Hello community, here is the log from the commit of package docker.3912 for openSUSE:13.2:Update checked in at 2015-08-31 15:08:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/docker.3912 (Old) and /work/SRC/openSUSE:13.2:Update/.docker.3912.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "docker.3912" Changes: -------- New Changes file: --- /dev/null 2015-08-24 19:43:32.284261900 +0200 +++ /work/SRC/openSUSE:13.2:Update/.docker.3912.new/docker.changes 2015-08-31 15:08:51.000000000 +0200 @@ -0,0 +1,1594 @@ +------------------------------------------------------------------- +Fri Jul 24 14:24:16 UTC 2015 - jmassaguerpla@suse.com + +- Exclude archs where docker does not build. Otherwise it gets into + and infinite loop when building. + + We'll fix that later if we want to release for those archs. + +------------------------------------------------------------------- +Wed Jul 15 08:11:11 UTC 2015 - jmassaguerpla@suse.com + +- Update to 1.7.1 (2015-07-14) (bnc#938156) +Runtime + + Fix default user spawning exec process with docker exec + Make --bridge=none not to configure the network bridge + Publish networking stats properly + Fix implicit devicemapper selection with static binaries + Fix socket connections that hung intermittently + Fix bridge interface creation on CentOS/RHEL 6.6 + Fix local dns lookups added to resolv.conf + Fix copy command mounting volumes + Fix read/write privileges in volumes mounted with --volumes-from + +Remote API + + Fix unmarshalling of Command and Entrypoint + Set limit for minimum client version supported + Validate port specification + Return proper errors when attach/reattach fail + +Distribution + + Fix pulling private images + Fix fallback between registry V2 and V1 + + +------------------------------------------------------------------- +Fri Jul 10 11:22:00 UTC 2015 - jmassaguerpla@suse.com + +- Exclude init scripts other than systemd from the test-package + +------------------------------------------------------------------- +Wed Jul 1 12:38:50 UTC 2015 - jmassaguerpla@suse.com + +- Exclude intel 32 bits arch. Docker does not built on that. Let's + make it explicit. + +------------------------------------------------------------------- +Thu Jun 25 16:49:59 UTC 2015 - dmueller@suse.com + +- rediff ignore-dockerinit-checksum.patch, gcc-go-build-static-libgo.patch + to make them apply again. +- introduce go_arches for architectures that use the go compiler + instead of gcc-go +- add docker-netns-aarch64.patch: Add support for AArch64 +- enable build for aarch64 + +------------------------------------------------------------------- +Wed Jun 24 09:02:03 UTC 2015 - fcastelli@suse.com + +- Build man pages only on platforms where gc compiler is available. + +------------------------------------------------------------------- +Mon Jun 22 08:48:11 UTC 2015 - fcastelli@suse.com + +- Updated to 1.7.0 (2015-06-16) - bnc#935570 + * Runtime + - Experimental feature: support for out-of-process volume plugins + - The userland proxy can be disabled in favor of hairpin NAT using the daemon’s `--userland-proxy=false` flag + - The `exec` command supports the `-u|--user` flag to specify the new process owner + - Default gateway for containers can be specified daemon-wide using the `--default-gateway` and `--default-gateway-v6` flags + - The CPU CFS (Completely Fair Scheduler) quota can be set in `docker run` using `--cpu-quota` + - Container block IO can be controlled in `docker run` using`--blkio-weight` + - ZFS support + - The `docker logs` command supports a `--since` argument + - UTS namespace can be shared with the host with `docker run --uts=host` + * Quality + - Networking stack was entirely rewritten as part of the libnetwork effort + - Engine internals refactoring + - Volumes code was entirely rewritten to support the plugins effort + - Sending SIGUSR1 to a daemon will dump all goroutines stacks without exiting + * Build + - Support ${variable:-value} and ${variable:+value} syntax for environment variables + - Support resource