferred_remove $BUILDTAGS" + # Provided by patch406, to allow us to build with older distros but still + # have deferred removal support at runtime. We only use this when building + # on SLE12. + BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS" %endif (cat <<EOF @@ -272,6 +268,12 @@ cd $HOME/go/src/github.com/docker/docker +# We verify that all of our -git requires are correct. This is done on-build to +# make sure that someone doing an update didn't miss anything. +grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits +grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits +grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits + # The command is taken from hack/make/test-unit and various test runs. # Everything that follows github.com/docker/pkg/integration-cli are packages # containing tests that cannot run in an obs build context. Some tests must be @@ -289,9 +291,13 @@ | grep -v 'github.com/docker/docker/builder/dockerfile/parser$' \ | grep -v 'github.com/docker/docker/builder/remotecontext' \ | grep -v 'github.com/docker/docker/cmd/dockerd$' \ +%ifarch s390x + | grep -v 'github.com/docker/docker/container' \ +%endif | grep -v 'github.com/docker/docker/daemon$' \ | grep -v 'github.com/docker/docker/daemon/graphdriver' \ | grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \ + | grep -v 'github.com/docker/docker/integration' \ | grep -v 'github.com/docker/docker/integration-cli' \ | grep -v 'github.com/docker/docker/man$' \ | grep -v 'github.com/docker/docker/pkg/archive$' \ @@ -314,22 +320,33 @@ ) # PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER! rm ./pkg/system/rm_test.go - go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST # DOCKER CLIENT +find $(go env GOROOT) -type d + cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli cd $HOME/go/src/github.com/docker/cli PKG_LIST=$(go list ./... \ | grep 'github.com/docker/cli' \ | grep -v 'github.com/docker/cli/vendor' \ + | grep -Ev 'vendor/(.+/)?github.com/docker/cli' \ | grep -v 'github.com/docker/cli/cli/command/idresolver' \ | grep -v 'github.com/docker/cli/cli/command/image' \ | grep -v 'github.com/docker/cli/cli/image' \ + | grep -v 'github.com/docker/cli/cmd/docker' \ + | grep -v 'github.com/docker/cli/e2e' \ + | grep -v 'github.com/docker/cli/cli/image' \ ) # PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER! -go test -buildmode=pie -cover -ldflags -w -tags daemon -a -test.timeout=10m $PKG_LIST +# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will +# produce really odd errors about packages missing (this only happens if we +# have a lot of packages in the cmdline). So just avoid running these tests if +# we're on ppc64le (which requires -buildmode=pie). +%ifnarch ppc64le +go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST +%endif %install install -d %{buildroot}%{go_contribdir} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ufTQlA/_old 2017-12-21 11:25:17.479404473 +0100 +++ /var/tmp/diff_new_pack.ufTQlA/_new 2017-12-21 11:25:17.479404473 +0100 @@ -3,8 +3,8 @@ <param name="url">https://github.com/docker/docker-ce.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">17.07.0_ce</param> - <param name="revision">v17.07.0-ce</param> + <param name="versionformat">17.09.1_ce</param> + <param name="revision">v17.09.1-ce</param> <param name="filename">docker</param> </service> <service name="recompress" mode="disabled"> ++++++ bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch ++++++ >From b492588a54b8efa1fba1de700cb3e0ad3fe665d9 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Thu, 16 Nov 2017 17:09:16 +1100 Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove dm_task_deferred_remove is not supported by all distributions, due to out-dated versions of devicemapper. However, in the case where the devicemapper library was updated without rebuilding Docker (which can happen in some distributions) then we should attempt to dynamically load the relevant object rather than try to link to it. This can only be done if Docker was built dynamically, for obvious reasons. In order to avoid having issues arise when dlsym(3) was unnecessary, gate the whole dlsym(3) logic behind a buildflag that we disable by default (libdm_dlsym_deferred_remove). SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- hack/make.sh | 12 +- ...> devmapper_wrapper_dynamic_deferred_remove.go} | 10 +- ...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++ .../devmapper_wrapper_no_deferred_remove.go | 6 +- 4 files changed, 149 insertions(+), 7 deletions(-) rename pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%) create mode 100644 pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go diff --git a/hack/make.sh b/hack/make.sh index bc18c066b66c..6e94824ad557 100755 --- a/hack/make.sh +++ b/hack/make.sh @@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then exit 1 fi +# Adds $1_$2 to DOCKER_BUILDTAGS unless it already +# contains a word starting from $1_ +add_buildtag() { + [[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2" +} + if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then DOCKER_BUILDTAGS+=" journald" elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then @@ -127,12 +133,14 @@ if \ fi # test whether "libdevmapper.h" is new enough to support deferred remove -# functionality. +# functionality. We favour libdm_dlsym_deferred_remove over +# libdm_no_deferred_remove in dynamic cases because the binary could be shipped +# with a newer libdevmapper than the one it was built wih. if \ command -v gcc &> /dev/null \ && ! ( echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \ ; then - DOCKER_BUILDTAGS+=' libdm_no_deferred_remove' + add_buildtag libdm dlsym_deferred_remove fi # Use these flags when compiling the tests and final binary diff --git a/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go similarity index 78% rename from pkg/devicemapper/devmapper_wrapper_deferred_remove.go rename to pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go index 7f793c270868..bf57371ff4cf 100644 --- a/pkg/devicemapper/devmapper_wrapper_deferred_remove.go +++ b/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go @@ -1,11 +1,15 @@ -// +build linux,cgo,!libdm_no_deferred_remove +// +build linux,cgo,!static_build +// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove package devicemapper -// #include <libdevmapper.h> +/* +#include <libdevmapper.h> +*/ import "C" -// LibraryDeferredRemovalSupport tells if the feature is enabled in the build +// LibraryDeferredRemovalSupport tells if the feature is supported by the +// current Docker invocation. const LibraryDeferredRemovalSupport = true func dmTaskDeferredRemoveFct(task *cdmTask) int { diff --git a/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go new file mode 100644 index 000000000000..5dfb369f1ff8 --- /dev/null +++ b/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go @@ -0,0 +1,128 @@ +// +build linux,cgo,!static_build +// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove + +package devicemapper + +/* +#cgo LDFLAGS: -ldl +#include <stdlib.h> +#include <dlfcn.h> +#include <libdevmapper.h> + +// Yes, I know this looks scary. In order to be able to fill our own internal +// dm_info with deferred_remove we need to have a struct definition that is +// correct (regardless of the version of libdm that was used to compile it). To +// this end, we define struct_backport_dm_info. This code comes from lvm2, and +// I have verified that the structure has only ever had elements *appended* to +// it (since 2001). +// +// It is also important that this structure be _larger_ than the dm_info that +// libdevmapper expected. Otherwise libdm might try to write to memory it +// shouldn't (they don't have a "known size" API). +struct backport_dm_info { + int exists; + int suspended; + int live_table; + int inactive_table; + int32_t open_count; + uint32_t event_nr; + uint32_t major; + uint32_t minor; + int read_only; + + int32_t target_count; + + int deferred_remove; + int internal_suspend; + + // Padding, purely for our own safety. This is to avoid cases where libdm + // was updated underneath us and we call into dm_task_get_info() with too + // small of a buffer. + char _[512]; +}; + +// We have to wrap this in CGo, because Go really doesn't like function pointers. +int call_dm_task_deferred_remove(void *fn, struct dm_task *task) +{ + int (*_dm_task_deferred_remove)(struct dm_task *task) = fn; + return _dm_task_deferred_remove(task); +} +*/ +import "C" + +import ( + "unsafe" + + "github.com/sirupsen/logrus" +) + +// dm_task_deferred_remove is not supported by all distributions, due to +// out-dated versions of devicemapper. However, in the case where the +// devicemapper library was updated without rebuilding Docker (which can happen +// in some distributions) then we should attempt to dynamically load the +// relevant object rather than try to link to it. + +// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove. +// It is nil if dm_task_deferred_remove was not found in the libdevmapper that +// is currently loaded. +var dmTaskDeferredRemovePtr unsafe.Pointer + +// LibraryDeferredRemovalSupport tells if the feature is supported by the +// current Docker invocation. This value is fixed during init. +var LibraryDeferredRemovalSupport bool + +func init() { + // Clear any errors. + var err *C.char + C.dlerror() + + // The symbol we want to fetch. + symName := C.CString("dm_task_deferred_remove") + defer C.free(unsafe.Pointer(symName)) + + // See if we can find dm_task_deferred_remove. Since we already are linked + // to libdevmapper, we can search our own address space (rather than trying + // to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT + // is not available in CGO (even if you set _GNU_SOURCE for some reason). + // The semantics are identical on glibc. + sym := C.dlsym(nil, symName) + err = C.dlerror() + if err != nil { + logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err)) + return + } + + logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym)) + dmTaskDeferredRemovePtr = sym + LibraryDeferredRemovalSupport = true +} + +func dmTaskDeferredRemoveFct(task *cdmTask) int { + sym := dmTaskDeferredRemovePtr + if sym == nil || !LibraryDeferredRemovalSupport { + return -1 + } + return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task))) +} + +func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int { + if !LibraryDeferredRemovalSupport { + return -1 + } + + Cinfo := C.struct_backport_dm_info{} + defer func() { + info.Exists = int(Cinfo.exists) + info.Suspended = int(Cinfo.suspended) + info.LiveTable = int(Cinfo.live_table) + info.InactiveTable = int(Cinfo.inactive_table) + info.OpenCount = int32(Cinfo.open_count) + info.EventNr = uint32(Cinfo.event_nr) + info.Major = uint32(Cinfo.major) + info.Minor = uint32(Cinfo.minor) + info.ReadOnly = int(Cinfo.read_only) + info.TargetCount = int32(Cinfo.target_count) + info.DeferredRemove = int(Cinfo.deferred_remove) + }() + return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo)))) +} diff --git a/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go index a880fec8c499..80b034b3ff17 100644 --- a/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go +++ b/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go @@ -1,8 +1,10 @@ -// +build linux,cgo,libdm_no_deferred_remove +// +build linux,cgo +// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove package devicemapper -// LibraryDeferredRemovalSupport tells if the feature is enabled in the build +// LibraryDeferredRemovalSupport tells if the feature is supported by the +// current Docker invocation. const LibraryDeferredRemovalSupport = false func dmTaskDeferredRemoveFct(task *cdmTask) int { -- 2.15.1 ++++++ bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch ++++++ --- /var/tmp/diff_new_pack.ufTQlA/_old 2017-12-21 11:25:17.503403303 +0100 +++ /var/tmp/diff_new_pack.ufTQlA/_new 2017-12-21 11:25:17.503403303 +0100 @@ -1,4 +1,4 @@ -From 6f18798a72d330f282ff7beb554d298f30531c8f Mon Sep 17 00:00:00 2001 +From a24b98c0fc45d640b4eed8105033b313b8145e35 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Sun, 15 Oct 2017 17:06:20 +1100 Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon @@ -21,13 +21,13 @@ 1 file changed, 46 insertions(+) diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go -index 9cf6674dfe11..0f1dabc31100 100644 +index 0f8a392c2621..89ac627ff090 100644 --- a/daemon/oci_linux.go +++ b/daemon/oci_linux.go -@@ -27,6 +27,7 @@ import ( - "github.com/opencontainers/runc/libcontainer/devices" - "github.com/opencontainers/runc/libcontainer/user" - specs "github.com/opencontainers/runtime-spec/specs-go" +@@ -26,6 +26,7 @@ import ( + "github.com/opencontainers/runc/libcontainer/user" + specs "github.com/opencontainers/runtime-spec/specs-go" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" ) @@ -71,7 +71,7 @@ var ( mountPropagationMap = map[string]int{ "private": mount.PRIVATE, -@@ -573,6 +606,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c +@@ -575,6 +608,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c opts = append(opts, mountPropagationReverseMap[pFlag]) } @@ -92,5 +92,5 @@ s.Mounts = append(s.Mounts, mt) } -- -2.14.2 +2.15.0 ++++++ docker-17.07.0_ce.tar.xz -> docker-17.09.1_ce.tar.xz ++++++ ++++ 247114 lines of diff (skipped) ++++++ secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch ++++++ --- /var/tmp/diff_new_pack.ufTQlA/_old 2017-12-21 11:25:20.499257227 +0100 +++ /var/tmp/diff_new_pack.ufTQlA/_new 2017-12-21 11:25:20.499257227 +0100 @@ -1,4 +1,4 @@ -From 102c28e548a544d672163300334d01240cfc965b Mon Sep 17 00:00:00 2001 +From 5022c3554723040682444e324cd26ec8e2500131 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets @@ -14,7 +14,7 @@ 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 84b7eb352f1a..dc3a48bfe47a 100644 +index 954c194ea836..3ef1e0262edc 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ @@ -26,7 +26,7 @@ "fmt" "io/ioutil" @@ -13,6 +14,7 @@ import ( - "github.com/Sirupsen/logrus" + "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" + "github.com/docker/docker/pkg/archive" @@ -70,5 +70,5 @@ return errors.Wrap(err, "error setting ownership for secret") } -- -2.15.0 +2.15.1 ++++++ secrets-0002-SUSE-implement-SUSE-container-secrets.patch ++++++ --- /var/tmp/diff_new_pack.ufTQlA/_old 2017-12-21 11:25:20.511256642 +0100 +++ /var/tmp/diff_new_pack.ufTQlA/_new 2017-12-21 11:25:20.511256642 +0100 @@ -1,4 +1,4 @@ -From c62fb8fa766b6917839987b7e1323f0523166d32 Mon Sep 17 00:00:00 2001 +From a84aa9152b50ea1fd73a7d09246ac056534d0e48 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets @@ -19,7 +19,7 @@ create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go -index 55438cf2c45f..7dfa6cd1d055 100644 +index de32a649d7ed..2b6137d315e9 100644 --- a/daemon/start.go +++ b/daemon/start.go @@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint @@ -33,7 +33,7 @@ + spec, err := daemon.createSpec(container) if err != nil { - return err + return systemError{err} diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 index 000000000000..9d0788f0410d @@ -74,7 +74,7 @@ + "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/idtools" + "github.com/opencontainers/go-digest" -+ "github.com/Sirupsen/logrus" ++ "github.com/sirupsen/logrus" + + swarmtypes "github.com/docker/docker/api/types/swarm" + swarmexec "github.com/docker/swarmkit/agent/exec" @@ -432,5 +432,5 @@ + return nil +} -- -2.15.0 +2.15.1
