diff --git a/.docker-latest.metadata b/.docker-latest.metadata
index 82fd783..34a817e 100644
--- a/.docker-latest.metadata
+++ b/.docker-latest.metadata
@@ -1,5 +1,5 @@
 d735e338ba341bfe9bc47e35ae1940b5b24549d9 SOURCES/containerd-471f03c.tar.gz
-fef132ee1f672519a219910a809bd141d2a98c64 SOURCES/docker-047e51b.tar.gz
-5b62e3b095cc0a7cc4b198546e2f955100b70f94 SOURCES/docker-storage-setup-6709fe6.tar.gz
-5d246c0acb58daba296a01cf097b9c69e56913c8 SOURCES/runc-b8dbc3b.tar.gz
+14b58c710ef1134fe96e5ff367a4daa6a3f3a3cd SOURCES/docker-96d83a5.tar.gz
+d8264a0060813849dd72d491758e9ff7d94d4951 SOURCES/docker-storage-setup-f7a3746.tar.gz
+857a84a3876e729919fc46424709ce5dc774b6f0 SOURCES/runc-81b2542.tar.gz
 ea4b3d96c46fccb6781d66a6c53c087b179c80fe SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/.gitignore b/.gitignore
index a18c1b3..00e03ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 SOURCES/containerd-471f03c.tar.gz
-SOURCES/docker-047e51b.tar.gz
-SOURCES/docker-storage-setup-6709fe6.tar.gz
-SOURCES/runc-b8dbc3b.tar.gz
+SOURCES/docker-96d83a5.tar.gz
+SOURCES/docker-storage-setup-f7a3746.tar.gz
+SOURCES/runc-81b2542.tar.gz
 SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
deleted file mode 100644
index 937ba38..0000000
--- a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001 -From: Michael Crosby -Date: Wed, 7 Dec 2016 15:05:51 -0800 -Subject: [PATCH] Set init processes as non-dumpable - -This sets the init processes that join and setup the container's -namespaces as non-dumpable before they setns to the container's pid (or -any other ) namespace. - -This settings is automatically reset to the default after the Exec in -the container so that it does not change functionality for the -applications that are running inside, just our init processes. - -This prevents parent processes, the pid 1 of the container, to ptrace -the init process before it drops caps and other sets LSMs. - -This patch also ensures that the stateDirFD being used is still closed -prior to exec, even though it is set as O_CLOEXEC, because of the order -in the kernel. - -https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 - -The order during the exec syscall is that the process is set back to -dumpable before O_CLOEXEC are processed. 
- -Signed-off-by: Michael Crosby ---- - libcontainer/init_linux.go | 3 ++- - libcontainer/nsenter/nsexec.c | 5 +++++ - libcontainer/setns_init_linux.go | 7 ++++++- - libcontainer/standard_init_linux.go | 3 +++ - 4 files changed, 16 insertions(+), 2 deletions(-) - -diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go -index b1e6762..4043d51 100644 ---- a/libcontainer/init_linux.go -+++ b/libcontainer/init_linux.go -@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error) - switch t { - case initSetns: - return &linuxSetnsInit{ -- config: config, -+ config: config, -+ stateDirFD: stateDirFD, - }, nil - case initStandard: - return &linuxStandardInit{ -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index b93f827..4b5398b 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -408,6 +408,11 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* make the process non-dumpable */ -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { -+ bail("failed to set process as non-dumpable"); -+ } -+ - /* Parse all of the netlink configuration. */ - nl_parse(pipenum, &config); - -diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go -index 2a8f345..7f5f182 100644 ---- a/libcontainer/setns_init_linux.go -+++ b/libcontainer/setns_init_linux.go -@@ -5,6 +5,7 @@ package libcontainer - import ( - "fmt" - "os" -+ "syscall" - - "github.com/opencontainers/runc/libcontainer/apparmor" - "github.com/opencontainers/runc/libcontainer/keys" -@@ -16,7 +17,8 @@ import ( - // linuxSetnsInit performs the container's initialization for running a new process - // inside an existing container. 
- type linuxSetnsInit struct { -- config *initConfig -+ config *initConfig -+ stateDirFD int - } - - func (l *linuxSetnsInit) getSessionRingName() string { -@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error { - if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil { - return err - } -+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order -+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 -+ syscall.Close(l.stateDirFD) - return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ()) - } -diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go -index 2104f1a..6a65154 100644 ---- a/libcontainer/standard_init_linux.go -+++ b/libcontainer/standard_init_linux.go -@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error { - return newSystemErrorWithCause(err, "init seccomp") - } - } -+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order -+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 -+ syscall.Close(l.stateDirFD) - if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil { - return newSystemErrorWithCause(err, "exec user process") - } --- -2.11.0 - diff --git a/SOURCES/docker-latest.service b/SOURCES/docker-latest.service index efc4cfb..d59ca00 100644 --- a/SOURCES/docker-latest.service +++ b/SOURCES/docker-latest.service @@ -3,6 +3,7 @@ Description=Docker Application Container Engine Documentation=http://docs.docker.com After=network.target rhel-push-plugin.socket Wants=docker-latest-storage-setup.service +Requires=rhel-push-plugin.socket [Service] Type=notify 
@@ -16,6 +17,7 @@ Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin ExecStart=/usr/bin/dockerd-latest \ --add-runtime docker-runc=/usr/libexec/docker/docker-runc-latest \ --default-runtime=docker-runc \ + --authorization-plugin=rhel-push-plugin \ --exec-opt native.cgroupdriver=systemd \ --userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \ -g /var/lib/docker-latest \ diff --git a/SOURCES/docker-latest.sysconfig b/SOURCES/docker-latest.sysconfig index 970bbe7..740654e 100644 --- a/SOURCES/docker-latest.sysconfig +++ b/SOURCES/docker-latest.sysconfig @@ -8,7 +8,7 @@ DOCKER_CERT_PATH=/etc/docker # pull use the #ADD_REGISTRY option to list a set of registries, each prepended # with --add-registry flag. The first registry added will be the first registry # searched. -#ADD_REGISTRY='--add-registry registry.access.redhat.com' +ADD_REGISTRY='--add-registry registry.access.redhat.com' # If you want to block registries from being used, uncomment the BLOCK_REGISTRY # option and give it a set of registries, each prepended with --block-registry diff --git a/SPECS/docker-latest.spec b/SPECS/docker-latest.spec index 77dfd9d..8209692 100644 --- a/SPECS/docker-latest.spec +++ b/SPECS/docker-latest.spec 
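Review bot: The new `--authorization-plugin=rhel-push-plugin` line is a hard security control with no explanation in the unit, so a later edit could drop or reorder it without understanding that every API request is then left unfiltered. Because the flag is baked into ExecStart rather than read from the sysconfig, it apparently cannot be switched off by an operator-supplied option, which looks intentional and deserves a comment above ExecStart such as `# rhel-push-plugin authorizes every API request; it is mandatory, which is why the unit Requires= its socket`. I cannot tell from this hunk how dockerd behaves if the plugin socket disappears after start-up; if requests are not refused (fail closed) in that case, Requires= alone does not give the guarantee the comment would promise, so that is worth confirming. The ExecStart line continues beyond the end of the hunk.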
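Review bot: Enabling `ADD_REGISTRY='--add-registry registry.access.redhat.com'` by default changes how every unqualified image name is resolved, but the comment above it still reads as instructions for an opt-in setting. As far as I recall the projectatomic `--add-registry` semantics, an unqualified name that is absent from the added registry falls through to the next registry in the search order, so a typo or squatted name can quietly pull from somewhere else; the comment should state the order explicitly and point to `BLOCK_REGISTRY` for pinning, e.g. `# Enabled by default: unqualified names are looked up on registry.access.redhat.com first.` Note that the spec re-comments this line for CentOS builds, so the shipped default differs per distribution and the comment should say which one applies.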
@@ -28,19 +28,19 @@ # macros for 'docker' package VR %global docker_epoch 2 -%global docker_ver 1.12.5 -%global docker_rel 14 +%global docker_ver 1.12.6 +%global docker_rel 11 # docker %global git0 https://github.com/projectatomic/%{repo} -%global commit0 047e51b797564227b0bf26f3aa448f563bea5c71 +%global commit0 96d83a5ff6ec0eb9bb7b45192c3048fd3aef5e21 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # docker_branch used in %%check -%global docker_branch docker-1.12.5 +%global docker_branch docker-1.12.6 # d-s-s %global git1 https://github.com/projectatomic/%{repo}-storage-setup/ -%global commit1 6709fe6c6b0d154063799364eb1a944d065bab93 +%global commit1 f7a37469b09b841e630f06e4c149fae345f66fbd %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %global dss_libdir %{_exec_prefix}/lib/%{name}-storage-setup @@ -53,7 +53,7 @@ # docker-runc %global git8 https://github.com/projectatomic/runc -%global commit8 b8dbc3b8e8d868723aec2fd5082e6547ec66cf58 +%global commit8 81b254244390bc636b20c87c34a3d9e1a8645069 %global shortcommit8 %(c=%{commit8}; echo ${c:0:7}) # docker-containerd @@ -61,16 +61,9 @@ %global commit9 471f03c11413d9ab1523de24d3e79ae3a7b8126e %global shortcommit9 %(c=%{commit9}; echo ${c:0:7}) -# Version of SELinux -%if 0%{?fedora} >= 22 -%global selinux_policyver 3.13.1-119 -%else -%global selinux_policyver 3.13.1-97 -%endif - Name: %{repo}-latest -Version: 1.12.5 -Release: 14%{?dist} +Version: 1.12.6 +Release: 11%{?dist} Summary: Automates deployment of containerized applications License: ASL 2.0 URL: https://%{provider}.%{provider_tld}/projectatomic/%{repo} @@ -89,7 +82,6 @@ Source9: README.%{name}-logrotate Source10: %{name}-network.sysconfig Source11: %{git8}/archive/%{commit8}/runc-%{shortcommit8}.tar.gz Source12: %{git9}/archive/%{commit9}/containerd-%{shortcommit9}.tar.gz -Patch0: 0001-Set-init-processes-as-non-dumpable.patch #Source13: %%{repo}-containerd.service BuildRequires: git BuildRequires: glibc-static 
@@ -105,15 +97,12 @@ BuildRequires: libassuan-devel BuildRequires: pkgconfig(systemd) Requires: device-mapper-libs >= 7:1.02.97 -# RE: rhbz#1195804 - ensure min NVR for selinux-policy -Requires(pre): selinux-policy >= %{selinux_policyver} - -Requires(pre): container-selinux >= %{docker_epoch}:%{docker_ver}-%{docker_rel} +Requires(pre): container-selinux >= 2:2.9-4 Requires: %{repo}-common >= %{docker_epoch}:%{docker_ver}-%{docker_rel} Requires: %{repo}-client-latest = %{version}-%{release} -#Requires: %{repo}-rhel-push-plugin >= %{docker_epoch}:%{docker_ver}-%{docker_rel} +Requires: %{repo}-rhel-push-plugin >= %{docker_epoch}:%{docker_ver}-%{docker_rel} Requires: oci-register-machine >= 1:0-1.11 -Requires: oci-systemd-hook >= 1:0.1.4-8 +Requires: oci-systemd-hook >= 1:0.1.4-9 Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -198,9 +187,9 @@ Requires: %{repo}-common cp %{SOURCE9} . # rhel debranding for centos -#%if 0%{?centos} -#sed -i 's/ADD_REGISTRY/#ADD_REGISTRY/' %{SOURCE6} -#%endif +%if 0%{?centos} +sed -i 's/ADD_REGISTRY/#ADD_REGISTRY/' %{SOURCE6} +%endif # untar d-s-s tar zxf %{SOURCE1} @@ -217,11 +206,8 @@ tar zxf %{SOURCE2} # untar docker-runc tar zxf %{SOURCE11} -pushd runc-%{commit8} -%patch0 -p1 -popd -## untar docker-containerd +# untar docker-containerd tar zxf %{SOURCE12} # docker-containerd unitfile 
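Review bot: `Requires(pre): selinux-policy >= %{selinux_policyver}` and its rhbz#1195804 rationale are dropped while `container-selinux >= 2:2.9-4` is raised, but nothing records that the selinux-policy floor is now expected to arrive transitively through container-selinux. If that package does not itself pull a recent enough selinux-policy, this package becomes installable on a host whose policy lacks the container domains the bug was about, which silently weakens confinement. I would keep the history in a one-line comment next to the new line: `# rhbz#1195804 - min selinux-policy now comes via container-selinux >= 2:2.9-4`. The preamble continues on both sides of this hunk.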
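Review bot: The re-enabled CentOS debranding `sed -i 's/ADD_REGISTRY/#ADD_REGISTRY/' %{SOURCE6}` is unanchored, so it rewrites every occurrence in the sysconfig, including the explanatory `# pull use the #ADD_REGISTRY option` comment, which becomes `##ADD_REGISTRY`. Anchoring it, `sed -i 's/^ADD_REGISTRY/#ADD_REGISTRY/' %{SOURCE6}`, comments out only the assignment and leaves the documentation intact. The sed also succeeds without doing anything if the assignment line ever changes shape, so a follow-up `grep -q '^#ADD_REGISTRY=' %{SOURCE6}` would make the build fail instead of shipping a CentOS package that silently keeps the Red Hat registry enabled.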
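Review bot: Dropping `%patch0 -p1` (and deleting the "Set init processes as non-dumpable" patch from SOURCES) is only safe if the bumped runc commit 81b2542 already carries that hardening, and neither this hunk nor the changelog says so. The patch is the ptrace defence that stops the container's pid 1 from attaching to the runc init process before it drops capabilities and applies LSM labels, the fix generally tracked as CVE-2016-9962, so reintroducing the gap would be a container-escape class regression. I would add `# non-dumpable init fix (CVE-2016-9962) is upstream in runc 81b2542, Patch0 dropped` above `tar zxf %{SOURCE11}` and name it in the changelog; if the commit turns out not to include it, the patch has to stay.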
@@ -341,11 +327,11 @@ install -p contrib/udev/80-%{repo}.rules %{buildroot}%{_udevrulesdir}/80-%{name} install -d %{buildroot}%{_sharedstatedir}/%{name} # install secret patch directory -#install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets +install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets # rhbz#1110876 - update symlinks for subscription management -#ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement -#ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm -#ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo +ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement +ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm +ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo mkdir -p %{buildroot}%{_sysconfdir}/%{name}/certs.d/redhat.{com,io} ln -s %{_sysconfdir}/rhsm/ca/redhat-uep.pem %{buildroot}%{_sysconfdir}/%{name}/certs.d/redhat.com/redhat-ca.crt @@ -455,8 +441,8 @@ exit 0 %{_unitdir}/%{name}.service %{_unitdir}/%{name}-storage-setup.service %{_datadir}/bash-completion/completions/%{name} -#%dir %{_datadir}/rhel -#%{_datadir}/rhel/* +%dir %{_datadir}/rhel +%{_datadir}/rhel/* %dir %{_sharedstatedir}/%{name} %{_udevrulesdir}/80-%{name}.rules %{_sysconfdir}/%{name} 
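Review bot: The re-enabled `ln -s` lines publish `/etc/pki/entitlement`, `/etc/rhsm` and `redhat.repo` under `%{_datadir}/rhel/secrets` unconditionally, while the rest of this spec guards Red Hat-specific behaviour with `%if 0%{?centos}`; on a CentOS build those targets normally do not exist, so the package ships dangling links. The `-m 750` on the directory only limits who can list it on the host: whatever gets this directory mounted as a secrets source dereferences the links and reads the host's entitlement certificates and private keys, and the spec does not say which consumer that is. I would wrap the three `ln -s` lines in `%if !0%{?centos}` … `%endif` (with the matching guard in `%files`) and add `# these links expose host subscription credentials to containers that mount the secrets dir` above `install -d`. The %install section continues on both sides of the hunk.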
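Review bot: `%{_datadir}/rhel/*` packages the secrets directory with whatever mode `install -d -m 750` left in the buildroot, so the restrictive permission exists only as a side effect of %install and is easy to lose in a later `%defattr` change. Stating it in `%files`, `%attr(750,root,root) %dir %{_datadir}/rhel/secrets`, documents the intent where packagers look for it. The %files list continues outside the hunk.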
@@ -503,9 +489,40 @@ exit 0 %endif # with_migrator %changelog -* Mon Jan 23 2017 Johnny Hughes - 1.12.5-14 -- Manual CentOS Debranding - +* Thu Feb 23 2017 Lokesh Mandvekar - 1.12.6-11 +- built docker @projectatomic/docker-1.12.6 commit 96d83a5 + +* Tue Feb 21 2017 Lokesh Mandvekar - 1.12.6-10 +- version-release consistent with docker + +* Tue Feb 21 2017 Lokesh Mandvekar - 1.12.6-9 +- built docker @projectatomic/docker-1.12.6 commit 7f3e2af +- require container-selinux >= 2:2.9-4 + +* Mon Feb 20 2017 Lokesh Mandvekar - 1.12.6-8 +- keep version-release consistent with docker + +* Mon Feb 20 2017 Lokesh Mandvekar - 1.12.6-7 +- require container-selinux >= 2:2.9-3 +- keep version-release consistent with docker + +* Tue Feb 14 2017 Lokesh Mandvekar - 1.12.6-4 +- keep version-release consistent with docker + +* Mon Feb 13 2017 Lokesh Mandvekar - 1.12.6-3 +- requires: container-selinux >= 2:2.9-1 + +* Tue Feb 07 2017 Lokesh Mandvekar - 1.12.6-2 +- Resolves: #1420094 - update to latest 1.12.6 + projectatomic patches +- built docker @projectatomic/docker-1.12.6 commit dfc4aea +- built d-s-s commit f7a3746 +- built v1.10-migrator commit c417a6a +- built docker-runc commit 81b2542 +- built docker-containerd commit 471f03c + +* Thu Jan 12 2017 Lokesh Mandvekar - 1.12.5-15 +- use oci-systemd-hook >= 1:0.1.4-9 + * Wed Jan 11 2017 Lokesh Mandvekar - 1.12.5-14 - keep version-release consistent with docker