management flags `--cgroup-parent`, `--cpu-period`, `--cpu-quota`, `--cpuset-cpus`, `--cpuset-mems` + - git context changes with branches and directories + - The .dockerignore file support exclusion rules + * Distribution + - Client support for v2 mirroring support for the official registry + * Bugfixes + - Firewalld is now supported and will automatically be used when available + - mounting --device recursively +- Patch 0002-Stripped-dockerinit-binary.patch renamed to fix-docker-init.patch + and fixed to build with latest version of docker + +------------------------------------------------------------------- +Tue Jun 9 16:35:46 UTC 2015 - jmassaguerpla@suse.com + +- Add test subpackage and fix line numbers in patches + +------------------------------------------------------------------- +Fri Jun 5 15:29:45 UTC 2015 - fcastelli@suse.com + +- Fixed ppc64le name inside of spec file + +------------------------------------------------------------------- +Fri Jun 5 15:23:47 UTC 2015 - fcastelli@suse.com + +- Build docker on PPC and S390x using gcc-go provided by gcc5 + * added sysconfig.docker.ppc64le: make docker daemon start on ppc64le + despite some iptables issues. To be removed soon + * ignore-dockerinit-checksum.patch: applied only when building with + gcc-go. Required to workaround a limitation of gcc-go + * gcc-go-build-static-libgo.patch: used only when building with gcc-go, + link libgo statically into docker itself. + +------------------------------------------------------------------- +Wed May 27 10:02:51 UTC 2015 - dmacvicar@suse.de + +- build and install man pages + +------------------------------------------------------------------- +Mon May 18 15:08:59 UTC 2015 - fcastelli@suse.com + +- Update to version 1.6.2 (2015-05-13) [bnc#931301] + * Revert change prohibiting mounting into /sys + +------------------------------------------------------------------- +Fri May 8 15:00:38 UTC 2015 - fcastelli@suse.com + +Updated to version 1.6.1 (2015-05-07) [bnc#930235] + * Security + - Fix read/write /proc paths (CVE-2015-3630) + - Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631) + - Fix opening of file-descriptor 1 (CVE-2015-3627) + - Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629) + - Prohibit mount of /sys + * Runtime + - Update Apparmor policy to not allow mounts +- Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect + changes introduced by docker 1.6.1 + +------------------------------------------------------------------- +Thu May 7 13:33:03 UTC 2015 - develop7@develop7.info + +- Get rid of SocketUser and SocketGroup workarounds for docker.socket + +------------------------------------------------------------------- +Fri Apr 17 14:02:13 UTC 2015 - fcastelli@suse.com + +- Updated to version 1.6.0 (2015-04-07) [bnc#908033] + * Builder: + + Building images from an image ID + + build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...` + + `commit --change` to apply specified Dockerfile instructions while committing the image + + `import --change` to apply specified Dockerfile instructions while importing the image + + basic build cancellation + * Client: + + Windows Support + * Runtime: + + Container and image Labels + + `--cgroup-parent` for specifying a parent cgroup to place container cgroup within + + Logging drivers, `json-file`, `syslog`, or `none` + + Pulling images by ID + + `--ulimit` to set the ulimit on a container + + `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run) +- Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of + the latest version of Docker. +- bnc#908033: support of Docker Registry API v2. + +------------------------------------------------------------------- +Fri Apr 3 19:57:38 UTC 2015 - dmueller@suse.com + +- enable build for armv7l + +------------------------------------------------------------------- +Fri Apr 3 14:59:35 UTC 2015 - fcastelli@suse.com + +- Updated docker.spec to fixed building with the latest version of our + Go pacakge. +- Updated 0002-Stripped-dockerinit-binary.patch to fix check