From a54c276111963504ae43a3494c70fb747ae705e4 Mon Sep 17 00:00:00 2001
From: Johnny Hughes
Date: Mar 03 2020 17:14:26 +0000
Subject: import docker-1.13.1-109.gitcccb291.el7_7
---
diff --git a/SOURCES/bz1784228.patch b/SOURCES/bz1784228.patch
new file mode 100644
index 0000000..90463e9
--- /dev/null
+++ b/SOURCES/bz1784228.patch
@@ -0,0 +1,22 @@
+diff -up docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/default.json.bz1784228 docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/default.json
+--- docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/default.json.bz1784228 2019-12-20 11:36:58.836002843 +0100
++++ docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/default.json 2019-12-20 11:10:34.359173999 +0100
+@@ -320,6 +320,7 @@
+ "stat64",
+ "statfs",
+ "statfs64",
++ "statx",
+ "symlink",
+ "symlinkat",
+ "sync",
+diff -up docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/seccomp_default.go.bz1784228 docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/seccomp_default.go
+--- docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/seccomp_default.go.bz1784228 2019-12-20 11:37:11.606115942 +0100
++++ docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/profiles/seccomp/seccomp_default.go 2019-12-20 11:37:25.891242460 +0100
+@@ -314,6 +314,7 @@ func DefaultProfile() *types.Seccomp {
+ "stat64",
+ "statfs",
+ "statfs64",
++ "statx",
+ "symlink",
+ "symlinkat",
+ "sync",
diff --git a/SOURCES/docker-1792243.patch b/SOURCES/docker-1792243.patch
new file mode 100644
index 0000000..321cad4
--- /dev/null
+++ b/SOURCES/docker-1792243.patch
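Review bot: The `statx` allowlist entry is now maintained in three copies — profiles/seccomp/default.json and seccomp_default.go in this patch, plus SOURCES/seccomp.json in the later hunk of this commit — with nothing tying them together, so a future syscall change can silently leave one copy behind. The JSON copies cannot carry a comment, so the Go profile is the place to record the coupling; next to the added entry in seccomp_default.go I would add `// keep in sync with profiles/seccomp/default.json and SOURCES/seccomp.json (bz1784228)`. statx is a read-only metadata call and this appears to match upstream's default profile, so the widening of the allowlist itself looks appropriate. The enclosing DefaultProfile function starts and ends outside the hunk.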
@@ -0,0 +1,24 @@
+diff -up ./docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/github.com/mtrmac/gpgme/gpgme.go.1792243 ./docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/github.com/mtrmac/gpgme/gpgme.go
+--- docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/github.com/mtrmac/gpgme/gpgme.go.1792243 2020-01-20 14:14:02.247121178 +0100
++++ docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/github.com/mtrmac/gpgme/gpgme.go 2020-01-20 14:14:02.249121198 +0100
+@@ -1,7 +1,7 @@
+ // Package gpgme provides a Go wrapper for the GPGME library
+ package gpgme
+
+-// #cgo LDFLAGS: -lgpgme -lassuan -lgpg-error
++// #cgo LDFLAGS: -lgpgme-pthread -lassuan -lgpg-error
+ // #cgo CPPFLAGS: -D_FILE_OFFSET_BITS=64
+ // #include
+ // #include
+diff -up ./docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/src/github.com/mtrmac/gpgme/gpgme.go.1792243 ./docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/src/github.com/mtrmac/gpgme/gpgme.go
+--- docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/src/github.com/mtrmac/gpgme/gpgme.go.1792243 2020-01-20 14:14:02.244121149 +0100
++++ docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/vendor/src/github.com/mtrmac/gpgme/gpgme.go 2020-01-20 14:14:02.245121159 +0100
+@@ -1,7 +1,7 @@
+ // Package gpgme provides a Go wrapper for the GPGME library
+ package gpgme
+
+-// #cgo LDFLAGS: -lgpgme -lassuan -lgpg-error
++// #cgo LDFLAGS: -lgpgme-pthread -lassuan -lgpg-error
+ // #cgo CPPFLAGS: -D_FILE_OFFSET_BITS=64
+ // #include
+ // #include
diff --git a/SOURCES/docker-collectmode.patch b/SOURCES/docker-collectmode.patch
new file mode 100644
index 0000000..b938b08
--- /dev/null
+++ b/SOURCES/docker-collectmode.patch
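Review bot: The switch to `-lgpgme-pthread` carries no explanation at the LDFLAGS line, so the next person reconciling this vendored file with upstream is likely to revert it to the plain `-lgpgme` and silently reintroduce the concurrency problem the changelog describes. I would add a comment directly above the cgo directive in both copies: `// -lgpgme-pthread: link the thread-safe GPGME variant; the plain libgpgme must not be called from multiple goroutines (bz1792243)`. The vendor/github.com and vendor/src/github.com copies are patched identically; which of the two the build actually consults is not visible here, so it is worth a line in the spec's Patch5 comment rather than leaving both edits unexplained.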
@@ -0,0 +1,12 @@
+diff -up docker-cccb291d3613ade11e2c0b82541452e9db87b835/runc-66aedde759f33c190954815fb765eedc1d782dd9/libcontainer/cgroups/systemd/apply_systemd.go.collectmode docker-cccb291d3613ade11e2c0b82541452e9db87b835/runc-66aedde759f33c190954815fb765eedc1d782dd9/libcontainer/cgroups/systemd/apply_systemd.go
+--- docker-cccb291d3613ade11e2c0b82541452e9db87b835/runc-66aedde759f33c190954815fb765eedc1d782dd9/libcontainer/cgroups/systemd/apply_systemd.go.collectmode 2020-01-23 17:04:43.761004295 +0100
++++ docker-cccb291d3613ade11e2c0b82541452e9db87b835/runc-66aedde759f33c190954815fb765eedc1d782dd9/libcontainer/cgroups/systemd/apply_systemd.go 2020-01-23 17:04:55.584168909 +0100
+@@ -130,8 +130,6 @@ func (m *Manager) Apply(pid int) error {
+ properties = append(properties, newProp("PIDs", []uint32{uint32(pid)}))
+ }
+
+- properties = append(properties, newProp("CollectMode", "inactive-or-failed"))
+-
+ // This is only supported on systemd versions 218 and above.
+ properties = append(properties, newProp("Delegate", true))
+
diff --git a/SOURCES/docker.service b/SOURCES/docker.service
index e67f0d2..d6c28fb 100644
--- a/SOURCES/docker.service
+++ b/SOURCES/docker.service
@@ -1,8 +1,9 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
-After=network.target
+After=network.target rhel-push-plugin.service registries.service
 Wants=docker-storage-setup.service
+Requires=rhel-push-plugin.service registries.service
 Requires=docker-cleanup.timer
 [Service]
@@ -18,6 +19,7 @@ Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
 ExecStart=/usr/bin/dockerd-current \
 --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
 --default-runtime=docker-runc \
+ --authorization-plugin=rhel-push-plugin \
 --exec-opt native.cgroupdriver=systemd \
 --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
 --init-path=/usr/libexec/docker/docker-init-current \
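Review bot: Deleting the `CollectMode` property leaves no trace at the call site of why it is gone, and the effect goes beyond build compatibility: `inactive-or-failed` is what lets systemd unload a scope that ended in failure, so without it a container scope that exits unsuccessfully stays loaded as a failed unit until it is reset, and hosts that churn many failing containers accumulate such units. A comment where the two lines were removed would stop the property from being re-added on the next runc rebase and would make the operational trade-off visible: `// CollectMode is not known to RHEL7 systemd (bz1766665); failed scopes therefore persist until 'systemctl reset-failed'`. The enclosing Apply method starts and ends outside the hunk.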
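Review bot: The new `Requires=rhel-push-plugin.service registries.service` line, paired with `--authorization-plugin=rhel-push-plugin` in the second hunk, makes daemon startup depend on the authorization plugin being up, which is the right fail-closed shape for an authz plugin (dockerd refuses to start when a configured authorization plugin cannot be reached, as far as I recall), but the unit gives no hint that the coupling is intentional and someone debugging a boot failure may relax it to `Wants=`. I would add a comment above the new line: `# rhel-push-plugin is an authorization plugin: dockerd must not come up without it, so this is Requires= rather than Wants=`. One point to confirm against the spec, which installs both rhel-push-plugin.service and rhel-push-plugin.socket: if the plugin is meant to be socket-activated, naming the .socket unit here would be the more natural dependency.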
diff --git a/SOURCES/seccomp.json b/SOURCES/seccomp.json
index b9a4564..965a504 100644
--- a/SOURCES/seccomp.json
+++ b/SOURCES/seccomp.json
@@ -320,6 +320,7 @@
 "stat64",
 "statfs",
 "statfs64",
+ "statx",
 "symlink",
 "symlinkat",
 "sync",
diff --git a/SPECS/docker.spec b/SPECS/docker.spec
index d098c17..fa3fa0a 100644
--- a/SPECS/docker.spec
+++ b/SPECS/docker.spec
@@ -23,7 +23,7 @@
 # docker
 %global git_docker https://github.com/projectatomic/docker
-%global commit_docker 4ef4b30c57f05be26c9387ef0828e86c2ed543b8
+%global commit_docker cccb291d3613ade11e2c0b82541452e9db87b835
 %global shortcommit_docker %(c=%{commit_docker}; echo ${c:0:7})
 # docker_branch used in %%check
 %global docker_branch %{name}-%{version}
@@ -45,9 +45,9 @@
 %global shortcommit_novolume %(c=%{commit_novolume}; echo ${c:0:7})
 # rhel-push-plugin
-#%global git_rhel_push https://github.com/projectatomic/rhel-push-plugin
-#%global commit_rhel_push af9107b2aedb235338e32a3c19507cad3f218b0d
-#%global shortcommit_rhel_push %(c=%{commit_rhel_push}; echo ${c:0:7})
+%global git_rhel_push https://github.com/projectatomic/rhel-push-plugin
+%global commit_rhel_push af9107b2aedb235338e32a3c19507cad3f218b0d
+%global shortcommit_rhel_push %(c=%{commit_rhel_push}; echo ${c:0:7})
 # docker-lvm-plugin
 %global git_lvm https://github.com/projectatomic/%{repo}-lvm-plugin
@@ -56,7 +56,7 @@
 # docker-runc
 %global git_runc https://github.com/projectatomic/runc
-%global commit_runc e45dd70447fb72ee4e1f6989173aa6c5dd492d87
+%global commit_runc 66aedde759f33c190954815fb765eedc1d782dd9
 %global shortcommit_runc %(c=%{commit_runc}; echo ${c:0:7})
 # docker-containerd
@@ -77,15 +77,15 @@ Name: %{repo}
 Epoch: 2
 Version: 1.13.1
-Release: 108.git%{shortcommit_docker}%{?dist}
+Release: 109.git%{shortcommit_docker}%{?dist}
 Summary: Automates deployment of containerized applications
 License: ASL 2.0
 URL: https://%{import_path}
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64 %{ix86}
+ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
 Source0: %{git_docker}/archive/%{commit_docker}.tar.gz
 Source2: %{git_dss}/archive/%{commit_dss}/container-storage-setup-%{shortcommit_dss}.tar.gz
 Source4: %{git_novolume}/archive/%{commit_novolume}/%{repo}-novolume-plugin-%{shortcommit_novolume}.tar.gz
-#Source5: %{git_rhel_push}/archive/%{commit_rhel_push}/rhel-push-plugin-%{shortcommit_rhel_push}.tar.gz
+Source5: %{git_rhel_push}/archive/%{commit_rhel_push}/rhel-push-plugin-%{shortcommit_rhel_push}.tar.gz
 Source6: %{git_lvm}/archive/%{commit_lvm}/%{repo}-lvm-plugin-%{shortcommit_lvm}.tar.gz
 Source8: %{name}.service
 Source9: %{name}.sysconfig
@@ -114,18 +114,21 @@ Patch0: https://github.com/projectatomic/containerd/pull/11/commits/97eff6cf6c9b
 # https://bugzilla.redhat.com/show_bug.cgi?id=1653292
 Patch1: https://github.com/projectatomic/containerd/pull/12/commits/f9a2eeb64054e740fb1ae3048dde153c257113c8.patch
 Patch2: https://github.com/projectatomic/containerd/pull/12/commits/69518f0bbdb1f11113f46a4d794e09e2f21f5e91.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1732626
-Patch3: https://github.com/projectatomic/docker/pull/363/commits/6eadd954e5a02f2dcf93928484d42f86b6975618.patch
+# related: https://bugzilla.redhat.com/show_bug.cgi?id=1766665 there is no CollectMode property in RHEL7 systemd
+Patch3: docker-collectmode.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1784228
+Patch4: bz1784228.patch
+Patch5: docker-1792243.patch
 BuildRequires: cmake
 BuildRequires: sed
 BuildRequires: git
 BuildRequires: glibc-static
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?centos}
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 %else
 BuildRequires: go-toolset-1.10
 BuildRequires: openssl-devel
-%endif #fedora
+%endif
 BuildRequires: gpgme-devel
 BuildRequires: device-mapper-devel
 BuildRequires: pkgconfig(audit)
@@ -137,7 +140,7 @@ BuildRequires: libseccomp-devel
 BuildRequires: libassuan-devel
 %if 0%{?centos}
 Requires: subscription-manager-rhsm-certificates
-%endif # centos
+%endif
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
 Requires: %{name}-client = %{epoch}:%{version}-%{release}
 Requires(post): systemd
@@ -194,7 +197,7 @@ Requires: device-mapper-libs >= 7:1.02.97
 Requires: oci-umount >= 2:2.3.3-3
 Requires: oci-register-machine >= 1:0-5.13
 Requires: oci-systemd-hook >= 1:0.1.4-9
-#Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release}
+Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release}
 Requires: xz
 Requires: atomic-registries
 Requires: container-selinux >= 2:2.51-1
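Review bot: Patch5 is the only entry in the patch list without a bug reference, while Patch3 and Patch4 both carry one; the changelog in this commit ties it to #1792243, so `# https://bugzilla.redhat.com/show_bug.cgi?id=1792243` above `Patch5: docker-1792243.patch` keeps the list self-describing and makes the linker-flag change in that patch traceable. The new Patch3 comment is also easy to misread as a URL with stray trailing words; `# no CollectMode property in RHEL7 systemd, related: https://bugzilla.redhat.com/show_bug.cgi?id=1766665` says the same thing unambiguously. In the same hunk, the `%if 0%{?fedora} || 0%{?centos}` branch now builds CentOS with the distro golang and without `openssl-devel`; whether that package was only needed for the go-toolset path is not visible here and is worth stating in a comment beside the `%else`.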
@@ -246,16 +249,16 @@ local volumes defined. In particular, the plugin will block `docker run` with:
 The only thing allowed will be just bind mounts.
-#%package rhel-push-plugin
-#License: GPLv2
-#Summary: Avoids pushing a RHEL-based image to docker.io registry
+%package rhel-push-plugin
+License: GPLv2
+Summary: Avoids pushing a RHEL-based image to docker.io registry
-#%description rhel-push-plugin
-#In order to use this plugin you must be running at least Docker 1.10 which
-#has support for authorization plugins.
+%description rhel-push-plugin
+In order to use this plugin you must be running at least Docker 1.10 which
+has support for authorization plugins.
-#This plugin avoids any RHEL based image to be pushed to the default docker.io
-#registry preventing users to violate the RH subscription agreement.
+This plugin avoids any RHEL based image to be pushed to the default docker.io
+registry preventing users to violate the RH subscription agreement.
 %package lvm-plugin
 License: LGPLv3
@@ -280,7 +283,7 @@ tar zxf %{SOURCE2}
 tar zxf %{SOURCE4}
 # untar rhel-push-plugin
-#tar zxf %{SOURCE5}
+tar zxf %{SOURCE5}
 # untar lvm-plugin
 tar zxf %{SOURCE6}
@@ -325,6 +328,8 @@ cd containerd*
 %patch2 -p1
 cd -
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 %build
 # compile docker-proxy first - otherwise deps in gopath conflict with the others below and this fails. Remove libnetwork libs then.
@@ -346,7 +351,7 @@ pushd _build
 mkdir -p src/%{provider}.%{provider_tld}/{%{name},projectatomic}
 ln -s $(dirs +1 -l) src/%{import_path}
 ln -s $(dirs +1 -l)/%{repo}-novolume-plugin-%{commit_novolume} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin
-# ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
+ ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
 ln -s $(dirs +1 -l)/%{repo}-lvm-plugin-%{commit_lvm} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin
 popd
@@ -355,10 +360,10 @@ pushd $(pwd)/_build/src
 %gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin
 popd
-#export GOPATH=$(pwd)/rhel-push-plugin-%{commit_rhel_push}/Godeps/_workspace:$(pwd)/_build
-#pushd $(pwd)/_build/src
-#%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
-#popd
+export GOPATH=$(pwd)/rhel-push-plugin-%{commit_rhel_push}/Godeps/_workspace:$(pwd)/_build
+pushd $(pwd)/_build/src
+%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
+popd
 export GOPATH=$(pwd)/%{repo}-lvm-plugin-%{commit_lvm}/Godeps/_workspace:$(pwd)/_build
 pushd $(pwd)/_build/src
@@ -381,7 +386,7 @@ export GOPATH=$(pwd)/_build:$(pwd)/vendor
 # build %%{name} manpages
 man/md2man-all.sh
 go-md2man -in %{repo}-novolume-plugin-%{commit_novolume}/man/%{repo}-novolume-plugin.8.md -out %{repo}-novolume-plugin.8
-#go-md2man -in rhel-push-plugin-%{commit_rhel_push}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8
+go-md2man -in rhel-push-plugin-%{commit_rhel_push}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8
 go-md2man -in %{repo}-lvm-plugin-%{commit_lvm}/man/%{repo}-lvm-plugin.8.md -out %{repo}-lvm-plugin.8
 # build %%{name} binary
@@ -546,12 +551,12 @@ install -d %{buildroot}%{_mandir}/man8
 install -p -m 644 %{repo}-novolume-plugin.8 %{buildroot}%{_mandir}/man8
 # install rhel-push-plugin executable, unitfile, socket and man
-#install -d %{buildroot}%{_libexecdir}/%{repo}
-#install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin
-#install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service
-#install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket
-#install -d %{buildroot}%{_mandir}/man8
-#install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8
+install -d %{buildroot}%{_libexecdir}/%{repo}
+install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin
+install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service
+install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket
+install -d %{buildroot}%{_mandir}/man8
+install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8
 # install %%{repo}-lvm-plugin executable, unitfile, socket and man
 install -d %{buildroot}/%{_libexecdir}/%{repo}
@@ -631,14 +636,14 @@ exit 0
 %postun novolume-plugin
 %systemd_postun_with_restart %{name}-novolume-plugin.service
-#%post rhel-push-plugin
-#%systemd_post rhel-push-plugin.service
+%post rhel-push-plugin
+%systemd_post rhel-push-plugin.service
-#%preun rhel-push-plugin
-#%systemd_preun rhel-push-plugin.service
+%preun rhel-push-plugin
+%systemd_preun rhel-push-plugin.service
-#%postun rhel-push-plugin
-#%systemd_postun_with_restart rhel-push-plugin.service
+%postun rhel-push-plugin
+%systemd_postun_with_restart rhel-push-plugin.service
 %posttrans
 # Install a default docker-storage-setup based on kernel version.
@@ -734,12 +739,12 @@ fi
 %{_libexecdir}/%{repo}/%{repo}-novolume-plugin
 %{_unitdir}/%{repo}-novolume-plugin.*
-#%files rhel-push-plugin
-#%license rhel-push-plugin-%{commit_rhel_push}/LICENSE
-#%doc rhel-push-plugin-%{commit_rhel_push}/README.md
-#%{_mandir}/man8/rhel-push-plugin.8.gz
-#%{_libexecdir}/%{repo}/rhel-push-plugin
-#%{_unitdir}/rhel-push-plugin.*
+%files rhel-push-plugin
+%license rhel-push-plugin-%{commit_rhel_push}/LICENSE
+%doc rhel-push-plugin-%{commit_rhel_push}/README.md
+%{_mandir}/man8/rhel-push-plugin.8.gz
+%{_libexecdir}/%{repo}/rhel-push-plugin
+%{_unitdir}/rhel-push-plugin.*
 %files lvm-plugin
 %license %{repo}-lvm-plugin-%{commit_lvm}/LICENSE
@@ -755,6 +760,13 @@ fi
 %{_bindir}/%{name}-v1.10-migrator-*
 %changelog
+* Thu Jan 30 2020 Jindrich Novy - 2:1.13.1-109.gitcccb291
+- use runc sources off 66aedde7 commit in docker-1.13.1-rhel branch (#1793486)
+- use docker sources off cccb291 commit in docker-1.13.1-rhel branch
+- do not use CollectMode systemd property in RHEL7
+- whitelist statx(2) syscall in docker (#1784228)
+- assure thread safety for gpgme library (#1792243)
+
 * Fri Dec 13 2019 Jindrich Novy - 2:1.13.1-108.git4ef4b30
 - bump release to not to clash with RHEL7.8