commit docker for openSUSE:Factory
Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2016-05-04 08:20:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "docker" Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2016-04-12 19:38:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2016-05-04 08:20:17.000000000 +0200 @@ -1,0 +2,228 @@ +Mon May 2 07:40:22 UTC 2016 - asarai@suse.de + +* Remove conditional Patch directive for SUSE secrets, since conditionally + including patches results in incompatible .src.rpms. The patch is still + applied conditionally. + +------------------------------------------------------------------- +Fri Apr 29 09:04:54 UTC 2016 - asarai@suse.de + +* Update to Docker 1.11.1. Changelog from upstream: + + * Distribution + - Fix schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json` ([#21949](https://github.com/docker/docker/pull/21949)) + + * Documentation + + Add missing API documentation for changes introduced with 1.11.0 ([#22048](https://github.com/docker/docker/pull/22048)) + + * Builder + * Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile` ([#22184](https://github.com/docker/docker/pull/22184)) + + * Networking + - Fix a panic that would occur when forwarding DNS query ([#22261](https://github.com/docker/docker/pull/22261)) + - Fix an issue where OS threads could end up within an incorrect network namespace when using user defined networks ([#22261](https://github.com/docker/docker/pull/22261)) + + * Runtime + - Fix a bug preventing labels configuration to be reloaded via the config file ([#22299](https://github.com/docker/docker/pull/22299)) + - Fix a regression where container mounting `/var/run` would prevent other containers from being removed ([#22256](https://github.com/docker/docker/pull/22256)) + - Fix an issue where it would be impossible to update both `memory-swap` and `memory` value together ([#22255](https://github.com/docker/docker/pull/22255)) + - Fix a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided ([#22254](https://github.com/docker/docker/pull/22254)) + - Add missing cleanup of container temporary files when cancelling a schedule restart ([#22237](https://github.com/docker/docker/pull/22237)) + - Removed scary error message when no restart policy is specified ([#21993](https://github.com/docker/docker/pull/21993)) + - Fix a panic that would occur when the plugins were activated via the json spec ([#22191](https://github.com/docker/docker/pull/22191)) + - Fix restart backoff logic to correctly reset delay if container ran for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125)) + - Remove error message when a container restart get cancelled ([#22123](https://github.com/docker/docker/pull/22123)) + - Fix an issue where `docker` would not correcly clean up after `docker exec` ([#22121](https://github.com/docker/docker/pull/22121)) + - Fix a panic that could occur when servicing concurrent `docker stats` commands ([#22120](https://github.com/docker/docker/pull/22120))` + - Revert deprecation of non-existing host directories auto-creation ([#22065](https://github.com/docker/docker/pull/22065)) + - Hide misleading rpc error on daemon shutdown ([#22058](https://github.com/docker/docker/pull/22058)) + +------------------------------------------------------------------- +Fri Apr 22 10:43:37 UTC 2016 - asarai@suse.de + +- Add patch to fix vulnerability in Docker <= 1.11.0. This patch is upstream, + but was merged after the 1.11.0 merge window. CVE-2016-3697. bsc#976777. + + cve-2016-3697-numeric-uid.patch + The upstream PR is here[1] and was vendored into Docker here[2]. + + [1]: https://github.com/opencontainers/runc/pull/708 + [2]: https://github.com/docker/docker/pull/21665 + +------------------------------------------------------------------- +Mon Apr 18 19:33:56 UTC 2016 - mpluskal@suse.com + +- Supplemnent zsh from zsh-completion + * zsh-completion will be automatically installed if zsh and + docker are installed + +------------------------------------------------------------------- +Mon Apr 18 15:44:11 UTC 2016 - jmassaguerpla@suse.com + +- Remove gcc5_socker_workaround.patch: This patch is not needed anymore + since gcc5 has been updated in all platforms + +------------------------------------------------------------------- +Mon Apr 18 06:19:18 UTC 2016 - asarai@suse.de + +* Removed patches that have been fixed upstream and in gcc-go: + - boltdb_bolt_powerpc.patch + - fix-apparmor.patch + - fix-btrfs-ioctl-structure.patch + - fix-docker-init.patch + - libnetwork_drivers_bridge_powerpc.patch + - ignore-dockerinit-checksum.patch +* Require containerd, as it is the only currently supported Docker execdriver. +* Update docker.socket to require containerd.socket and use --containerd in + docker.service so that the services are self-contained. +* Update to Docker 1.11.0. Changelog from upstream: + + * Builder + - Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033)) + - Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162)) + + * Client + * Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232)) + + The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373)) + * Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200)) + * Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128)) + - Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803)) + - Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792)) + * Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587)) + - Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566)) + + Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373)) + + Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107)) + * `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017)) + * `docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986)) + - Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806)) + * Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761)) + * `docker