made by + the docker daemon against the dockerinit binary. + +------------------------------------------------------------------- +Fri Mar 27 10:29:35 UTC 2015 - fcastelli@suse.com + +- Updated systemd service and socket units to fix socket activation + and to align with best practices recommended by upstram. Moreover + socket activation fixes bnc#920645. + +------------------------------------------------------------------- +Wed Feb 11 13:59:01 UTC 2015 - fcastelli@suse.com + + - Updated to 1.5.0 (2015-02-10): + * Builder: + - Dockerfile to use for a given `docker build` can be specified with + the `-f` flag ++++ 1397 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.docker.3912.new/docker.changes New: ---- 80-docker.rules README_SUSE.md docker-1.7.1.tar.bz2 docker-netns-aarch64.patch docker-rpmlintrc docker.changes docker.service docker.socket docker.spec docker_systemd_lt_214.socket fix-docker-init.patch gcc-go-build-static-libgo.patch ignore-dockerinit-checksum.patch libcontainer-apparmor-fixes.patch sysconfig.docker sysconfig.docker.ppc64le ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ # # spec file for package docker # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define git_version 786b29d %define go_arches %ix86 x86_64 Name: docker Version: 1.7.1 Release: 0 Summary: The Linux container runtime License: Apache-2.0 Group: System/Management Url: http://www.docker.io Source: %{name}-%{version}.tar.bz2 Source1: docker.service Source3: 80-docker.rules Source4: sysconfig.docker %if 0%{?suse_version} > 1320 Source5: docker.socket %else Source5: docker_systemd_lt_214.socket %endif Source6: docker-rpmlintrc Source7: README_SUSE.md # TODO: remove once we figure out what is wrong with iptables on ppc64le Source100: sysconfig.docker.ppc64le Patch0: fix-docker-init.patch # PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor Patch1: libcontainer-apparmor-fixes.patch # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ # Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time # We cannot do that, right now a quick and really dirty way to get it running is # to simply disable this check Patch100: ignore-dockerinit-checksum.patch Patch101: gcc-go-build-static-libgo.patch Patch102: docker-netns-aarch64.patch BuildRequires: bash-completion BuildRequires: device-mapper-devel >= 1.2.68 BuildRequires: glibc-devel-static %ifarch %go_arches BuildRequires: go >= 1.4 BuildRequires: go-go-md2man %else BuildRequires: gcc5-go >= 5.0 %endif BuildRequires: fdupes BuildRequires: libapparmor-devel BuildRequires: libbtrfs-devel >= 3.8 BuildRequires: procps BuildRequires: sqlite3-devel BuildRequires: systemd-devel BuildRequires: zsh Requires: apparmor-parser Requires: bridge-utils Requires: ca-certificates-mozilla # Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used Requires: e2fsprogs Requires: git-core >= 1.7 Requires: iproute2 >= 3.5 Requires: iptables >= 1.4 Requires: kernel >= 3.8.0 Requires: lvm2 >= 2.2.89 Requires: procps Requires: tar >= 1.26 Requires: xz >= 4.9 Conflicts: lxc < 1.0 PreReq: %fillup_prereq BuildRoot: %{_tmppath}/%{name}-%{version}-build ExcludeArch: %ix86 ExcludeArch: s390 ExcludeArch: s390x ExcludeArch: ppc %description Docker complements LXC with a high-level API which operates at the process level. It runs unix processes with strong guarantees of isolation and repeatability across servers. Docker is a great building block for automating distributed systems: large-scale web deployments, database clusters, continuous deployment systems, private PaaS, service-oriented architectures, etc. %package bash-completion Summary: Bash Completion for %{name} Group: System/Management Requires: %{name} = %{version} Requires: bash-completion BuildArch: noarch %description bash-completion Bash command line completion support for %{name}. %package zsh-completion Summary: Zsh Completion for %{name} Group: System/Management Requires: %{name} = %{version} Requires: zsh BuildArch: noarch %description zsh-completion Zsh command line completion support