Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2018-09-05 13:46:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Wed Sep 5 13:46:40 2018 rev:80 rq:632984 version:18.06.1_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2018-08-03 12:29:15.766857516 +0200 +++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2018-09-05 13:46:43.130072804 +0200 @@ -1,0 +2,73 @@ +Tue Sep 4 08:32:43 UTC 2018 - rbr...@suse.com + +- ExcludeArch i586 for entire docker-kubic flavour + +------------------------------------------------------------------- +Tue Sep 4 07:32:47 UTC 2018 - rbr...@suse.com + +- ExcludeArch i586 for docker-kubic-kubeadm-criconfig subpackage + +------------------------------------------------------------------- +Fri Aug 24 08:17:41 UTC 2018 - asa...@suse.com + +- Add patch to make package reproducible, which is a backport of + https://github.com/docker/cli/pull/1306. boo#1047218 + + bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch + +------------------------------------------------------------------- +Wed Aug 22 09:54:57 UTC 2018 - asa...@suse.com + +- Upgrade to docker-ce v18.06.1-ce. Upstream changelog: + https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce bsc#1102522 +- Remove patches that were merged upstream: + - bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch + +------------------------------------------------------------------- +Tue Aug 21 09:50:01 UTC 2018 - asa...@suse.com + +- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce + upgrade. This is a potential security issue (the CRI plugin was enabled by + default, which listens on a TCP port bound to 0.0.0.0) that will be fixed + upstream in the 18.06.1-ce upgrade. bsc#1102522 + + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch + +------------------------------------------------------------------- +Tue Aug 21 09:39:57 UTC 2018 - rbr...@suse.com + +- Kubic: Make crio default, docker as alternative runtime + (boo#1104821) +- Provide kubernetes CRI config with docker-kubic-kubeadm-criconfig + subpackage + +------------------------------------------------------------------- +Thu Aug 16 02:00:31 UTC 2018 - asa...@suse.com + +- Merge -kubic packages back into the main Virtualization:containers packages. + This is done using _multibuild to add a "kubic" flavour, which is then used + to conditionally compile patches and other kubic-specific features. + bsc#1105000 +- Rework docker-rpmlintrc with the new _multibuild setup. + +------------------------------------------------------------------- +Wed Aug 1 09:40:59 UTC 2018 - asa...@suse.com + +- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage + to work with Docker and containerd. fate#325877 + +------------------------------------------------------------------- +Tue Jul 31 09:48:16 UTC 2018 - asa...@suse.com + +- Upgrade to docker-ce v18.06.0-ce. bsc#1102522 +- Remove systemd-service dependency on containerd, which is now being started + by dockerd to align with upstream defaults. +- Removed the following patches as they are merged upstream: + - bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch + - bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch +- Rebased the following patches: + * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch + * bsc1100727-0001-build-add-buildmode-pie.patch + * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + * secrets-0002-SUSE-implement-SUSE-container-secrets.patch + +------------------------------------------------------------------- @@ -18,5 +90,0 @@ -Wed Jun 13 10:19:23 UTC 2018 - dcass...@suse.com - -- Make use of %license macro - -------------------------------------------------------------------- @@ -29,0 +98,5 @@ +Tue Jun 5 08:41:07 UTC 2018 - dcass...@suse.com + +- Make use of %license macro + +------------------------------------------------------------------- @@ -44,0 +118,12 @@ +Wed May 16 10:12:56 UTC 2018 - jmassaguer...@suse.com + +- Review Obsoletes to fix bsc#1080978 + +------------------------------------------------------------------- +Thu Apr 12 12:49:25 UTC 2018 - fcaste...