ps` no longer show exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483)) + - Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849)) + * Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078)) + + * Distribution + - Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222)) + - Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212)) + + All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046)) + + OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970)) + * `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832)) + * `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565)) + * Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241)) + * Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840)) + - Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509)) + - Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382)) + + * Logging + - Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311)) + * Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121)) + * Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831)) + * Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794)) + + Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689)) + * Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564)) + + The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439)) + + Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766)) + + * Misc + + When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c)) + + Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325)) + + Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270)) + * The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266)) + - Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258)) + - Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633)) + * Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863)) + * Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388)) + * Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894)) + * `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851)) + + Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013)) + + Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348)) + + * Networking + - Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671)) + - Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671)) + * `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160)) + + Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122)) + * Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383)) + - Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431)) + * `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357)) + + Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513)) + * Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396)) + - Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396)) + * Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261)) + - Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019)) + - Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019) + - Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214)) + - Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419)) + - Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419)) + - For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019)) + - Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780)) + - Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914)) + + * Plugins + - Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686)) + - Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602)) + + * Runtime + - Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716)) + - Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692)) + - Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677)) + - Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666)) + Docker 1.9, but was decided to be too much of an backward-incompatible change, so it was decided to keep the feature. + + It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383)) + + `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370)) + + Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354)) + * Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345)) + * Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097)) + - Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089)) + - Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048)) + - Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045)) + - Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022)) + - Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013)) + - Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002)) + * Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977)) + - Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967) + * The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786)) + + Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727)) + - Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684)) + + Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662)) + - Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604)) + + Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177)) + + Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111)) + - Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679)) + * Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517)) + - Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500)) ++++ 400 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/docker/docker.changes ++++ and /work/SRC/openSUSE:Factory/.docker.new/docker.changes Old: ---- boltdb_bolt_powerpc.patch docker-1.10.3.tar.xz fix-apparmor.patch fix-btrfs-ioctl-structure.patch fix-docker-init.patch gcc5_socket_workaround.patch ignore-dockerinit-checksum.patch libnetwork_drivers_bridge_powerpc.patch New: ---- cve-2016-3697-numeric-uid.patch docker-1.11.1.tar.xz docker-mount-secrets.