for %{name}. %package test Summary: Test package for docker Group: System/Management Requires: device-mapper-devel >= 1.2.68 Requires: glibc-devel-static %ifarch %go_arches Requires: go >= 1.4 %else Requires: gcc5-go >= 5.0 %endif Requires: apparmor-parser Requires: bash-completion Requires: libapparmor-devel Requires: libbtrfs-devel >= 3.8 Requires: procps Requires: sqlite3-devel BuildArch: noarch %description test Test package for docker. It contains the source code and the tests. %prep %setup -q -n docker-%{version} %patch0 -p1 %patch1 -p1 %ifnarch %go_arches %patch100 %patch101 %endif %patch102 cp %{SOURCE7} . find . -name ".gitignore" | xargs rm %build %ifnarch %go_arches mkdir /tmp/dirty-hack ln -s /usr/bin/go-5 /tmp/dirty-hack/go export PATH=/tmp/dirty-hack:$PATH %endif (cat <<EOF export AUTO_GOPATH=1 export DOCKER_BUILDTAGS="exclude_graphdriver_aufs apparmor selinux" export DOCKER_GITCOMMIT=%{git_version} EOF ) > docker_build_env . ./docker_build_env ./hack/make.sh dynbinary %ifarch %go_arches man/md2man-all.sh %endif # remove other than systemd # otherwise the resulting package will have extra requires rm -rf hack/make/.build-deb %install install -d %{buildroot}%{go_contribdir} install -d %{buildroot}%{_bindir} install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} install -d %{buildroot}/%{_prefix}/lib/docker install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit install -Dd -m 0755 \ %{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sbindir} install -D -m0644 contrib/completion/bash/docker "%{buildroot}/etc/bash_completion.d/%{name}" install -D -m0644 contrib/completion/zsh/_docker "%{buildroot}/etc/zsh_completion.d/%{name}" # copy all for the test package install -d %{buildroot}/usr/src/docker/ cp -av . %{buildroot}/usr/src/docker/ # # systemd service # install -D -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/%{name}.service install -D -m 0644 %SOURCE5 %{buildroot}%{_unitdir}/%{name}.socket ln -sf /sbin/service $RPM_BUILD_ROOT/usr/sbin/rcdocker # # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # install -D -m 0644 %SOURCE3 %{buildroot}%{_prefix}/lib/udev/rules.d/80-%{name}.rules # sysconfig file %ifarch ppc64le install -D -m 644 %SOURCE100 %{buildroot}/var/adm/fillup-templates/sysconfig.docker %else install -D -m 644 %SOURCE4 %{buildroot}/var/adm/fillup-templates/sysconfig.docker %endif %ifarch %go_arches # install manpages install -d %{buildroot}%{_mandir}/man1 install -p -m 644 man/man1/*.1 %{buildroot}%{_mandir}/man1 install -d %{buildroot}%{_mandir}/man5 install -p -m 644 man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 %endif %fdupes %{buildroot} %pre echo "creating group docker..." groupadd -r docker 2>/dev/null || : %service_add_pre %{name}.service %{name}.socket %post %service_add_post %{name}.service %{name}.socket %{fillup_only -n docker} %preun %service_del_preun %{name}.service %{name}.socket %postun %service_del_postun %{name}.service %{name}.socket %files %defattr(-,root,root) %doc README.md LICENSE README_SUSE.md %{_bindir}/docker %{_sbindir}/rcdocker %{_prefix}/lib/docker/ %{_unitdir}/%{name}.service %{_unitdir}/%{name}.socket %{_prefix}/lib/udev/rules.d/80-%{name}.rules /var/adm/fillup-templates/sysconfig.docker %ifarch %go_arches %{_mandir}/man1/docker-*.1.gz %{_mandir}/man1/docker.1.gz %{_mandir}/man5/Dockerfile.5.gz %endif %files bash-completion %defattr(-,root,root) %config %{_sysconfdir}/bash_completion.d/%{name} %files zsh-completion %defattr(-,root,root) %config %{_sysconfdir}/zsh_completion.d/%{name} %files test %defattr(-,root,root) /usr/src/docker/ # exclude binaries %exclude /usr/src/docker/bundles/ # exclude init configurations other than systemd %exclude /usr/src/docker/contrib/init/openrc %exclude /usr/src/docker/contrib/init/sysvinit-debian %exclude /usr/src/docker/contrib/init/sysvinit-redhat %exclude /usr/src/docker/contrib/init/upstart %changelog ++++++ 80-docker.rules ++++++ # hide docker's loopback devices from udisks, and thus from user desktops