Hello community,
here is the log from the commit of package docker for openSUSE:Factory checked in at 2017-09-07 22:11:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
and /work/SRC/openSUSE:Factory/.docker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker"
Thu Sep 7 22:11:56 2017 rev:59 rq:521899 version:17.04.0_ce
Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes 2017-08-17 11:44:05.589963477 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2017-09-07 22:12:01.872978684 +0200
@@ -1,0 +2,20 @@
+Wed Sep 6 11:42:31 UTC 2017 - asarai@suse.com
+
+- devicemapper: add patch to make the dm storage driver remove a container's
+ rootfs mountpoint before attempting to do libdm operations on it. This helps
+ avoid complications when live mounts will leak into containers. Backport of
+ https://github.com/moby/moby/pull/34573. bsc#1045628
+ + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+
+-------------------------------------------------------------------
+Wed Aug 30 14:58:52 UTC 2017 - asarai@suse.com
+
+- Fix a regression in our SUSE secrets patches, which caused the copied files
+ to not carry the correct {uid,gid} mapping when using user namespaces. This
+ would not cause any bugs (SUSEConnect does the right thing anyway) but it's
+ possible some programs would not treat the files correctly. This is
+ tangentially related to bsc#1055676.
+ * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+ * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+
+-------------------------------------------------------------------
New:
----
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.4KXeCw/_old 2017-09-07 22:12:03.100805638 +0200
+++ /var/tmp/diff_new_pack.4KXeCw/_new 2017-09-07 22:12:03.104805074 +0200
@@ -58,6 +58,8 @@
Patch400: bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/33250 (bsc#1037607).
Patch401: bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/34573 (bsc#1045628)
+Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@@ -176,8 +178,12 @@
%patch201 -p1
%endif
%patch300 -p1
+# bsc#1037436
%patch400 -p1
+# bsc#1037607
%patch401 -p1
+# bsc#1045628
+%patch402 -p1
cp %{SOURCE7} .
cp %{SOURCE10} .
++++++ bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch ++++++
From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Sun, 20 Aug 2017 13:50:52 +1000
Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount
libdm currently has a fairly substantial DoS bug that makes certain
operations fail on a libdm device if the device has active references
through mountpoints. This is a significant problem with the advent of
mount namespaces and MS_PRIVATE, and can cause certain --volume mounts
to cause libdm to no longer be able to remove containers:
% docker run -d --name testA busybox top
% docker run -d --name testB -v /var/lib/docker:/docker busybox top
% docker rm -f testA
[fails on libdm with dm_task_run errors.]
This also solves the problem of unprivileged users being able to DoS
docker by using unprivileged mount namespaces to preserve mounts that
Docker has dropped.
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628
SUSE-Backport: https://github.com/moby/moby/pull/34573
Signed-off-by: Aleksa Sarai
---
daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++
daemon/graphdriver/devmapper/driver.go | 4 +++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go
index ba845d4d01d4..fe8103683b9b 100644
--- a/daemon/graphdriver/devmapper/deviceset.go
+++ b/daemon/graphdriver/devmapper/deviceset.go
@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error {
}
logrus.Debug("devmapper: Unmount done")
+ // Remove the mountpoint here. Removing the mountpoint (in newer kernels)
+ // will cause all other instances of this mount in other mount namespaces
+ // to be killed (this is an anti-DoS measure that is necessary for things
+ // like devicemapper). This is necessary to avoid cases where a libdm mount
+ // that is present in another namespace will cause subsequent RemoveDevice
+ // operations to fail. We ignore any errors here because this may fail on
+ // older kernels which don't have
+ // torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
+ if err := os.Remove(mountPath); err != nil {
+ logrus.Debugf("devmapper: error doing a remove on unmounted device %s: %v", mountPath, err)
+ }
+
return devices.deactivateDevice(info)
}
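Review bot: The failure of the new `os.Remove(mountPath)` is logged only at Debug level, so the very condition this patch targets — the mountpoint still being pinned by a copy of the mount in another mount namespace, which on kernels without the referenced fix comes back from rmdir as EBUSY — leaves no trace in a normal daemon log before the later RemoveDevice fails with an opaque dm_task_run error. Separating the expected "already gone" case from a real failure keeps the log quiet while making the diagnosis visible: `if err := os.Remove(mountPath); err != nil && !os.IsNotExist(err) {` followed by `logrus.Warnf("devmapper: error removing mountpoint %s after unmount: %v", mountPath, err)`. The comment could also state the property being relied on, that os.Remove refuses a non-empty or still-mounted directory, so a reader does not wonder whether a failed unmount could lead to deleting container data. UnmountDevice starts outside the hunk, so I cannot see whether an earlier unmount error already returns before this point.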
diff --git a/daemon/graphdriver/devmapper/driver.go b/daemon/graphdriver/devmapper/driver.go
index 91de5cd12a0f..69a3b3184933 100644
--- a/daemon/graphdriver/devmapper/driver.go
+++ b/daemon/graphdriver/devmapper/driver.go
@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error {
if count := d.ctr.Decrement(mp); count > 0 {
return nil
}
+
err := d.DeviceSet.UnmountDevice(id, mp)
if err != nil {
- logrus.Errorf("devmapper: Error unmounting device %s: %s", id, err)
+ logrus.Errorf("devmapper: Error unmounting device %s: %v", id, err)
}
+
return err
}
--
2.14.1
++++++ secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch ++++++
--- /var/tmp/diff_new_pack.4KXeCw/_old 2017-09-07 22:12:03.308776327 +0200
+++ /var/tmp/diff_new_pack.4KXeCw/_new 2017-09-07 22:12:03.308776327 +0200
@@ -58,5 +58,5 @@
return errors.Wrap(err, "error setting ownership for secret")
}
--
-2.13.0
+2.14.1
++++++ secrets-0002-SUSE-implement-SUSE-container-secrets.patch ++++++
--- /var/tmp/diff_new_pack.4KXeCw/_old 2017-09-07 22:12:03.324774072 +0200
+++ /var/tmp/diff_new_pack.4KXeCw/_new 2017-09-07 22:12:03.324774072 +0200
@@ -1,4 +1,4 @@
-From a6d2f9f43ea02d93534867271f7fa7cf0f77e70c Mon Sep 17 00:00:00 2001
+From 9b33a267ec637d7d8a29259246033bfe1b5f47bc Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@@ -13,8 +13,8 @@
Signed-off-by: Aleksa Sarai
---
daemon/start.go | 5 +
- daemon/suse_secrets.go | 246 +++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 251 insertions(+)
+ daemon/suse_secrets.go | 260 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 265 insertions(+)
create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go
@@ -35,10 +35,10 @@
return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644
-index 000000000000..99bdbefdebcc
+index 000000000000..b577b7081976
--- /dev/null
+++ b/daemon/suse_secrets.go
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,260 @@
+/*
+ * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017 SUSE LLC.
@@ -67,6 +67,7 @@
+
+ "github.com/Sirupsen/logrus"
+ "github.com/docker/docker/container"
++ "github.com/docker/docker/pkg/idtools"
+ "github.com/opencontainers/go-digest"
+
+ swarmtypes "github.com/docker/docker/api/types/swarm"
@@ -102,14 +103,26 @@
+ }
+}
+
-+func (s SuseFakeFile) toSecretReference() *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(uidMaps, gidMaps []idtools.IDMap) *swarmtypes.SecretReference {
++ // Figure out the host-facing {uid,gid} based on the provided maps. Fall
++ // back to root if the UID/GID don't match (we are guaranteed that root is
++ // mapped).
++ hostUid, hostGid, _ := idtools.GetRootUIDGID(uidMaps, gidMaps)
++ if uid, err := idtools.ToHost(s.Uid, uidMaps); err == nil {
++ hostUid = uid
++ }
++ if gid, err := idtools.ToHost(s.Gid, gidMaps); err == nil {
++ hostGid = gid
++ }
++
++ // Return the secret reference as a file target.
+ return &swarmtypes.SecretReference{
+ SecretID: s.id(),
+ SecretName: s.id(),
+ File: &swarmtypes.SecretReferenceFileTarget{
+ Name: s.Path,
-+ UID: fmt.Sprintf("%d", s.Uid),
-+ GID: fmt.Sprintf("%d", s.Gid),
++ UID: fmt.Sprintf("%d", hostUid),
++ GID: fmt.Sprintf("%d", hostGid),
+ Mode: s.Mode,
+ },
+ }
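Review bot: The fallback on the new `idtools.ToHost` lines is silent: when `s.Uid` or `s.Gid` is not covered by the maps the error is dropped and the secret file is handed to the container with root ownership instead of the ownership the secret asked for, which may change who inside the container can read it and leaves nothing in the log to explain it. At minimum warn on that path, e.g. `} else { logrus.Warnf("suse-secrets: uid %d for %s not in user namespace map, falling back to root: %v", s.Uid, s.Path, err) }`, and the same for the gid branch. The blank identifier on `hostUid, hostGid, _ := idtools.GetRootUIDGID(uidMaps, gidMaps)` rests on the comment's guarantee that root is mapped; if that ever fails, whatever GetRootUIDGID returns on error (I cannot confirm its failure values from here) is formatted straight into the UID/GID strings, so checking that error too is cheap insurance. Go naming convention would also spell these hostUID and hostGID. toSecretReference's closing brace lies past the end of the hunk.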
@@ -277,14 +290,15 @@
+ return err
+ }
+
++ uidMaps, gidMaps := daemon.GetUIDGIDMaps()
+ for _, secret := range secrets {
+ newSecretStore.secrets[secret.id()] = secret.toSecret()
-+ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference())
++ c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(uidMaps, gidMaps))
+ }
+
+ c.SecretStore = newSecretStore
+ return nil
+}
--
-2.13.0
+2.14.1