commit docker for openSUSE:Factory

Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2016-03-31 13:03:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "docker" Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2016-01-01 19:50:59.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2016-03-31 13:03:23.000000000 +0200 
@@ -0,0 +1,221 @@ +------------------------------------------------------------------- +Tue Mar 22 15:27:26 UTC 2016 - fcastelli@suse.com + +- Changed systemd unit file and default sysconfig file to include network options, + this is needed to get SDN like flannel to work + +------------------------------------------------------------------- +Tue Mar 15 09:16:55 UTC 2016 - asarai@suse.de + +- docker.spec: update warning to mention that /etc/sysconfig/docker is sourced + by the migration script. + +------------------------------------------------------------------- +Mon Mar 14 10:20:19 UTC 2016 - asarai@suse.de + +- docker.spec: only Reccomends: the docker-image-migrator package as it is no + longer required for our ugly systemctl hacks. +- docker.spec: fix up documentation to refer to the script you need to run in + the migrator package. +- docker.spec: print a warning if you force the DOCKER_FORCE_INSTALL option. + +------------------------------------------------------------------- +Fri Mar 11 08:44:46 UTC 2016 - asarai@suse.de + +- spec: switch to new done file name from docker-image-migrator + +------------------------------------------------------------------- +Fri Mar 11 08:41:49 UTC 2016 - jmassaguerpla@suse.com + +- update to docker 1.10.3 (bnc#970637) + Runtime + Fix Docker client exiting with an "Unrecognized input header" error #20706 + Fix Docker exiting if Exec is started with both AttachStdin and Detach #20647 + Distribution + Fix a crash when pushing multiple images sharing the same layers to the same repository in parallel #20831 + Fix a panic when pushing images to a registry which uses a misconfigured token service #21030 + Plugin system + Fix issue preventing volume plugins to start when SELinux is enabled #20834 + Prevent Docker from exiting if a volume plugin returns a null response for Get requests #20682 + Fix plugin system leaking file descriptors if a plugin has an error #20680 + Security + Fix linux32 emulation to fail during docker build 
#20672 It was due to the personality syscall being blocked by the default seccomp profile. + Fix Oracle XE 10g failing to start in a container #20981 It was due to the ipc syscall being blocked by the default seccomp profile. + Fix user namespaces not working on Linux From Scratch #20685 + Fix issue preventing daemon to start if userns is enabled and the subuid or subgid files contain comments #20725 + + More at https://github.com/docker/docker/releases/tag/v1.10.3 + +------------------------------------------------------------------- +Thu Mar 10 13:52:54 UTC 2016 - asarai@suse.de + +- spec: improve file-based migration checks to make sure that it doesn't cause + errors if running on a /var/lib/docker without /var/lib/docker/graph. + +------------------------------------------------------------------- +Wed Mar 9 13:45:14 UTC 2016 - asarai@suse.de + +- spec: implement file-based migration checks. The migrator will be updated to + match the warning message's instructions. This looks like it works with my + testing. 
+ +------------------------------------------------------------------- +Mon Mar 7 14:09:17 UTC 2016 - normand@linux.vnet.ibm.com + +- more patches to build on ppc64 architecture + update netlink_gcc_go.patch + new netlink_netns_powerpc.patch + new boltdb_bolt_powerpc.patch + new libnetwork_drivers_bridge_powerpc.patch to replace + deleted fix-ppc64le.patch + +------------------------------------------------------------------- +Tue Mar 1 17:54:41 UTC 2016 - jmassaguerpla@suse.com + +- fix bsc#968972 - let docker manage the cgroups of the processes + that it launches without systemd + +------------------------------------------------------------------- +Tue Mar 1 15:28:56 UTC 2016 - jmassaguerpla@suse.com + +- Require docker-image-migrator (bnc#968933) + +------------------------------------------------------------------- +Tue Feb 23 08:55:17 UTC 2016 - jmassaguerpla@suse.com + +Update to version 1.10.2 (bnc#968933) + + - Runtime + Prevent systemd from deleting containers' cgroups when its configuration is reloaded #20518 + Fix SELinux issues by disregarding --read-only when mounting /dev/mqueue #20333 + Fix chown permissions used during docker cp when userns is used #20446 + Fix configuration loading issue with all booleans defaulting to true #20471 + Fix occasional panic with docker logs -f #20522 + + - Distribution + Keep layer reference if deletion failed to avoid a badly inconsistent state #20513 + Handle gracefully a corner case when canceling migration #20372 + Fix docker import on compressed data #20367 + Fix tar-split files corruption during migration that later cause docker push and docker save to fail #20458 + + - Networking + Fix daemon crash if embedded DNS is sent garbage #20510 + + - Volumes + Fix issue with multiple volume references with same name #20381 + + - Security + Fix potential cache corruption and delegation conflict issues #20523 + +link to changelog: + +https://github.com/docker/docker/blob/v1.10.2/CHANGELOG.md + 
+------------------------------------------------------------------- +Mon Feb 15 09:48:41 UTC 2016 - asarai@suse.com + +- fix-apparmor.patch: switch to a backported version of docker/docker#20305, + which also fixes several potential issues if the major version of apparmor + changes. + +------------------------------------------------------------------- +Mon Feb 15 08:35:43 UTC 2016 - asarai@suse.com + +- Remove 1.10.0 tarball. + +------------------------------------------------------------------- +Fri Feb 12 16:04:19 UTC 2016 - jmassaguerpla@suse.com + +- Update to docker 1.10.1 + It includes some fixes to 1.10.0, see detailed changelog in + +https://github.com/docker/docker/blob/v1.10.1/CHANGELOG.md + +------------------------------------------------------------------- +Tue Feb 9 17:24:46 UTC 2016 - jmassaguerpla@suse.com + +- Update docker to 1.10.0 (bnc#965918) + + Add usernamespace support + Add support for custom seccomp profiles + Improvements in network and volume management + +detailed changelog in + +https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d0... + +- removed patches, because code has been merged in 1.10.0 release: + libcontainer-apparmor-fixes.patch: see: https://github.com/docker/docker/blob/release/v1.10/contrib/apparmor/templat... + fix_bnc_958255.patch: see https://github.com/docker/docker/commit/2b4f64e59018c21aacbf311d5c774dd5521b... 
+ use_fs_cgroups_by_default.patch + fix_cgroup.parent_path_sanitisation.patch + add_bolt_ppc64.patch + add_bolt_arm64.patch + add_bolt_s390x.patch + +- remove gcc-go-build-static-libgo.patch: This has been replace by gcc-go-patches.patch + +- removed patches, because arm and ppc are not build using the dynbinary target, but the dyngccgo one: + docker_remove_journald_to_fix_dynbinary_build_on_arm.patch + docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch + docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch + +- added patches: + fix_platform_type_arm.patch: fix build for arm64 and aarch64: set utsname as uint8 for arm64 and aarch64 + gcc5_socket_workaround.patch: gcc5-go in Tumbleweed includes this commit + https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b0962... + Which "fixes" the data type for RawSockaddr.Data + However, docker now expects the "wrong" data type, since docker had a workaround + for that issue. + Thus, we need to workaround the workaround in tumbleweed + netlink_gcc_go.patch: add constants for syscalls TUNSETIFF and TUNSETPERSIST to fix a gcc issue. + This is a workaround for bnc#964468: gcc-go can no longer compile Docker. + fix-apparmor.patch: fix https://github.com/docker/docker/issues/20269 . It affects SLE12 which has apparmor + version 2.8 and not openSUSE which has version 2.9. 
+ fix-ppc64le.patch: Build netlink driver using int8 and not uint8 for the data structure + + +- reviewed patches: + ignore-dockerinit-checksum.patch: review context in patch + fix-docker-init.patch: review patch because build method has been changed in spec file for gcc-go + gcc-go-patches.patch: review context in patch + +- Build requires go >= 1.5: For version 1.9, we could use Go 1.4.3 + see GO_VERSION https://github.com/docker/docker/blob/release/v1.9/Dockerfile + However, for version 1.10, we need go 1.5.3 + see GO_VERSION https://github.com/docker/docker/blob/release/v1.10/Dockerfile + +- fix bnc#965600 - SLES12 SP1 - Static shared memory limit in container + + +------------------------------------------------------------------- +Wed Jan 27 23:40:09 UTC 2016 - asarai@suse.com + +- backport 1 bugfix from the upstream 1.10 branch + Added: + fix_json_econnreset_bug.patch (https://github.com/docker/docker/issues/14203) + ++++ 24 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/docker/docker.changes ++++ and /work/SRC/openSUSE:Factory/.docker.new/docker.changes Old: ---- add_bolt_arm64.patch add_bolt_ppc64.patch docker-1.9.1.tar.xz docker_remove_journald_to_fix_dynbinary_build_on_arm.patch docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch gcc-go-build-static-libgo.patch libcontainer-apparmor-fixes.patch New: ---- boltdb_bolt_powerpc.patch docker-1.10.3.tar.xz fix-apparmor.patch fix_platform_type_arm.patch gcc-go-patches.patch gcc5_socket_workaround.patch libnetwork_drivers_bridge_powerpc.patch netlink_gcc_go.patch netlink_netns_powerpc.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.xfQW4h/_old 2016-03-31 13:03:25.000000000 +0200 +++ /var/tmp/diff_new_pack.xfQW4h/_new 2016-03-31 13:03:25.000000000 +0200 
@@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,10 +16,14 @@ # -%define git_version a34a1d5 +%define docker_store /var/lib/docker +%define docker_graph %{docker_store}/graph +%define docker_migration_testfile %{docker_store}/.suse-image-migration-v1to2-complete + +%define git_version 9e83765 %define go_arches %ix86 x86_64 Name: docker -Version: 1.9.1 +Version: 1.10.3 Release: 0 Summary: The Linux container runtime License: Apache-2.0 
@@ -41,26 +45,26 @@ Source8: docker-audit.rules # TODO: remove once we figure out what is wrong with iptables on ppc64le Source100: sysconfig.docker.ppc64le -Patch0: fix-docker-init.patch -# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor -Patch1: libcontainer-apparmor-fixes.patch +Patch0: fix_platform_type_arm.patch +Patch1: gcc5_socket_workaround.patch +Patch2: fix-docker-init.patch +Patch3: fix-apparmor.patch # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ # Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time # We cannot do that, right now a quick and really dirty way to get it running is # to simply disable this check Patch100: ignore-dockerinit-checksum.patch -Patch101: gcc-go-build-static-libgo.patch -Patch102: add_bolt_ppc64.patch -Patch103: docker_remove_journald_to_fix_dynbinary_build_on_arm.patch -Patch104: docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch -Patch105: add_bolt_arm64.patch -Patch106: docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch +Patch101: gcc-go-patches.patch +Patch102: netlink_gcc_go.patch +Patch103: netlink_netns_powerpc.patch +Patch104: boltdb_bolt_powerpc.patch +Patch105: libnetwork_drivers_bridge_powerpc.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: device-mapper-devel >= 1.2.68 BuildRequires: glibc-devel-static %ifarch %go_arches -BuildRequires: go >= 1.4 +BuildRequires: go >= 1.5 BuildRequires: go-go-md2man %else BuildRequires: gcc5-go >= 5.0 @@ -84,6 +88,8 @@ Requires: procps Requires: tar >= 1.26 Requires: xz >= 4.9 +# Not necessary, but must be installed to have a smooth upgrade. +Recommends: docker-image-migrator Conflicts: lxc < 1.0 PreReq: %fillup_prereq BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -140,21 +146,33 @@ Requires: sqlite3-devel BuildArch: noarch +%global __requires_exclude ^libgo.so.*$ + %description test Test package for docker. It contains the source code and the tests. %prep -%setup -q -n docker-%{version} +%setup -q -n %{name}-%{version} %patch0 -p1 +# 1330 is Tumbleweed after leap has been released +# gcc5-go in Tumbleweed includes this commit +# https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b0962... +# Which "fixes" the data type for RawSockaddr.Data +# However, docker now expects the "wrong" data type, since docker had a workaround +# for that issue. +# Thus, we need to workaround the workaroundn in tumbleweed +%if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1 %patch1 -p1 +%endif +%patch2 -p1 +%patch3 -p1 %ifnarch %go_arches -%patch100 -p1 -%patch101 -p0 +%patch101 -p1 %patch102 -p1 %patch103 -p1 %patch104 -p1 %patch105 -p1 -%patch106 -p1 +%patch100 -p1 %endif cp %{SOURCE7} . @@ -174,10 +192,14 @@ EOF ) > docker_build_env . ./docker_build_env -./hack/make.sh dynbinary + %ifarch %go_arches +./hack/make.sh dynbinary man/md2man-all.sh +%else +./hack/make.sh dyngccgo %endif + # remove other than systemd # otherwise the resulting package will have extra requires rm -rf hack/make/.build-deb @@ -185,9 +207,14 @@ %install install -d %{buildroot}%{go_contribdir} install -d %{buildroot}%{_bindir} +%ifarch %go_arches install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -d %{buildroot}/%{_prefix}/lib/docker install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit +%else +install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} +install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit +%endif +install -d %{buildroot}/%{_prefix}/lib/docker install -Dd -m 0755 \ %{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sbindir} 
@@ -233,6 +260,73 @@ %fdupes %{buildroot} %pre +# We're currently inside rpmlint, which will cause us to fail the tests if it +# happens that the Docker install in the builder requires a migration. +if [[ -z "$BUILD_ROOT" ]] +then + # In order to make sure we don't print a scary warning when we shouldn't we + # need to test these things (in this order): + # 1. Check that /var/lib/docker actually exists (docker daemon has run). + # 2. Check that the migrator has *not* finished. + # 3. Check that /var/lib/docker/graph exists (this is a <=1.9.1 thing, but + # will stick around if it has been migrated -- which is why we need the + # MIGRATION_TESTFILE check). + # 4. Check that there are images in the graph/ directory. + if [[ -d "%{docker_store}" && ( ! -f "%{docker_migration_testfile}" ) && -d "%{docker_store}" && -n "$(find "%{docker_store}" -maxdepth 1 -type d 2>/dev/null | grep -Ev '_tmp|^%{docker_store}$')" ]] + then + + if [ -n "$DOCKER_FORCE_INSTALL" ] + then + echo >&2 "*** IGNORING DOWNTIME WARNING! FORCING INSTALLATION. ***" + else + +cat >&2 <<EOF + + *** WARNING *** + +In the migration from docker<1.10.0 to docker>=1.10.0, the Docker image format +has changed to be completely content-addressible. This results in several positive +improvements to image operations (better caching during builds mainly). However, +the migration operation may take several hours if you have a lot of large images +on a Docker host. In order to ensure that you have minimum downtime, this update +of Docker will not complete successfully, and you will have the opportunity to +run a separate migration tool (which will not cause downtime for your Docker +daemon). + +In order to run this migration tool, please install the 'docker-image-migrator' +package. 
You can run the migration with this command, which will exit after the +migration has been completed: + +$ /usr/lib/docker-image-migrator/do-image-migration-v1to2.sh + +Because the migrator requires information about the storage driver used by Docker, +the migration script will source /etc/sysconfig/docker and use \$DOCKER_OPTS as +arguments to the migrator. If this automated migration fails, it will be re-attempted +with every known storage driver. In addition, the script accepts arguments which +will simiarly be appended to the set of arguments (after \$DOCKER_OPTS) to the +migrator. + +However, if you prefer to not run this separate migration tool, you can force this +update using the following command. THIS WILL CAUSE DOWNTIME, BECAUSE DOCKER WILL +RUN THE MIGRATION ON FIRST START AND YOU WILL BE UNABLE TO START ANY CONTAINERS +OR USE ANY DOCKER COMMANDS (EVEN CONTAINERS WITH RESTART POLICIES ACTIVE): + +$ DOCKER_FORCE_INSTALL=1 sudo -E zypper up docker +EOF + + # Fail the update. + exit 1 + fi + fi + + # In order to make sure that we don't accidentally cause problems with an + # upgrade to docker>=1.10.2, we'll touch the same file we tested in (2). + # -m701 is *not* a typo, it is necessary for certain syscalls with remapped + # root. + [[ -d "%{docker_store}" ]] || install -d -m701 %{docker_store} || : + touch %{docker_migration_testfile} +fi + echo "creating group docker..." groupadd -r docker 2>/dev/null || : %service_add_pre %{name}.service %{name}.socket ++++++ _service ++++++ --- /var/tmp/diff_new_pack.xfQW4h/_old 2016-03-31 13:03:25.000000000 +0200 +++ /var/tmp/diff_new_pack.xfQW4h/_new 2016-03-31 13:03:25.000000000 +0200 
@@ -3,8 +3,8 @@ <param name="url">https://github.com/docker/docker.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">1.9.1</param> - <param name="revision">v1.9.1</param> + <param name="versionformat">1.10.3</param> + <param name="revision">v1.10.3</param> </service> <service name="recompress" mode="disabled"> <param name="file">docker-*.tar</param> ++++++ boltdb_bolt_powerpc.patch ++++++ --- vendor/src/github.com/boltdb/bolt/bolt_ppc64.go | 9 +++++++++ 1 file changed, 9 insertions(+) Index: docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go =================================================================== --- /dev/null +++ docker-1.10.2/vendor/src/github.com/boltdb/bolt/bolt_ppc64.go @@ -0,0 +1,9 @@ +// +build ppc64 + +package bolt + +// maxMapSize represents the largest mmap size supported by Bolt. +const maxMapSize = 0xFFFFFFFFFFFF // 256TB + +// maxAllocSize is the size used when creating array pointers. +const maxAllocSize = 0x7FFFFFFF ++++++ docker-1.9.1.tar.xz -> docker-1.10.3.tar.xz ++++++ /work/SRC/openSUSE:Factory/docker/docker-1.9.1.tar.xz /work/SRC/openSUSE:Factory/.docker.new/docker-1.10.3.tar.xz differ: char 26, line 1 ++++++ docker.service ++++++ --- /var/tmp/diff_new_pack.xfQW4h/_old 2016-03-31 13:03:25.000000000 +0200 +++ /var/tmp/diff_new_pack.xfQW4h/_new 2016-03-31 13:03:25.000000000 +0200 
@@ -5,12 +5,17 @@ Requires=docker.socket [Service] +# the default is not to use systemd for cgroups because the delegate issues still +# exists and systemd currently does not support the cgroup feature set required +# for containers run by docker EnvironmentFile=/etc/sysconfig/docker -ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS +ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS MountFlags=slave LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity +# set delegate yes so that systemd does not reset the cgroups of docker containers +Delegate=yes [Install] WantedBy=multi-user.target ++++++ fix-apparmor.patch ++++++ Index: docker-1.10.1/contrib/apparmor/main.go =================================================================== --- docker-1.10.1.orig/contrib/apparmor/main.go +++ docker-1.10.1/contrib/apparmor/main.go @@ -11,8 +11,7 @@ import ( ) type profileData struct { - MajorVersion int - MinorVersion int + Version int } func main() { @@ -23,13 +22,12 @@ func main() { // parse the arg apparmorProfilePath := os.Args[1] - majorVersion, minorVersion, err := aaparser.GetVersion() + version, err := aaparser.GetVersion() if err != nil { log.Fatal(err) } data := profileData{ - MajorVersion: majorVersion, - MinorVersion: minorVersion, + Version: version, } fmt.Printf("apparmor_parser is of version %+v\n", data) Index: docker-1.10.1/daemon/execdriver/native/apparmor.go =================================================================== --- docker-1.10.1.orig/daemon/execdriver/native/apparmor.go +++ docker-1.10.1/daemon/execdriver/native/apparmor.go @@ -25,8 +25,7 @@ type data struct { ExecPath string Imports []string InnerImports []string - MajorVersion int - MinorVersion int + Version int } const baseTemplate = ` 
@@ -64,14 +63,17 @@ profile {{.Name}} flags=(attach_disconne deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}} +{{if ge .Version 208095}} + # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr) + # apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule + # other apparmor-2.8 versions do not support this rule # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container ptrace (trace,read) peer=docker-default, -{{end}}{{end}} -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{end}} +{{if ge .Version 209000}} # docker daemon confinement requires explict allow rule for signal signal (receive) set=(kill,term) peer={{.ExecPath}}, -{{end}}{{end}} +{{end}} } ` @@ -91,7 +93,7 @@ func generateProfile(out io.Writer) erro if abstractionsExists() { data.InnerImports = append(data.InnerImports, "#include <abstractions/base>") } - data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion() + data.Version, err = aaparser.GetVersion() if err != nil { return err } Index: docker-1.10.1/pkg/aaparser/aaparser.go =================================================================== --- docker-1.10.1.orig/pkg/aaparser/aaparser.go +++ docker-1.10.1/pkg/aaparser/aaparser.go 
@@ -1,45 +1,92 @@ +// Package aaparser is a convenience package interacting with `apparmor_parser`. package aaparser import ( "fmt" - "log" "os/exec" + "path/filepath" "strconv" "strings" ) -// GetVersion returns the major and minor version of apparmor_parser -func GetVersion() (int, int, error) { - // get the apparmor_version version - cmd := exec.Command("apparmor_parser", "--version") +const ( + binary = "apparmor_parser" +) + +// GetVersion returns the major and minor version of apparmor_parser. +func GetVersion() (int, error) { + output, err := cmd("", "--version") + if err != nil { + return -1, err + } + + return parseVersion(output) +} - output, err := cmd.CombinedOutput() +// LoadProfile runs `apparmor_parser -r -W` on a specified apparmor profile to +// replace and write it to disk. +func LoadProfile(profilePath string) error { + _, err := cmd(filepath.Dir(profilePath), "-r", "-W", filepath.Base(profilePath)) if err != nil { - log.Fatalf("getting apparmor_parser version failed: %s (%s)", err, output) + return err } + return nil +} + +// cmd runs `apparmor_parser` with the passed arguments. +func cmd(dir string, arg ...string) (string, error) { + c := exec.Command(binary, arg...) + c.Dir = dir - // parse the version from the output + output, err := c.CombinedOutput() + if err != nil { + return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), string(output), err) + } + + return string(output), nil +} + +// parseVersion takes the output from `apparmor_parser --version` and returns +// a representation of the {major, minor, patch} version as a single number of +// the form MMmmPPP {major, minor, patch}. +func parseVersion(output string) (int, error) { // output is in the form of the following: // AppArmor parser version 2.9.1 // Copyright (C) 1999-2008 Novell Inc. // Copyright 2009-2012 Canonical Ltd. 
- lines := strings.SplitN(string(output), "\n", 2) + + lines := strings.SplitN(output, "\n", 2) words := strings.Split(lines[0], " ") version := words[len(words)-1] + // split by major minor version v := strings.Split(version, ".") - if len(v) < 2 { - return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version) + if len(v) == 0 || len(v) > 3 { + return -1, fmt.Errorf("parsing version failed for output: `%s`", output) } + // Default the versions to 0. + var majorVersion, minorVersion, patchLevel int + majorVersion, err := strconv.Atoi(v[0]) if err != nil { - return -1, -1, err + return -1, err } - minorVersion, err := strconv.Atoi(v[1]) - if err != nil { - return -1, -1, err + + if len(v) > 1 { + minorVersion, err = strconv.Atoi(v[1]) + if err != nil { + return -1, err + } + } + if len(v) > 2 { + patchLevel, err = strconv.Atoi(v[2]) + if err != nil { + return -1, err + } } - return majorVersion, minorVersion, nil + // major*10^5 + minor*10^3 + patch*10^0 + numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel + return numericVersion, nil } Index: docker-1.10.1/contrib/apparmor/template.go =================================================================== --- docker-1.10.1.orig/contrib/apparmor/template.go +++ docker-1.10.1/contrib/apparmor/template.go @@ -20,11 +20,11 @@ profile /usr/bin/docker (attach_disconne umount, pivot_root, -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} signal (receive) peer=@{profile_name}, signal (receive) peer=unconfined, signal (send), -{{end}}{{end}} +{{end}} network, capability, owner /** rw, @@ -46,12 +46,12 @@ profile /usr/bin/docker (attach_disconne /etc/ld.so.cache r, /etc/passwd r, -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} ptrace peer=@{profile_name}, ptrace (read) peer=docker-default, deny ptrace (trace) peer=docker-default, deny ptrace peer=/usr/bin/docker///bin/ps, -{{end}}{{end}} +{{end}} /usr/lib/** rm, /lib/** rm, 
@@ -72,11 +72,11 @@ profile /usr/bin/docker (attach_disconne /sbin/zfs rCx, /sbin/apparmor_parser rCx, -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} # Transitions change_profile -> docker-*, change_profile -> unconfined, -{{end}}{{end}} +{{end}} profile /bin/cat (complain) { /etc/ld.so.cache r, @@ -98,10 +98,10 @@ profile /usr/bin/docker (attach_disconne /dev/null rw, /bin/ps mr, -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} # We don't need ptrace so we'll deny and ignore the error. deny ptrace (read, trace), -{{end}}{{end}} +{{end}} # Quiet dac_override denials deny capability dac_override, @@ -119,15 +119,15 @@ profile /usr/bin/docker (attach_disconne /proc/tty/drivers r, } profile /sbin/iptables (complain) { -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} signal (receive) peer=/usr/bin/docker, -{{end}}{{end}} +{{end}} capability net_admin, } profile /sbin/auplink flags=(attach_disconnected, complain) { -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} signal (receive) peer=/usr/bin/docker, -{{end}}{{end}} +{{end}} capability sys_admin, capability dac_override, @@ -146,9 +146,9 @@ profile /usr/bin/docker (attach_disconne /proc/[0-9]*/mounts rw, } profile /sbin/modprobe /bin/kmod (complain) { -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} signal (receive) peer=/usr/bin/docker, -{{end}}{{end}} +{{end}} capability sys_module, /etc/ld.so.cache r, /lib/** rm, 
@@ -162,9 +162,9 @@ profile /usr/bin/docker (attach_disconne } # xz works via pipes, so we do not need access to the filesystem. profile /usr/bin/xz (complain) { -{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}} +{{if ge .Version 209000}} signal (receive) peer=/usr/bin/docker, -{{end}}{{end}} +{{end}} /etc/ld.so.cache r, /lib/** rm, /usr/bin/xz rm, ++++++ fix-docker-init.patch ++++++ --- /var/tmp/diff_new_pack.xfQW4h/_old 2016-03-31 13:03:25.000000000 +0200 +++ /var/tmp/diff_new_pack.xfQW4h/_new 2016-03-31 13:03:25.000000000 +0200 @@ -8,3 +8,14 @@ +/usr/bin/strip -s $DEST/dockerinit-$VERSION # sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1) +diff --git a/hack/make/.dockerinit-gccgo b/hack/make/.dockerinit-gccgo +index 3caa526..f272d29 100644 +--- a/hack/make/.dockerinit-gccgo ++++ b/hack/make/.dockerinit-gccgo +@@ -27,5 +27,6 @@ else + exit 1 + fi + ++/usr/bin/strip -s $DEST/dockerinit-$VERSION + # sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another + export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1) ++++++ fix_platform_type_arm.patch ++++++ diff --git a/pkg/platform/utsname_int8.go b/pkg/platform/utsname_int8.go index 5dcbadf..a022a35 100644 --- a/pkg/platform/utsname_int8.go +++ b/pkg/platform/utsname_int8.go @@ -1,4 +1,4 @@ -// +build linux,386 linux,amd64 linux,arm64 +// +build linux,386 linux,amd64 // see golang's sources src/syscall/ztypes_linux_*.go that use int8 package platform diff --git a/pkg/platform/utsname_uint8.go b/pkg/platform/utsname_uint8.go index c9875cf..0ee937a 100644 --- a/pkg/platform/utsname_uint8.go +++ b/pkg/platform/utsname_uint8.go 
@@ -1,4 +1,4 @@ -// +build linux,arm linux,ppc64 linux,ppc64le s390x +// +build linux,arm linux,ppc64 linux,ppc64le s390x linux,arm64 linux,aarch64 // see golang's sources src/syscall/ztypes_linux_*.go that use uint8 package platform ++++++ gcc-go-patches.patch ++++++ diff --git a/hack/make/gccgo b/hack/make/gccgo index 878c814..84b7f69 100644 --- a/hack/make/gccgo +++ b/hack/make/gccgo @@ -1,5 +1,5 @@ #!/bin/bash -set -e +set -ex BINARY_NAME="docker-$VERSION" BINARY_EXTENSION="$(binary_extension)" @@ -16,9 +16,11 @@ go build -compiler=gccgo \ "${BUILDFLAGS[@]}" \ -gccgoflags " -g + -Wl,--add-needed -Wl,--no-as-needed $EXTLDFLAGS_STATIC + -static-libgo -Wl,--no-export-dynamic - -ldl + -ldl -lselinux -lsystemd -pthread " \ ./docker ++++++ gcc5_socket_workaround.patch ++++++ diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go index 007ccb2..65f638f 100644 --- a/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go +++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux.go @@ -22,7 +22,7 @@ type ifreqIndex struct { type ifreqHwaddr struct { IfrnName [ifNameSize]byte - IfruHwaddr syscall.RawSockaddr + IfruHwaddr patchedRawSockAddr } var rnd = rand.New(rand.NewSource(time.Now().UnixNano())) diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go new file mode 100644 index 0000000..118f7bf --- /dev/null +++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_ppc64xe_type.go @@ -0,0 +1,11 @@ +// Copyright (c) 2015 SUSE LLC. All rights reserved. + +// +build linux +// +build ppc64 ppc64le + +package bridge + +type patchedRawSockAddr struct { + Family uint16 + Data [14]int8 +} 
diff --git a/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go new file mode 100644 index 0000000..cdba329 --- /dev/null +++ b/vendor/src/github.com/docker/libnetwork/drivers/bridge/patched_socket_type.go @@ -0,0 +1,10 @@ +// Copyright (c) 2015 SUSE LLC. All rights reserved. + +// +build linux,!ppc64,!ppc64le + +package bridge + +type patchedRawSockAddr struct { + Family uint16 + Data [14]int8 +} ++++++ ignore-dockerinit-checksum.patch ++++++ --- /var/tmp/diff_new_pack.xfQW4h/_old 2016-03-31 13:03:25.000000000 +0200 +++ /var/tmp/diff_new_pack.xfQW4h/_new 2016-03-31 13:03:25.000000000 +0200 
@@ -1,11 +1,12 @@ -diff -Naur a/utils/utils.go b/utils/utils.go ---- a/utils/utils.go 2015-08-11 18:35:27.000000000 +0200 -+++ b/utils/utils.go 2015-08-12 18:06:47.930445696 +0200 -@@ -76,7 +76,7 @@ +diff --git a/utils/utils.go b/utils/utils.go +index 340b9e4..70a85a6 100644 +--- a/utils/utils.go ++++ b/utils/utils.go +@@ -75,7 +75,7 @@ func isValidDockerInitPath(target string, selfPath string) bool { // target and } return os.SameFile(targetFileInfo, selfPathFileInfo) } -- return dockerversion.INITSHA1 != "" && dockerInitSha1(target) == dockerversion.INITSHA1 +- return dockerversion.InitSHA1 != "" && dockerInitSha1(target) == dockerversion.InitSHA1 + return true } ++++++ libnetwork_drivers_bridge_powerpc.patch ++++++ --- vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go | 2 +- vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go =================================================================== --- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go +++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_armppc64.go @@ -1,4 +1,4 @@ -// +build arm ppc64 ppc64le +// +build arm,!ppc64,!ppc64le package bridge Index: docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go =================================================================== --- docker-1.10.2.orig/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go +++ docker-1.10.2/vendor/src/github.com/docker/libnetwork/drivers/bridge/netlink_deprecated_linux_notarm.go 
@@ -1,4 +1,4 @@ -// +build !arm,!ppc64,!ppc64le +// +build !arm ppc64 ppc64le package bridge ++++++ netlink_gcc_go.patch ++++++ diff --git a/vendor/src/github.com/vishvananda/netlink/link_linux.go b/vendor/src/github.com/vishvananda/netlink/link_linux.go index 3aa9124..6ad7c2b 100644 --- a/vendor/src/github.com/vishvananda/netlink/link_linux.go +++ b/vendor/src/github.com/vishvananda/netlink/link_linux.go @@ -415,11 +415,11 @@ func LinkAdd(link Link) error { req.Flags |= syscall.IFF_TUN_EXCL copy(req.Name[:15], base.Name) req.Flags |= uint16(tuntap.Mode) - _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, file.Fd(), uintptr(syscall.TUNSETIFF), uintptr(unsafe.Pointer(&req))) + _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, file.Fd(), uintptr(syscall_TUNSETIFF), uintptr(unsafe.Pointer(&req))) if errno != 0 { return fmt.Errorf("Tuntap IOCTL TUNSETIFF failed, errno %v", errno) } - _, _, errno = syscall.Syscall(syscall.SYS_IOCTL, file.Fd(), uintptr(syscall.TUNSETPERSIST), 1) + _, _, errno = syscall.Syscall(syscall.SYS_IOCTL, file.Fd(), uintptr(syscall_TUNSETPERSIST), 1) if errno != 0 { return fmt.Errorf("Tuntap IOCTL TUNSETPERSIST failed, errno %v", errno) } diff --git a/vendor/src/github.com/vishvananda/netlink/link_linux_others.go b/vendor/src/github.com/vishvananda/netlink/link_linux_others.go new file mode 100644 index 0000000..feb6070 --- /dev/null +++ b/vendor/src/github.com/vishvananda/netlink/link_linux_others.go @@ -0,0 +1,9 @@ +// +build linux +// +build x86_64 arm64 s390x + +package netlink + +const ( + syscall_TUNSETIFF = 0x400454ca + syscall_TUNSETPERSIST = 0x400454ca +) diff --git a/vendor/src/github.com/vishvananda/netlink/link_linux_powerpc.go b/vendor/src/github.com/vishvananda/netlink/link_linux_powerpc.go new file mode 100644 index 0000000..fac7c06 --- /dev/null +++ b/vendor/src/github.com/vishvananda/netlink/link_linux_powerpc.go 
@@ -0,0 +1,9 @@ +// +build linux +// +build ppc64 ppc64le + +package netlink + +const ( + syscall_TUNSETIFF = 0x800454ca + syscall_TUNSETPERSIST = 0x800454ca +) ++++++ netlink_netns_powerpc.patch ++++++ --- vendor/src/github.com/vishvananda/netns/netns_linux_ppc64.go | 7 +++++++ 1 file changed, 7 insertions(+) Index: docker-1.10.2/vendor/src/github.com/vishvananda/netns/netns_linux_ppc64.go =================================================================== --- /dev/null +++ docker-1.10.2/vendor/src/github.com/vishvananda/netns/netns_linux_ppc64.go @@ -0,0 +1,7 @@ +// +build linux,ppc64 + +package netns + +const ( + SYS_SETNS = 350 +) ++++++ sysconfig.docker ++++++ --- /var/tmp/diff_new_pack.xfQW4h/_old 2016-03-31 13:03:25.000000000 +0200 +++ /var/tmp/diff_new_pack.xfQW4h/_new 2016-03-31 13:03:25.000000000 +0200 @@ -6,3 +6,5 @@ ## ServiceRestart : docker # DOCKER_OPTS="" + +DOCKER_NETWORK_OPTIONS=""
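Review bot: the collapsed `{{if ge .Version 209000}}` in the /usr/bin/xz profile hunk is the right fix; the old nested `{{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}` test would have dropped the `signal (receive) peer=/usr/bin/docker` rule on any 3.x apparmor_parser whose minor version is below 9. Worth one comment beside the `+build`-style template line saying that 209000 encodes parser version 2.9, since the encoding is not obvious from the template alone.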
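Review bot: in the hack/make/.dockerinit-gccgo hunk the added `/usr/bin/strip -s $DEST/dockerinit-$VERSION` leaves the path unquoted while the `export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)` line right below quotes it; quote it the same way so a `$DEST` containing whitespace cannot split the argument. Stripping before the sha1 is computed is the correct order, because the embedded hash has to describe the binary that actually ships.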
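Review bot: the utsname hunks in fix_platform_type_arm.patch move `linux,arm64` from utsname_int8.go to utsname_uint8.go, which matches the kernel ABI (char is unsigned on arm64, as on 32-bit arm), but they also add `linux,aarch64`, a tag used nowhere else in the file set. If it exists for a toolchain that reports GOARCH as `aarch64` instead of `arm64`, say so in a comment on the `+build` line; otherwise the term never matches and should be dropped.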
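Review bot: `set -e` to `set -ex` in hack/make/gccgo enables command tracing for the whole build script, which usually is a debugging leftover; if a verbose build log is wanted, state that in the patch header, otherwise drop the `x`. The linker changes in the same file also deserve a line of explanation: `-Wl,--no-as-needed` forces every library listed after it (`-ldl -lselinux -lsystemd -pthread`) to become a DT_NEEDED entry whether or not a symbol from it is referenced, so it papers over a missing reference rather than fixing it, and any library that is not actually used still becomes a runtime dependency of the docker binary.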
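Review bot: patched_socket_ppc64xe_type.go and patched_socket_type.go in gcc5_socket_workaround.patch define byte-for-byte identical `patchedRawSockAddr` structs (`Family uint16`, `Data [14]int8`), so the `+build ppc64 ppc64le` / `+build linux,!ppc64,!ppc64le` split buys nothing. Either collapse them into one file, or, if the ppc64 variant was meant to differ from the stock `syscall.RawSockaddr` (whose `Data` is `[14]uint8` on ppc64), make that difference visible. A comment naming the gcc 5 / gccgo problem being worked around would also help whoever refreshes this patch next.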
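Review bot: the refreshed utils/utils.go hunk in ignore-dockerinit-checksum.patch ends `isValidDockerInitPath` with an unconditional `return true` where upstream required `dockerversion.InitSHA1 != "" && dockerInitSha1(target) == dockerversion.InitSHA1`. That comparison is what ties a docker binary to the exact dockerinit it was built with; after the patch, any file found at the dockerinit path is accepted, including one from a different build or one that has been replaced on disk. fix-docker-init.patch already recomputes DOCKER_INITSHA1 after stripping, so the pairing check should be satisfiable for the packaged pair; if it still fails, record the reason in the patch header instead of removing the check, and at minimum keep the `InitSHA1 != ""` guard so a build that does embed a hash still verifies it (return true only when InitSHA1 is empty).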
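Review bot: the two `+build` rewrites in libnetwork_drivers_bridge_powerpc.patch are equivalent to `// +build arm` and `// +build !arm`, because GOARCH is a single value and `arm` can never coincide with `ppc64` or `ppc64le`; the extra `!ppc64,!ppc64le` and `ppc64 ppc64le` terms only obscure the real effect, which is that ppc64 and ppc64le now compile netlink_deprecated_linux_notarm.go instead of netlink_deprecated_linux_armppc64.go. Simplify the constraints to the one-term form and rename the files, since the `armppc64` name now contradicts its own constraint.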
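Review bot: both new files in netlink_gcc_go.patch give `syscall_TUNSETPERSIST` the same value as `syscall_TUNSETIFF` (`0x400454ca` twice in link_linux_others.go, `0x800454ca` twice in link_linux_powerpc.go). Two different ioctl requests cannot share a request code, so the second `syscall.Syscall(syscall.SYS_IOCTL, ..., uintptr(syscall_TUNSETPERSIST), 1)` in LinkAdd would re-issue TUNSETIFF with `1` as its pointer argument and fail with the "TUNSETPERSIST failed" error. TUNSETPERSIST is `_IOW('T', 203, int)`, one above TUNSETIFF, i.e. `0x400454cb` and `0x800454cb` respectively. Separately, `// +build x86_64 arm64 s390x` uses `x86_64`, which is not a GOARCH tag (`amd64` is), and omits `386` and `arm`, so on those targets the constants are undefined and link_linux.go stops compiling; if the compiler in use reports a different GOARCH string, document it, otherwise use `amd64` and add the missing architectures.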
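Review bot: netns_linux_ppc64.go in netlink_netns_powerpc.patch is constrained to `linux,ppc64` only, while the other powerpc patches in this series cover both `ppc64` and `ppc64le`; unless the vendored netns package already ships a ppc64le definition of `SYS_SETNS`, the tag should read `// +build linux,ppc64 linux,ppc64le`, since syscall number 350 is the same for both endiannesses.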
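Review bot: the new `DOCKER_NETWORK_OPTIONS=""` in sysconfig.docker lands without the `##` description block that `DOCKER_OPTS` has just above it; add a header in the same style saying what the variable is for (per the changelog, network options needed for SDN setups such as flannel) and that the updated systemd unit passes it to the daemon, otherwise someone editing /etc/sysconfig/docker cannot tell it from an internal variable.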