SUBSYSTEM=="block", ENV{DM_NAME}=="docker-*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1" SUBSYSTEM=="block", DEVPATH=="/devices/virtual/block/loop*", ATTR{loop/backing_file}=="/var/lib/docker/*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1" ++++++ README_SUSE.md ++++++ # Abstract Docker is a lightweight "virtualization" method to run multiple virtual units (containers, akin to “chroot”) simultaneously on a single control host. Containers are isolated with Kernel Control Groups (cgroups) and Kernel Namespaces. Docker provides an operating system-level virtualization where the Kernel controls the isolated containers. With other full virtualization solutions like Xen, KVM, or libvirt the processor simulates a complete hardware environment and controls its virtual machines. # Terminology ## chroot A change root (chroot, or change root jail) is a section in the file system which is isolated from the rest of the file system. For this purpose, the chroot command is used to change the root of the file system. A program which is executed in such a “chroot jail” cannot access files outside the designated directory tree. ## cgroups Kernel Control Groups (commonly referred to as just “cgroups”) are a Kernel feature that allows aggregating or partitioning tasks (processes) and all their children into hierarchical organized groups to isolate resources. ## Image A "virtual machine" on the host server that can run any Linux system, for example openSUSE, SUSE Linux Enterprise Desktop, or SUSE Linux Enterprise Server. A Docker image is made by a series of layers built one over the other. Each layer corresponds to a permanent change committed from a container to the image. For more details checkout [Docker's official documentation](http://docs.docker.com/terms/image/). ## Image Name A name that refers to an image. The name is used by the docker commands. ## Container A running Docker Image. ## Container ID A ID that refers to a container. The ID is used by the docker commands. ## TAG A string associated to a Image. It commonly used to identify a specific version of a Image (like tags in version control systems). It is also possible to refer the same Image with different TAGs. ## Kernel Namespaces A Kernel feature to isolate some resources like network, users, and others for a group of processes. ## Docker Host Server The system that runs the Docker daemon, provides the images, and the management control capabilities through cgroups. # Overview Docker is a platform that allows developers and sysadmins to manage the complete lifecycle of images. Docker makes incredibly easy to build, ship and run images containing applications. Benefits of Docker: * Isolating applications and operating systems through containers. * Providing nearly native performance as Docker manages allocation of resources in real-time. * Controlling network interfaces and applying resources inside containers through cgroups. * Versioning of images. * Building images based on existing ones. * Sharining/storing on [public](http://docs.docker.com/docker-hub/) or [private](http://docs.docker.com/userguide/dockerrepos/#private-repositories) repositories. Limitations of Docker: * All Docker containers are running inside the host system's Kernel and not with a different Kernel. * Only allows Linux "guest" operating systems. * Docker is not a full virtualization stack like Xen, KVM, or libvirt. * Security depends on the host system. Refer to the [official documentation](http://docs.docker.com/articles/security/) for more details. ## Container drivers Docker has different backend drivers to handle the containers. The recommended on is [libcontainer](https://github.com/docker/libcontainer), which is also the default choice. This driver provides direct access with cgroups. The Docker packages ships also a LXC driver which handles containers using the LXC tools. At the time of writing, upstream is working on a `libvirt-lxc` driver. ## Storage drivers Docker supports different storage drivers: * `vfs`: this driver is automatically