Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked 
in at 2015-05-26 12:33:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker"

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes    2015-05-15 
07:44:53.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes       2015-05-26 
12:33:40.000000000 +0200
@@ -1,0 +2,6 @@
+Mon May 18 15:08:59 UTC 2015 - [email protected]
+
+- Update to version 1.6.2 (2015-05-13) [bnc#931301]
+  * Revert change prohibiting mounting into /sys
+
+-------------------------------------------------------------------

Old:
----
  docker-1.6.1.tar.bz2

New:
----
  docker-1.6.2.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.9pcD0e/_old  2015-05-26 12:33:41.000000000 +0200
+++ /var/tmp/diff_new_pack.9pcD0e/_new  2015-05-26 12:33:41.000000000 +0200
@@ -16,9 +16,9 @@
 #
 
 
-%define git_version 97cd073
+%define git_version 7c8fca2
 Name:           docker
-Version:        1.6.1
+Version:        1.6.2
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0

++++++ docker-1.6.1.tar.bz2 -> docker-1.6.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/.pc/.quilt_patches 
new/docker/.pc/.quilt_patches
--- old/docker/.pc/.quilt_patches       1970-01-01 01:00:00.000000000 +0100
+++ new/docker/.pc/.quilt_patches       2015-05-08 16:54:25.000000000 +0200
@@ -0,0 +1 @@
+patches
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/.pc/.quilt_series new/docker/.pc/.quilt_series
--- old/docker/.pc/.quilt_series        1970-01-01 01:00:00.000000000 +0100
+++ new/docker/.pc/.quilt_series        2015-05-08 16:54:25.000000000 +0200
@@ -0,0 +1 @@
+series
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/.pc/.version new/docker/.pc/.version
--- old/docker/.pc/.version     1970-01-01 01:00:00.000000000 +0100
+++ new/docker/.pc/.version     2015-05-08 16:54:25.000000000 +0200
@@ -0,0 +1 @@
+2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker/.pc/0002-Stripped-dockerinit-binary.patch/hack/make/.dockerinit 
new/docker/.pc/0002-Stripped-dockerinit-binary.patch/hack/make/.dockerinit
--- old/docker/.pc/0002-Stripped-dockerinit-binary.patch/hack/make/.dockerinit  
1970-01-01 01:00:00.000000000 +0100
+++ new/docker/.pc/0002-Stripped-dockerinit-binary.patch/hack/make/.dockerinit  
2015-05-08 16:27:14.000000000 +0200
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+IAMSTATIC="true"
+source "$(dirname "$BASH_SOURCE")/.go-autogen"
+
+# dockerinit still needs to be a static binary, even if docker is dynamic
+go build \
+       -o "$DEST/dockerinit-$VERSION" \
+       "${BUILDFLAGS[@]}" \
+       -ldflags "
+               $LDFLAGS
+               $LDFLAGS_STATIC
+               -extldflags \"$EXTLDFLAGS_STATIC\"
+       " \
+       ./dockerinit
+
+echo "Created binary: $DEST/dockerinit-$VERSION"
+ln -sf "dockerinit-$VERSION" "$DEST/dockerinit"
+
+sha1sum=
+if command -v sha1sum &> /dev/null; then
+       sha1sum=sha1sum
+elif command -v shasum &> /dev/null; then
+       # Mac OS X - why couldn't they just use the same command name and be 
happy?
+       sha1sum=shasum
+else
+       echo >&2 'error: cannot find sha1sum command or equivalent'
+       exit 1
+fi
+
+# sha1 our new dockerinit to ensure separate docker and dockerinit always run 
in a perfect pair compiled for one another
+export DOCKER_INITSHA1="$($sha1sum $DEST/dockerinit-$VERSION | cut -d' ' -f1)"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/.pc/applied-patches 
new/docker/.pc/applied-patches
--- old/docker/.pc/applied-patches      1970-01-01 01:00:00.000000000 +0100
+++ new/docker/.pc/applied-patches      2015-05-08 16:54:31.000000000 +0200
@@ -0,0 +1,2 @@
+0002-Stripped-dockerinit-binary.patch
+libcontainer-apparmor-fixes.patch
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker/.pc/libcontainer-apparmor-fixes.patch/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
 
new/docker/.pc/libcontainer-apparmor-fixes.patch/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
--- 
old/docker/.pc/libcontainer-apparmor-fixes.patch/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
  1970-01-01 01:00:00.000000000 +0100
+++ 
new/docker/.pc/libcontainer-apparmor-fixes.patch/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
  2015-05-08 16:54:31.000000000 +0200
@@ -0,0 +1,81 @@
+package apparmor
+
+import (
+       "io"
+       "os"
+       "text/template"
+)
+
+type data struct {
+       Name         string
+       Imports      []string
+       InnerImports []string
+}
+
+const baseTemplate = `
+{{range $value := .Imports}}
+{{$value}}
+{{end}}
+
+profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+{{range $value := .InnerImports}}
+  {{$value}}
+{{end}}
+
+  network,
+  capability,
+  file,
+  umount,
+
+  deny @{PROC}/sys/fs/** wklx,
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+  deny @{PROC}/sys/kernel/*/** wklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+}
+`
+
+func generateProfile(out io.Writer) error {
+       compiled, err := template.New("apparmor_profile").Parse(baseTemplate)
+       if err != nil {
+               return err
+       }
+       data := &data{
+               Name: "docker-default",
+       }
+       if tunablesExists() {
+               data.Imports = append(data.Imports, "#include 
<tunables/global>")
+       } else {
+               data.Imports = append(data.Imports, "@{PROC}=/proc/")
+       }
+       if abstractionsExists() {
+               data.InnerImports = append(data.InnerImports, "#include 
<abstractions/base>")
+       }
+       if err := compiled.Execute(out, data); err != nil {
+               return err
+       }
+       return nil
+}
+
+// check if the tunables/global exist
+func tunablesExists() bool {
+       _, err := os.Stat("/etc/apparmor.d/tunables/global")
+       return err == nil
+}
+
+// check if abstractions/base exist
+func abstractionsExists() bool {
+       _, err := os.Stat("/etc/apparmor.d/abstractions/base")
+       return err == nil
+}
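Review bot: The rule `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` in baseTemplate leaves out much more than the shm* entries it appears to be exempting. Each character class is tested on its own position, so any entry whose first character is `s`, whose second is `h` or whose third is `m` escapes the deny, as does any name shorter than three characters. The `/sys/[^f]*/**` through `/sys/fs/cg[^r]*/**` chain below narrows its exception one character at a time, and the kernel rule should do the same, with something like `deny @{PROC}/sys/kernel/{?,??,[^s]*,s[^h]*,sh[^m]*} wklx,`. This file sits under quilt's `.pc/` directory, so it is presumably the pre-patch copy, and the patched gen.go should be checked for the same pattern.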
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/CHANGELOG.md new/docker/CHANGELOG.md
--- old/docker/CHANGELOG.md     2015-05-08 16:27:13.000000000 +0200
+++ new/docker/CHANGELOG.md     2015-05-18 17:08:27.000000000 +0200
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.6.2 (2015-05-13)
+
+####  Runtime
+- Revert change prohibiting mounting into /sys
+
 ## 1.6.1 (2015-05-07)
 
 ####  Security
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/VERSION new/docker/VERSION
--- old/docker/VERSION  2015-05-08 16:27:12.000000000 +0200
+++ new/docker/VERSION  2015-05-18 17:08:29.000000000 +0200
@@ -1 +1 @@
-1.6.1
+1.6.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/hack/vendor.sh new/docker/hack/vendor.sh
--- old/docker/hack/vendor.sh   2015-05-08 16:27:14.000000000 +0200
+++ new/docker/hack/vendor.sh   2015-05-18 17:08:27.000000000 +0200
@@ -75,7 +75,7 @@
 mkdir -p src/github.com/docker/distribution
 mv tmp-digest src/github.com/docker/distribution/digest
 
-clone git github.com/docker/libcontainer 
1b471834b45063b61e0aedefbb1739a8f34b414e
+clone git github.com/docker/libcontainer 
227771c8f611f03639f0eeb169428761d9504ab5
 # see src/github.com/docker/libcontainer/update-vendor.sh which is the "source 
of truth" for libcontainer deps (just like this file)
 rm -rf src/github.com/docker/libcontainer/vendor
 eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | 
grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/docker/integration-cli/docker_cli_run_test.go 
new/docker/integration-cli/docker_cli_run_test.go
--- old/docker/integration-cli/docker_cli_run_test.go   2015-05-08 
16:27:14.000000000 +0200
+++ new/docker/integration-cli/docker_cli_run_test.go   2015-05-18 
17:08:27.000000000 +0200
@@ -3499,9 +3499,9 @@
 
 func TestMountIntoSys(t *testing.T) {
        defer deleteAllContainers()
-       code, err := runCommand(exec.Command(dockerBinary, "run", "-v", 
"/sys/", "busybox", "true"))
-       if err == nil || code == 0 {
-               t.Fatal("container should not be able to mount into /sys")
+       _, err := runCommand(exec.Command(dockerBinary, "run", "-v", 
"/sys/fs/cgroup", "busybox", "true"))
+       if err != nil {
+               t.Fatal("container should be able to mount into /sys")
        }
        logDone("run - mount into sys")
 }
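Review bot: The new failure path in TestMountIntoSys discards the exit code and never prints `err`, so a regression reports only the fixed message with no cause; `t.Fatalf("container should be able to mount into /sys: %v", err)` would keep the detail. The test now covers only the permitted case (`/sys/fs/cgroup`), while the rootfs_linux.go hunk removes `/sys` from invalidDestinations entirely. Nothing visible in this diff asserts that volume destinations in sensitive /sys subtrees are still refused, so that protection presumably rests on the AppArmor profile on hosts where it is enforced. A comment above the test such as `// /sys destinations are allowed again as of 1.6.2 (see CHANGELOG); only /proc is rejected` would record why the assertion was inverted.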
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker/vendor/src/github.com/docker/libcontainer/process_linux.go 
new/docker/vendor/src/github.com/docker/libcontainer/process_linux.go
--- old/docker/vendor/src/github.com/docker/libcontainer/process_linux.go       
2015-05-08 16:27:14.000000000 +0200
+++ new/docker/vendor/src/github.com/docker/libcontainer/process_linux.go       
2015-05-18 17:08:28.000000000 +0200
@@ -119,6 +119,9 @@
 // terminate sends a SIGKILL to the forked process for the setns routine then 
waits to
 // avoid the process becomming a zombie.
 func (p *setnsProcess) terminate() error {
+       if p.cmd.Process == nil {
+               return nil
+       }
        err := p.cmd.Process.Kill()
        if _, werr := p.wait(); err == nil {
                err = werr
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux.go 
new/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
--- old/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux.go        
2015-05-08 16:27:14.000000000 +0200
+++ new/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux.go        
2015-05-18 17:08:28.000000000 +0200
@@ -150,7 +150,6 @@
        }
        invalidDestinations := []string{
                "/proc",
-               "/sys",
        }
        for _, invalid := range invalidDestinations {
                path, err := filepath.Rel(filepath.Join(rootfs, invalid), dest)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux_test.go 
new/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux_test.go
--- old/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux_test.go   
2015-05-08 16:27:14.000000000 +0200
+++ new/docker/vendor/src/github.com/docker/libcontainer/rootfs_linux_test.go   
2015-05-18 17:08:28.000000000 +0200
@@ -15,8 +15,8 @@
 func TestCheckMountDestInSys(t *testing.T) {
        dest := "/rootfs//sys/fs/cgroup"
        err := checkMountDestination("/rootfs", dest)
-       if err == nil {
-               t.Fatal("destination inside proc should return an error")
+       if err != nil {
+               t.Fatal("destination inside /sys should not return an error")
        }
 }
 

