diff --git a/.docker.metadata b/.docker.metadata
index e8d4237..d4389c7 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,2 +1,2 @@
457742dc6415835983d62716688efb8132200dff SOURCES/docker-02d20af.tar.gz
-6a91fb3da6931f8330c4e063efea715c7b1ded87 SOURCES/docker-man.tar.gz
+46e8e37afb0adf79d0668c552cb3520b499be570 SOURCES/docker-man-1.tar.gz
diff --git a/.gitignore b/.gitignore
index 4b33069..5501697 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/docker-02d20af.tar.gz
-SOURCES/docker-man.tar.gz
+SOURCES/docker-man-1.tar.gz
diff --git a/SOURCES/docker-0.11-remove-subscription-dependency.patch b/SOURCES/docker-0.11-remove-subscription-dependency.patch
deleted file mode 100644
index a31c170..0000000
--- a/SOURCES/docker-0.11-remove-subscription-dependency.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 248d8fe6b6b4b4706d5c8b14035d5a6847e88721 Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 26 Jun 2014 09:23:14 -0500
-Subject: [PATCH] remove subscription manager sharing between container and
- host
-
----
- daemon/container.go | 12 ++++++------
- daemon/volumes.go | 2 +-
- graph/graph.go | 2 +-
- 3 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/daemon/container.go b/daemon/container.go
-index ce84057..c182009 100644
---- a/daemon/container.go
-+++ b/daemon/container.go
-@@ -290,9 +290,9 @@ func (container *Container) Start() (err error) {
- if err := populateCommand(container, env); err != nil {
- return err
- }
-- if err := container.setupSecretFiles(); err != nil {
-- return err
-- }
-+// if err := container.setupSecretFiles(); err != nil {
-+// return err
-+// }
- if err := setupMountsForContainer(container); err != nil {
- return err
- }
-@@ -308,9 +308,9 @@ func (container *Container) Start() (err error) {
- }
-
- // Now the container is running, unmount the secrets on the host
-- if err := system.Unmount(container.secretsPath(), syscall.MNT_DETACH); err != nil {
-- return err
-- }
-+// if err := system.Unmount(container.secretsPath(), syscall.MNT_DETACH); err != nil {
-+// return err
-+// }
-
- return nil
- }
-diff --git a/daemon/volumes.go b/daemon/volumes.go
-index 7d92baf..7e9cadd 100644
---- a/daemon/volumes.go
-+++ b/daemon/volumes.go
-@@ -38,7 +38,7 @@ func setupMountsForContainer(container *Container) error {
- mounts := []execdriver.Mount{
- {container.daemon.sysInitPath, "/.dockerinit", false, true},
- {container.ResolvConfPath, "/etc/resolv.conf", false, true},
-- {container.secretsPath(), "/run/secrets", true, true},
-+// {container.secretsPath(), "/run/secrets", true, true},
- }
-
- if container.HostnamePath != "" {
-diff --git a/graph/graph.go b/graph/graph.go
-index f578ad9..06d714b 100644
---- a/graph/graph.go
-+++ b/graph/graph.go
-@@ -257,7 +257,7 @@ func SetupInitLayer(initLayer string) error {
- "/dev/pts": "dir",
- "/dev/shm": "dir",
- "/proc": "dir",
-- "/run/secrets": "dir",
-+ //"/run/secrets": "dir",
- "/sys": "dir",
- "/.dockerinit": "file",
- "/.dockerenv": "file",
---
-1.8.3.1
-
diff --git a/SOURCES/docker.service b/SOURCES/docker.service
index e2aace1..e66579b 100644
--- a/SOURCES/docker.service
+++ b/SOURCES/docker.service
@@ -2,12 +2,11 @@
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
After=network.target
-Requires=docker.socket
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
-ExecStart=/usr/bin/docker -d --selinux-enabled -H fd://
+ExecStart=/usr/bin/docker -d --selinux-enabled
Restart=on-failure
LimitNOFILE=1048576
LimitNPROC=1048576
diff --git a/SOURCES/docker.socket b/SOURCES/docker.socket
new file mode 100644
index 0000000..9db5049
--- /dev/null