@suse.com + +- Put docker under the podruntime slice. This the recommended + deployment to allow fine resource control on Kubernetes. + bsc#1086185 + +------------------------------------------------------------------- @@ -69,0 +155,7 @@ +Thu Mar 8 13:14:54 UTC 2018 - vrothb...@suse.com + +- Fix private-registry-0001-Add-private-registry-mirror-support.patch to + deal corretly with TLS configs of 3rd party registries. + fix bsc#1084533 + +------------------------------------------------------------------- @@ -77,0 +170 @@ + * private-registry-0001-Add-private-registry-mirror-support.patch @@ -79,0 +173,30 @@ + +------------------------------------------------------------------- +Mon Feb 12 10:52:33 UTC 2018 - rbr...@suse.com + +- Add ${version} to equivalent non-kubic package provides + +------------------------------------------------------------------- +Thu Feb 8 12:34:51 UTC 2018 - rbr...@suse.com + +- Add Provides for equivalent non-kubic packages + +------------------------------------------------------------------- +Tue Jan 30 12:27:44 UTC 2018 - vrothb...@suse.com + +- Disable all tests for docker/client and docker/pkg/discovery. The unit tests + of those packages broke reproducibly the builds in IBS. + +------------------------------------------------------------------- +Mon Jan 29 14:39:02 UTC 2018 - vrothb...@suse.com + +- Disable flaky tests github.com/docker/docker/pkg/discovery/kv. + +------------------------------------------------------------------- +Fri Jan 26 07:15:53 UTC 2018 - vrothb...@suse.com + +- Add patch to support mirroring of private/non-upstream registries. As soon as + the upstream PR (https://github.com/moby/moby/pull/34319) is merged, this + patch will be replaced by the backported one from upstream. + + private-registry-0001-Add-private-registry-mirror-support.patch + fix bsc#1074971 Old: ---- bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch docker-17.09.1_ce.tar.xz New: ---- _multibuild bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch docker-18.06.1_ce.tar.xz docker-kubic-service.conf kubelet.env private-registry-0001-Add-private-registry-mirror-support.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.246074675 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.246074675 +0200 @@ -26,32 +26,46 @@ %define _fillupdir /var/adm/fillup-templates %endif +# Handle _multibuild magic. +%define flavour @BUILD_FLAVOR@%{nil} + +# We split the Name: into "realname" and "name_suffix". +%define realname docker +%if "%flavour" == "" +%define name_suffix %{nil} +%else +%define name_suffix -%{flavour} +%endif + # Used when generating the "build" information for Docker version. The value of # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version f4ffd2511ce9 -%define git_commit_epoch 1508606827 +%define git_version e68fc7a215d7 +%define git_commit_epoch 1534871791 # These are the git commits required. We verify them against the source to make # sure we didn't miss anything important when doing upgrades. -%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0 -%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64 -%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e +%define required_containerd 468a545b9edcd5932818eb9de8e72413e616e86e +%define required_dockerrunc 69663f0bd4b60df09991c08812a60108003fa340 +%define required_libnetwork 3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b -Name: docker -Version: 17.09.1_ce +Name: %{realname}%{name_suffix} +Version: 18.06.1_ce Release: 0 Summary: The Linux container runtime License: Apache-2.0 Group: System/Management Url: http://www.docker.io # TODO(VR): check those SOURCE files below -Source: %{name}-%{version}.tar.xz +Source: %{realname}-%{version}.tar.xz Source1: docker.service +# bsc#1086185 -- but we only apply this on Kubic. +Source2: docker-kubic-service.conf Source3: 80-docker.rules Source4: sysconfig.docker +Source5: kubelet.env Source6: docker-rpmlintrc Source7: README_SUSE.md Source8: docker-audit.rules @@ -62,16 +76,17 @@ # branch in http://github.com/suse/docker.mirror. Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676 -Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173 -Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/36822. bsc#1073877 -Patch402: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch +Patch400: bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/37353. bsc#1099277 -Patch403: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch +Patch401: bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727 -Patch404: bsc1100727-0001-build-add-buildmode-pie.patch +Patch402: bsc1100727-0001-build-add-buildmode-pie.patch +# SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1306. boo#1047218 +Patch403: bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch +# SUSE-FEATURE: Add support to mirror inofficial/private registries +# (https://github.com/moby/moby/pull/34319) +Patch500: private-registry-0001-Add-private-registry-mirror-support.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates @@ -79,21 +94,7 @@ BuildRequires: glibc-devel-static BuildRequires: libapparmor-devel BuildRequires: libbtrfs-devel >= 3.8 -# enable libseccomp for sle >= sle12sp2 -%if 0%{?sle_version} >= 120200 -%define with_libseccomp 1 -%endif -# enable libseccomp for leap >= 42.2 -%if 0%{?leap_version} >= 420200 -%define with_libseccomp 1 -%endif -# enable libseccomp for Factory -%if 0%{?suse_version} > 1320 -%define with_libseccomp 1 -%endif -%if 0%{?with_libseccomp} -BuildRequires: libseccomp-devel -%endif +BuildRequires: libseccomp-devel >= 2.2 BuildRequires: libtool BuildRequires: procps BuildRequires: sqlite3-devel @@ -104,14 +105,14 @@ # Required in order for networking to work. fix_bsc_1057743 is a work-around # for some old packaging issues (where rpm would delete a binary that was # installed by docker-libnetwork). See bsc#1057743 for more details. -Requires: docker-libnetwork-git = %{required_libnetwork} +Requires: docker-libnetwork%{name_suffix}-git = %{required_libnetwork} Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of # runC or containerd (which would be bad). -Requires: containerd-git = %{required_containerd} -Requires: docker-runc-git = %{required_dockerrunc} +Requires: containerd%{name_suffix}-git = %{required_containerd} +Requires: docker-runc%{name_suffix}-git = %{required_dockerrunc} # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit @@ -134,11 +135,26 @@ # different storage-driver than devicemapper Recommends: lvm2 >= 2.2.89 Conflicts: lxc < 1.0 -BuildRoot: %{_tmppath}/%{name}-%{version}-build ExcludeArch: s390 ppc -# Make sure we build with go 1.8 +# Make sure we build with go 1.10 BuildRequires: go-go-md2man -BuildRequires: golang(API) = 1.8 +BuildRequires: golang(API) = 1.10 +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname} = 1.12.6 +Obsoletes: %{realname}_1_12_6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname} +Provides: %{realname} = %{version} +# Kubernetes requires cri-runtime, which should be provided only by the -kubic flavour of this package +Provides: cri-runtime +# No i586 Kubernetes, so docker-kubic must not be built for i586 also +ExcludeArch: i586 +%endif %description Docker complements LXC with a high-level API which operates at the process @@ -153,8 +169,19 @@ Summary: Bash Completion for %{name} Group: System/Management Requires: %{name} = %{version} -Supplements: packageand(docker:bash-completion) +Supplements: packageand(%{name}:bash-completion) BuildArch: noarch +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname}-bash-completion = 1.12.6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname}-bash-completion > 1.12.6 +Provides: %{realname}-bash-completion = %{version} +%endif %description bash-completion Bash command line completion support for %{name}. @@ -163,8 +190,19 @@ Summary: Zsh Completion for %{name} Group: System/Management Requires: %{name} = %{version} -Supplements: packageand(docker:zsh) +Supplements: packageand(%{name}:zsh) BuildArch: noarch +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname}-zsh-completion = 