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.n7u6hl/_old 2016-05-04 08:20:18.000000000 +0200 +++ /var/tmp/diff_new_pack.n7u6hl/_new 2016-05-04 08:20:18.000000000 +0200 @@ -22,8 +22,10 @@ %define git_version 9e83765 %define go_arches %ix86 x86_64 aarch64 +%define version_unconverted 1.11.1 + Name: docker -Version: 1.10.3 +Version: 1.11.1 Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -45,22 +47,16 @@ Source8: docker-audit.rules # TODO: remove once we figure out what is wrong with iptables on ppc64le Source100: sysconfig.docker.ppc64le -Patch1: gcc5_socket_workaround.patch -Patch2: fix-docker-init.patch -Patch3: fix-apparmor.patch -# TODO: Remove this once we update to Docker 1.11.0. This has been merged in -# https://github.com/docker/docker/pull/21723 -Patch4: fix-btrfs-ioctl-structure.patch +# The mount-secrets patch is be a SLE-specific feature. As such, it is disabled by default on openSUSE. +# PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers +Patch200: docker-mount-secrets.patch # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ -# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time -# We cannot do that, right now a quick and really dirty way to get it running is -# to simply disable this check -Patch100: ignore-dockerinit-checksum.patch Patch101: gcc-go-patches.patch Patch102: netlink_gcc_go.patch Patch103: netlink_netns_powerpc.patch -Patch104: boltdb_bolt_powerpc.patch -Patch105: libnetwork_drivers_bridge_powerpc.patch +# This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or +# Docker 1.11.0. This patch was squashed and cherry-picked from runc#708. +Patch301: cve-2016-3697-numeric-uid.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: device-mapper-devel >= 1.2.68 @@ -90,6 +86,8 @@ Requires: procps Requires: tar >= 1.26 Requires: xz >= 4.9 +# Containerd is required as it is the only currently supported execdriver of Docker. +Requires: containerd # Not necessary, but must be installed to have a smooth upgrade. Recommends: docker-image-migrator Conflicts: lxc < 1.0 @@ -97,7 +95,9 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build ExcludeArch: %ix86 ExcludeArch: s390 +%if 0%{?is_opensuse} ExcludeArch: s390x +%endif ExcludeArch: ppc %description @@ -123,7 +123,7 @@ Summary: Zsh Completion for %{name} Group: System/Management Requires: %{name} = %{version} -Requires: zsh +Supplements: packageand(docker:zsh) BuildArch: noarch %description zsh-completion @@ -155,27 +155,18 @@ %prep %setup -q -n %{name}-%{version} -# 1330 is Tumbleweed after leap has been released -# gcc5-go in Tumbleweed includes this commit -# https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b0962... -# Which "fixes" the data type for RawSockaddr.Data -# However, docker now expects the "wrong" data type, since docker had a workaround -# for that issue. -# Thus, we need to workaround the workaroundn in tumbleweed -%if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1 -%patch1 -p1 -%endif -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%if 0%{?is_opensuse} +# nothing +%else +%patch200 -p1 +%endif %ifnarch %go_arches %patch101 -p1 %patch102 -p1 %patch103 -p1 -%patch104 -p1 -%patch105 -p1 -%patch100 -p1 %endif +# bsc#976777 +%patch301 -p1 cp %{SOURCE7} . %build @@ -211,10 +202,8 @@ install -d %{buildroot}%{_bindir} %ifarch %go_arches install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit %else install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit %endif install -d %{buildroot}/%{_prefix}/lib/docker install -Dd -m 0755 \ @@ -349,7 +338,6 @@ %{_bindir}/docker %{_sbindir}/rcdocker %{_prefix}/lib/docker/ -%{_prefix}/lib/docker/dockerinit %{_unitdir}/%{name}.service %{_unitdir}/%{name}.socket %config %{_sysconfdir}/audit/rules.d/%{name}.rules ++++++ _service ++++++ --- /var/tmp/diff_new_pack.n7u6hl/_old 2016-05-04 08:20:18.000000000 +0200 +++ /var/tmp/diff_new_pack.n7u6hl/_new 2016-05-04 08:20:18.000000000 +0200 @@ -3,8 +3,8 @@ <param name="url">https://github.com/docker/docker.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">1.10.3</param> - <param name="revision">v1.10.3</param> + <param name="versionformat">1.11.1</param> + <param name="revision">v1.11.1</param> </service> <service name="recompress" mode="disabled"> <param name="file">docker-*.tar</param> ++++++ cve-2016-3697-numeric-uid.patch ++++++
From d67c0bf0caf26358f5345d6c0ac039026c46bd1e Mon Sep 17 00:00:00 2001 From: Aleksa Sarai
Date: Fri, 22 Apr 2016 20:36:43 +1000 Subject: [PATCH] libcontainer: user: always treat numeric ids numerically
Most shadow-related tools don't treat numeric ids as potential
usernames, so change our behaviour to match that. Previously, using an
explicit specification like 111:222 could result in the UID and GID not
being 111 and 222 respectively (which is confusing).
Some of the code was quite confusing inside libcontainer/user, so
refactor and comment it so future maintainers can understand what's
going and what edge cases we have to deal with.
This fixes CVE-2016-3697.
Signed-off-by: Aleksa Sarai
From fb84d5a3fbc3f1fad7dfc961b5dace3915eae7f9 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai
Date: Mon, 11 Apr 2016 22:54:35 +1000 Subject: [PATCH] SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
Signed-off-by: Aleksa Sarai
participants (1)
-
root@hilbert.suse.de