Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2023-04-27 19:59:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Thu Apr 27 19:59:59 2023 rev:130 rq:1083276 version:23.0.5_ce Changes: --------
--- /work/SRC/openSUSE:Factory/docker/docker.changes 2023-03-16 22:57:55.619337323 +0100
+++ /work/SRC/openSUSE:Factory/.docker.new.1533/docker.changes 2023-04-27 20:00:01.313603637 +0200
@@ -1,0 +2,27 @@
+Thu Apr 27 14:09:05 UTC 2023 - Aleksa Sarai <asa...@suse.com>
+
+- Update to Docker 23.0.5-ce. See upstream changelog online at
+ <https://docs.docker.com/engine/release-notes/23.0/#2305>.
+- Rebase patches:
+ * cli-0001-docs-include-required-tools-in-source-tree.patch
+
+-------------------------------------------------------------------
+Wed Apr 26 00:31:54 UTC 2023 - Aleksa Sarai <asa...@suse.com>
+
+- Update to Docker 23.0.4-ce. See upstream changelog online at
+ <https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
+- Rebase patches:
+ * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+- Renumbered patches:
+ - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+- Remove upstreamed patches:
+ - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+ - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
+ - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
+- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
+ built without internet access in OBS.
+ + cli-0001-docs-include-required-tools-in-source-tree.patch + +------------------------------------------------------------------- Old: ---- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch docker-20.10.23_ce_6051f1429.tar.xz docker-cli-20.10.23_ce.tar.xz docker-libnetwork-05b93e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz New: ---- 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch cli-0001-docs-include-required-tools-in-source-tree.patch docker-23.0.5_ce_94d3ad69cc59.tar.xz docker-cli-23.0.5_ce.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.yXKUV6/_old 2023-04-27 20:00:02.205608880 +0200 +++ /var/tmp/diff_new_pack.yXKUV6/_new 2023-04-27 20:00:02.209608904 +0200 @@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -26,37 +26,16 @@ %define _fillupdir /var/adm/fillup-templates %endif -# Handle _multibuild magic. -%define flavour @BUILD_FLAVOR@%{nil} - -# We split the Name: into "realname" and "name_suffix". -%define realname docker -%if "%flavour" == "" -%define name_suffix %{nil} -%else -%define name_suffix -%{flavour} -%endif - # Used when generating the "build" information for Docker version. The value of # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define real_version 20.10.23 -%define git_version 6051f1429 -%define git_commit_epoch 1674059068 - -# We require a specific pin of libnetwork because it doesn't really do -# versioning and minor version mismatches in libnetwork can break Docker -# networking. All other key runtime dependencies (containerd, runc) are stable -# enough that this isn't necessary. -%define libnetwork_version 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7 - -%define dist_builddir %{_builddir}/dist-suse -%define cli_builddir %{dist_builddir}/src/github.com/docker/cli -%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork +%define real_version 23.0.5 +%define git_version 94d3ad69cc59 +%define git_commit_epoch 1682522945 -Name: %{realname}%{name_suffix} +Name: docker Version: %{real_version}_ce # This "nice version" is so that docker --version gives a result that can be # parsed by other people. boo#1182476 
@@ -66,9 +45,8 @@ License: Apache-2.0 Group: System/Management URL: http://www.docker.io -Source: %{realname}-%{version}_%{git_version}.tar.xz -Source1: %{realname}-cli-%{version}.tar.xz -Source2: %{realname}-libnetwork-%{libnetwork_version}.tar.xz +Source: %{name}-%{version}_%{git_version}.tar.xz +Source1: %{name}-cli-%{version}.tar.xz Source3: docker-rpmlintrc # TODO: Move these source files to somewhere nicer. Source100: docker.service @@ -87,14 +65,9 @@ Patch101: 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch # SUSE-FEATURE: Add support to mirror unofficial/private registries # <https://github.com/docker/docker/pull/34319>. -Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081 -Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch -# SUSE-BACKPORT: Backport of several golang.org/x/crypto updates. -# bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191 -Patch302: 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch -# SUSE-BACKPORT: Backport of <https://github.com/containerd/fifo/pull/32>. bsc#1200022 -Patch303: 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch +Patch300: 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>. +Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
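Review bot: The comment left directly above `Patch300` on the new side still reads `# SUSE-FEATURE: Add support to mirror unofficial/private registries` with the docker/docker pull 34319 link, but the file it now labels is `0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`, so the one remaining patch that changes AppArmor profile loading has no accurate description. I would replace those two comment lines with one in the file's existing tag style, for example `# SUSE-FEATURE: Always reload the docker-default AppArmor profile on daemon start. bsc#1073877`. The same hunk drops Patch302, whose comment carried the CVE-2021-43565 and CVE-2022-27191 references; since the new changelog entry names the patch only by file name, it would help to note there which vendored golang.org/x/crypto version in the 23.0 tree contains those fixes, so the CVE trail stays checkable.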
@@ -111,17 +84,17 @@ BuildRequires: go-go-md2man BuildRequires: pkgconfig(libsystemd) BuildRequires: sysuser-tools -BuildRequires: golang(API) = 1.18 +BuildRequires: golang(API) = 1.19 Requires: (apparmor-parser or container-selinux) Requires: ca-certificates-mozilla # The docker-proxy binary used to be in a separate package. We obsolete it, # since now docker-proxy is maintained as part of this package. -Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2 -Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version} +Obsoletes: docker-libnetwork < 0.7.0.2 +Provides: docker-libnetwork = 0.7.0.2.%{version} # Required to actually run containers. We require the minimum version that is # pinned by Docker, but in order to avoid headaches we allow for updates. -Requires: runc >= 1.1.2 -Requires: containerd >= 1.6.9 +Requires: runc >= 1.1.5 +Requires: containerd >= 1.6.20 # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit @@ -149,7 +122,6 @@ Recommends: git-core >= 1.7 ExcludeArch: s390 ppc - %description Docker complements LXC with a high-level API which operates at the process level. It runs unix processes with strong guarantees of isolation and 
@@ -193,38 +165,27 @@ Fish command line completion support for %{name}. %prep -%setup -q -n %{realname}-%{version}_%{git_version} +# docker-cli +%define cli_builddir %{_builddir}/%{name}-cli-%{version} +%setup -q -T -b 1 -n %{name}-cli-%{version} +[ "%{cli_builddir}" = "$PWD" ] +# offline manpages +%patch900 -p1 + +# docker +%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version} +%setup -q -n %{name}-%{version}_%{git_version} +[ "%{docker_builddir}" = "$PWD" ] +# README_SUSE.md for documentation. +cp %{SOURCE103} . -%if 0%{?is_opensuse} -# nothing -%else +%if 0%{?is_opensuse} == 0 # PATCH-SUSE: Secrets patches. %patch100 -p1 %patch101 -p1 %endif # bsc#1099277 %patch300 -p1 -# bsc#1183855 bsc#1175081 -%patch301 -p1 -# bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191 -%patch302 -p1 -# bsc#1200022 -%patch303 -p1 - -# README_SUSE.md for documentation. -cp %{SOURCE103} . - -# Extract the docker-cli source in a subdir. -mkdir -p %{cli_builddir} -pushd %{cli_builddir} -xz -dc %{SOURCE1} | tar -xof - --strip-components=1 -popd - -# Extract the docker-libnetwork source in a subdir. -mkdir -p %{proxy_builddir} -pushd %{proxy_builddir} -xz -dc %{SOURCE2} | tar -xof - --strip-components=1 -popd %build %sysusers_generate_pre %{SOURCE106} %{name} %{name}.conf @@ -239,12 +200,7 @@ BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS" %endif -(cat <<EOF export AUTO_GOPATH=1 -export DOCKER_BUILDTAGS="$BUILDTAGS" -# Until boo#1038493 is fixed properly we need to do this hack to get the -# compiled-into-the-binary GOROOT. -export GOROOT="$(GOROOT= go env GOROOT)" # Make sure we always build PIC code. bsc#1048046 export BUILDFLAGS="-buildmode=pie" # Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's 
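Review bot: The context comment `# bsc#1099277` above `%patch300 -p1` does not match the patch it annotates, which is named after bsc1073877 in `Patch300`; with the other three annotated `%patch30x` lines removed, this is the only bug reference left in %prep and it should be accurate. If both bugs apply, write `# bsc#1073877 bsc#1099277`, otherwise correct it to `# bsc#1073877`. As a smaller style point, the newly added `%patch900 -p1` uses the numbered `%patchN` form, which newer rpm releases deprecate in favour of `%patch -P 900 -p1`; new lines may as well use the form that keeps working.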
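Review bot: With `export DOCKER_BUILDTAGS="$BUILDTAGS"` removed, nothing visible in this hunk hands the `BUILDTAGS` value assembled just above (including `libdm_dlsym_deferred_remove`) to the engine build; it is left as an unexported shell variable. If upstream's `hack/make.sh` still takes its tags from `DOCKER_BUILDTAGS` (I believe it does, but confirm against the 23.0.5 tree), `dockerd` would be built with default tags only, and any hardening-related tags set earlier in %build would be dropped without an error. Unless the export happens outside this hunk, keep `export DOCKER_BUILDTAGS="$BUILDTAGS"` next to `export AUTO_GOPATH=1`. The %build section starts above the hunk and continues below it.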
@@ -255,50 +211,29 @@ export GITCOMMIT="%{git_version}" export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}" export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')" -# NOTE: This will have to be removed with the next major Docker bump. -export GO111MODULE=off -EOF -) > docker_build_env -. ./docker_build_env - -# Preparing GOPATH so that the client is visible to the compiler -mkdir -p src/github.com/docker/ -ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli" -export GOPATH="$GOPATH:$PWD" ################### ## DOCKER ENGINE ## ################### -# Ignore the warning that we compile outside a Docker container. +pushd "%{docker_builddir}" +# use go module for build +ln -s {vendor,go}.mod +ln -s {vendor,go}.sum ./hack/make.sh dynbinary +popd ################### ## DOCKER CLIENT ## ################### -pushd %{cli_builddir} -make dynbinary - -mkdir -p ./man/man1 -go build -buildmode=pie -o gen-manpages github.com/docker/cli/man -./gen-manpages --root "$PWD" --target "$PWD/man/man1" -./man/md2man-all.sh -popd - -################## -## DOCKER PROXY ## -################## - -pushd %{proxy_builddir} -GOPATH="%{dist_builddir}" \ - go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy +pushd "%{cli_builddir}" +# use go module for build +ln -s {vendor,go}.mod +ln -s {vendor,go}.sum +make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages popd -# We verify that our libnetwork source is the correct version. This is done -# on-build to make sure that someone doing an update didn't miss anything. -grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer - %install install -Dd -m0755 \ %{buildroot}%{_sysconfdir}/init.d \ 
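Review bot: The two `ln -s {vendor,go}.mod` / `ln -s {vendor,go}.sum` pairs put both trees into module mode now that `export GO111MODULE=off` is gone, but nothing in the hunk states that dependencies must come only from the shipped `vendor/` directories. OBS workers have no network, so the build cannot fetch there, but a local `rpmbuild` on a networked machine relies on Go's defaults to avoid resolving modules remotely. I would make the intent explicit before the first `pushd` with `export GOFLAGS=-mod=vendor` and `export GOPROXY=off`, after checking that this does not clash with flags `hack/make.sh` or the cli Makefile set themselves. Separately, `{vendor,go}.mod` is bash brace expansion, so a short comment such as `# relies on bash brace expansion: vendor.mod -> go.mod` would help anyone building where %build does not run under bash.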
@@ -306,30 +241,31 @@ %{buildroot}%{_sbindir} # docker daemon -install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd +install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd +# docker proxy +install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{buildroot}/%{_bindir}/docker-proxy + +# /var/lib/docker install -d %{buildroot}/%{_localstatedir}/lib/docker # daemon.json config file install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json # docker cli install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker -install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}" -install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}" -install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish" - -# docker proxy -install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy +install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}" +install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}" +install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish" # systemd service -install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service +install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service ln -sf service %{buildroot}%{_sbindir}/rcdocker # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 -install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules +install -D -m0644 
%{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{name}.rules # audit rules -install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules +install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules # sysconfig file install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker @@ -363,17 +299,17 @@ usermod -w 100000000-200000000 dockremap &>/dev/null || \ echo "dockremap:100000000:100000001" >>/etc/subgid ||: -%service_add_pre %{realname}.service +%service_add_pre %{name}.service %post -%service_add_post %{realname}.service +%service_add_post %{name}.service %{fillup_only -n docker} %preun -%service_del_preun %{realname}.service +%service_del_preun %{name}.service %postun -%service_del_postun %{realname}.service +%service_del_postun %{name}.service %files %defattr(-,root,root) @@ -385,15 +321,15 @@ %{_sbindir}/rcdocker %dir %{_localstatedir}/lib/docker/ -%{_unitdir}/%{realname}.service +%{_unitdir}/%{name}.service %{_sysusersdir}/%{name}.conf %dir %{_sysconfdir}/docker %config(noreplace) %{_sysconfdir}/docker/daemon.json %{_fillupdir}/sysconfig.docker -%config %{_sysconfdir}/audit/rules.d/%{realname}.rules -%{_udevrulesdir}/80-%{realname}.rules +%config %{_sysconfdir}/audit/rules.d/%{name}.rules +%{_udevrulesdir}/80-%{name}.rules %{_mandir}/man1/docker-*.1%{ext_man} %{_mandir}/man1/docker.1%{ext_man} 
@@ -402,14 +338,14 @@ %files bash-completion %defattr(-,root,root) -%{_datarootdir}/bash-completion/completions/%{realname} +%{_datarootdir}/bash-completion/completions/%{name} %files zsh-completion %defattr(-,root,root) -%{_sysconfdir}/zsh_completion.d/_%{realname} +%{_sysconfdir}/zsh_completion.d/_%{name} %files fish-completion %defattr(-,root,root) -%{_datadir}/fish/vendor_completions.d/%{realname}.fish +%{_datadir}/fish/vendor_completions.d/%{name}.fish %changelog ++++++ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch ++++++ --- /var/tmp/diff_new_pack.yXKUV6/_old 2023-04-27 20:00:02.277609304 +0200 +++ /var/tmp/diff_new_pack.yXKUV6/_new 2023-04-27 20:00:02.281609327 +0200 @@ -1,7 +1,7 @@ -From 823bedd07fac6778a3d94b6f949ac16e6bd12638 Mon Sep 17 00:00:00 2001 +From 5c6812a104e161599fc8569d0b4af04224ef3b5a Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 1/3] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -10,11 +10,11 @@ Signed-off-by: Antonio Murdaca <run...@redhat.com> Signed-off-by: Aleksa Sarai <asa...@suse.de> --- - daemon/container_operations_unix.go | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) + daemon/container_operations_unix.go | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 75b4b09b8dc4..583db20aa459 100644 +index 561077b66b60..0b70825dd2ff 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -4,6 +4,7 @@ 
@@ -23,12 +23,12 @@ import ( + "bytes" "fmt" - "io/ioutil" "os" -@@ -13,6 +14,7 @@ import ( - "github.com/docker/docker/container" + "path/filepath" +@@ -14,6 +15,7 @@ import ( "github.com/docker/docker/daemon/links" "github.com/docker/docker/errdefs" + "github.com/docker/docker/libnetwork" + "github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/stringid" @@ -37,13 +37,13 @@ if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } -- if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { +- if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { - return errors.Wrap(err, "error injecting secret") - } uid, err := strconv.Atoi(s.File.UID) if err != nil { -@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } @@ -55,14 +55,13 @@ + // If the "file" is a directory, then s.File.Data is actually a tar + // archive of the directory. So we just do a tar extraction here. + if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{ -+ UIDMaps: daemon.idMapping.UIDs(), -+ GIDMaps: daemon.idMapping.GIDs(), ++ IDMap: daemon.idMapping, + }); err != nil { + return errors.Wrap(err, "error injecting secretdir") + } + } + } else { -+ if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { ++ if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { + return errors.Wrap(err, "error injecting secret") + } + } @@ -70,6 +69,6 @@ return errors.Wrap(err, "error setting ownership for secret") } -- -2.38.1 +2.40.0 ++++++ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch ++++++ --- /var/tmp/diff_new_pack.yXKUV6/_old 2023-04-27 20:00:02.301609445 +0200 +++ /var/tmp/diff_new_pack.yXKUV6/_new 2023-04-27 20:00:02.305609468 +0200 
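Review bot: In the directory branch of the carried patch, the comment says `s.File.Data is actually a tar archive of the directory`, but the call beneath it extracts `secret.Spec.Data`; the comment should name the field that is actually read, e.g. `// ... then secret.Spec.Data is actually a tar archive of the directory.` Since the rebased `archive.TarOptions` now passes only `IDMap: daemon.idMapping`, one more sentence would help, stating that entry modes and ownership inside the secret directory come from the archive (remapped through the daemon's ID mapping) and not from `s.File.Mode`; that is inferred from the visible call and should be confirmed against `pkg/archive`. `setupSecretDir` starts and ends outside these hunks.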
@@ -1,7 +1,7 @@ -From fa24396cbecbb6cdc7c734559389486849c2268c Mon Sep 17 00:00:00 2001 +From 4138c02a19fbd3d3ff50f0b364bf4b99adc47298 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 2/3] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. @@ -14,12 +14,12 @@ Signed-off-by: Aleksa Sarai <asa...@suse.de> --- daemon/start.go | 5 + - daemon/suse_secrets.go | 410 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 415 insertions(+) + daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 420 insertions(+) create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go -index d9bc082b1078..091dae2ae65e 100644 +index 9d6f7812b67c..53c42082c5bf 100644 --- a/daemon/start.go +++ b/daemon/start.go @@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint @@ -36,10 +36,10 @@ return errdefs.System(err) diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 -index 000000000000..9ee33adf7497 +index 000000000000..32b0ece91b59 --- /dev/null +++ b/daemon/suse_secrets.go -@@ -0,0 +1,410 @@ +@@ -0,0 +1,415 @@ +/* + * suse-secrets: patch for Docker to implement SUSE secrets + * Copyright (C) 2017-2021 SUSE LLC. @@ -75,8 +75,8 @@ + "github.com/docker/docker/pkg/idtools" + + swarmtypes "github.com/docker/docker/api/types/swarm" -+ swarmexec "github.com/docker/swarmkit/agent/exec" -+ swarmapi "github.com/docker/swarmkit/api" ++ swarmexec "github.com/moby/swarmkit/v2/agent/exec" ++ swarmapi "github.com/moby/swarmkit/v2/api" + + "github.com/opencontainers/go-digest" + "github.com/sirupsen/logrus" 
@@ -113,7 +113,7 @@ + } +} + -+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference { ++func (s SuseFakeFile) toSecretReference(idMaps idtools.IdentityMapping) *swarmtypes.SecretReference { + // Figure out the host-facing {uid,gid} based on the provided maps. Fall + // back to root if the UID/GID don't match (we are guaranteed that root is + // mapped). @@ -345,6 +345,7 @@ + suseEmptyStore struct{} + suseEmptySecret struct{} + suseEmptyConfig struct{} ++ suseEmptyVolume struct{} +) + +// In order to reduce the amount of code touched outside of this file, we @@ -356,14 +357,17 @@ + emptyStore swarmexec.DependencyGetter = suseEmptyStore{} + emptySecret swarmexec.SecretGetter = suseEmptySecret{} + emptyConfig swarmexec.ConfigGetter = suseEmptyConfig{} ++ emptyVolume swarmexec.VolumeGetter = suseEmptyVolume{} +) + +var errSuseEmptyStore = fmt.Errorf("SUSE:secrets :: tried to get a resource from empty store [this is a bug]") + +func (_ suseEmptyConfig) Get(_ string) (*swarmapi.Config, error) { return nil, errSuseEmptyStore } +func (_ suseEmptySecret) Get(_ string) (*swarmapi.Secret, error) { return nil, errSuseEmptyStore } ++func (_ suseEmptyVolume) Get(_ string) (string, error) { return "", errSuseEmptyStore } +func (_ suseEmptyStore) Secrets() swarmexec.SecretGetter { return emptySecret } +func (_ suseEmptyStore) Configs() swarmexec.ConfigGetter { return emptyConfig } ++func (_ suseEmptyStore) Volumes() swarmexec.VolumeGetter { return emptyVolume } + +type suseDependencyStore struct { + dfl swarmexec.DependencyGetter 
@@ -373,6 +377,7 @@ +// The following are effectively dumb wrappers that return ourselves, or the +// default. +func (s *suseDependencyStore) Secrets() swarmexec.SecretGetter { return s } ++func (s *suseDependencyStore) Volumes() swarmexec.VolumeGetter { return emptyVolume } +func (s *suseDependencyStore) Configs() swarmexec.ConfigGetter { return s.dfl.Configs() } + +// Get overrides the underlying DependencyGetter with our own secrets (falling @@ -451,6 +456,6 @@ + return nil +} -- -2.38.1 +2.40.0 ++++++ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch -> 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch ++++++ --- /work/SRC/openSUSE:Factory/docker/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch 2022-12-08 16:50:01.731127933 +0100 +++ /work/SRC/openSUSE:Factory/.docker.new.1533/0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch 2023-04-27 20:00:00.513598934 +0200 @@ -1,7 +1,7 @@ -From bc52d15141402d94eeaee618f1df0b540f527b98 Mon Sep 17 00:00:00 2001 +From 3e37bbad6f0a0c2576ad0b9dfe7a4a9290aa2aa0 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 3/3] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -22,7 +22,7 @@ 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go -index 21813ec14f8f..0de75b32b7fa 100644 +index 6376001613f7..5fde21a4af8a 100644 --- a/daemon/apparmor_default.go +++ b/daemon/apparmor_default.go @@ -24,6 +24,15 @@ func DefaultApparmorProfile() string { 
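Review bot: The new `suseDependencyStore.Volumes()` returns `emptyVolume`, while the neighbouring `Configs()` delegates to `s.dfl.Configs()`, and the comment above these wrappers says they return "ourselves, or the default"; this one does neither. If `dfl` is ever a real swarm dependency store, every volume lookup through the wrapper would fail with the `tried to get a resource from empty store [this is a bug]` error instead of reaching that store. I would write `func (s *suseDependencyStore) Volumes() swarmexec.VolumeGetter { return s.dfl.Volumes() }`. That is safe in the fallback case too, because the `@@ -356,14 +357,17 @@` hunk on the previous line gives `suseEmptyStore` its own `Volumes()` method. The type's remaining methods lie outside the hunk.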
@@ -30,7 +30,7 @@ } +func clobberDefaultAppArmorProfile() error { -+ if apparmor.IsEnabled() { ++ if apparmor.HostSupports() { + if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil { + return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err) + } @@ -39,7 +39,7 @@ +} + func ensureDefaultAppArmorProfile() error { - if apparmor.IsEnabled() { + if apparmor.HostSupports() { loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile) @@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error { } @@ -69,10 +69,10 @@ return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go -index f15a4b038498..2f0c23bc62c9 100644 +index 40abbe8cc19c..05c6db818c30 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go -@@ -857,8 +857,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S +@@ -807,8 +807,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S logrus.Warnf("Failed to configure golang's threads limit: %v", err) } @@ -85,5 +85,5 @@ } -- -2.38.1 +2.40.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.yXKUV6/_old 2023-04-27 20:00:02.417610127 +0200 +++ /var/tmp/diff_new_pack.yXKUV6/_new 2023-04-27 20:00:02.421610150 +0200 
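Review bot: `clobberDefaultAppArmorProfile` carries no doc comment, although the difference from `ensureDefaultAppArmorProfile` is the point of the patch: the visible lines call `aaprofile.InstallDefault` directly, where `ensure…` first asks `aaprofile.IsLoaded`. I would add `// clobberDefaultAppArmorProfile (re)installs the docker-default profile whenever the host supports AppArmor, without checking whether one is already loaded.` Now that the guard is `apparmor.HostSupports()`, the message text "AppArmor enabled on system" no longer describes the condition tested, and formatting the error with `%s` discards the cause for callers using `errors.Is`/`errors.As`; consider `return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %w", defaultAppArmorProfile, err)`. The call site in `NewDaemon` is only partly visible in the `daemon.go` hunk.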
@@ -3,26 +3,18 @@ <param name="url">https://github.com/moby/moby.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">20.10.23_ce_%h</param> - <param name="revision">v20.10.23</param> + <param name="versionformat">23.0.5_ce_%h</param> + <param name="revision">v23.0.5</param> <param name="filename">docker</param> </service> <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/docker/cli.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">20.10.23_ce</param> - <param name="revision">v20.10.23</param> + <param name="versionformat">23.0.5_ce</param> + <param name="revision">v23.0.5</param> <param name="filename">docker-cli</param> </service> - <service name="tar_scm" mode="disabled"> - <param name="url">https://github.com/docker/libnetwork.git</param> - <param name="scm">git</param> - <param name="exclude">.git</param> - <param name="versionformat">%H</param> - <param name="revision">05b93e0d3a95952f70c113b0bc5bdb538d7afdd7</param> - <param name="filename">docker-libnetwork</param> - </service> <service name="recompress" mode="disabled"> <param name="file">docker-*.tar</param> <param name="compression">xz</param> ++++++ cli-0001-docs-include-required-tools-in-source-tree.patch ++++++ ++++ 23757 lines (skipped) ++++++ docker-20.10.23_ce_6051f1429.tar.xz -> docker-23.0.5_ce_94d3ad69cc59.tar.xz ++++++ /work/SRC/openSUSE:Factory/docker/docker-20.10.23_ce_6051f1429.tar.xz /work/SRC/openSUSE:Factory/.docker.new.1533/docker-23.0.5_ce_94d3ad69cc59.tar.xz differ: char 15, line 1 ++++++ docker-cli-20.10.23_ce.tar.xz -> docker-cli-23.0.5_ce.tar.xz ++++++ ++++ 1097346 lines of diff (skipped)