Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2018-06-08 23:11:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Fri Jun 8 23:11:45 2018 rev:76 rq:614829 version:17.09.1_ce Changes: --------
--- /work/SRC/openSUSE:Factory/docker/docker.changes 2018-06-03 12:28:46.624506375 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2018-06-08 23:11:48.331994272 +0200
@@ -1,0 +2,14 @@
+Tue Jun 5 11:24:35 UTC 2018 - asa...@suse.com
+
+- Update to AppArmor patch so that signal mediation also works for signals
+ between in-container processes. bsc#1073877
+ * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+
+-------------------------------------------------------------------
+Tue Jun 5 06:38:40 UTC 2018 - asa...@suse.com
+
+- Remove 'go test' from %check section, as it has only ever caused us problems
+ and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
+ testing has been far more useful. boo#1095817
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.rlYKqi/_old 2018-06-08 23:11:49.215962354 +0200
+++ /var/tmp/diff_new_pack.rlYKqi/_new 2018-06-08 23:11:49.219962209 +0200
@@ -261,106 +261,20 @@ cd ../.. %check -. ./docker_build_env - -# DOCKER ENGINE -# go test will look in github.com/docker/docker/vendor for vendored packages but -# Docker keeps them in github.com/docker/docker/vendor/src. Let's do it like -# Docker does it and append github.com/docker/docker/vendor to the GOPATH so the -# packages are found by go test. -export GOPATH=$HOME/go/src/github.com/docker/docker/vendor:$GOPATH - -# Create or dir if it doesn't exist already -mkdir -p $HOME/go/src/github.com/docker - -# Remove any existing symlinks. -rm -rf $HOME/go/src/github.com/docker/* - -# go list -e ... doesn't seem to work with symlinks so do a full copy instead. -cp -ar %{buildroot}/usr/src/docker/engine $HOME/go/src/github.com/docker/docker - -cd $HOME/go/src/github.com/docker/docker - -# We verify that all of our -git requires are correct. This is done on-build to -# make sure that someone doing an update didn't miss anything. +# We used to run 'go test' here, however we found that this actually didn't +# catch any issues that were caught by smoke testing, and %check would +# continually cause package builds to fail due to flaky tests. If you ever need +# to know how the testing was done, you can always look in the package history. +# boo#1095817 + +# We verify that all of our -git requires are correct, and match the contents +# of the upstream vendoring scripts. This is done on-build to make sure that +# someone doing an update didn't miss anything. +cd components/engine grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits -# The command is taken from hack/make/test-unit and various test runs. -# Everything that follows github.com/docker/pkg/integration-cli are packages -# containing tests that cannot run in an obs build context. 
Some tests must be -# excluded as they will always fail in our build environments. -PKG_LIST=$(go list -e \ - -f '{{if ne .Name "github.com/docker/docker"}} {{.ImportPath}} - {{end}}' \ - -tags "$DOCKER_BUILDTAGS" \ - -a "${BUILDFLAGS[@]}" ... \ - | grep 'github.com/docker/docker' \ - | grep -Ev 'vendor/(.+/)?github.com/docker/docker' \ - | grep -v 'github.com/docker/docker/vendor' \ - | grep -v 'github.com/docker/docker/builder$' \ - | grep -v 'github.com/docker/docker/builder/dockerfile$' \ - | grep -v 'github.com/docker/docker/builder/dockerfile/parser$' \ - | grep -v 'github.com/docker/docker/builder/remotecontext' \ - | grep -v 'github.com/docker/docker/cmd/dockerd$' \ -%ifarch s390x - | grep -v 'github.com/docker/docker/container' \ -%endif - | grep -v 'github.com/docker/docker/daemon$' \ - | grep -v 'github.com/docker/docker/daemon/graphdriver' \ - | grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \ - | grep -v 'github.com/docker/docker/integration' \ - | grep -v 'github.com/docker/docker/integration-cli' \ - | grep -v 'github.com/docker/docker/man$' \ - | grep -v 'github.com/docker/docker/pkg/archive$' \ - | grep -v 'github.com/docker/docker/pkg/chrootarchive$' \ -%if 0%{?sle_version} == 120000 - | grep -v 'github.com/docker/docker/pkg/devicemapper$' \ -%endif - | grep -v 'github.com/docker/docker/pkg/gitutils$' \ - | grep -v 'github.com/docker/docker/pkg/idtools$' \ - | grep -v 'github.com/docker/docker/pkg/integration$' \ - | grep -v 'github.com/docker/docker/pkg/jsonlog$' \ - | grep -v 'github.com/docker/docker/pkg/mount$' \ - | grep -v 'github.com/docker/docker/pkg/sysinfo$' \ - | grep -v 'github.com/docker/docker/pkg/testutil' \ -%if ! 0%{?with_libseccomp} - | grep -v 'github.com/docker/docker/profiles/seccomp$' \ -%endif - | grep -v 'github.com/docker/docker/registry$' \ - | grep -v 'github.com/docker/docker/volume/local$' \ - ) -# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER! 
-rm ./pkg/system/rm_test.go -go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST - -# DOCKER CLIENT -find $(go env GOROOT) -type d - -cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli -cd $HOME/go/src/github.com/docker/cli -PKG_LIST=$(go list ./... \ - | grep 'github.com/docker/cli' \ - | grep -v 'github.com/docker/cli/vendor' \ - | grep -Ev 'vendor/(.+/)?github.com/docker/cli' \ - | grep -v 'github.com/docker/cli/cli/command/idresolver' \ - | grep -v 'github.com/docker/cli/cli/command/image' \ - | grep -v 'github.com/docker/cli/cli/image' \ - | grep -v 'github.com/docker/cli/cmd/docker' \ - | grep -v 'github.com/docker/cli/e2e' \ - | grep -v 'github.com/docker/cli/cli/image' \ - ) -# PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER! - -# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will -# produce really odd errors about packages missing (this only happens if we -# have a lot of packages in the cmdline). So just avoid running these tests if -# we're on ppc64le (which requires -buildmode=pie). -%ifnarch ppc64le -go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST -%endif - %install install -d %{buildroot}%{go_contribdir} install -d %{buildroot}%{_bindir} ++++++ bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch ++++++ --- /var/tmp/diff_new_pack.rlYKqi/_old 2018-06-08 23:11:49.307959032 +0200 +++ /var/tmp/diff_new_pack.rlYKqi/_new 2018-06-08 23:11:49.307959032 +0200 @@ -1,4 +1,4 @@ -From fb59d17b2617ebee34f91786428f63571a19bb74 Mon Sep 17 00:00:00 2001 +From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill' @@ -11,20 +11,22 @@ Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com> 
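Review bot: The three `grep` checks kept in `%check` of docker.spec match their pattern as an unanchored substring, so a `required_*` macro that holds only a prefix of the pinned commit, or that expands to an empty value, would still match and the mismatch the comment says this guards against would go unnoticed. With `go test` removed these greps are the only gate left in `%check`, so a fixed-string whole-line match is the safer form, for example `grep -Fx 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits`, assuming each assignment in binaries-commits sits alone on its line (the file is not visible here). The same change applies to the `CONTAINERD_COMMIT` and `LIBNETWORK_COMMIT` lines.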
Signed-off-by: Aleksa Sarai <asa...@suse.de> --- - components/engine/profiles/apparmor/template.go | 4 ++++ - 1 file changed, 4 insertions(+) + components/engine/profiles/apparmor/template.go | 6 ++++++ + 1 file changed, 6 insertions(+) diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go -index c5ea4584de6b..47c1b0659a15 100644 +index c5ea4584de6b..082638e85903 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go -@@ -17,6 +17,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { +@@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { capability, file, umount, +{{if ge .Version 208096}} +{{/* Allow 'docker kill' to actually send signals to container processes. */}} + signal (receive) peer=unconfined, ++{{/* And allow signals to be sent inside the container. */}} ++ signal (send,receive) peer={{.Name}}, +{{end}} deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
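Review bot: The added rule `signal (send,receive) peer={{.Name}},` in template.go selects the peer by profile name rather than by container, so if several containers run under one generated profile (as with a shared default profile) AppArmor treats all of them as permitted signal peers. Separation between those containers then rests on PID namespaces alone, which matters for containers that share a PID namespace with each other or with the host. That may well be intended, but the template comment should say so, e.g. `{{/* Allow signals between processes under this profile; the peer is matched by profile name, so containers sharing the profile are not separated by this rule. */}}`. The profile body continues outside the hunk, so any later signal rules that narrow this are not visible here.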