+++ b/SOURCES/docker.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Docker Socket for the API
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
diff --git a/SPECS/docker.spec b/SPECS/docker.spec
index 9e9eb4f..fbf1641 100644
--- a/SPECS/docker.spec
+++ b/SPECS/docker.spec
@@ -10,13 +10,11 @@
Name: docker
Version: 0.11.1
-Release: 19%{?dist}
+Release: 22%{?dist}
Summary: Automates deployment of containerized applications
License: ASL 2.0
Patch0: remove-vendored-tar.patch
-Patch1: docker-0.11-remove-subscription-dependency.patch
-
URL: http://www.docker.io
# only x86_64 for now: https://github.com/dotcloud/docker/issues/136
ExclusiveArch: x86_64
@@ -25,8 +23,10 @@ Source0: https://github.com/lsm5/docker/archive/%{commit}/docker-%{shortc
# though final name for sysconf/sysvinit files is simply 'docker',
# having .sysvinit and .sysconfig makes things clear
Source1: docker.service
-Source2: docker-man.tar.gz
+Source2: docker-man-1.tar.gz
Source3: docker.sysconfig
+# Resolves: rhbz#1111760 - CVE-2014-3499
+Source4: docker.socket
BuildRequires: gcc
BuildRequires: glibc-static
# ensure build uses golang 1.2-7 and above
@@ -65,8 +65,6 @@ servers, OpenStack clusters, public instances, or combinations of the above.
%setup -q -n docker-%{commit}
rm -rf vendor
%patch0 -p1 -b remove-vendored-tar
-%patch1 -p1 -b remove-subscription-dependency
-
tar zxf %{SOURCE2}
%build
@@ -124,15 +122,15 @@ install -d -m 700 %{buildroot}%{_sharedstatedir}/docker
# install systemd/init scripts
install -d %{buildroot}%{_unitdir}
install -p -m 644 %{SOURCE1} %{buildroot}%{_unitdir}
-install -p -m 644 contrib/init/systemd/socket-activation/docker.socket %{buildroot}%{_unitdir}
+#install -p -m 644 %{SOURCE4} %{buildroot}%{_unitdir}
# for additional args
install -d %{buildroot}%{_sysconfdir}/sysconfig/
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/docker
-# don't install secrets dir
-# install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
-# ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
-# ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
+# install secrets dir
+install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
+ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
+ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
%pre
getent group docker > /dev/null || %{_sbindir}/groupadd -r docker
@@ -154,14 +152,14 @@ exit 0
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_bindir}/docker
-#%dir %{_datadir}/rhel
-#%dir %{_datadir}/rhel/secrets
-#%{_datadir}/rhel/secrets/etc-pki-entitlement
-#%{_datadir}/rhel/secrets/rhel7.repo
+%dir %{_datadir}/rhel
+%dir %{_datadir}/rhel/secrets
+%{_datadir}/rhel/secrets/etc-pki-entitlement
+%{_datadir}/rhel/secrets/rhel7.repo
%dir %{_libexecdir}/docker
%{_libexecdir}/docker/dockerinit
%{_unitdir}/docker.service
-%{_unitdir}/docker.socket
+#%{_unitdir}/docker.socket
%{_sysconfdir}/sysconfig/docker
%dir %{_sysconfdir}/bash_completion.d
%{_sysconfdir}/bash_completion.d/docker.bash
@@ -177,8 +175,12 @@ exit 0
%{_datadir}/vim/vimfiles/syntax/dockerfile.vim
%changelog
-* Thu Jun 26 2014 Jim Perrin <jperrin@centos.org> - 0.11.1-19.el7.centos
-- Remove subscription sharing between host and container
+* Thu Jun 26 2014 Dan Walsh <dwalsh@redhat.com> - 0.11.1-22
+- Resolves: rhbz#1111760 - CVE-2014-3499
+- Remove docker.socket unit file until docker-1.0
+
+* Tue Jun 24 2014 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0.11.1-20
+- Resolves: rhbz#1111760 - CVE-2014-3499
* Fri Jun 06 2014 Lokesh Mandvekar <lsm5@redhat.com> - 0.11.1-19
- build with golang-github-kr-pty-0-0.19.git98c7b80.el7