used when the Docker host filesystem does not support copy-on-write. This is a simple driver which does not offer some of the advantages of Docker (like sharing layers, more on that in the next sections). It is highly reliable but also slow. * `devicemapper`: this driver relies on the device-mapper thin provisioning module. It supports copy-on-write, hence it offers all the advantages of Docker. * `btrfs`: this driver relies on Btrfs to provide all the features required by Docker. To use this driver the `/var/lib/docker` directory must be on a btrfs filesystem. * `AUFS`: this driver relies on AUFS union filesystem. Neither the upstream kernel nor the SUSE one supports this filesystem. Hence the AUFS driver is not built into the SUSE Docker package. It is possible to specify which driver to use by changing the value of the `DOCKER_OPTS` variable defined inside of the `/etc/sysconfig/docker` file. This can be done either manually or using &yast; by browsing to: * System * /etc/sysconfig Editor * System * Management * DOCKER_OPTS menu and entering the `-s storage_driver` string. For example, to force the usage of the `devicemapper` driver enter the following text: ``` DOCKER_OPTS="-s devicemapper ``` It is recommended to have `/var/lib/docker` mounted on a different filesystem to not affect the Docker host OS in case of a filesystem corruption. # Setting up a Docker host Prepare the host: 1. Install the `docker` package. 2. Automatically start the Docker daemon at boot: `sudo systemctl enable docker` 3. Start the Docker daemon: `sudo systemctl start docker` The Docker daemon listens on a local socket which is accessible only by the `root` user and by the members of the `docker` group. The `docker` group is automatically created at package installation time. To allow a certain user to connect to the local Docker daemon use the following command: ``` sudo /usr/sbin/usermod -aG docker <username> ``` The user will be able to communicate with the local Docker daemon upon his next login. ## Networking If you want your containers to be able to access the external network you must enable the `net.ipv4.ip_forward` rule. This can be done using YaST by browsing to the `Network Devices -> Network Settings -> Routing` menu and ensuring that the `Enable IPv4 Forwarding` box is checked. This option cannot be changed when networking is handled by the Network Manager. In such cases the `/etc/sysconfig/SuSEfirewall2` file needs to be edited by hand to ensure the `FW_ROUTE` flag is set to `yes` like so: ``` FW_ROUTE="yes" ``` # Basic Docker operations Images can be pulled from [Docker's central index](http://index.docker.io) using the following command: ``` docker pull <image name> ``` Containers can be started using the `docker run` command. Please refer to the [official documentation](http://docs.docker.com/) for more details. # Building Docker containers using KIWI Starting from version 5.06.8 KIWI can be used to build Docker images. Please refer to KIWI's [official documentation](https://doc.opensuse.org/projects/kiwi/doc/#chap.lxc). The official `kiwi-doc` package contains examples of Docker images. ## Docker build system versus KIWI Docker has an [internal build system](http://docs.docker.com/reference/builder/) which makes incredibly easy to create new images based on existing ones. Some users might be confused about what to use. The right approach is to build the [base images](http://docs.docker.com/terms/image/#base-image-def) using KIWI and then use them as foundation blocks inside of your Docker's build system. That two advantages: 1. Be able to use docker specific directives (like `ENTRYPOINT`, `EXPOSE`, ...). 