1.12.6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname}-zsh-completion > 1.12.6 +Provides: %{realname}-zsh-completion = %{version} +%endif %description zsh-completion Zsh command line completion support for %{name}. @@ -183,12 +221,37 @@ Requires: procps Requires: sqlite3-devel Requires: golang(API) = 1.8 +# KUBIC-SPECIFIC: This was required when upgrading from the original kubic +# packaging, when everything was renamed to -kubic. It also is +# used to ensure that nothing complains too much when using +# -kubic packages. Hopfully it can be removed one day. +%if "%flavour" == "kubic" +# Obsolete old packege without the -kubic suffix +Obsoletes: %{realname}-test = 1.12.6 +# Conflict with non-kubic package, and provide equivalent +Conflicts: %{realname}-test > 1.12.6 +Provides: %{realname}-test = %{version} +%endif %description test Test package for docker. It contains the source code and the tests. +%if "%flavour" == "kubic" +%package kubeadm-criconfig +Summary: docker container runtime configuration for kubeadm +Group: System/Management +Requires: kubernetes-kubeadm +Requires(post): %fillup_prereq +Supplements: docker-kubic +Provides: kubernetes-kubeadm-criconfig +Conflicts: cri-o-kubeadm-criconfig + +%description kubeadm-criconfig +docker container runtime configuration for kubeadm +%endif + %prep -%setup -q +%setup -q -n %{realname}-%{version} %if 0%{?is_opensuse} # nothing %else @@ -196,25 +259,24 @@ %patch200 -p1 %patch201 -p1 %endif -# bsc#1055676 +# bsc#1073877 %patch400 -p1 -# bsc#1021227 bsc#1029320 bsc#1058173 +# bsc#1099277 %patch401 -p1 -# bsc#1073877 +# bsc#1100727 %patch402 -p1 -# bsc#1099277 +# boo#1047218 %patch403 -p1 -# bsc#1100727 -%patch404 -p1 +%if "%flavour" == "kubic" +# PATCH-SUSE: Mirror patch. +%patch500 -p1 +%endif cp %{SOURCE7} . cp %{SOURCE9} . %build -BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11" -%if 0%{?with_libseccomp} -BUILDTAGS="seccomp $BUILDTAGS" -%endif +BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11" %if 0%{?sle_version} == 120000 # Provided by patch406, to allow us to build with older distros but still # have deferred removal support at runtime. We only use this when building @@ -279,9 +341,9 @@ # of the upstream vendoring scripts. This is done on-build to make sure that # someone doing an update didn't miss anything. cd components/engine -grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits -grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits -grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits +grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/install/runc.installer +grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/install/containerd.installer +grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/install/proxy.installer %install install -d %{buildroot}%{go_contribdir} @@ -293,8 +355,8 @@ %{buildroot}%{_sysconfdir}/init.d \ %{buildroot}%{_sbindir} -install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{name}" -install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{name}" +install -D -m0644 components/cli/contrib/completion/bash/docker "%{buildroot}%{_sysconfdir}/bash_completion.d/%{realname}" +install -D -m0644 components/cli/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/%{realname}" # copy all for the test package install -d %{buildroot}%{_prefix}/src/docker/ cp -a components/engine/. %{buildroot}%{_prefix}/src/docker/engine @@ -303,17 +365,20 @@ # # systemd service # -install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service +install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{realname}.service +%if "%flavour" == "kubic" +install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{realname}.service.d/90-kubic.conf +%endif ln -sf service %{buildroot}%{_sbindir}/rcdocker # # udev rules that prevents dolphin to show all docker devices and slows down # upstream report https://bugs.kde.org/show_bug.cgi?id=329930 # -install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{name}.rules +install -D -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules # audit rules -install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules +install -D -m 0640 %{SOURCE8} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules # sysconfig file install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker @@ -326,21 +391,42 @@ install -d %{buildroot}%{_mandir}/man8 install -p -m 644 components/cli/man/man8/*.8 %{buildroot}%{_mandir}/man8 +%if "%flavour" == "kubic" +# place kubelet.env in fillupdir (for kubeadm-criconfig) +install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet +%endif + %fdupes %{buildroot} %pre getent group docker >/dev/null || groupadd -r docker -%service_add_pre %{name}.service +%service_add_pre %{realname}.service %post -%service_add_post %{name}.service +%service_add_post %{realname}.service %{fillup_only -n docker} +# NOTE: This is a pretty hacky way of getting around the fact we've removed +# containerd.service and now everything is spawned underneath Docker. In +# order to force containerd.service to be stopped on the upgrade we need +# to trick the systemd macros into thinking that this is an "uninstall". +# Hopefully we can remove this soon. +( + FIRST_ARG=0 + %service_del_preun containerd.service containerd.socket + %service_del_postun containerd.service containerd.socket +) + +%if "%flavour" == "kubic" +%post kubeadm-criconfig +%fillup_only -n kubelet +%endif + %preun -%service_del_preun %{name}.service +%service_del_preun %{realname}.service %postun -%service_del_postun %{name}.service +%service_del_postun %{realname}.service %files %defattr(-,root,root) @@ -349,9 +435,13 @@ %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker -%{_unitdir}/%{name}.service -%config %{_sysconfdir}/audit/rules.d/%{name}.rules -%{_udevrulesdir}/80-%{name}.rules +%{_unitdir}/%{realname}.service +%if "%flavour" == "kubic" +%dir %{_unitdir}/%{realname}.service.d/ +%{_unitdir}/%{realname}.service.d/90-kubic.conf +%endif +%config %{_sysconfdir}/audit/rules.d/%{realname}.rules +%{_udevrulesdir}/80-%{realname}.rules %{_fillupdir}/sysconfig.docker %dir %{_localstatedir}/lib/docker/ %{_mandir}/man1/docker-*.1%{ext_man} @@ -361,11 +451,11 @@ %files bash-completion %defattr(-,root,root) -%config %{_sysconfdir}/bash_completion.d/%{name} +%config %{_sysconfdir}/bash_completion.d/%{realname} %files zsh-completion %defattr(-,root,root) -%config %{_sysconfdir}/zsh_completion.d/%{name} +%config %{_sysconfdir}/zsh_completion.d/%{realname} %files test %defattr(-,root,root) @@ -379,4 +469,10 @@ %exclude %{_prefix}/src/docker/engine/contrib/init/sysvinit-redhat %exclude %{_prefix}/src/docker/engine/contrib/init/upstart +%if "%flavour" == "kubic" +%files kubeadm-criconfig +%defattr(-,root,root) +%{_fillupdir}/sysconfig.kubelet +%endif + %changelog ++++++ _multibuild ++++++ <multibuild> <package>kubic</package> </multibuild> ++++++ _service ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.322074802 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.326074810 +0200 @@ -3,8 +3,8 @@ <param name="url">https://github.com/docker/docker-ce.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">17.09.1_ce</param> - <param name="revision">v17.09.1-ce</param> + <param name="versionformat">18.06.1_ce</param> + <param name="revision">v18.06.1-ce</param> <param name="filename">docker</param> </service> <service name="recompress" mode="disabled"> ++++++ bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch ++++++ >From d84d2f13c475bf5ff0ce7b080b759b0239d5d345 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Thu, 23 Aug 2018 19:53:55 +1000 Subject: [PATCH] man: obey SOURCE_DATE_EPOCH when generating man pages Previously our man pages included the current time each time they were generated. This causes an issue for reproducible builds, since each re-build of a package that includes the man pages will have different times listed in the man pages. To fix this, add support for SOURCE_DATE_EPOCH (which is a standardised packaging environment variable, designed to be used specifically for this purpose[1]). spf13/cobra doesn't support this natively yet (though I will push a patch for that as well), but it's simpler to fix it directly in docker/cli. [1]: https://reproducible-builds.org/specs/source-date-epoch/ SUSE-Bugs: boo#1047218 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- components/cli/man/generate.