diff --git a/.docker.metadata b/.docker.metadata
index e8d4237..d4389c7 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,2 +1,2 @@
 457742dc6415835983d62716688efb8132200dff SOURCES/docker-02d20af.tar.gz
-6a91fb3da6931f8330c4e063efea715c7b1ded87 SOURCES/docker-man.tar.gz
+46e8e37afb0adf79d0668c552cb3520b499be570 SOURCES/docker-man-1.tar.gz
diff --git a/.gitignore b/.gitignore
index 4b33069..5501697 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/docker-02d20af.tar.gz
-SOURCES/docker-man.tar.gz
+SOURCES/docker-man-1.tar.gz
diff --git a/SOURCES/docker-0.11-remove-subscription-dependency.patch b/SOURCES/docker-0.11-remove-subscription-dependency.patch
deleted file mode 100644
index a31c170..0000000
--- a/SOURCES/docker-0.11-remove-subscription-dependency.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 248d8fe6b6b4b4706d5c8b14035d5a6847e88721 Mon Sep 17 00:00:00 2001
-From: Jim Perrin
-Date: Thu, 26 Jun 2014 09:23:14 -0500
-Subject: [PATCH] remove subscription manager sharing between container and
- host
----
- daemon/container.go | 12 ++++++------
- daemon/volumes.go | 2 +-
- graph/graph.go | 2 +-
- 3 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/daemon/container.go b/daemon/container.go
-index ce84057..c182009 100644
---- a/daemon/container.go
-+++ b/daemon/container.go
-@@ -290,9 +290,9 @@ func (container *Container) Start() (err error) {
- if err := populateCommand(container, env); err != nil {
- return err
- }
-- if err := container.setupSecretFiles(); err != nil {
-- return err
-- }
-+// if err := container.setupSecretFiles(); err != nil {
-+// return err
-+// }
- if err := setupMountsForContainer(container); err != nil {
- return err
- }
-@@ -308,9 +308,9 @@ func (container *Container) Start() (err error) {
- }
- 
- // Now the container is running, unmount the secrets on the host
-- if err := system.Unmount(container.secretsPath(), syscall.MNT_DETACH); err != nil {
-- return err
-- }
-+// if err := system.Unmount(container.secretsPath(), syscall.MNT_DETACH); err != nil {
-+// return err
-+// }
- 
- return nil
- }
-diff --git a/daemon/volumes.go b/daemon/volumes.go
-index 7d92baf..7e9cadd 100644
---- a/daemon/volumes.go
-+++ b/daemon/volumes.go
-@@ -38,7 +38,7 @@ func setupMountsForContainer(container *Container) error {
- mounts := []execdriver.Mount{
- {container.daemon.sysInitPath, "/.dockerinit", false, true},
- {container.ResolvConfPath, "/etc/resolv.conf", false, true},
-- {container.secretsPath(), "/run/secrets", true, true},
-+// {container.secretsPath(), "/run/secrets", true, true},
- }
- 
- if container.HostnamePath != "" {
-diff --git a/graph/graph.go b/graph/graph.go
-index f578ad9..06d714b 100644
---- a/graph/graph.go
-+++ b/graph/graph.go
-@@ -257,7 +257,7 @@ func SetupInitLayer(initLayer string) error {
- "/dev/pts": "dir", - "/dev/shm": "dir", - "/proc": "dir", -- "/run/secrets": "dir", -+ //"/run/secrets": "dir", - "/sys": "dir", - "/.dockerinit": "file", - "/.dockerenv": "file", --- -1.8.3.1 - diff --git a/SOURCES/docker.service b/SOURCES/docker.service index e2aace1..e66579b 100644 --- a/SOURCES/docker.service +++ b/SOURCES/docker.service @@ -2,12 +2,11 @@ Description=Docker Application Container Engine Documentation=http://docs.docker.io After=network.target -Requires=docker.socket [Service] Type=notify EnvironmentFile=-/etc/sysconfig/docker -ExecStart=/usr/bin/docker -d --selinux-enabled -H fd:// +ExecStart=/usr/bin/docker -d --selinux-enabled Restart=on-failure LimitNOFILE=1048576 LimitNPROC=1048576 diff --git a/SOURCES/docker.socket b/SOURCES/docker.socket new file mode 100644 index 0000000..9db5049 --- /dev/null +++ b/SOURCES/docker.socket @@ -0,0 +1,11 @@ +[Unit] +Description=Docker Socket for the API + +[Socket] +ListenStream=/var/run/docker.sock +SocketMode=0660 +SocketUser=root +SocketGroup=docker + +[Install] +WantedBy=sockets.target diff --git a/SPECS/docker.spec b/SPECS/docker.spec index 9e9eb4f..fbf1641 100644 --- a/SPECS/docker.spec +++ b/SPECS/docker.spec @@ -10,13 +10,11 @@ Name: docker Version: 0.11.1 -Release: 19%{?dist} +Release: 22%{?dist} Summary: Automates deployment of containerized applications License: ASL 2.0 Patch0: remove-vendored-tar.patch -Patch1: docker-0.11-remove-subscription-dependency.patch - URL: http://www.docker.io # only x86_64 for now: https://github.com/dotcloud/docker/issues/136 ExclusiveArch: x86_64 
@@ -25,8 +23,10 @@ Source0: https://github.com/lsm5/docker/archive/%{commit}/docker-%{shortc
 # though final name for sysconf/sysvinit files is simply 'docker',
 # having .sysvinit and .sysconfig makes things clear
 Source1: docker.service
-Source2: docker-man.tar.gz
+Source2: docker-man-1.tar.gz
 Source3: docker.sysconfig
+# Resolves: rhbz#1111760 - CVE-2014-3499
+Source4: docker.socket
 BuildRequires: gcc
 BuildRequires: glibc-static
 # ensure build uses golang 1.2-7 and above
@@ -65,8 +65,6 @@ servers, OpenStack clusters, public instances, or combinations of the above.
 %setup -q -n docker-%{commit}
 rm -rf vendor
 %patch0 -p1 -b remove-vendored-tar
-%patch1 -p1 -b remove-subscription-dependency
-
 tar zxf %{SOURCE2}
 %build
@@ -124,15 +122,15 @@ install -d -m 700 %{buildroot}%{_sharedstatedir}/docker
 # install systemd/init scripts
 install -d %{buildroot}%{_unitdir}
 install -p -m 644 %{SOURCE1} %{buildroot}%{_unitdir}
-install -p -m 644 contrib/init/systemd/socket-activation/docker.socket %{buildroot}%{_unitdir}
+#install -p -m 644 %{SOURCE4} %{buildroot}%{_unitdir}
 # for additional args
 install -d %{buildroot}%{_sysconfdir}/sysconfig/
 install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/docker
-# don't install secrets dir
-# install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
-# ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
-# ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
+# install secrets dir
+install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
+ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
+ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
 %pre
 getent group docker > /dev/null || %{_sbindir}/groupadd -r docker
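Review bot: The comment `# Resolves: rhbz#1111760 - CVE-2014-3499` is placed on Source4, but nothing in this build installs %{SOURCE4}: the `install` line in the %install hunk below is commented out and so is the `%{_unitdir}/docker.socket` entry in %files. A reader following the CVE reference to this line would conclude that the hardened socket unit ships with the package. I would make the comment say what is actually true: `# Resolves: rhbz#1111760 - CVE-2014-3499 (unit carried here but not installed until docker-1.0; see %install and %files)`.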
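Review bot: The %install hunk re-creates %{_datadir}/rhel/secrets with symlinks to /etc/pki/entitlement and /etc/yum.repos.d/redhat.repo, reversing what the now-deleted docker-0.11-remove-subscription-dependency.patch had switched off (that patch commented out the `/run/secrets` mount in daemon/volumes.go), but neither the `# install secrets dir` comment nor the new changelog entries say why host-to-container sharing is being turned back on. With the patch gone, every container presumably again gets that directory at /run/secrets; if entitlement certificates and their keys live under /etc/pki/entitlement on a subscribed host, that exposure should be stated explicitly so it is a deliberate, recorded choice rather than a side effect of dropping Patch1. I would expand the comment to `# install secrets dir: mounted into every container at /run/secrets now that Patch1 is gone; exposes host entitlement certs/keys and redhat.repo to containers` and add a matching bullet to the 0.11.1-22 changelog entry.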
@@ -154,14 +152,14 @@ exit 0
 %{_mandir}/man1/*
 %{_mandir}/man5/*
 %{_bindir}/docker
-#%dir %{_datadir}/rhel
-#%dir %{_datadir}/rhel/secrets
-#%{_datadir}/rhel/secrets/etc-pki-entitlement
-#%{_datadir}/rhel/secrets/rhel7.repo
+%dir %{_datadir}/rhel
+%dir %{_datadir}/rhel/secrets
+%{_datadir}/rhel/secrets/etc-pki-entitlement
+%{_datadir}/rhel/secrets/rhel7.repo
 %dir %{_libexecdir}/docker
 %{_libexecdir}/docker/dockerinit
 %{_unitdir}/docker.service
-%{_unitdir}/docker.socket
+#%{_unitdir}/docker.socket
 %{_sysconfdir}/sysconfig/docker
 %dir %{_sysconfdir}/bash_completion.d
 %{_sysconfdir}/bash_completion.d/docker.bash
@@ -177,8 +175,12 @@ exit 0
 %{_datadir}/vim/vimfiles/syntax/dockerfile.vim
 %changelog
-* Thu Jun 26 2014 Jim Perrin - 0.11.1-19.el7.centos
-- Remove subscription sharing between host and container
+* Thu Jun 26 2014 Dan Walsh - 0.11.1-22
+- Resolves: rhbz#1111760 - CVE-2014-3499
+- Remove docker.socket unit file until docker-1.0
+
+* Tue Jun 24 2014 Lokesh Mandvekar - 0.11.1-20
+- Resolves: rhbz#1111760 - CVE-2014-3499
 * Fri Jun 06 2014 Lokesh Mandvekar - 0.11.1-19
 - build with golang-github-kr-pty-0-0.19.git98c7b80.el7
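Review bot: The %files hunk drops `%{_unitdir}/docker.socket`, which release 19 shipped (the %install hunk above installed it from contrib/init/systemd/socket-activation), so an upgrade silently removes a unit an administrator may have enabled; whether the package's %preun/%postun scriptlets disable it first is outside this diff. Unless they do, any sockets.target.wants link created by enabling the old unit is left dangling, and the bare commented-out entry gives the next packager no pointer to why it was pulled. I would replace `#%{_unitdir}/docker.socket` with `# docker.socket intentionally not shipped until docker-1.0 (rhbz#1111760); re-enable together with -H fd:// in docker.service`.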