2. Be able to reuse already existing layers. Sharing the common layers between different images makes possible to: * Use less disk space on the Docker hosts. * Make the deployments faster: only the requested layers are sent over the network (it is like upgrading installed packages using delta rpms). * Take full advantage of caching while building Docker images: this will result in faster executions of `docker build` command. To recap: KIWI is not to be intended as a replacement for Docker's build system. It rather complements with it. ++++++ docker-netns-aarch64.patch ++++++ --- /dev/null +++ vendor/src/github.com/vishvananda/netns/netns_linux_arm64.go @@ -0,0 +1,7 @@ +// +build linux,arm64 + +package netns + +const ( + SYS_SETNS = 268 +) ++++++ docker-rpmlintrc ++++++ addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib64/docker/dockerinit") addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib/docker/dockerinit") addFilter ("^docker.x86_64: W: unstripped-binary-or-object /usr/lib/docker/dockerinit") addFilter ("^docker.x86_64: W: no-manual-page-for-binary docker") addFilter ("^docker.x86_64: W: no-manual-page-for-binary nsinit") addFilter ("test.noarch.*: E: devel-file-in-non-devel-package") addFilter ("test.noarch.*: W: pem-certificate") addFilter ("test.noarch.*: W: non-executable-script") addFilter ("test.noarch.*: W: hidden-file-or-dir") addFilter ("test.noarch.*: W: files-duplicate") addFilter ("test.noarch.*: W: script-without-shebang /usr/src/docker/docs/README.md") addFilter ("test.noarch.*: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") addFilter ("test.noarch.*: W: suse-filelist-forbidden-fhs23 /usr/src/docker") ++++++ docker.service ++++++ [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com After=network.target docker.socket Requires=docker.socket [Service] EnvironmentFile=/etc/sysconfig/docker ExecStart=/usr/bin/docker -d -H fd:// $DOCKER_OPTS MountFlags=slave LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity [Install] WantedBy=multi-user.target ++++++ docker.socket ++++++ [Unit] Description=Docker Socket for the API PartOf=docker.service [Socket] ListenStream=/var/run/docker.sock SocketMode=0660 SocketUser=root SocketGroup=docker [Install] WantedBy=sockets.target ++++++ docker_systemd_lt_214.socket ++++++ [Unit] Description=Docker Socket for the API PartOf=docker.service [Socket] ListenStream=/var/run/docker.sock SocketMode=0660 # A Socket(User|Group) replacement workaround for systemd <= 214 ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock [Install] WantedBy=sockets.target ++++++ fix-docker-init.patch ++++++ Index: docker/hack/make/.dockerinit =================================================================== --- docker.orig/hack/make/.dockerinit +++ docker/hack/make/.dockerinit @@ -29,5 +29,7 @@ else exit 1 fi +/usr/bin/strip -s $DEST/dockerinit-$VERSION + # sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1) ++++++ gcc-go-build-static-libgo.patch ++++++ --- hack/make/binary +++ hack/make/binary @@ -9,6 +9,7 @@ echo "Building: $DEST/$BINARY_FULLNAME" go build \ + -gccgoflags="-static-libgo" \ -o "$DEST/$BINARY_FULLNAME" \ "${BUILDFLAGS[@]}" \ -ldflags " ++++++ ignore-dockerinit-checksum.patch ++++++ --- utils/utils.go +++ utils/utils.go @@ -76,7 +76,7 @@ } return os.SameFile(targetFileInfo, selfPathFileInfo) } - return dockerversion.INITSHA1 != "" && dockerInitSha1(target) == dockerversion.INITSHA1 + return true } // Figure out the path of our dockerinit (which may be SelfPath()) ++++++ libcontainer-apparmor-fixes.patch ++++++ Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go =================================================================== --- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go +++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go @@ -25,7 +25,6 @@ profile {{.Name}} flags=(attach_disconne network, capability, file, - umount, deny @{PROC}/sys/fs/** wklx, deny @{PROC}/sysrq-trigger rwklx, ++++++ sysconfig.docker ++++++ ## Path : System/Management ## Description : Extra cli switches for docker daemon ## Type : string ## Default : "" ## ServiceRestart : docker # DOCKER_OPTS="" ++++++ sysconfig.docker.ppc64le ++++++ ## Path : System/Management ## Description : Extra cli switches for docker daemon ## Type : string ## Default : "" ## ServiceRestart : docker # # TODO: remove it once we fix the real issue DOCKER_OPTS=" -iptables=false "