diff --git a/.docker.metadata b/.docker.metadata
index c61c129..aaf7132 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,9 +1,8 @@
-fef132ee1f672519a219910a809bd141d2a98c64 SOURCES/047e51b797564227b0bf26f3aa448f563bea5c71.tar.gz
-cf725ab452c8786606177979ca0f4470eb3afc58 SOURCES/container-selinux-58209b8.tar.gz
+14b58c710ef1134fe96e5ff367a4daa6a3f3a3cd SOURCES/96d83a5ff6ec0eb9bb7b45192c3048fd3aef5e21.tar.gz
 d735e338ba341bfe9bc47e35ae1940b5b24549d9 SOURCES/containerd-471f03c.tar.gz
 ab20ee7e721a8c02467b482033a499006a8c6320 SOURCES/docker-lvm-plugin-8647404.tar.gz
 24382ff77b251c04672d652758cca2a33cc8c216 SOURCES/docker-novolume-plugin-385ec70.tar.gz
-5b62e3b095cc0a7cc4b198546e2f955100b70f94 SOURCES/docker-storage-setup-6709fe6.tar.gz
-e6466b4cc5fe1343a51676ebb68949eacb26dfb4 SOURCES/rhel-push-plugin-eb9e6be.tar.gz
-5d246c0acb58daba296a01cf097b9c69e56913c8 SOURCES/runc-b8dbc3b.tar.gz
+d8264a0060813849dd72d491758e9ff7d94d4951 SOURCES/docker-storage-setup-f7a3746.tar.gz
+b73afe2810c735395f2d4d56dc939dbff76c0ddf SOURCES/rhel-push-plugin-70653ed.tar.gz
+857a84a3876e729919fc46424709ce5dc774b6f0 SOURCES/runc-81b2542.tar.gz
 ea4b3d96c46fccb6781d66a6c53c087b179c80fe SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/.gitignore b/.gitignore
index 174346f..41a50af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,8 @@
-SOURCES/047e51b797564227b0bf26f3aa448f563bea5c71.tar.gz
-SOURCES/container-selinux-58209b8.tar.gz
+SOURCES/96d83a5ff6ec0eb9bb7b45192c3048fd3aef5e21.tar.gz
 SOURCES/containerd-471f03c.tar.gz
 SOURCES/docker-lvm-plugin-8647404.tar.gz
 SOURCES/docker-novolume-plugin-385ec70.tar.gz
-SOURCES/docker-storage-setup-6709fe6.tar.gz
-SOURCES/rhel-push-plugin-eb9e6be.tar.gz
-SOURCES/runc-b8dbc3b.tar.gz
+SOURCES/docker-storage-setup-f7a3746.tar.gz
+SOURCES/rhel-push-plugin-70653ed.tar.gz
+SOURCES/runc-81b2542.tar.gz
 SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
deleted file mode 100644
index 937ba38..0000000
--- a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001 -From: Michael Crosby -Date: Wed, 7 Dec 2016 15:05:51 -0800 -Subject: [PATCH] Set init processes as non-dumpable - -This sets the init processes that join and setup the container's -namespaces as non-dumpable before they setns to the container's pid (or -any other ) namespace. - -This settings is automatically reset to the default after the Exec in -the container so that it does not change functionality for the -applications that are running inside, just our init processes. - -This prevents parent processes, the pid 1 of the container, to ptrace -the init process before it drops caps and other sets LSMs. - -This patch also ensures that the stateDirFD being used is still closed -prior to exec, even though it is set as O_CLOEXEC, because of the order -in the kernel. - -https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 - -The order during the exec syscall is that the process is set back to -dumpable before O_CLOEXEC are processed. 
- -Signed-off-by: Michael Crosby ---- - libcontainer/init_linux.go | 3 ++- - libcontainer/nsenter/nsexec.c | 5 +++++ - libcontainer/setns_init_linux.go | 7 ++++++- - libcontainer/standard_init_linux.go | 3 +++ - 4 files changed, 16 insertions(+), 2 deletions(-) - -diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go -index b1e6762..4043d51 100644 ---- a/libcontainer/init_linux.go -+++ b/libcontainer/init_linux.go -@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error) - switch t { - case initSetns: - return &linuxSetnsInit{ -- config: config, -+ config: config, -+ stateDirFD: stateDirFD, - }, nil - case initStandard: - return &linuxStandardInit{ -diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c -index b93f827..4b5398b 100644 ---- a/libcontainer/nsenter/nsexec.c -+++ b/libcontainer/nsenter/nsexec.c -@@ -408,6 +408,11 @@ void nsexec(void) - if (pipenum == -1) - return; - -+ /* make the process non-dumpable */ -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) { -+ bail("failed to set process as non-dumpable"); -+ } -+ - /* Parse all of the netlink configuration. */ - nl_parse(pipenum, &config); - -diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go -index 2a8f345..7f5f182 100644 ---- a/libcontainer/setns_init_linux.go -+++ b/libcontainer/setns_init_linux.go -@@ -5,6 +5,7 @@ package libcontainer - import ( - "fmt" - "os" -+ "syscall" - - "github.com/opencontainers/runc/libcontainer/apparmor" - "github.com/opencontainers/runc/libcontainer/keys" -@@ -16,7 +17,8 @@ import ( - // linuxSetnsInit performs the container's initialization for running a new process - // inside an existing container. 
- type linuxSetnsInit struct { -- config *initConfig -+ config *initConfig -+ stateDirFD int - } - - func (l *linuxSetnsInit) getSessionRingName() string { -@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error { - if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil { - return err - } -+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order -+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 -+ syscall.Close(l.stateDirFD) - return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ()) - } -diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go -index 2104f1a..6a65154 100644 ---- a/libcontainer/standard_init_linux.go -+++ b/libcontainer/standard_init_linux.go -@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error { - return newSystemErrorWithCause(err, "init seccomp") - } - } -+ // close the statedir fd before exec because the kernel resets dumpable in the wrong order -+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318 -+ syscall.Close(l.stateDirFD) - if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil { - return newSystemErrorWithCause(err, "exec user process") - } --- -2.11.0 - diff --git a/SOURCES/docker-cleanup.service b/SOURCES/docker-cleanup.service new file mode 100644 index 0000000..3f60331 --- /dev/null +++ b/SOURCES/docker-cleanup.service @@ -0,0 +1,11 @@ +[Unit] +Description=Docker Cleanup +Requires=docker.service + + +[Service] +Type=oneshot +ExecStart=/usr/bin/sh -c "DEAD=`docker ps -aq -f status=dead` && [ -n \"$DEAD\" ] && docker rm $DEAD; exit 0" + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/docker-cleanup.sh b/SOURCES/docker-cleanup.sh deleted file mode 100644 index 9cb8098..0000000 --- a/SOURCES/docker-cleanup.sh +++ /dev/null 
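Review bot: `Requires=docker.service` in the new docker-cleanup.service pulls the daemon in but does not order the cleanup after it, so when the timer fires at boot the `docker ps` in ExecStart can run before dockerd is accepting connections, and the trailing `; exit 0` then reports that run as a success. Add `After=docker.service` next to the Requires line so the oneshot only starts once the daemon unit is active. The `exit 0` tail also turns a failed `docker rm` into a clean exit for the unit, leaving the journal as the only trace of the failure; if that is intentional, a comment in the unit saying so would spare the next reader a guess.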
@@ -1,14 +0,0 @@ -#!/bin/bash - -# Do nothing if neither docker nor docker-latest service is running -if ! systemctl --quiet is-active docker-latest && ! systemctl --quiet is-active docker; then - exit 0 -fi - -# If there are no dead containers, exit. -DEAD_CONTAINERS=`docker ps -aq -f status=dead` - -[ -z "$DEAD_CONTAINERS" ] && exit 0 - -# Try to cleanup dead containers -docker rm $DEAD_CONTAINERS diff --git a/SOURCES/docker-cleanup.timer b/SOURCES/docker-cleanup.timer new file mode 100644 index 0000000..b4948d4 --- /dev/null +++ b/SOURCES/docker-cleanup.timer @@ -0,0 +1,9 @@ +[Unit] +Description=Run docker-cleanup every hour + +[Timer] +OnCalendar=hourly +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/SOURCES/docker.service b/SOURCES/docker.service index 7a2769f..ae046d4 100644 --- a/SOURCES/docker.service +++ b/SOURCES/docker.service @@ -3,6 +3,8 @@ Description=Docker Application Container Engine Documentation=http://docs.docker.com After=network.target Wants=docker-storage-setup.service +Requires=rhel-push-plugin.socket +Requires=docker-cleanup.timer [Service] Type=notify @@ -16,6 +18,7 @@ Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin ExecStart=/usr/bin/dockerd-current \ --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \ --default-runtime=docker-runc \ + --authorization-plugin=rhel-push-plugin \ --exec-opt native.cgroupdriver=systemd \ --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \ $OPTIONS \ diff --git a/SOURCES/docker.sysconfig b/SOURCES/docker.sysconfig index 22539fc..de10538 100644 --- a/SOURCES/docker.sysconfig +++ b/SOURCES/docker.sysconfig 
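Review bot: `Requires=docker-cleanup.timer` in the first docker.service hunk (`@@ -3,6 +3,8 @@`) ties the daemon's lifecycle to a housekeeping timer: with Requires, an explicit stop or a failure of docker-cleanup.timer also stops docker.service, which is presumably not wanted for an hourly `docker rm` job; `Wants=docker-cleanup.timer` still pulls the timer in on start without that coupling. The same hunk adds `Requires=rhel-push-plugin.socket` with no matching `After=rhel-push-plugin.socket`, so the socket and dockerd are started concurrently; since the second hunk (`@@ -16,6 +18,7 @@`) passes `--authorization-plugin=rhel-push-plugin`, whether the daemon tolerates the socket appearing late depends on when it first contacts the plugin, and adding `After=rhel-push-plugin.socket` removes that dependency on timing.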
@@ -10,7 +10,7 @@ fi # pull use the ADD_REGISTRY option to list a set of registries, each prepended # with --add-registry flag. The first registry added will be the first registry # searched. -#ADD_REGISTRY='--add-registry registry.access.redhat.com' +ADD_REGISTRY='--add-registry registry.access.redhat.com' # If you want to block registries from being used, uncomment the BLOCK_REGISTRY # option and give it a set of registries, each prepended with --block-registry @@ -40,5 +40,6 @@ fi # docker-latest daemon can be used by starting the docker-latest unitfile. # To use docker-latest client, uncomment below lines #DOCKERBINARY=/usr/bin/docker-latest +#DOCKERDBINARY=/usr/bin/dockerd-latest #DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest #DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest diff --git a/SOURCES/dockerd-common.sh b/SOURCES/dockerd-common.sh new file mode 100644 index 0000000..f18d474 --- /dev/null +++ b/SOURCES/dockerd-common.sh @@ -0,0 +1,20 @@ +#!/bin/sh +. /etc/sysconfig/docker +[ -e "${DOCKERDBINARY}" ] || DOCKERDBINARY=/usr/bin/dockerd-current +if [ ! -f /usr/bin/dockerd-current ]; then + if [ ! -f /usr/bin/dockerd-latest ]; then + echo "You don't have either docker or \ +docker-latest installed. Please install either one and retry." + exit + else + DOCKERDBINARY=/usr/bin/dockerd-latest + fi +fi +if [[ ${DOCKERDBINARY} != "/usr/bin/dockerd-current" && ${DOCKERDBINARY} != "/usr/bin/dockerd-latest" ]]; then + echo "DOCKERDBINARY has been set to an invalid value:" $DOCKERDBINARY + echo "" + echo "Please set DOCKERDBINARY to /usr/bin/dockerd-current or /usr/bin/dockerd-latest +by editing /etc/sysconfig/docker" +else + exec ${DOCKERDBINARY} "$@" +fi diff --git a/SPECS/docker.spec b/SPECS/docker.spec index 52bdf1c..4f21b4f 100644 --- a/SPECS/docker.spec +++ b/SPECS/docker.spec 
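Review bot: Uncommenting `ADD_REGISTRY='--add-registry registry.access.redhat.com'` in the sysconfig hunk (`@@ -10,7 +10,7 @@`) changes the shipped default so that unqualified image names are resolved against registry.access.redhat.com before the public registry, yet the changelog entries in this diff do not mention it. Because the spec installs this file as `%config(noreplace)`, existing installs keep their old file while new installs get the new default, so a changelog line such as `- enable --add-registry registry.access.redhat.com by default in sysconfig` would explain why two hosts of the same NVR behave differently.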
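Review bot: The new dockerd-common.sh declares `#!/bin/sh` but uses the bash-only `[[ ... && ... ]]` test, so it fails on a POSIX sh that is not bash; the portable form is `if [ "${DOCKERDBINARY}" != "/usr/bin/dockerd-current" ] && [ "${DOCKERDBINARY}" != "/usr/bin/dockerd-latest" ]; then`. Both error paths also exit successfully: the "not installed" branch uses a bare `exit` (status 0) and the invalid-value branch falls off the end of the script with the status of the last `echo`, so a unit or caller that execs this wrapper cannot tell that no daemon was started — use `exit 1` in both places. The allowlist check on DOCKERDBINARY before the `exec` is the right shape, since the value is read from a config file and then used as an exec target; quoting it in the final line, `exec "${DOCKERDBINARY}" "$@"`, would match the quoting used earlier in the script.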
@@ -25,20 +25,14 @@ # docker %global git0 https://github.com/projectatomic/%{repo} -%global commit0 047e51b797564227b0bf26f3aa448f563bea5c71 +%global commit0 96d83a5ff6ec0eb9bb7b45192c3048fd3aef5e21 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # docker_branch used in %%check %global docker_branch %{name}-%{version} -# docker-selinux -%global git1 https://github.com/projectatomic/container-selinux -# use RHEL-1.12 branch -%global commit1 58209b8325161be11d38898d7d1a3c45101b75e4 -%global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) - # d-s-s %global git2 https://github.com/projectatomic/%{repo}-storage-setup -%global commit2 6709fe6c6b0d154063799364eb1a944d065bab93 +%global commit2 f7a37469b09b841e630f06e4c149fae345f66fbd %global shortcommit2 %(c=%{commit2}; echo ${c:0:7}) %global dss_libdir %{_exec_prefix}/lib/%{name}-storage-setup @@ -53,9 +47,9 @@ %global shortcommit4 %(c=%{commit4}; echo ${c:0:7}) # rhel-push-plugin -#%global git5 https://github.com/projectatomic/rhel-push-plugin -#%global commit5 eb9e6beb8767a4a102e011c2d6e70394629dfa91 -#%global shortcommit5 %(c=%{commit5}; echo ${c:0:7}) +%global git5 https://github.com/projectatomic/rhel-push-plugin +%global commit5 70653ed7cbef7623ab850d09f0257a6b670582ce +%global shortcommit5 %(c=%{commit5}; echo ${c:0:7}) # docker-lvm-plugin %global git6 https://github.com/projectatomic/%{repo}-lvm-plugin @@ -64,7 +58,7 @@ # docker-runc %global git7 https://github.com/projectatomic/runc -%global commit7 b8dbc3b8e8d868723aec2fd5082e6547ec66cf58 +%global commit7 81b254244390bc636b20c87c34a3d9e1a8645069 %global shortcommit7 %(c=%{commit7}; echo ${c:0:7}) # docker-containerd 
@@ -72,43 +66,18 @@ %global commit8 471f03c11413d9ab1523de24d3e79ae3a7b8126e %global shortcommit8 %(c=%{commit8}; echo ${c:0:7}) -# %%{name}-selinux stuff (prefix with ds_ for version/release etc.) -# Some bits borrowed from the openstack-selinux package -%global selinuxtype targeted -%global moduletype services -%global modulenames container - -# Usage: _format var format -# Expand 'modulenames' into various formats as needed -# Format must contain '$x' somewhere to do anything useful -%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; - -# Relabel files -%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/%{repo}* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/%{repo}.sock %{_localstatedir}/run/%{repo}.pid %{_sysconfdir}/%{repo} %{_localstatedir}/log/%{repo} %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/%{repo}.service %{_unitdir}/%{repo}-containerd.service %{_unitdir}/%{repo}-latest.service %{_unitdir}/%{repo}-latest-containerd.service %{_sysconfdir}/%{repo} %{_libexecdir}/%{repo}* &> /dev/null || : - -# Version of SELinux we were using -%if 0%{?fedora} >= 22 -%global selinux_policyver 3.13.1-119 -%else -%global selinux_policyver 3.13.1-97 -%endif - Name: %{repo} Epoch: 2 -Version: 1.12.5 -Release: 14%{?dist} +Version: 1.12.6 +Release: 11%{?dist} Summary: Automates deployment of containerized applications License: ASL 2.0 URL: https://%{import_path} -# only x86_64 for now: https://%%{provider}.%%{provider_tld}/%%{name}/%%{name}/issues/136 ExclusiveArch: x86_64 -# Branch used available at -# https://%%{provider}.%%{provider_tld}/projectatomic/%%{name}/commits/rhel7-1.10.3 Source0: %{git0}/archive/%{commit0}.tar.gz -Source1: %{git1}/archive/%{commit1}/container-selinux-%{shortcommit1}.tar.gz Source2: %{git2}/archive/%{commit2}/%{repo}-storage-setup-%{shortcommit2}.tar.gz Source4: %{git4}/archive/%{commit4}/%{repo}-novolume-plugin-%{shortcommit4}.tar.gz -#/Source5: 
%{git5}/archive/%{commit5}/rhel-push-plugin-%{shortcommit5}.tar.gz +Source5: %{git5}/archive/%{commit5}/rhel-push-plugin-%{shortcommit5}.tar.gz Source6: %{git6}/archive/%{commit6}/%{repo}-lvm-plugin-%{shortcommit6}.tar.gz Source8: %{name}.service Source9: %{name}.sysconfig @@ -118,7 +87,6 @@ Source12: %{name}-logrotate.sh Source13: README.%{name}-logrotate Source14: %{name}-common.sh Source15: README-%{name}-common -Source16: %{name}-cleanup.sh Source17: %{git3}/archive/%{commit3}/v1.10-migrator-%{shortcommit3}.tar.gz Source18: v1.10-migrator-helper Source19: %{git7}/archive/%{commit7}/runc-%{shortcommit7}.tar.gz @@ -126,7 +94,9 @@ Source20: %{git8}/archive/%{commit8}/containerd-%{shortcommit8}.tar.gz Source21: %{name}-containerd-common.sh Source22: %{name}-containerd-shim-common.sh Source23: daemon.json -Patch0: 0001-Set-init-processes-as-non-dumpable.patch +Source24: %{name}d-common.sh +Source25: %{name}-cleanup.service +Source26: %{name}-cleanup.timer BuildRequires: git BuildRequires: glibc-static BuildRequires: golang >= 1.7.4 
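Review bot: Dropping `Patch0: 0001-Set-init-processes-as-non-dumpable.patch` here (and its `%patch0` application in hunk `@@ -333,9 +282,6 @@`) removes a hardening change whose own description, visible in the deleted file above, says it stops the container's pid 1 from ptracing the runc init process before it drops capabilities; the spec and changelog only record the new runc commit (81b2542) and do not say whether that commit carries the change upstream. Presumably it does, since the patch is deleted rather than rebased, but a comment next to `%global commit7` such as `# 81b2542 carries the non-dumpable init change formerly applied as Patch0` would keep the reason auditable when the next runc bump comes around.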
@@ -144,19 +114,16 @@ Requires: %{name}-client = %{epoch}:%{version}-%{release} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -# need xz to work with ubuntu images Requires: xz Requires: device-mapper-libs >= 7:1.02.97 -#Requires: subscription-manager -#Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release} +Requires: subscription-manager +Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release} Requires: oci-register-machine >= 1:0-1.11 -Requires: oci-systemd-hook >= 1:0.1.4-8 +Requires: oci-systemd-hook >= 1:0.1.4-9 Provides: lxc-%{name} = %{epoch}:%{version}-%{release} Provides: %{name}-io = %{epoch}:%{version}-%{release} -# RE: rhbz#1195804 - ensure min NVR for selinux-policy -Requires(pre): selinux-policy >= %{selinux_policyver} -Requires(pre): container-selinux >= %{epoch}:%{version}-%{release} +Requires(pre): container-selinux >= 2:2.9-4 # rhbz#1214070 - update deps for d-s-s Requires: lvm2 >= 2.02.112 @@ -210,21 +177,6 @@ The migration usually runs on daemon startup but it can be quite slow(usually that time. You can run this tool instead while the old daemon is still running and skip checksum calculation on startup. -%package -n container-selinux -Summary: SELinux policies for container runtimes -BuildRequires: selinux-policy >= %{selinux_policyver} -BuildRequires: selinux-policy-devel >= %{selinux_policyver} -Requires(post): selinux-policy-base >= %{selinux_policyver} -Requires(post): selinux-policy-targeted >= %{selinux_policyver} -Requires(post): policycoreutils -Requires(post): policycoreutils-python -Requires(post): libselinux-utils -Provides: %{name}-io-selinux = %{epoch}:%{version}-%{release} -Provides: %{name}-selinux = %{epoch}:%{version}-%{release} - -%description -n container-selinux -SELinux policy modules for use with container runtimes. - %package common Summary: Common files for docker and docker-latest 
@@ -266,16 +218,16 @@ local volumes defined. In particular, the plugin will block `docker run` with: The only thing allowed will be just bind mounts. -#%package rhel-push-plugin -#License: GPLv2 -#Summary: Avoids pushing a RHEL-based image to docker.io registry +%package rhel-push-plugin +License: GPLv2 +Summary: Avoids pushing a RHEL-based image to docker.io registry -#%description rhel-push-plugin -#In order to use this plugin you must be running at least Docker 1.10 which -#has support for authorization plugins. +%description rhel-push-plugin +In order to use this plugin you must be running at least Docker 1.10 which +has support for authorization plugins. -#This plugin avoids any RHEL based image to be pushed to the default docker.io -#registry preventing users to violate the RH subscription agreement. +This plugin avoids any RHEL based image to be pushed to the default docker.io +registry preventing users to violate the RH subscription agreement. %package lvm-plugin License: LGPLv3 @@ -291,9 +243,6 @@ then be bind mounted into the container using `docker run` command. %prep %setup -q -n %{name}-%{commit0} -# unpack container-selinux -tar zxf %{SOURCE1} - # untar d-s-s tar zxf %{SOURCE2} @@ -301,7 +250,7 @@ tar zxf %{SOURCE2} tar zxf %{SOURCE4} # untar rhel-push-plugin -#tar zxf %{SOURCE5} +tar zxf %{SOURCE5} # untar lvm-plugin tar zxf %{SOURCE6} @@ -333,9 +282,6 @@ tar zxf %{SOURCE17} # untar docker-runc tar zxf %{SOURCE19} -pushd runc-%{commit7} -%patch0 -p1 -popd # untar docker-containerd tar zxf %{SOURCE20} 
@@ -347,7 +293,7 @@ pushd _build mkdir -p src/%{provider}.%{provider_tld}/{%{name},projectatomic} ln -s $(dirs +1 -l) src/%{import_path} ln -s $(dirs +1 -l)/%{repo}-novolume-plugin-%{commit4} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin -# ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit5} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin + ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit5} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin ln -s $(dirs +1 -l)/%{repo}-lvm-plugin-%{commit6} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin popd @@ -356,10 +302,10 @@ pushd $(pwd)/_build/src %gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin popd -#export GOPATH=$(pwd)/rhel-push-plugin-%{commit5}/Godeps/_workspace:$(pwd)/_build -#pushd $(pwd)/_build/src -#%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin -#popd +export GOPATH=$(pwd)/rhel-push-plugin-%{commit5}/Godeps/_workspace:$(pwd)/_build +pushd $(pwd)/_build/src +%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin +popd export GOPATH=$(pwd)/%{repo}-lvm-plugin-%{commit6}/vendor:$(pwd)/_build pushd $(pwd)/_build/src @@ -373,7 +319,7 @@ export GOPATH=$(pwd)/_build:$(pwd)/vendor:%{gopath} # build %%{name} manpages man/md2man-all.sh go-md2man -in %{repo}-novolume-plugin-%{commit4}/man/%{repo}-novolume-plugin.8.md -out %{repo}-novolume-plugin.8 -#go-md2man -in rhel-push-plugin-%{commit5}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8 +go-md2man -in rhel-push-plugin-%{commit5}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8 go-md2man -in %{repo}-lvm-plugin-%{commit6}/man/%{repo}-lvm-plugin.8.md -out %{repo}-lvm-plugin.8 # build %%{name} binary 
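Review bot: Uncommenting the rhel-push-plugin symlink in `@@ -347,7 +293,7 @@` replaced the `#` with a space, so the new line ` ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit5} ...` is indented one column unlike the `ln -s` lines on either side; the shell does not care, but it reads as a leftover of the commented-out form. Drop the leading space so the three symlink lines line up.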
@@ -381,11 +327,6 @@ IAMSTATIC=false DOCKER_DEBUG=1 hack/make.sh dynbinary cp contrib/syntax/vim/LICENSE LICENSE-vim-syntax cp contrib/syntax/vim/README.md README-vim-syntax.md -# build container-selinux -pushd container-selinux-%{commit1} -make SHARE="%{_datadir}" TARGETS="%{modulenames}" -popd - # build v1.10-migrator pushd v1.10-migrator-%{commit3} export GOPATH=$GOPATH:$(pwd)/Godeps/_workspace @@ -452,10 +393,6 @@ install -p -m 644 contrib/completion/fish/%{name}.fish %{buildroot}%{_datadir}/f install -dp %{buildroot}%{_sysconfdir}/cron.daily/ install -p -m 755 %{SOURCE12} %{buildroot}%{_sysconfdir}/cron.daily/%{name}-logrotate -# install dead container cleanup script -install -dp %{buildroot}%{_sysconfdir}/cron.hourly/ -install -p -m 755 %{SOURCE16} %{buildroot}%{_sysconfdir}/cron.hourly/%{name}-cleanup - # install vim syntax highlighting install -d %{buildroot}%{_datadir}/vim/vimfiles/{doc,ftdetect,syntax} install -p -m 644 contrib/syntax/vim/doc/%{name}file.txt %{buildroot}%{_datadir}/vim/vimfiles/doc @@ -476,6 +413,8 @@ install -d -m 700 %{buildroot}%{_sharedstatedir}/%{name} # install systemd/init scripts install -d %{buildroot}%{_unitdir} install -p -m 644 %{SOURCE8} %{buildroot}%{_unitdir} +install -p -m 644 %{SOURCE25} %{buildroot}%{_unitdir} +install -p -m 644 %{SOURCE26} %{buildroot}%{_unitdir} # for additional args install -d %{buildroot}%{_sysconfdir}/sysconfig/ 
@@ -483,16 +422,6 @@ install -p -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/sysconfig/%{name} install -p -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-storage install -p -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-network -# install SELinux interfaces -%_format INTERFACES $x.if -install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} -install -p -m 644 container-selinux-%{commit1}/$INTERFACES %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} - -# install policy modules -%_format MODULES $x.pp.bz2 -install -d %{buildroot}%{_datadir}/selinux/packages -install -m 0644 container-selinux-%{commit1}/$MODULES %{buildroot}%{_datadir}/selinux/packages - %if 0%{?with_unit_test} install -d -m 0755 %{buildroot}%{_sharedstatedir}/%{name}-unit-test/ cp -pav VERSION Dockerfile %{buildroot}%{_sharedstatedir}/%{name}-unit-test/. 
@@ -503,15 +432,12 @@ done rm -rf %{buildroot}%{_sharedstatedir}/%{name}-unit-test/contrib/init/openrc/%{name}.initd %endif -# remove container-selinux rpm spec file -rm -rf container-selinux-%{commit1}/container-selinux.spec - # install secrets dir -#install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets +install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets # rhbz#1110876 - update symlinks for subscription management -#ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement -#ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm -#ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo +ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement +ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm +ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo mkdir -p %{buildroot}/etc/%{name}/certs.d/redhat.{com,io} ln -s %{_sysconfdir}/rhsm/ca/redhat-uep.pem %{buildroot}/%{_sysconfdir}/%{name}/certs.d/redhat.com/redhat-ca.crt @@ -529,6 +455,7 @@ popd # install %%{_bindir}/%%{name} install -d %{buildroot}%{_bindir} install -p -m 755 %{SOURCE14} %{buildroot}%{_bindir}/%{name} +install -p -m 755 %{SOURCE24} %{buildroot}%{_bindir}/%{name}d install -p -m 755 %{SOURCE21} %{buildroot}%{_bindir}/%{name}-containerd install -p -m 755 %{SOURCE22} %{buildroot}%{_bindir}/%{name}-containerd-shim 
@@ -540,12 +467,12 @@ install -d %{buildroot}%{_mandir}/man8 install -p -m 644 %{repo}-novolume-plugin.8 %{buildroot}%{_mandir}/man8 # install rhel-push-plugin executable, unitfile, socket and man -#install -d %{buildroot}%{_libexecdir}/%{repo} -#install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin -#install -p -m 644 rhel-push-plugin-%{commit5}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service -#install -p -m 644 rhel-push-plugin-%{commit5}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket -#install -d %{buildroot}%{_mandir}/man8 -#install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8 +install -d %{buildroot}%{_libexecdir}/%{repo} +install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin +install -p -m 644 rhel-push-plugin-%{commit5}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service +install -p -m 644 rhel-push-plugin-%{commit5}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket +install -d %{buildroot}%{_mandir}/man8 +install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8 # install %%{repo}-lvm-plugin executable, unitfile, socket and man install -d %{buildroot}/%{_libexecdir}/%{repo} 
@@ -590,35 +517,38 @@ exit 0 %post %systemd_post %{name}.service -%post -n container-selinux -# Install all modules in a single transaction -%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 -%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d %{repo} 2> /dev/null -%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null -%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null -if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy - %relabel_files - if [ $1 -eq 1 ]; then - restorecon -R %{_sharedstatedir}/%{name} &> /dev/null || : - fi -fi - %preun %systemd_preun %{name}.service %postun %systemd_postun_with_restart %{name}.service -%postun -n container-selinux -if [ $1 -eq 0 ]; then -%{_sbindir}/semodule -X 200 -n -r %{modulenames} &> /dev/null || : -if %{_sbindir}/selinuxenabled ; then -%{_sbindir}/load_policy -%relabel_files -fi -fi +%post lvm-plugin +%systemd_post %{name}-lvm-plugin.service + +%preun lvm-plugin +%systemd_preun %{name}-lvm-plugin.service + +%postun lvm-plugin +%systemd_postun_with_restart %{name}-lvm-plugin.service + +%post novolume-plugin +%systemd_post %{name}-novolume-plugin.service + +%preun novolume-plugin +%systemd_preun %{name}-novolume-plugin.service + +%postun novolume-plugin +%systemd_postun_with_restart %{name}-novolume-plugin.service + +%post rhel-push-plugin +%systemd_post rhel-push-plugin.service + +%preun rhel-push-plugin +%systemd_preun rhel-push-plugin.service + +%postun rhel-push-plugin +%systemd_postun_with_restart rhel-push-plugin.service #define license tag if not already defined %{!?_licensedir:%global license %doc} 
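Review bot: The new `%post`/`%preun`/`%postun rhel-push-plugin` scriptlets name only `rhel-push-plugin.service`, but the unit that docker.service pulls in, and that hunk `@@ -540,12 +467,12 @@` installs alongside the service, is `rhel-push-plugin.socket`; for a socket-activated plugin it is the socket that needs the systemd scriptlets so preset enablement and disable-on-erase apply to it, e.g. `%systemd_post rhel-push-plugin.socket rhel-push-plugin.service` and the matching `%systemd_preun`. The main package's `%preun` is likewise unchanged at `%systemd_preun %{name}.service` even though `%{name}-cleanup.timer` and `%{name}-cleanup.service` are now installed by it (hunk `@@ -476,6 +413,8 @@`), so erasing the package leaves an already-started timer running until reboot; `%systemd_preun %{name}.service %{name}-cleanup.timer` covers it. The same question applies to the lvm-plugin and novolume-plugin scriptlets if those packages ship `.socket` units, which this diff does not show.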
@@ -637,10 +567,12 @@ fi %{_mandir}/man1/%{name}*.1.gz %{_mandir}/man5/*.5.gz %{_mandir}/man8/%{name}d.8.gz -#%dir %{_datadir}/rhel -#%{_datadir}/rhel/* +%dir %{_datadir}/rhel +%{_datadir}/rhel/* %{_unitdir}/%{name}.service %{_unitdir}/%{name}-storage-setup.service +%{_unitdir}/%{name}-cleanup.service +%{_unitdir}/%{name}-cleanup.timer %{_datadir}/bash-completion/completions/%{name} %dir %{_sharedstatedir}/%{name} %{_udevrulesdir}/80-%{name}.rules @@ -671,19 +603,15 @@ fi %doc README.%{name}-logrotate %{_sysconfdir}/cron.daily/%{name}-logrotate -%files -n container-selinux -%doc container-selinux-%{commit1}/README.md -%{_datadir}/selinux/* - %files common %doc README-%{name}-common %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %config(noreplace) %{_sysconfdir}/%{name}/daemon.json %{_bindir}/%{name} +%{_bindir}/%{name}d %{_bindir}/%{name}-containerd %{_bindir}/%{name}-containerd-shim %dir %{_libexecdir}/%{repo} -%{_sysconfdir}/cron.hourly/%{name}-cleanup %files client %license LICENSE* @@ -696,12 +624,12 @@ fi %{_libexecdir}/%{repo}/%{repo}-novolume-plugin %{_unitdir}/%{repo}-novolume-plugin.* -#%files rhel-push-plugin -#%license rhel-push-plugin-%{commit5}/LICENSE -#%doc rhel-push-plugin-%{commit5}/README.md -#%{_mandir}/man8/rhel-push-plugin.8.gz -#%{_libexecdir}/%{repo}/rhel-push-plugin -#%{_unitdir}/rhel-push-plugin.* +%files rhel-push-plugin +%license rhel-push-plugin-%{commit5}/LICENSE +%doc rhel-push-plugin-%{commit5}/README.md +%{_mandir}/man8/rhel-push-plugin.8.gz +%{_libexecdir}/%{repo}/rhel-push-plugin +%{_unitdir}/rhel-push-plugin.* %files lvm-plugin %license %{repo}-lvm-plugin-%{commit6}/LICENSE @@ -717,8 +645,73 @@ fi %{_bindir}/%{name}-v1.10-migrator-* %changelog -* Mon Jan 23 2017 Johnny Hughes - 2:1.12.5-14 -- Manual CentOS Debranding +* Thu Feb 23 2017 Lokesh Mandvekar - 2:1.12.6-11 +- Resolves: #1426290 +- built docker @projectatomic/docker-1.12.6 commit 96d83a5 + +* Tue Feb 21 2017 Lokesh Mandvekar - 2:1.12.6-10 +- Resolves: #1360892 +- 
From: Luwen Su + +* Tue Feb 21 2017 Lokesh Mandvekar - 2:1.12.6-9 +- Resolves: #1420147 +- built docker @projectatomic/docker-1.12.6 commit 7f3e2af +- require container-selinux >= 2:2.9-4 + +* Mon Feb 20 2017 Lokesh Mandvekar - 2:1.12.6-8 +- bump to -8 for consistent nvr with docker-latest + +* Mon Feb 20 2017 Lokesh Mandvekar - 2:1.12.6-7 +- require container-selinux >= 2:2.9-3 + +* Thu Feb 16 2017 Lokesh Mandvekar - 2:1.12.6-6 +- Resolves: #1415850 + +* Wed Feb 15 2017 Lokesh Mandvekar - 2:1.12.6-5 +- Resolves: #1421714 +- built docker @projectatomic/docker-1.12.6 commit ddff1c3 +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit 70653ed +- built docker-lvm-plugin commit 8647404 +- built docker-runc @projectatomic/docker-1.12.6 commit 81b2542 +- built docker-containerd @projectatomic/docker-1.12.4 commit 471f03c + +* Tue Feb 14 2017 Lokesh Mandvekar - 2:1.12.6-4 +- Resolves: #1360892 - handle plugin restart +- 
From: Dan Walsh + +* Mon Feb 13 2017 Lokesh Mandvekar - 2:1.12.6-3 +- Resolves: #1420591 +- requires: container-selinux >= 2:2.9-1 + +* Tue Feb 07 2017 Lokesh Mandvekar - 2:1.12.6-2 +- built docker @projectatomic/docker-1.12.6 commit dfc4aea +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit 70653ed +- built docker-lvm-plugin commit 8647404 +- built docker-runc commit 81b2542 +- built docker-containerd commit 471f03c + +* Wed Jan 18 2017 Lokesh Mandvekar - 2:1.12.6-1 +- Resolves: #1413535 - container-selinux should obsolete docker-selinux +- Resolves: #1411980 - honor the --default-runtime flag +- Resolves: #1414250 - /usr/bin/dockerd execs dockerd-[current|latest] +- Resolves: #1414436 - enable --restart=on-failure +- Resolves: #1381929 - update manpages for '--format' example +- built docker @projectatomic/docker-1.12.6 commit 037a2f5 +- built container-selinux commit 1169298 +- built d-s-s commit f7a3746 +- built v1.10-migrator commit c417a6a +- built docker-novolume-plugin commit 385ec70 +- built rhel-push-plugin commit eb9e6be +- built docker-lvm-plugin commit 8647404 +- built docker-runc commit 81b2542 +- built docker-containerd commit 471f03c + +* Thu Jan 12 2017 Lokesh Mandvekar - 2:1.12.5-15 +- use oci-systemd-hook >= 1:0.1.4-9 * Wed Jan 11 2017 Lokesh Mandvekar - 2:1.12.5-14 - reference correct container-selinux commit id (58209b8)