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/components/cli/man/generate.go b/components/cli/man/generate.go index 4197558a2225..4a3e98fb22c1 100644 --- a/components/cli/man/generate.go +++ b/components/cli/man/generate.go @@ -6,6 +6,8 @@ import ( "log" "os" "path/filepath" + "strconv" + "time" "github.com/docker/cli/cli/command" "github.com/docker/cli/cli/command/commands" @@ -24,6 +26,17 @@ func generateManPages(opts *options) error { Source: "Docker Community", } + // If SOURCE_DATE_EPOCH is set, in order to allow reproducible package + // builds, we explicitly set the build time to SOURCE_DATE_EPOCH. + if epoch := os.Getenv("SOURCE_DATE_EPOCH"); epoch != "" { + unixEpoch, err := strconv.ParseInt(epoch, 10, 64) + if err != nil { + return fmt.Errorf("invalid SOURCE_DATE_EPOCH: %v", err) + } + now := time.Unix(unixEpoch, 0) + header.Date = &now + } + stdin, stdout, stderr := term.StdStreams() dockerCli := command.NewDockerCli(stdin, stdout, stderr, false) cmd := &cobra.Command{Use: "docker"} -- 2.18.0 ++++++ bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.338074830 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.338074830 +0200 @@ -1,4 +1,4 @@ -From 2cc9da975798847cd0a37d1571d8a0f1d72b522d Mon Sep 17 00:00:00 2001 +From 3464bd58d266b0640774952e825558044ffc64e2 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Sun, 8 Apr 2018 20:21:30 +1000 Subject: [PATCH 1/2] apparmor: allow receiving of signals from 'docker kill' @@ -15,7 +15,7 @@ 1 file changed, 6 insertions(+) diff --git a/components/engine/profiles/apparmor/template.go b/components/engine/profiles/apparmor/template.go -index c5ea4584de6b..082638e85903 100644 +index c00a3f70e993..772c4a4873f6 100644 --- a/components/engine/profiles/apparmor/template.go +++ b/components/engine/profiles/apparmor/template.go @@ -17,6 +17,12 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { @@ -32,5 +32,5 @@ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc/<number>/** or /proc/sys/** -- -2.17.1 +2.18.0 ++++++ bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.346074843 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.346074843 +0200 @@ -1,4 +1,4 @@ -From 8edc54753ab5ea9294c55ec32b49c9eb7cdf3892 Mon Sep 17 00:00:00 2001 +From 0954810e947abf0b4e5d8f6c78598c5d66b43952 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Fri, 29 Jun 2018 17:59:30 +1000 Subject: [PATCH 2/2] apparmor: clobber docker-default profile on start @@ -21,7 +21,7 @@ 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/components/engine/daemon/apparmor_default.go b/components/engine/daemon/apparmor_default.go -index 2a418b25c241..c3e271ee4774 100644 +index 461f5c7f96b2..8f21c5c0c566 100644 --- a/components/engine/daemon/apparmor_default.go +++ b/components/engine/daemon/apparmor_default.go @@ -14,6 +14,15 @@ const ( @@ -53,12 +53,12 @@ return nil } diff --git a/components/engine/daemon/apparmor_default_unsupported.go b/components/engine/daemon/apparmor_default_unsupported.go -index cd2dd9702ef2..17584063c711 100644 +index 51f9c526b350..97d7758442ee 100644 --- a/components/engine/daemon/apparmor_default_unsupported.go +++ b/components/engine/daemon/apparmor_default_unsupported.go @@ -2,6 +2,10 @@ - package daemon + package daemon // import "github.com/docker/docker/daemon" +func clobberDefaultAppArmorProfile() error { + return nil @@ -68,10 +68,10 @@ return nil } diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go -index a11a1f8691cc..6f8846b19f57 100644 +index 5e5f586ae085..6ca6a7aaa268 100644 --- a/components/engine/daemon/daemon.go +++ b/components/engine/daemon/daemon.go -@@ -594,7 +594,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe +@@ -660,7 +660,9 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe logrus.Warnf("Failed to configure golang's