Hello community,

here is the log from the commit of package docker-kubic for openSUSE:Factory 
checked in at 2018-06-29 22:36:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker-kubic (Old)
 and      /work/SRC/openSUSE:Factory/.docker-kubic.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker-kubic"

Fri Jun 29 22:36:55 2018 rev:13 rq:619751 version:17.09.1_ce

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker-kubic/docker-kubic.changes        
2018-06-08 23:17:41.723231616 +0200
+++ /work/SRC/openSUSE:Factory/.docker-kubic.new/docker-kubic.changes   
2018-06-29 22:36:58.105972238 +0200
@@ -1,0 +2,9 @@
+Fri Jun 29 08:35:56 UTC 2018 - [email protected]
+
+- Update the AppArmor patchset again to fix a separate issue where changed
+  AppArmor profiles don't actually get applied on Docker daemon reboot.
+  bsc#1099277
+  * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+  + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
+
+-------------------------------------------------------------------

New:
----
  bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker-kubic.spec ++++++
--- /var/tmp/diff_new_pack.tA0cYO/_old  2018-06-29 22:36:58.617971794 +0200
+++ /var/tmp/diff_new_pack.tA0cYO/_new  2018-06-29 22:36:58.621971791 +0200
@@ -68,10 +68,13 @@
 Patch400:       
bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. 
bsc#1021227 bsc#1029320 bsc#1058173
 Patch401:       
bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. 
bsc#1073877
+Patch402:       
bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. 
bsc#1099277
+Patch403:       
bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 # SUSE-FEATURE: Add support to mirror inofficial/private registries
 #               (https://github.com/moby/moby/pull/34319)
 Patch500:       private-registry-0001-Add-private-registry-mirror-support.patch
-Patch501:       
bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -221,10 +224,12 @@
 %patch400 -p1
 # bsc#1021227 bsc#1029320 bsc#1058173
 %patch401 -p1
+# bsc#1073877
+%patch402 -p1
+# bsc#1099277
+%patch403 -p1
 # PATCH-SUSE: Mirror patch.
 %patch500 -p1
-# bsc#1073877
-%patch501 -p1
 
 cp %{SOURCE7} .
 cp %{SOURCE9} .

++++++ 
bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch 
++++++
--- /var/tmp/diff_new_pack.tA0cYO/_old  2018-06-29 22:36:58.665971753 +0200
+++ /var/tmp/diff_new_pack.tA0cYO/_new  2018-06-29 22:36:58.665971753 +0200
@@ -1,7 +1,7 @@
 From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <[email protected]>
 Date: Sun, 8 Apr 2018 20:21:30 +1000
-Subject: [PATCH] apparmor: allow receiving of signals from 'docker kill'
+Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill'
 
 In newer kernels, AppArmor will reject attempts to send signals to a
 container because the signal originated from outside of that AppArmor
@@ -32,5 +32,5 @@
    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a 
subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
 -- 
-2.16.3
+2.17.1
 

++++++ bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch 
++++++
>From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start

In the process of making docker-default reloading far less expensive,
567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
profiles") mistakenly made the initial profile load at dockerd start-up
lazy. As a result, if you have a running Docker daemon and upgrade it to
a new one with an updated AppArmor profile the new profile will not take
effect (because the old one is still loaded). The fix for this is quite
trivial, and just requires us to clobber the profile on start-up.

Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor 
profiles")
SUSE-Bugs: bsc#1099277
Signed-off-by: Aleksa Sarai <[email protected]>
---
 components/engine/daemon/apparmor_default.go       | 14 ++++++++++----
 .../engine/daemon/apparmor_default_unsupported.go  |  4 ++++
 components/engine/daemon/daemon.go                 |  4 +++-
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/components/engine/daemon/apparmor_default.go 
b/components/engine/daemon/apparmor_default.go
index 2a418b25c241..c3e271ee4774 100644
--- a/components/engine/daemon/apparmor_default.go
+++ b/components/engine/daemon/apparmor_default.go
@@ -14,6 +14,15 @@ const (
        defaultApparmorProfile = "docker-default"
 )
 
+func clobberDefaultAppArmorProfile() error {
+       if apparmor.IsEnabled() {
+               if err := aaprofile.InstallDefault(defaultApparmorProfile); err 
!= nil {
+                       return fmt.Errorf("AppArmor enabled on system but the 
%s profile could not be loaded: %s", defaultApparmorProfile, err)
+               }
+       }
+       return nil
+}
+
 func ensureDefaultAppArmorProfile() error {
        if apparmor.IsEnabled() {
                loaded, err := aaprofile.IsLoaded(defaultApparmorProfile)
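Review bot: The new clobberDefaultAppArmorProfile has no doc comment, and since it sits next to ensureDefaultAppArmorProfile with an almost identical shape, the difference in contract (unconditional reload versus load-if-missing) is exactly what a reader needs spelled out. Suggested comment: `// clobberDefaultAppArmorProfile (re)loads the docker-default profile whenever AppArmor is enabled, replacing any version the kernel already holds; use ensureDefaultAppArmorProfile when a profile that is already loaded should be left alone.` The error built on the following lines formats err with `%s`; `%v` is the conventional verb for an error value and reads the same, e.g. `return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %v", defaultApparmorProfile, err)`.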
@@ -27,10 +36,7 @@ func ensureDefaultAppArmorProfile() error {
                }
 
                // Load the profile.
-               if err := aaprofile.InstallDefault(defaultApparmorProfile); err 
!= nil {
-                       return fmt.Errorf("AppArmor enabled on system but the 
%s profile could not be loaded: %s", defaultApparmorProfile, err)
-               }
+               return clobberDefaultAppArmorProfile()
        }
-
        return nil
 }
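Review bot: The `return clobberDefaultAppArmorProfile()` is reached only inside the `if apparmor.IsEnabled()` branch, so the callee re-checks a condition this function has already established; harmless, but the surviving `// Load the profile.` comment no longer says why the call was routed through the clobber helper. A one-line note such as `// Not loaded yet: install it; clobbering is safe here because nothing is loaded.` would make the shared code path intentional rather than accidental. The early-return path for an already-loaded profile presumably lies in the lines above this hunk and is not visible here, so that reading is inferred.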
diff --git a/components/engine/daemon/apparmor_default_unsupported.go 
b/components/engine/daemon/apparmor_default_unsupported.go
index cd2dd9702ef2..17584063c711 100644
--- a/components/engine/daemon/apparmor_default_unsupported.go
+++ b/components/engine/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
 
 package daemon
 
+func clobberDefaultAppArmorProfile() error {
+       return nil
+}
+
 func ensureDefaultAppArmorProfile() error {
        return nil
 }
diff --git a/components/engine/daemon/daemon.go 
b/components/engine/daemon/daemon.go
index a11a1f8691cc..6f8846b19f57 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService 
registry.Service, containe
                logrus.Warnf("Failed to configure golang's threads limit: %v", 
err)
        }
 
-       if err := ensureDefaultAppArmorProfile(); err != nil {
+       // Make sure we clobber any pre-existing docker-default profile to 
ensure
+       // that upgrades to the profile actually work smoothly.
+       if err := clobberDefaultAppArmorProfile(); err != nil {
                logrus.Errorf(err.Error())
        }
 
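Review bot: A failed clobberDefaultAppArmorProfile is only logged and NewDaemon carries on, which means that after an upgrade the daemon can keep running under the previously loaded profile — the very condition this patch sets out to fix — with the log line as the operator's only signal. If continuing is intended, the new comment should say so explicitly, e.g. append `// A failure here is logged and not fatal; the old profile (if any) stays loaded.` so that the degraded state is documented rather than implicit. While touching this spot, the pre-existing `logrus.Errorf(err.Error())` passes the error text as the format string (go vet reports non-constant format strings); `logrus.Errorf("loading AppArmor profile: %v", err)` avoids that. NewDaemon begins and ends outside this hunk.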
-- 
2.17.1

