Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked 
in at 2015-05-15 07:44:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker"

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes    2015-04-10 
09:50:52.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes       2015-05-15 
07:44:53.000000000 +0200
@@ -1,0 +2,43 @@
+Fri May  8 15:00:38 UTC 2015 - [email protected]
+
+Updated to version 1.6.1 (2015-05-07) [bnc#930235]
+  * Security
+    - Fix read/write /proc paths (CVE-2015-3630)
+    - Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631)
+    - Fix opening of file-descriptor 1 (CVE-2015-3627)
+    - Fix symlink traversal on container respawn allowing local privilege 
escalation (CVE-2015-3629)
+    - Prohibit mount of /sys
+  * Runtime
+    - Update Apparmor policy to not allow mounts
+- Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect
+  changes introduced by docker 1.6.1
+
+-------------------------------------------------------------------
+Thu May  7 13:33:03 UTC 2015 - [email protected]
+
+- Get rid of SocketUser and SocketGroup workarounds for docker.socket
+
+-------------------------------------------------------------------
+Fri Apr 17 14:02:13 UTC 2015 - [email protected]
+
+- Updated to version 1.6.0 (2015-04-07) [bnc#908033]
+  * Builder:
+    + Building images from an image ID
+    + build containers with resource constraints, ie `docker build 
--cpu-shares=100 --memory=1024m...`
+    + `commit --change` to apply specified Dockerfile instructions while 
committing the image
+    + `import --change` to apply specified Dockerfile instructions while 
importing the image
+    + basic build cancellation
+  * Client:
+    + Windows Support
+  * Runtime:
+    + Container and image Labels
+    + `--cgroup-parent` for specifying a parent cgroup to place container 
cgroup within
+    + Logging drivers, `json-file`, `syslog`, or `none`
+    + Pulling images by ID
+    + `--ulimit` to set the ulimit on a container
+    + `--default-ulimit` option on the daemon which applies to all created 
containers (and overwritten by `--ulimit` on run)
+- Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of
+  the latest version of Docker.
+- bnc#908033: support of Docker Registry API v2.
+
+-------------------------------------------------------------------

Old:
----
  docker-1.5.0.tar.bz2

New:
----
  docker-1.6.1.tar.bz2
  docker_systemd_lt_214.socket

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.Eu2UJ7/_old  2015-05-15 07:44:54.000000000 +0200
+++ /var/tmp/diff_new_pack.Eu2UJ7/_new  2015-05-15 07:44:54.000000000 +0200
@@ -16,9 +16,9 @@
 #
 
 
-%define git_version a8a31ef
+%define git_version 97cd073
 Name:           docker
-Version:        1.5.0
+Version:        1.6.1
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@@ -28,7 +28,13 @@
 Source1:        docker.service
 Source3:        80-docker.rules
 Source4:        sysconfig.docker
+
+%if 0%{?suse_version} > 1320
 Source5:        docker.socket
+%else
+Source5:        docker_systemd_lt_214.socket
+%endif
+
 Source6:        docker-rpmlintrc
 Source7:        README_SUSE.md
 Patch0:         0002-Stripped-dockerinit-binary.patch
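Review bot: Both socket files are declared as `Source5` inside `%if 0%{?suse_version} > 1320`, so which file lands in the source package depends on the build target, and nothing on these lines says that 1320 stands in for "systemd older than 214". Declaring both unconditionally, e.g. `Source5: docker.socket` plus `Source8: docker_systemd_lt_214.socket` (or whichever number is free; the rest of the tag list is outside the hunk), and choosing between them in `%install` would keep the source package identical across targets. Whichever form is kept, a comment such as `# SocketUser=/SocketGroup= need systemd >= 214; older targets install the chown fallback` above the conditional would record why the split exists, since the group ownership of /var/run/docker.sock depends on the right file being installed.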

++++++ 0002-Stripped-dockerinit-binary.patch ++++++
--- /var/tmp/diff_new_pack.Eu2UJ7/_old  2015-05-15 07:44:54.000000000 +0200
+++ /var/tmp/diff_new_pack.Eu2UJ7/_new  2015-05-15 07:44:54.000000000 +0200
@@ -15,10 +15,10 @@
  hack/make/dynbinary | 1 +
  1 file changed, 1 insertion(+)
 
-Index: docker/project/make/.dockerinit
+Index: docker/hack/make/.dockerinit
 ===================================================================
---- docker.orig/project/make/.dockerinit
-+++ docker/project/make/.dockerinit
+--- docker.orig/hack/make/.dockerinit
++++ docker/hack/make/.dockerinit
 @@ -25,5 +25,7 @@ else
        exit 1
  fi

++++++ docker-1.5.0.tar.bz2 -> docker-1.6.1.tar.bz2 ++++++
++++ 102449 lines of diff (skipped)

++++++ docker.socket ++++++
--- /var/tmp/diff_new_pack.Eu2UJ7/_old  2015-05-15 07:44:56.000000000 +0200
+++ /var/tmp/diff_new_pack.Eu2UJ7/_new  2015-05-15 07:44:56.000000000 +0200
@@ -5,12 +5,8 @@
 [Socket]
 ListenStream=/var/run/docker.sock
 SocketMode=0660
-# TODO: Get rid of workaround below after adopting systemd 214+ by oS Factory
-# Socket(User|Group) are available as of systemd 214+
-#SocketUser=root
-#SocketGroup=docker
-# Fix owner manually
-ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock
+SocketUser=root
+SocketGroup=docker
 
 [Install]
 WantedBy=sockets.target
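Review bot: With the TODO block removed, the unit no longer records that `SocketUser=`/`SocketGroup=` need systemd 214 or newer, which is the only reason docker_systemd_lt_214.socket exists. I would keep one line above `SocketUser=root`, for example `# Needs systemd >= 214; older targets ship docker_systemd_lt_214.socket instead (see docker.spec)`. A second comment is also worth adding: `SocketMode=0660` with group `docker` gives every member of that group full control of the daemon, so group membership should be treated as root-equivalent.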

++++++ docker_systemd_lt_214.socket ++++++
# Socket-activation unit for the Docker API, used in place of docker.socket on
# targets whose systemd lacks SocketUser=/SocketGroup= (systemd < 214).
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
# 0660: read/write for owner and group, no access for other users.
SocketMode=0660
# Replacement for SocketUser=/SocketGroup=, which need systemd >= 214:
# hand the socket to root:docker once it has been created.
# Members of group "docker" get full access to the daemon API through this
# socket, so membership in that group should be treated as root-equivalent.
ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock

[Install]
WantedBy=sockets.target
++++++ libcontainer-apparmor-fixes.patch ++++++
--- /var/tmp/diff_new_pack.Eu2UJ7/_old  2015-05-15 07:44:56.000000000 +0200
+++ /var/tmp/diff_new_pack.Eu2UJ7/_new  2015-05-15 07:44:56.000000000 +0200
@@ -2,33 +2,11 @@
 ===================================================================
 --- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
 +++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
-@@ -25,18 +25,6 @@ profile {{.Name}} flags=(attach_disconne
+@@ -25,7 +25,6 @@ profile {{.Name}} flags=(attach_disconne
    network,
    capability,
    file,
 -  umount,
--
--  mount fstype=tmpfs,
--  mount fstype=mqueue,
--  mount fstype=fuse.*,
--  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
--  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
--  mount fstype=fusectl -> /sys/fs/fuse/connections/,
--  mount fstype=securityfs -> /sys/kernel/security/,
--  mount fstype=debugfs -> /sys/kernel/debug/,
--  mount fstype=proc -> /proc/,
--  mount fstype=sysfs -> /sys/,
  
    deny @{PROC}/sys/fs/** wklx,
    deny @{PROC}/sysrq-trigger rwklx,
-@@ -45,10 +33,6 @@ profile {{.Name}} flags=(attach_disconne
-   deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
-   deny @{PROC}/sys/kernel/*/** wklx,
- 
--  deny mount options=(ro, remount) -> /,
--  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
--  deny mount fstype=devpts,
--
-   deny /sys/[^f]*/** wklx,
-   deny /sys/f[^s]*/** wklx,
-   deny /sys/fs/[^c]*/** wklx,
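Review bot: The refreshed patch now removes only `umount,` from the profile template in gen.go, but nothing in the visible part says why that rule is dropped or why the earlier removal of the `deny mount …` rules is no longer needed; the hunk starts at line 2, so any header on line 1 is outside it. A short header in the patch, along the lines of `# SUSE: drop 'umount,' because <reason>; mount rules presumably changed upstream in 1.6.1`, would let the next refresh be checked against intent rather than against the previous diff. Because this template defines the container confinement profile, docker.changes could also note that the generated profile was loaded and checked on the targeted AppArmor version after the refresh.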

