From cc6bf733b6a1577a45fc1b9132b2dd97b97e2f24 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 17 2017 20:36:22 +0000
Subject: import docker-1.12.5-14.el7
---
diff --git a/.docker.metadata b/.docker.metadata
index afdac95..c61c129 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,7 +1,9 @@
-dfdbd5dacd796d96a81b88b42df9f107a00360e5 SOURCES/30bf0b874ebdda9b8d2a7adf36ce1dcbf5a67f1d.tar.gz
-465cbdbb00c19fca603448fea67bc80d4951a6bc SOURCES/docker-lvm-plugin-bc03b53.tar.gz
-0a34d4a1d429c5c503216b64e7e80d25db8f9529 SOURCES/docker-novolume-plugin-c521254.tar.gz
-d2438acc4ffab212f03f0ec7d1c04ed6b6b59f87 SOURCES/docker-selinux-98617f3.tar.gz
-eb152601b71074ccf2da0c5524a127d085825285 SOURCES/docker-storage-setup-0d53efa.tar.gz
+fef132ee1f672519a219910a809bd141d2a98c64 SOURCES/047e51b797564227b0bf26f3aa448f563bea5c71.tar.gz
+cf725ab452c8786606177979ca0f4470eb3afc58 SOURCES/container-selinux-58209b8.tar.gz
+d735e338ba341bfe9bc47e35ae1940b5b24549d9 SOURCES/containerd-471f03c.tar.gz
+ab20ee7e721a8c02467b482033a499006a8c6320 SOURCES/docker-lvm-plugin-8647404.tar.gz
+24382ff77b251c04672d652758cca2a33cc8c216 SOURCES/docker-novolume-plugin-385ec70.tar.gz
+5b62e3b095cc0a7cc4b198546e2f955100b70f94 SOURCES/docker-storage-setup-6709fe6.tar.gz
 e6466b4cc5fe1343a51676ebb68949eacb26dfb4 SOURCES/rhel-push-plugin-eb9e6be.tar.gz
+5d246c0acb58daba296a01cf097b9c69e56913c8 SOURCES/runc-b8dbc3b.tar.gz
 ea4b3d96c46fccb6781d66a6c53c087b179c80fe SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/.gitignore b/.gitignore
index 91114b6..174346f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,9 @@
-SOURCES/30bf0b874ebdda9b8d2a7adf36ce1dcbf5a67f1d.tar.gz
-SOURCES/docker-lvm-plugin-bc03b53.tar.gz
-SOURCES/docker-novolume-plugin-c521254.tar.gz
-SOURCES/docker-selinux-98617f3.tar.gz
-SOURCES/docker-storage-setup-0d53efa.tar.gz
+SOURCES/047e51b797564227b0bf26f3aa448f563bea5c71.tar.gz
+SOURCES/container-selinux-58209b8.tar.gz
+SOURCES/containerd-471f03c.tar.gz
+SOURCES/docker-lvm-plugin-8647404.tar.gz
+SOURCES/docker-novolume-plugin-385ec70.tar.gz
+SOURCES/docker-storage-setup-6709fe6.tar.gz
 SOURCES/rhel-push-plugin-eb9e6be.tar.gz
+SOURCES/runc-b8dbc3b.tar.gz
 SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
new file mode 100644
index 0000000..937ba38
--- /dev/null
+++ b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
@@ -0,0 +1,111 @@ +From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001 +From: Michael Crosby +Date: Wed, 7 Dec 2016 15:05:51 -0800 +Subject: [PATCH] Set init processes as non-dumpable + +This sets the init processes that join and setup the container's +namespaces as non-dumpable before they setns to the container's pid (or +any other ) namespace. + +This settings is automatically reset to the default after the Exec in +the container so that it does not change functionality for the +applications that are running inside, just our init processes. + +This prevents parent processes, the pid 1 of the container, to ptrace +the init process before it drops caps and other sets LSMs. + +This patch also ensures that the stateDirFD being used is still closed +prior to exec, even though it is set as O_CLOEXEC, because of the order +in the kernel. + +https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 + +The order during the exec syscall is that the process is set back to +dumpable before O_CLOEXEC are processed. 
+ +Signed-off-by: Michael Crosby +--- + libcontainer/init_linux.go | 3 ++- + libcontainer/nsenter/nsexec.c | 5 +++++ + libcontainer/setns_init_linux.go | 7 ++++++- + libcontainer/standard_init_linux.go | 3 +++ + 4 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go +index b1e6762..4043d51 100644 +--- a/libcontainer/init_linux.go ++++ b/libcontainer/init_linux.go +@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error) + switch t { + case initSetns: + return &linuxSetnsInit{ +- config: config, ++ config: config, ++ stateDirFD: stateDirFD, + }, nil + case initStandard: + return &linuxStandardInit{ +diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c +index b93f827..4b5398b 100644 +--- a/libcontainer/nsenter/nsexec.c ++++ b/libcontainer/nsenter/nsexec.c +@@ -408,6 +408,11 @@ void nsexec(void) + if (pipenum == -1) + return; + ++ /* make the process non-dumpable */ ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { ++ bail("failed to set process as non-dumpable"); ++ } ++ + /* Parse all of the netlink configuration. */ + nl_parse(pipenum, &config); + +diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go +index 2a8f345..7f5f182 100644 +--- a/libcontainer/setns_init_linux.go ++++ b/libcontainer/setns_init_linux.go +@@ -5,6 +5,7 @@ package libcontainer + import ( + "fmt" + "os" ++ "syscall" + + "github.com/opencontainers/runc/libcontainer/apparmor" + "github.com/opencontainers/runc/libcontainer/keys" +@@ -16,7 +17,8 @@ import ( + // linuxSetnsInit performs the container's initialization for running a new process + // inside an existing container. 
+ type linuxSetnsInit struct { +- config *initConfig ++ config *initConfig ++ stateDirFD int + } + + func (l *linuxSetnsInit) getSessionRingName() string { +@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error { + if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil { + return err + } ++ // close the statedir fd before exec because the kernel resets dumpable in the wrong order ++ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 ++ syscall.Close(l.stateDirFD) + return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ()) + } +diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go +index 2104f1a..6a65154 100644 +--- a/libcontainer/standard_init_linux.go ++++ b/libcontainer/standard_init_linux.go +@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error { + return newSystemErrorWithCause(err, "init seccomp") + } + } ++ // close the statedir fd before exec because the kernel resets dumpable in the wrong order ++ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 ++ syscall.Close(l.stateDirFD) + if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil { + return newSystemErrorWithCause(err, "exec user process") + } +-- +2.11.0 + diff --git a/SOURCES/daemon.json b/SOURCES/daemon.json new file mode 100644 index 0000000..2556de3 --- /dev/null +++ b/SOURCES/daemon.json @@ -0,0 +1,3 @@ +{ + "live-restore": true +} diff --git a/SOURCES/docker-common.sh b/SOURCES/docker-common.sh index b3e0908..34b1245 100644 --- a/SOURCES/docker-common.sh +++ b/SOURCES/docker-common.sh 
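Review bot: The return value of `syscall.Close(l.stateDirFD)` is discarded in both the setns_init_linux.go and standard_init_linux.go hunks of this patch, so a failed close is silently ignored and the process goes on to exec anyway. Given that the commit message makes closing this descriptor before execve the point of the change (the kernel restores dumpable before it processes O_CLOEXEC), the close deserves an error check like the neighbouring calls: in linuxStandardInit.Init `if err := syscall.Close(l.stateDirFD); err != nil { return newSystemErrorWithCause(err, "close statedir fd") }`, and in linuxSetnsInit.Init the plain `return err` form the surrounding code already uses. Both Init bodies begin before their hunks. The nsexec.c `prctl(PR_SET_DUMPABLE, ...)` addition already bails on failure and needs no change.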
@@ -2,7 +2,13 @@
 . /etc/sysconfig/docker
 [ -e "${DOCKERBINARY}" ] || DOCKERBINARY=/usr/bin/docker-current
 if [ ! -f /usr/bin/docker-current ]; then
- DOCKERBINARY=/usr/bin/docker-latest
+ if [ ! -f /usr/bin/docker-latest ]; then
+ echo "You don't have either docker-client or \
+docker-client-latest installed. Please install either one and retry."
+ exit
+ else
+ DOCKERBINARY=/usr/bin/docker-latest
+ fi
 fi
 if [[ ${DOCKERBINARY} != "/usr/bin/docker-current" && ${DOCKERBINARY} != /usr/bin/docker-latest ]]; then
 echo "DOCKERBINARY has been set to an invalid value:" $DOCKERBINARY
diff --git a/SOURCES/docker-containerd-common.sh b/SOURCES/docker-containerd-common.sh
new file mode 100644
index 0000000..98e041e
--- /dev/null
+++ b/SOURCES/docker-containerd-common.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+. /etc/sysconfig/docker
+[ -e "${DOCKER_CONTAINERD_BINARY}" ] || DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-current
+if [ ! -f /usr/bin/docker-containerd-current ]; then
+ DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest
+fi
+if [[ ${DOCKER_CONTAINERD_BINARY} != "/usr/bin/docker-containerd-current" && ${DOCKER_CONTAINERD_BINARY} != /usr/bin/docker-containerd-latest ]]; then
+ echo "DOCKER_CONTAINERD_BINARY has been set to an invalid value:" $DOCKER_CONTAINERD_BINARY
+ echo ""
+ echo "Please set DOCKER_CONTAINERD_BINARY to /usr/bin/docker-containerd-current or /usr/bin/docker-containerd-latest
+by editing /etc/sysconfig/docker"
+else
+ exec ${DOCKER_CONTAINERD_BINARY} "$@"
+fi
diff --git a/SOURCES/docker-containerd-shim-common.sh b/SOURCES/docker-containerd-shim-common.sh
new file mode 100644
index 0000000..c0e6ba3
--- /dev/null
+++ b/SOURCES/docker-containerd-shim-common.sh
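Review bot: The new missing-binary branch in docker-common.sh ends with a bare `exit`, which returns status 0, and its message is written to stdout, so any script or unit that calls this wrapper observes a successful run even though no docker client was found. The diagnostic should go to stderr and the exit should be a failure: `echo "..." >&2` followed by `exit 1`. The rest of the wrapper, including the exec, lies outside the hunk.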
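Review bot: The new docker-containerd-common.sh wrapper falls back to `/usr/bin/docker-containerd-latest` without checking that it exists, so when neither binary is installed the closing `exec ${DOCKER_CONTAINERD_BINARY} "$@"` dies with an opaque exec error instead of the friendlier diagnostic this same commit adds to docker-common.sh; docker-containerd-shim-common.sh in the next file has the identical shape and the same gap. Mirroring docker-common.sh inside the fallback branch — `if [ ! -f /usr/bin/docker-containerd-latest ]; then echo "neither docker-containerd-current nor docker-containerd-latest is installed" >&2; exit 1; fi` — keeps the three wrappers consistent. Separately, the script is declared `#!/bin/sh` but relies on the bash-only `[[ ... ]]` test, and the final exec leaves `${DOCKER_CONTAINERD_BINARY}` unquoted; `exec "${DOCKER_CONTAINERD_BINARY}" "$@"` is the safer form.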
@@ -0,0 +1,14 @@ +#!/bin/sh +. /etc/sysconfig/docker +[ -e "${DOCKER_CONTAINERD_SHIM_BINARY}" ] || DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-current +if [ ! -f /usr/bin/docker-containerd-shim-current ]; then + DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest +fi +if [[ ${DOCKER_CONTAINERD_SHIM_BINARY} != "/usr/bin/docker-containerd-shim-current" && ${DOCKER_CONTAINERD_SHIM_BINARY} != /usr/bin/docker-containerd-shim-latest ]]; then + echo "DOCKER_CONTAINERD_SHIM_BINARY has been set to an invalid value:" $DOCKER_CONTAINERD_SHIM_BINARY + echo "" + echo "Please set DOCKER_CONTAINERD_SHIM_BINARY to /usr/bin/docker-containerd-shim-current or /usr/bin/docker-containerd-shim-latest +by editing /etc/sysconfig/docker" +else + exec ${DOCKER_CONTAINERD_SHIM_BINARY} "$@" +fi diff --git a/SOURCES/docker.service b/SOURCES/docker.service index 43e0de9..00cf140 100644 --- a/SOURCES/docker.service +++ b/SOURCES/docker.service @@ -12,21 +12,27 @@ EnvironmentFile=-/etc/sysconfig/docker EnvironmentFile=-/etc/sysconfig/docker-storage EnvironmentFile=-/etc/sysconfig/docker-network Environment=GOTRACEBACK=crash -ExecStart=/usr/bin/docker-current daemon \ +Environment=DOCKER_HTTP_HOST_COMPAT=1 +Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin +ExecStart=/usr/bin/dockerd-current \ + --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \ + --default-runtime=docker-runc \ --authorization-plugin=rhel-push-plugin \ --exec-opt native.cgroupdriver=systemd \ + --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \ $OPTIONS \ $DOCKER_STORAGE_OPTIONS \ $DOCKER_NETWORK_OPTIONS \ $ADD_REGISTRY \ $BLOCK_REGISTRY \ $INSECURE_REGISTRY +ExecReload=/bin/kill -s HUP $MAINPID LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity TimeoutStartSec=0 -MountFlags=slave Restart=on-abnormal +MountFlags=slave [Install] WantedBy=multi-user.target diff --git a/SOURCES/docker.sysconfig b/SOURCES/docker.sysconfig index dab5f48..0e23add 100644 
--- a/SOURCES/docker.sysconfig +++ b/SOURCES/docker.sysconfig @@ -1,7 +1,7 @@ # /etc/sysconfig/docker # Modify these options if you want to change the way the docker daemon runs -OPTIONS='--selinux-enabled --log-driver=journald' +OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false' if [ -z "${DOCKER_CERT_PATH}" ]; then DOCKER_CERT_PATH=/etc/docker fi @@ -38,5 +38,7 @@ ADD_REGISTRY='--add-registry registry.access.redhat.com' # # docker-latest daemon can be used by starting the docker-latest unitfile. -# To use docker-latest client, uncomment below line +# To use docker-latest client, uncomment below lines #DOCKERBINARY=/usr/bin/docker-latest +#DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest +#DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest diff --git a/SPECS/docker.spec b/SPECS/docker.spec index 363b1fa..9bca098 100644 --- a/SPECS/docker.spec +++ b/SPECS/docker.spec 
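Review bot: `--signature-verification=false` is added to the shipped default OPTIONS with no comment saying what it switches off, so an administrator reading /etc/sysconfig/docker has no indication that image signature checking is disabled by default or how to turn it back on. A one-line comment above the OPTIONS assignment would cover it, e.g. `# Image signature verification is off by default (rhbz#1406446); drop --signature-verification=false to enforce signatures`. The bug number is the one the spec changelog cites for this change.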
@@ -19,21 +19,26 @@ %global import_path %{provider}.%{provider_tld}/%{project}/%{repo} +%if ! 0%{?gobuild:1} +%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x %{?**}; +%endif + # docker -%global git0 https://github.com/projectatomic/docker -%global commit0 30bf0b874ebdda9b8d2a7adf36ce1dcbf5a67f1d +%global git0 https://github.com/projectatomic/%{repo} +%global commit0 047e51b797564227b0bf26f3aa448f563bea5c71 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # docker_branch used in %%check -%global docker_branch rhel7-1.10.3 +%global docker_branch %{name}-%{version} # docker-selinux %global git1 https://github.com/projectatomic/container-selinux -%global commit1 98617f3f20e14904d890cb6340c9afb08bace332 +# use RHEL-1.12 branch +%global commit1 58209b8325161be11d38898d7d1a3c45101b75e4 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) # d-s-s -%global git2 https://github.com/projectatomic/docker-storage-setup -%global commit2 0d53efa70ad237596a29496076eaf4ae026d3762 +%global git2 https://github.com/projectatomic/%{repo}-storage-setup +%global commit2 6709fe6c6b0d154063799364eb1a944d065bab93 %global shortcommit2 %(c=%{commit2}; echo ${c:0:7}) %global dss_libdir %{_exec_prefix}/lib/%{name}-storage-setup @@ -44,7 +49,7 @@ # docker-novolume-plugin %global git4 https://github.com/projectatomic/%{repo}-novolume-plugin -%global commit4 c5212546ab01b4b7b62caba888d298ab63f53984 +%global commit4 385ec70baac3ef356f868f391c8d7818140fbd44 %global shortcommit4 %(c=%{commit4}; echo ${c:0:7}) # rhel-push-plugin 
@@ -54,9 +59,19 @@ # docker-lvm-plugin %global git6 https://github.com/projectatomic/%{repo}-lvm-plugin -%global commit6 bc03b5354aaa70ee14c482c4a861be08630bb755 +%global commit6 8647404eed561d32835d6bc032b1c330ee31ed5b %global shortcommit6 %(c=%{commit6}; echo ${c:0:7}) +# docker-runc +%global git7 https://github.com/projectatomic/runc +%global commit7 b8dbc3b8e8d868723aec2fd5082e6547ec66cf58 +%global shortcommit7 %(c=%{commit7}; echo ${c:0:7}) + +# docker-containerd +%global git8 https://github.com/projectatomic/containerd +%global commit8 471f03c11413d9ab1523de24d3e79ae3a7b8126e +%global shortcommit8 %(c=%{commit8}; echo ${c:0:7}) + # %%{name}-selinux stuff (prefix with ds_ for version/release etc.) # Some bits borrowed from the openstack-selinux package %global selinuxtype targeted @@ -69,7 +84,7 @@ %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; # Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/%{name} %{_localstatedir}/run/%{name}.sock %{_localstatedir}/run/%{name}.pid %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name} %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/%{name}.service %{_sysconfdir}/%{name} &> /dev/null || : +%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/%{repo}* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/%{repo}.sock %{_localstatedir}/run/%{repo}.pid %{_sysconfdir}/%{repo} %{_localstatedir}/log/%{repo} %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/%{repo}.service %{_unitdir}/%{repo}-containerd.service %{_unitdir}/%{repo}-latest.service %{_unitdir}/%{repo}-latest-containerd.service %{_sysconfdir}/%{repo} %{_libexecdir}/%{repo}* &> /dev/null || : # Version of SELinux we were using %if 0%{?fedora} >= 22 
@@ -80,8 +95,8 @@ Name: %{repo} Epoch: 2 -Version: 1.10.3 -Release: 59%{?dist} +Version: 1.12.5 +Release: 14%{?dist} Summary: Automates deployment of containerized applications License: ASL 2.0 URL: https://%{import_path} @@ -90,11 +105,11 @@ ExclusiveArch: x86_64 # Branch used available at # https://%%{provider}.%%{provider_tld}/projectatomic/%%{name}/commits/rhel7-1.10.3 Source0: %{git0}/archive/%{commit0}.tar.gz -Source1: %{git1}/archive/%{commit1}/%{name}-selinux-%{shortcommit1}.tar.gz -Source2: %{git2}/archive/%{commit2}/%{name}-storage-setup-%{shortcommit2}.tar.gz -Source4: %{git4}/archive/%{commit4}/%{name}-novolume-plugin-%{shortcommit4}.tar.gz +Source1: %{git1}/archive/%{commit1}/container-selinux-%{shortcommit1}.tar.gz +Source2: %{git2}/archive/%{commit2}/%{repo}-storage-setup-%{shortcommit2}.tar.gz +Source4: %{git4}/archive/%{commit4}/%{repo}-novolume-plugin-%{shortcommit4}.tar.gz Source5: %{git5}/archive/%{commit5}/rhel-push-plugin-%{shortcommit5}.tar.gz -Source6: %{git6}/archive/%{commit6}/%{name}-lvm-plugin-%{shortcommit6}.tar.gz +Source6: %{git6}/archive/%{commit6}/%{repo}-lvm-plugin-%{shortcommit6}.tar.gz Source8: %{name}.service Source9: %{name}.sysconfig Source10: %{name}-storage.sysconfig @@ -106,9 +121,16 @@ Source15: README-%{name}-common Source16: %{name}-cleanup.sh Source17: %{git3}/archive/%{commit3}/v1.10-migrator-%{shortcommit3}.tar.gz Source18: v1.10-migrator-helper +Source19: %{git7}/archive/%{commit7}/runc-%{shortcommit7}.tar.gz +Source20: %{git8}/archive/%{commit8}/containerd-%{shortcommit8}.tar.gz +Source21: %{name}-containerd-common.sh +Source22: %{name}-containerd-shim-common.sh +Source23: daemon.json +Patch0: 0001-Set-init-processes-as-non-dumpable.patch BuildRequires: git BuildRequires: glibc-static -BuildRequires: golang >= 1.6.2 +BuildRequires: golang >= 1.7.4 +BuildRequires: gpgme-devel BuildRequires: device-mapper-devel BuildRequires: pkgconfig(audit) BuildRequires: btrfs-progs-devel 
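Review bot: The context comment above Source0 in the second hunk, `# https://%%{provider}.%%{provider_tld}/projectatomic/%%{name}/commits/rhel7-1.10.3`, is now stale: commit0 moves to 047e51b, docker_branch is redefined as `%{name}-%{version}` in an earlier hunk, and the changelog records the branch as docker-1.12.5. Rewriting it as `# https://%%{provider}.%%{provider_tld}/projectatomic/%%{name}/commits/%%{name}-%%{version}` ties it to the same macros the build uses so it cannot drift again on the next rebase.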
@@ -116,7 +138,9 @@ BuildRequires: sqlite-devel BuildRequires: go-md2man >= 1.0.4 BuildRequires: pkgconfig(systemd) BuildRequires: libseccomp-devel +BuildRequires: libassuan-devel Requires: %{name}-common = %{epoch}:%{version}-%{release} +Requires: %{name}-client = %{epoch}:%{version}-%{release} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -125,8 +149,8 @@ Requires: xz Requires: device-mapper-libs >= 7:1.02.97 Requires: subscription-manager Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release} -Requires: oci-register-machine >= 1:0-1.8 -Requires: oci-systemd-hook >= 1:0.1.4-5 +Requires: oci-register-machine >= 1:0-1.11 +Requires: oci-systemd-hook >= 1:0.1.4-8 Provides: lxc-%{name} = %{epoch}:%{version}-%{release} Provides: %{name}-io = %{epoch}:%{version}-%{release} @@ -141,6 +165,9 @@ Requires: xfsprogs # rhbz#1282898 - obsolete docker-storage-setup Obsoletes: %{name}-storage-setup <= 0.0.4-2 +Requires: skopeo-containers +Requires: gnupg + %description Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will @@ -206,6 +233,14 @@ This package contains the common files %{_bindir}/%{name} which will point to %{_bindir}/%{name}-current or %{_bindir}/%{name}-latest configurable via %{_sysconfdir}/sysconfig/%{repo} +%package client +Summary: Client side files for Docker +License: ASL 2.0 +Requires: %{repo}-common + +%description client +%{summary} + %package novolume-plugin URL: %{git4} License: MIT @@ -254,7 +289,7 @@ This plugin can be used to create lvm volumes of specified size, which can then be bind mounted into the container using `docker run` command. %prep -%autosetup -Sgit -n %{name}-%{commit0} +%setup -q -n %{name}-%{commit0} # unpack container-selinux tar zxf %{SOURCE1} 
@@ -296,6 +331,15 @@ cp %{SOURCE15} . # untar v1.10-migrator tar zxf %{SOURCE17} +# untar docker-runc +tar zxf %{SOURCE19} +pushd runc-%{commit7} +%patch0 -p1 +popd + +# untar docker-containerd +tar zxf %{SOURCE20} + %build mkdir _build @@ -307,12 +351,24 @@ pushd _build ln -s $(dirs +1 -l)/%{repo}-lvm-plugin-%{commit6} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin popd +export GOPATH=$(pwd)/%{repo}-novolume-plugin-%{commit4}/Godeps/_workspace:$(pwd)/_build +pushd $(pwd)/_build/src +%gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin +popd + +export GOPATH=$(pwd)/rhel-push-plugin-%{commit5}/Godeps/_workspace:$(pwd)/_build +pushd $(pwd)/_build/src +%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin +popd + +export GOPATH=$(pwd)/%{repo}-lvm-plugin-%{commit6}/vendor:$(pwd)/_build +pushd $(pwd)/_build/src +%gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin +popd + export DOCKER_GITCOMMIT="%{shortcommit0}/%{version}" export DOCKER_BUILDTAGS='selinux seccomp' export GOPATH=$(pwd)/_build:$(pwd)/vendor:%{gopath} -export GOPATH=$GOPATH:$(pwd)/%{repo}-novolume-plugin-%{commit4}/Godeps/_workspace -export GOPATH=$GOPATH:$(pwd)/rhel-push-plugin-%{commit5}/Godeps/_workspace -export GOPATH=$GOPATH:$(pwd)/%{repo}-lvm-plugin-%{commit6}/vendor # build %%{name} manpages man/md2man-all.sh @@ -321,7 +377,6 @@ go-md2man -in rhel-push-plugin-%{commit5}/man/rhel-push-plugin.8.md -out rhel-pu go-md2man -in %{repo}-lvm-plugin-%{commit6}/man/%{repo}-lvm-plugin.8.md -out %{repo}-lvm-plugin.8 # build %%{name} binary -sed -i '/LDFLAGS_STATIC/d' hack/make/.dockerinit IAMSTATIC=false DOCKER_DEBUG=1 hack/make.sh dynbinary cp contrib/syntax/vim/LICENSE LICENSE-vim-syntax cp contrib/syntax/vim/README.md README-vim-syntax.md 
@@ -331,12 +386,6 @@ pushd container-selinux-%{commit1} make SHARE="%{_datadir}" TARGETS="%{modulenames}" popd -pushd $(pwd)/_build/src -go build -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin -go build -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin -go build -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" %{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin -popd - # build v1.10-migrator pushd v1.10-migrator-%{commit3} export GOPATH=$GOPATH:$(pwd)/Godeps/_workspace @@ -344,16 +393,40 @@ sed -i 's/godep //g' Makefile make v1.10-migrator-local popd +# build %%{repo}-runc +pushd runc-%{commit7} +make BUILDTAGS="seccomp selinux" +popd + +# build %%{name}-containerd +pushd _build +ln -s $(dirs +1 -l)/containerd-%{commit8} src/%{provider}.%{provider_tld}/%{repo}/containerd +popd +pushd containerd-%{commit8} +make +popd + %install # install binary install -d %{buildroot}%{_bindir} -install -d %{buildroot}%{_libexecdir}/%{name} +install -d %{buildroot}%{_libexecdir}/%{repo} for x in bundles/latest; do - if ! test -d $x/dynbinary; then + if ! test -d $x/dynbinary-client; then continue fi - install -p -m 755 $x/dynbinary/%{name}-%{version} %{buildroot}%{_bindir}/%{name}-current + rm $x/dynbinary-client/*.{md5,sha256} + install -p -m 755 $x/dynbinary-client/%{repo}-%{version}* %{buildroot}%{_bindir}/%{name}-current + break +done + +for x in bundles/latest; do + if ! test -d $x/dynbinary-daemon; then + continue + fi + rm $x/dynbinary-daemon/*.{md5,sha256} + install -p -m 755 $x/dynbinary-daemon/%{repo}-proxy-* %{buildroot}%{_libexecdir}/%{repo}/%{repo}-proxy-current + install -p -m 755 $x/dynbinary-daemon/%{repo}d-* %{buildroot}%{_bindir}/%{repo}d-current break done 
@@ -446,25 +519,18 @@ ln -s %{_sysconfdir}/rhsm/ca/redhat-uep.pem %{buildroot}/%{_sysconfdir}/%{name}/ # install %%{name} config directory install -dp %{buildroot}%{_sysconfdir}/%{name}/ +install -p -m 644 %{SOURCE23} %{buildroot}%{_sysconfdir}/%{name}/daemon.json # install %%{name}-storage-setup pushd %{name}-storage-setup-%{commit2} -install -d %{buildroot}%{_bindir} -install -p -m 755 %{name}-storage-setup.sh %{buildroot}%{_bindir}/%{name}-storage-setup -install -d %{buildroot}%{_unitdir} -install -p -m 644 %{name}-storage-setup.service %{buildroot}%{_unitdir} -install -d %{buildroot}%{dss_libdir} -install -p -m 644 %{name}-storage-setup.conf %{buildroot}%{dss_libdir}/%{name}-storage-setup -install -p -m 755 libdss.sh %{buildroot}%{dss_libdir} -install -d %{buildroot}%{_sysconfdir}/sysconfig -install -p -m 644 %{name}-storage-setup-override.conf %{buildroot}%{_sysconfdir}/sysconfig/%{name}-storage-setup -install -d %{buildroot}%{_mandir}/man1 -install -p -m 644 %{name}-storage-setup.1 %{buildroot}%{_mandir}/man1 +make install DESTDIR=%{buildroot} popd -# install %%{_bindir}/%{name} +# install %%{_bindir}/%%{name} install -d %{buildroot}%{_bindir} install -p -m 755 %{SOURCE14} %{buildroot}%{_bindir}/%{name} +install -p -m 755 %{SOURCE21} %{buildroot}%{_bindir}/%{name}-containerd +install -p -m 755 %{SOURCE22} %{buildroot}%{_bindir}/%{name}-containerd-shim # install novolume-plugin executable, unitfile, socket and man install -d %{buildroot}/%{_libexecdir}/%{repo} 
@@ -497,12 +563,21 @@ install -p -m 700 v1.10-migrator-%{commit3}/v1.10-migrator-local %{buildroot}%{_ # install v1.10-migrator-helper install -p -m 700 %{SOURCE18} %{buildroot}%{_bindir}/%{name}-v1.10-migrator-helper +# install docker-runc +install -d %{buildroot}%{_libexecdir}/%{repo} +install -p -m 755 runc-%{commit7}/runc %{buildroot}%{_libexecdir}/%{repo}/%{repo}-runc-current + +#install docker-containerd +install -p -m 755 containerd-%{commit8}/bin/containerd %{buildroot}%{_bindir}/%{repo}-containerd-current +install -p -m 755 containerd-%{commit8}/bin/containerd-shim %{buildroot}%{_bindir}/%{repo}-containerd-shim-current +install -p -m 755 containerd-%{commit8}/bin/ctr %{buildroot}%{_bindir}/%{repo}-ctr-current + %check [ ! -w /run/%{name}.sock ] || { mkdir test_dir pushd test_dir - git clone https://github.com/projectatomic/docker.git -b %{docker_branch} - pushd %{name} + git clone https://%{provider}.%{provider_tld}/projectatomic/%{repo}.git -b %{docker_branch} + pushd %{repo} make test popd popd @@ -518,7 +593,10 @@ exit 0 %post -n container-selinux # Install all modules in a single transaction %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 -%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES -X 100 -r %{repo} -X 200 -r %{repo} -X 400 -r %{repo} > /dev/null +%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null +%{_sbindir}/semodule -n -s %{selinuxtype} -d %{repo} 2> /dev/null +%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null +%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy %relabel_files 
@@ -550,11 +628,15 @@ fi %doc AUTHORS CHANGELOG.md CONTRIBUTING.md MAINTAINERS NOTICE README*.md %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-* %dir %{_sysconfdir}/%{name} +%{_bindir}/%{name}d-current +%{_bindir}/%{name}-storage-setup +%{_bindir}/%{name}-containerd-current +%{_bindir}/%{name}-containerd-shim-current +%{_bindir}/%{name}-ctr-current %{_sysconfdir}/%{name}/certs.d %{_mandir}/man1/%{name}*.1.gz %{_mandir}/man5/*.5.gz -%{_mandir}/man8/%{name}-daemon.8.gz -%{_bindir}/%{name}-* +%{_mandir}/man8/%{name}d.8.gz %dir %{_datadir}/rhel %{_datadir}/rhel/* %{_unitdir}/%{name}.service @@ -574,6 +656,11 @@ fi %{_datadir}/zsh/site-functions/_%{name} %dir %{dss_libdir} %{dss_libdir}/* +# 1.12 specific +%dir %{_libexecdir}/%{repo} +%{_libexecdir}/%{repo}/%{repo}-runc-current +%{_libexecdir}/%{repo}/%{repo}-proxy-current +#%%{_unitdir}/%%{repo}-containerd.service %if 0%{?with_unit_test} %files unit-test @@ -590,10 +677,18 @@ fi %files common %doc README-%{name}-common -%{_bindir}/%{name} %config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%config(noreplace) %{_sysconfdir}/%{name}/daemon.json +%{_bindir}/%{name} +%{_bindir}/%{name}-containerd +%{_bindir}/%{name}-containerd-shim +%dir %{_libexecdir}/%{repo} %{_sysconfdir}/cron.hourly/%{name}-cleanup +%files client +%license LICENSE* +%{_bindir}/%{name}-current + %files novolume-plugin %license %{repo}-novolume-plugin-%{commit4}/LICENSE %doc %{repo}-novolume-plugin-%{commit4}/README.md 
@@ -622,6 +717,148 @@ fi %{_bindir}/%{name}-v1.10-migrator-* %changelog +* Wed Jan 11 2017 Lokesh Mandvekar - 2:1.12.5-14 +- reference correct container-selinux commit id (58209b8) +in 2:1.12.5-13 changelog + +* Wed Jan 11 2017 Lokesh Mandvekar - 2:1.12.5-13 +- Resolves: #1412385 - SELinux issues +- built container-selinux origin/RHEL-1.12 commit 58209b8 + +* Tue Jan 10 2017 Lokesh Mandvekar - 2:1.12.5-12 +- relabel docker-latest unitfiles as well + +* Tue Jan 10 2017 Lokesh Mandvekar - 2:1.12.5-11 +- enforce min version-release for oci-register-machine and oci-systemd-hook + +* Tue Jan 10 2017 Lokesh Mandvekar - 2:1.12.5-10 +- Resolves: #1409706 - *CVE-2016-9962* - set init processes as non-dumpable, +runc patch from Michael Crosby + +* Thu Jan 05 2017 Lokesh Mandvekar - 2:1.12.5-9 +- Resolves: #1403264 - friendlier error message if no /usr/bin/docker-current +or /usr/bin/docker-latest found. +- Resolves: #1410434 - fix panic on push +- built docker @projectatomic/docker-1.12.5 commit 047e51b +- built container-selinux commit a85092b +- built d-s-s commit 6709fe6 +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit 8647404 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 471f03c + +* Wed Dec 21 2016 Dan Walsh - 2:1.12.5-8 +- Fix handling of container-selinux update and relabel +- Resolves: #1404372, #1395401, #1368092, #1405464, #1400372, #1381929, +- Resolves: #1351609, #1404298, #1368426, #1399398, #1244300, #1374514, +- Resolves: #1400228, #1405306, #1405888, #1403270 + +* Tue Dec 20 2016 Lokesh Mandvekar - 2:1.12.5-7 +- remove DOCKER_PROXY_BINARY env var + +* Tue Dec 20 2016 Lokesh Mandvekar - 2:1.12.5-6 +- version-release consistent with docker-latest + +* Tue Dec 20 2016 Lokesh Mandvekar - 2:1.12.5-5 +- Resolves: #1406460 - add --userland-proxy-path option to unitfile +- Resolves: #1406446 - add --signature-verification=false to 
$OPTIONS in +/etc/sysconfig/docker + +* Mon Dec 19 2016 Lokesh Mandvekar - 2:1.12.5-4 +- Resolves: #1405989 +- 
From: Jan Pazdziora + +* Fri Dec 16 2016 Lokesh Mandvekar - 2:1.12.5-3 +- built docker @projectatomic/docker-1.12.5 commit 6009905 +- built container-selinux commit a85092b +- built d-s-s commit b7175b4 +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 471f03c + +* Fri Dec 16 2016 Lokesh Mandvekar - 2:1.12.5-2 +- built docker @projectatomic/docker-1.12.5 commit 6009905 +- built container-selinux commit a85092b +- built d-s-s commit b7175b4 +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 471f03c + +* Fri Dec 16 2016 Lokesh Mandvekar - 2:1.12.5-1 +- built docker @projectatomic/docker-1.12.5 commit 6009905 +- built container-selinux commit a85092b +- built d-s-s commit b7175b4 +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 471f03c + +* Tue Dec 13 2016 Lokesh Mandvekar - 2:1.12.4-3 +- docker requires docker-client + +* Tue Dec 13 2016 Lokesh Mandvekar - 2:1.12.4-2 +- built docker @projectatomic/docker-1.12.4 commit 1b5971a +- built container-selinux commit cc14935 +- built d-s-s commit 0d53efa +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 471f03c + +* Tue Dec 13 2016 Lokesh Mandvekar - 2:1.12.4-1 +- Resolves: #1403264 - packaging fixes (from runcom@redhat.com) +- Resolves: #1403843 - disable any existing gear modules 
(from +dwalsh@redhat.com) +- built docker @projectatomic/docker-1.12.4 commit 1b5971a +- built container-selinux commit cc14935 +- built d-s-s commit 0d53efa +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 471f03c + +* Mon Dec 12 2016 Lokesh Mandvekar - 2:1.12.3-11 +- Resolves: #1403370 - fix relabeling of /usr/bin/docker* +- built docker @projectatomic/docker-1.12.3 commit 0423d89 +- built container-selinux commit 554f844 +- built d-s-s commit 0d53efa +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 9f45393 + +* Thu Dec 08 2016 Lokesh Mandvekar - 2:1.12.3-10 +- move docker-proxy to /usr/libexec/docker/ +- append '-current' to files inside /usr/libexec/docker/ + +* Wed Dec 07 2016 Lokesh Mandvekar - 2:1.12.3-9 +- Resolves: #1402677 - create a docker-client subpackage +- built docker @projectatomic/docker-1.12.3 commit 3abc089 +- built container-selinux commit bdad20c +- built d-s-s commit 0d53efa +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit d918081 +- built docker-runc commit b8dbc3b +- built docker-containerd commit 9f45393 + * Sat Nov 19 2016 Lokesh Mandvekar - 2:1.10.3-59 - correct typo