threads limit: %v", err) } @@ -83,5 +83,5 @@ } -- -2.17.1 +2.18.0 ++++++ bsc1100727-0001-build-add-buildmode-pie.patch ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.354074857 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.354074857 +0200 @@ -1,4 +1,4 @@ -From d39172ffc6b245f02da1898793ccaef20bb6858a Mon Sep 17 00:00:00 2001 +From 547870ff2904a75fa3e0ee96fa264d53a81d4c01 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Mon, 30 Jul 2018 19:34:01 +1000 Subject: [PATCH] build: add -buildmode=pie @@ -7,6 +7,7 @@ security benefits and can help with flaky builds on POWER architectures). +SUSE-Bugs: bsc#1100727 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- components/cli/scripts/build/dynbinary | 2 +- ++++++ docker-17.09.1_ce.tar.xz -> docker-18.06.1_ce.tar.xz ++++++ /work/SRC/openSUSE:Factory/docker/docker-17.09.1_ce.tar.xz /work/SRC/openSUSE:Factory/.docker.new/docker-18.06.1_ce.tar.xz differ: char 25, line 1 ++++++ docker-kubic-service.conf ++++++ [Service] # Put docker under the podruntime slice. This the recommended # deployment to allow fine resource control on Kubernetes. Slice=podruntime.slice ++++++ docker-rpmlintrc ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.414074957 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.414074957 +0200 @@ -1,7 +1,9 @@ -addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib64/docker/dockerinit") -addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") -addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib/docker/dockerinit") -addFilter ("^docker.x86_64: W: unstripped-binary-or-object /usr/lib/docker/dockerinit") -addFilter ("^docker.x86_64: W: no-manual-page-for-binary docker") -addFilter ("^docker.x86_64: W: no-manual-page-for-binary nsinit") -addFilter ("^docker-test.*") +# This is intentional, since we use _multibuild for the flavours. +addFilter ("^docker-kubic.src: W: invalid-spec-name") + +# The #! comes from upstream. +addFilter ("^docker(-kubic)?-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") +addFilter ("^docker(-kubic)?-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh") + +# -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package. +addFilter ("^docker(-kubic)?-test.*") ++++++ docker.service ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.442075004 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.442075004 +0200 @@ -1,8 +1,7 @@ [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com -After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service -Requires=containerd.socket containerd.service +After=network.target lvm2-monitor.service SuSEfirewall2.service [Service] EnvironmentFile=/etc/sysconfig/docker @@ -11,7 +10,7 @@ # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. Type=notify -ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS +ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID # Having non-zero Limit*s causes performance problems due to accounting overhead ++++++ kubelet.env ++++++ KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni" ++++++ private-registry-0001-Add-private-registry-mirror-support.patch ++++++ ++++ 1163 lines (skipped) ++++++ secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.486075078 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.486075078 +0200 @@ -1,4 +1,4 @@ -From c607825b73e5f850b3804a10e9f3c8684cb29d16 Mon Sep 17 00:00:00 2001 +From 95a40e4f18c80cce91f16c6dff08e13642de54da Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets @@ -14,26 +14,26 @@ 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go -index 954c194ea836..3ef1e0262edc 100644 +index bc7ee452332b..d34129dfd80b 100644 --- a/components/engine/daemon/container_operations_unix.go +++ b/components/engine/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ - package daemon + package daemon // import "github.com/docker/docker/daemon" import ( + "bytes" "context" "fmt" "io/ioutil" -@@ -13,6 +14,7 @@ import ( - +@@ -14,6 +15,7 @@ import ( "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" + "github.com/docker/docker/errdefs" + "github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/mount" "github.com/docker/docker/pkg/stringid" -@@ -216,9 +218,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { if err != nil { return errors.Wrap(err, "unable to get secret from secret store") } @@ -43,7 +43,7 @@ uid, err := strconv.Atoi(s.File.UID) if err != nil { -@@ -229,6 +228,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { +@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { return err } @@ -70,5 +70,5 @@ return errors.Wrap(err, "error setting ownership for secret") } -- -2.17.0 +2.18.0 ++++++ secrets-0002-SUSE-implement-SUSE-container-secrets.patch ++++++ --- /var/tmp/diff_new_pack.kP6hxQ/_old 2018-09-05 13:46:44.494075091 +0200 +++ /var/tmp/diff_new_pack.kP6hxQ/_new 2018-09-05 13:46:44.494075091 +0200 @@ -1,4 +1,4 @@ -From a7533a3084e925eb478148ef30bec0d1f1b81ae3 Mon Sep 17 00:00:00 2001 +From f178392f98b42bf36ff8d8c6a23c8caab9ac10f7 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <asa...@suse.de> Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets @@ -10,36 +10,36 @@ SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. -SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 +SUSE-Bugs: bsc#1057743 bsc#1055676 bsc#1030702 Signed-off-by: Aleksa Sarai <asa...@suse.de> --- components/engine/daemon/start.go | 5 + - components/engine/daemon/suse_secrets.go | 399 +++++++++++++++++++++++ - 2 files changed, 404 insertions(+) + components/engine/daemon/suse_secrets.go | 396 +++++++++++++++++++++++ + 2 files changed, 401 insertions(+) create mode 100644 components/engine/daemon/suse_secrets.go diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go -index 55438cf2c45f..7dfa6cd1d055 100644 +index c00bd9ceb22b..aa705888df39 100644 --- a/components/engine/daemon/start.go +++ b/components/engine/daemon/start.go -@@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint +@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint return err } + // SUSE:secrets -- inject the SUSE secret store + if err := daemon.injectSuseSecretStore(container); err != nil { -+ return err ++ return errdefs.System(err) + } + spec, err := daemon.createSpec(container) if err != nil { - return systemError{err} + return errdefs.System(err) diff --git a/components/engine/daemon/suse_secrets.go b/components/engine/daemon/suse_secrets.go new file mode 100644 -index 000000000000..00e485368b47 +index 000000000000..817cd5561023 --- /dev/null +++ b/components/engine/daemon/suse_secrets.go -@@ -0,0 +1,399 @@ +@@ -0,0 +1,396 @@ +/* + * suse-secrets: patch for Docker to implement SUSE secrets + * Copyright (C) 2017 SUSE LLC. @@ -143,10 +143,6 @@ + var suseFiles []*SuseFakeFile + + path := filepath.Join(prefix, dir) -+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) { -+ // If the path doesn't exist at all we don't inject anything. -+ return nil, nil -+ } + fi, err := os.Stat(path) + if err != nil { + // Ignore dangling symlinks. @@ -263,10 +259,6 @@ +// readFile returns a secret given a file under a given prefix. +func readFile(prefix, file string) ([]*SuseFakeFile, error) { + path := filepath.Join(prefix, file) -+ if _, err := os.Lstat(path); err != nil && os.IsNotExist(err) { -+ // If the path doesn't exist at all we don't inject anything. -+ return nil, nil -+ } + fi, err := os.Stat(path) + if err != nil { + // Ignore dangling symlinks. @@ -430,7 +422,12 @@ + // to the mount list. This causes clashes because of duplicate namespaces. + // If we see an existing mount that will clash with the in-built secrets + // mount we assume it's our fault. -+ for _, intendedMount := range c.SecretMounts() { ++ intendedMounts, err := c.SecretMounts() ++ if err != nil { ++ logrus.Warnf("SUSE:secrets :: fetching old secret mounts: %v", err) ++ return err ++ } ++ for _, intendedMount := range intendedMounts { + mountPath := intendedMount.Destination + if volume, ok := c.MountPoints[mountPath]; ok { + logrus.Debugf("SUSE:secrets :: removing pre-existing %q mount: %#v", mountPath, volume) @@ -440,5 +437,5 @@ + return nil +} -- -2.17.0 +2.18.0
