Hello community,

here is the log from the commit of package docker.3912 for openSUSE:13.2:Update 
checked in at 2015-08-31 15:08:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/docker.3912 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.docker.3912.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker.3912"

Changes:
--------
New Changes file:

--- /dev/null   2015-08-24 19:43:32.284261900 +0200
+++ /work/SRC/openSUSE:13.2:Update/.docker.3912.new/docker.changes      
2015-08-31 15:08:51.000000000 +0200
@@ -0,0 +1,1594 @@
+-------------------------------------------------------------------
+Fri Jul 24 14:24:16 UTC 2015 - jmassaguer...@suse.com
+
+- Exclude archs where docker does not build. Otherwise it gets into
+  and infinite loop when building.
+
+  We'll fix that later if we want to release for those archs. 
+
+-------------------------------------------------------------------
+Wed Jul 15 08:11:11 UTC 2015 - jmassaguer...@suse.com
+
+- Update to 1.7.1 (2015-07-14) (bnc#938156)
+Runtime
+
+    Fix default user spawning exec process with docker exec
+    Make --bridge=none not to configure the network bridge
+    Publish networking stats properly
+    Fix implicit devicemapper selection with static binaries
+    Fix socket connections that hung intermittently
+    Fix bridge interface creation on CentOS/RHEL 6.6
+    Fix local dns lookups added to resolv.conf
+    Fix copy command mounting volumes
+    Fix read/write privileges in volumes mounted with --volumes-from
+
+Remote API
+
+    Fix unmarshalling of Command and Entrypoint
+    Set limit for minimum client version supported
+    Validate port specification
+    Return proper errors when attach/reattach fail
+
+Distribution
+
+    Fix pulling private images
+    Fix fallback between registry V2 and V1
+ 
+
+-------------------------------------------------------------------
+Fri Jul 10 11:22:00 UTC 2015 - jmassaguer...@suse.com
+
+- Exclude init scripts other than systemd from the test-package 
+
+-------------------------------------------------------------------
+Wed Jul  1 12:38:50 UTC 2015 - jmassaguer...@suse.com
+
+- Exclude intel 32 bits arch. Docker does not built on that. Let's
+  make it explicit. 
+
+-------------------------------------------------------------------
+Thu Jun 25 16:49:59 UTC 2015 - dmuel...@suse.com
+
+- rediff ignore-dockerinit-checksum.patch, gcc-go-build-static-libgo.patch
+  to make them apply again.
+- introduce go_arches for architectures that use the go compiler
+  instead of gcc-go
+- add docker-netns-aarch64.patch: Add support for AArch64
+- enable build for aarch64
+
+-------------------------------------------------------------------
+Wed Jun 24 09:02:03 UTC 2015 - fcaste...@suse.com
+
+- Build man pages only on platforms where gc compiler is available.
+
+-------------------------------------------------------------------
+Mon Jun 22 08:48:11 UTC 2015 - fcaste...@suse.com
+
+- Updated to 1.7.0 (2015-06-16) - bnc#935570
+  * Runtime
+    - Experimental feature: support for out-of-process volume plugins
+    - The userland proxy can be disabled in favor of hairpin NAT using the 
daemon’s `--userland-proxy=false` flag
+    - The `exec` command supports the `-u|--user` flag to specify the new 
process owner
+    - Default gateway for containers can be specified daemon-wide using the 
`--default-gateway` and `--default-gateway-v6` flags
+    - The CPU CFS (Completely Fair Scheduler) quota can be set in `docker run` 
using `--cpu-quota`
+    - Container block IO can be controlled in `docker run` 
using`--blkio-weight`
+    - ZFS support
+    - The `docker logs` command supports a `--since` argument
+    - UTS namespace can be shared with the host with `docker run --uts=host`
+  * Quality
+    - Networking stack was entirely rewritten as part of the libnetwork effort
+    - Engine internals refactoring
+    - Volumes code was entirely rewritten to support the plugins effort
+    - Sending SIGUSR1 to a daemon will dump all goroutines stacks without 
exiting
+  * Build
+    - Support ${variable:-value} and ${variable:+value} syntax for environment 
variables
+    - Support resource management flags `--cgroup-parent`, `--cpu-period`, 
`--cpu-quota`, `--cpuset-cpus`, `--cpuset-mems`
+    - git context changes with branches and directories
+    - The .dockerignore file support exclusion rules
+  * Distribution
+    - Client support for v2 mirroring support for the official registry
+  * Bugfixes
+    - Firewalld is now supported and will automatically be used when available
+    - mounting --device recursively
+- Patch 0002-Stripped-dockerinit-binary.patch renamed to fix-docker-init.patch
+  and fixed to build with latest version of docker
+
+-------------------------------------------------------------------
+Tue Jun  9 16:35:46 UTC 2015 - jmassaguer...@suse.com
+
+- Add test subpackage and fix line numbers in patches 
+
+-------------------------------------------------------------------
+Fri Jun  5 15:29:45 UTC 2015 - fcaste...@suse.com
+
+- Fixed ppc64le name inside of spec file
+
+-------------------------------------------------------------------
+Fri Jun  5 15:23:47 UTC 2015 - fcaste...@suse.com
+
+- Build docker on PPC and S390x using gcc-go provided by gcc5
+  * added sysconfig.docker.ppc64le: make docker daemon start on ppc64le
+    despite some iptables issues. To be removed soon
+  * ignore-dockerinit-checksum.patch: applied only when building with
+    gcc-go. Required to workaround a limitation of gcc-go
+  * gcc-go-build-static-libgo.patch: used only when building with gcc-go,
+    link libgo statically into docker itself.
+
+-------------------------------------------------------------------
+Wed May 27 10:02:51 UTC 2015 - dmacvi...@suse.de
+
+- build and install man pages
+
+-------------------------------------------------------------------
+Mon May 18 15:08:59 UTC 2015 - fcaste...@suse.com
+
+- Update to version 1.6.2 (2015-05-13) [bnc#931301]
+  * Revert change prohibiting mounting into /sys
+
+-------------------------------------------------------------------
+Fri May  8 15:00:38 UTC 2015 - fcaste...@suse.com
+
+Updated to version 1.6.1 (2015-05-07) [bnc#930235]
+  * Security
+    - Fix read/write /proc paths (CVE-2015-3630)
+    - Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631)
+    - Fix opening of file-descriptor 1 (CVE-2015-3627)
+    - Fix symlink traversal on container respawn allowing local privilege 
escalation (CVE-2015-3629)
+    - Prohibit mount of /sys
+  * Runtime
+    - Update Apparmor policy to not allow mounts
+- Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect
+  changes introduced by docker 1.6.1
+
+-------------------------------------------------------------------
+Thu May  7 13:33:03 UTC 2015 - devel...@develop7.info
+
+- Get rid of SocketUser and SocketGroup workarounds for docker.socket
+
+-------------------------------------------------------------------
+Fri Apr 17 14:02:13 UTC 2015 - fcaste...@suse.com
+
+- Updated to version 1.6.0 (2015-04-07) [bnc#908033]
+  * Builder:
+    + Building images from an image ID
+    + build containers with resource constraints, ie `docker build 
--cpu-shares=100 --memory=1024m...`
+    + `commit --change` to apply specified Dockerfile instructions while 
committing the image
+    + `import --change` to apply specified Dockerfile instructions while 
importing the image
+    + basic build cancellation
+  * Client:
+    + Windows Support
+  * Runtime:
+    + Container and image Labels
+    + `--cgroup-parent` for specifying a parent cgroup to place container 
cgroup within
+    + Logging drivers, `json-file`, `syslog`, or `none`
+    + Pulling images by ID
+    + `--ulimit` to set the ulimit on a container
+    + `--default-ulimit` option on the daemon which applies to all created 
containers (and overwritten by `--ulimit` on run)
+- Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of
+  the latest version of Docker.
+- bnc#908033: support of Docker Registry API v2.
+
+-------------------------------------------------------------------
+Fri Apr  3 19:57:38 UTC 2015 - dmuel...@suse.com
+
+- enable build for armv7l
+
+-------------------------------------------------------------------
+Fri Apr  3 14:59:35 UTC 2015 - fcaste...@suse.com
+
+- Updated docker.spec to fixed building with the latest version of our
+  Go pacakge.
+- Updated 0002-Stripped-dockerinit-binary.patch to fix check made by
+  the docker daemon against the dockerinit binary.
+
+-------------------------------------------------------------------
+Fri Mar 27 10:29:35 UTC 2015 - fcaste...@suse.com
+
+- Updated systemd service and socket units to fix socket activation
+  and to align with best practices recommended by upstram. Moreover
+  socket activation fixes bnc#920645.
+
+-------------------------------------------------------------------
+Wed Feb 11 13:59:01 UTC 2015 - fcaste...@suse.com
+
+ - Updated to 1.5.0 (2015-02-10):
+  * Builder:
+    - Dockerfile to use for a given `docker build` can be specified with
+      the `-f` flag
++++ 1397 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.docker.3912.new/docker.changes
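Review bot: In the `Fri Jun  5 15:23:47 UTC 2015` entry, ignore-dockerinit-checksum.patch is described only as a workaround for a gcc-go limitation; the entry should say outright that the patch replaces the daemon's dockerinit SHA1 comparison with an unconditional `return true` on gcc-go builds, since that weakens an integrity check and users of those architectures need to know. Separately, the `Fri May  8` entry that carries the four CVE fixes starts with `Updated to version 1.6.1` without the leading `- `, and the `Wed Feb 11` entry has ` - Updated` with an extra leading space; normalise both so changelog tooling that keys on `- ` picks up the security update line.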

New:
----
  80-docker.rules
  README_SUSE.md
  docker-1.7.1.tar.bz2
  docker-netns-aarch64.patch
  docker-rpmlintrc
  docker.changes
  docker.service
  docker.socket
  docker.spec
  docker_systemd_lt_214.socket
  fix-docker-init.patch
  gcc-go-build-static-libgo.patch
  ignore-dockerinit-checksum.patch
  libcontainer-apparmor-fixes.patch
  sysconfig.docker
  sysconfig.docker.ppc64le

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
#
# spec file for package docker
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%define git_version 786b29d
%define go_arches %ix86 x86_64
Name:           docker
Version:        1.7.1
Release:        0
Summary:        The Linux container runtime
License:        Apache-2.0
Group:          System/Management
Url:            http://www.docker.io
Source:         %{name}-%{version}.tar.bz2
Source1:        docker.service
Source3:        80-docker.rules
Source4:        sysconfig.docker

%if 0%{?suse_version} > 1320
Source5:        docker.socket
%else
Source5:        docker_systemd_lt_214.socket
%endif

Source6:        docker-rpmlintrc
Source7:        README_SUSE.md
# TODO: remove once we figure out what is wrong with iptables on ppc64le
Source100:      sysconfig.docker.ppc64le
Patch0:         fix-docker-init.patch
# PATCH-FIX-OPENSUSE libcontainer-apparmor-fixes.patch -- mount rules aren't supported in our apparmor
Patch1:         libcontainer-apparmor-fixes.patch
# Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
# We cannot do that, right now a quick and really dirty way to get it running is
# to simply disable this check
Patch100:       ignore-dockerinit-checksum.patch
Patch101:       gcc-go-build-static-libgo.patch
Patch102:       docker-netns-aarch64.patch
BuildRequires:  bash-completion
BuildRequires:  device-mapper-devel >= 1.2.68
BuildRequires:  glibc-devel-static
%ifarch %go_arches
BuildRequires:  go >= 1.4
BuildRequires:  go-go-md2man
%else
BuildRequires:  gcc5-go >= 5.0
%endif
BuildRequires:  fdupes
BuildRequires:  libapparmor-devel
BuildRequires:  libbtrfs-devel >= 3.8
BuildRequires:  procps
BuildRequires:  sqlite3-devel
BuildRequires:  systemd-devel
BuildRequires:  zsh
Requires:       apparmor-parser
Requires:       bridge-utils
Requires:       ca-certificates-mozilla
# Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
Requires:       e2fsprogs
Requires:       git-core >= 1.7
Requires:       iproute2 >= 3.5
Requires:       iptables >= 1.4
Requires:       kernel >= 3.8.0
Requires:       lvm2 >= 2.2.89
Requires:       procps
Requires:       tar >= 1.26
Requires:       xz >= 4.9
Conflicts:      lxc < 1.0
PreReq:         %fillup_prereq
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
ExcludeArch:    %ix86
ExcludeArch:    s390
ExcludeArch:    s390x
ExcludeArch:    ppc

%description
Docker complements LXC with a high-level API which operates at the process
level. It runs unix processes with strong guarantees of isolation and
repeatability across servers.

Docker is a great building block for automating distributed systems: large-scale
web deployments, database clusters, continuous deployment systems, private PaaS,
service-oriented architectures, etc.

%package bash-completion
Summary:        Bash Completion for %{name}
Group:          System/Management
Requires:       %{name} = %{version}
Requires:       bash-completion
BuildArch:      noarch

%description bash-completion
Bash command line completion support for %{name}.

%package zsh-completion
Summary:        Zsh Completion for %{name}
Group:          System/Management
Requires:       %{name} = %{version}
Requires:       zsh
BuildArch:      noarch

%description zsh-completion
Zsh command line completion support for %{name}.

%package test
Summary:        Test package for docker
Group:          System/Management
Requires:       device-mapper-devel >= 1.2.68
Requires:       glibc-devel-static
%ifarch %go_arches
Requires:       go >= 1.4
%else
Requires:       gcc5-go >= 5.0
%endif
Requires:       apparmor-parser
Requires:       bash-completion
Requires:       libapparmor-devel
Requires:       libbtrfs-devel >= 3.8
Requires:       procps
Requires:       sqlite3-devel
BuildArch:      noarch

%description test
Test package for docker. It contains the source code and the tests.

%prep
%setup -q -n docker-%{version}
%patch0 -p1
%patch1 -p1
%ifnarch %go_arches
%patch100
%patch101
%endif
%patch102
cp %{SOURCE7} .
find . -name ".gitignore" | xargs rm

%build
%ifnarch %go_arches
mkdir /tmp/dirty-hack
ln -s /usr/bin/go-5 /tmp/dirty-hack/go
export PATH=/tmp/dirty-hack:$PATH
%endif

(cat <<EOF
export AUTO_GOPATH=1
export DOCKER_BUILDTAGS="exclude_graphdriver_aufs apparmor selinux"
export DOCKER_GITCOMMIT=%{git_version}
EOF
) > docker_build_env
. ./docker_build_env
./hack/make.sh dynbinary
%ifarch %go_arches
man/md2man-all.sh
%endif
# remove other than systemd
# otherwise the resulting package will have extra requires
rm -rf hack/make/.build-deb

%install
install -d %{buildroot}%{go_contribdir}
install -d %{buildroot}%{_bindir}
install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name}
install -d %{buildroot}/%{_prefix}/lib/docker
install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit
install -Dd -m 0755 \
   %{buildroot}%{_sysconfdir}/init.d \
   %{buildroot}%{_sbindir}

install -D -m0644 contrib/completion/bash/docker "%{buildroot}/etc/bash_completion.d/%{name}"
install -D -m0644 contrib/completion/zsh/_docker "%{buildroot}/etc/zsh_completion.d/%{name}"
# copy all for the test package
install -d %{buildroot}/usr/src/docker/
cp -av . %{buildroot}/usr/src/docker/

#
# systemd service
#
install -D -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/%{name}.service
install -D -m 0644 %SOURCE5 %{buildroot}%{_unitdir}/%{name}.socket
ln -sf /sbin/service $RPM_BUILD_ROOT/usr/sbin/rcdocker

#
# udev rules that prevents dolphin to show all docker devices and slows down
# upstream report https://bugs.kde.org/show_bug.cgi?id=329930
#

install -D -m 0644 %SOURCE3 %{buildroot}%{_prefix}/lib/udev/rules.d/80-%{name}.rules

# sysconfig file
%ifarch ppc64le
install -D -m 644 %SOURCE100 %{buildroot}/var/adm/fillup-templates/sysconfig.docker
%else
install -D -m 644 %SOURCE4 %{buildroot}/var/adm/fillup-templates/sysconfig.docker
%endif

%ifarch %go_arches
# install manpages
install -d %{buildroot}%{_mandir}/man1
install -p -m 644 man/man1/*.1 %{buildroot}%{_mandir}/man1
install -d %{buildroot}%{_mandir}/man5
install -p -m 644 man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
%endif

%fdupes %{buildroot}

%pre
echo "creating group docker..."
groupadd -r docker 2>/dev/null || :
%service_add_pre %{name}.service %{name}.socket

%post
%service_add_post %{name}.service %{name}.socket
%{fillup_only -n docker}

%preun
%service_del_preun %{name}.service %{name}.socket

%postun
%service_del_postun %{name}.service %{name}.socket

%files
%defattr(-,root,root)
%doc README.md LICENSE README_SUSE.md
%{_bindir}/docker
%{_sbindir}/rcdocker
%{_prefix}/lib/docker/
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%{_prefix}/lib/udev/rules.d/80-%{name}.rules
/var/adm/fillup-templates/sysconfig.docker
%ifarch %go_arches
%{_mandir}/man1/docker-*.1.gz
%{_mandir}/man1/docker.1.gz
%{_mandir}/man5/Dockerfile.5.gz
%endif

%files bash-completion
%defattr(-,root,root)
%config %{_sysconfdir}/bash_completion.d/%{name}

%files zsh-completion
%defattr(-,root,root)
%config %{_sysconfdir}/zsh_completion.d/%{name}

%files test
%defattr(-,root,root)
/usr/src/docker/
# exclude binaries
%exclude /usr/src/docker/bundles/
# exclude init configurations other than systemd
%exclude /usr/src/docker/contrib/init/openrc
%exclude /usr/src/docker/contrib/init/sysvinit-debian
%exclude /usr/src/docker/contrib/init/sysvinit-redhat
%exclude /usr/src/docker/contrib/init/upstart

%changelog
++++++ 80-docker.rules ++++++
# hide docker's loopback devices from udisks, and thus from user desktops
SUBSYSTEM=="block", ENV{DM_NAME}=="docker-*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1"
SUBSYSTEM=="block", DEVPATH=="/devices/virtual/block/loop*", ATTR{loop/backing_file}=="/var/lib/docker/*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1"


++++++ README_SUSE.md ++++++
# Abstract

Docker is a lightweight "virtualization" method to run multiple virtual units
(containers, akin to “chroot”) simultaneously on a single control host.
Containers are isolated with Kernel Control Groups (cgroups) and Kernel
Namespaces.

Docker provides an operating system-level virtualization where the Kernel
controls the isolated containers. With other full virtualization solutions
like Xen, KVM, or libvirt the processor simulates a complete hardware
environment and controls its virtual machines.

# Terminology

## chroot

A change root (chroot, or change root jail) is a section in the file system
which is isolated from the rest of the file system. For this purpose, the chroot
command is used to change the root of the file system. A program which is
executed in such a “chroot jail” cannot access files outside the designated
directory tree.

## cgroups

Kernel Control Groups (commonly referred to as just “cgroups”) are a Kernel
feature that allows aggregating or partitioning tasks (processes) and all their
children into hierarchical organized groups to isolate resources.

## Image

A "virtual machine" on the host server that can run any Linux system, for
example openSUSE, SUSE Linux Enterprise Desktop, or SUSE Linux Enterprise
Server.

A Docker image is made by a series of layers built one over the other. Each
layer corresponds to a permanent change committed from a container to the image.

For more details check out [Docker's official
documentation](http://docs.docker.com/terms/image/).

## Image Name

A name that refers to an image. The name is used by the docker commands.

## Container

A running Docker Image.

## Container ID

An ID that refers to a container. The ID is used by the docker commands.

## TAG

A string associated with an Image. It is commonly used to identify a specific
version of an Image (like tags in version control systems). It is also possible
to refer to the same Image with different TAGs.

## Kernel Namespaces

A Kernel feature to isolate some resources like network, users, and others for
a group of processes.

## Docker Host Server

The system that runs the Docker daemon, provides the images, and the management
control capabilities through cgroups.


# Overview

Docker is a platform that allows developers and sysadmins to manage the complete
lifecycle of images.

Docker makes it incredibly easy to build, ship and run images containing
applications.

Benefits of Docker:

  * Isolating applications and operating systems through containers.
  * Providing nearly native performance as Docker manages allocation of
    resources in real-time.
  * Controlling network interfaces and applying resources inside containers
    through cgroups.
  * Versioning of images.
  * Building images based on existing ones.
  * Sharing/storing on [public](http://docs.docker.com/docker-hub/) or
    [private](http://docs.docker.com/userguide/dockerrepos/#private-repositories)
    repositories.

Limitations of Docker:

  * All Docker containers are running inside the host system's Kernel and not
    with a different Kernel.
  * Only allows Linux "guest" operating systems.
  * Docker is not a full virtualization stack like Xen, KVM, or libvirt.
  * Security depends on the host system. Refer to the [official
    documentation](http://docs.docker.com/articles/security/)
    for more details.

## Container drivers

Docker has different backend drivers to handle the containers. The recommended
one is [libcontainer](https://github.com/docker/libcontainer), which is also the
default choice. This driver provides direct access to cgroups.

The Docker package also ships an LXC driver which handles containers using the
LXC tools.

At the time of writing, upstream is working on a `libvirt-lxc` driver.

## Storage drivers

Docker supports different storage drivers:

  * `vfs`: this driver is automatically used when the Docker host filesystem
    does not support copy-on-write. This is a simple driver which does not offer
    some of the advantages of Docker (like sharing layers, more on that in the
    next sections). It is highly reliable but also slow.
  * `devicemapper`: this driver relies on the device-mapper thin provisioning
    module. It supports copy-on-write, hence it offers all the advantages of
    Docker.
  * `btrfs`: this driver relies on Btrfs to provide all the features required
    by Docker. To use this driver the `/var/lib/docker` directory must be on a
    btrfs filesystem.
  * `AUFS`: this driver relies on AUFS union filesystem. Neither the upstream
    kernel nor the SUSE one supports this filesystem. Hence the AUFS driver is
    not built into the SUSE Docker package.

It is possible to specify which driver to use by changing the value of the
`DOCKER_OPTS` variable defined inside of the `/etc/sysconfig/docker` file.
This can be done either manually or using YaST by browsing to the

  * System
  * /etc/sysconfig Editor
  * System
  * Management
  * DOCKER_OPTS

menu and entering the `-s storage_driver` string.

For example, to force the usage of the `devicemapper` driver
enter the following text:
```
DOCKER_OPTS="-s devicemapper"
```

It is recommended to have `/var/lib/docker` mounted on a different filesystem
to not affect the Docker host OS in case of a filesystem corruption.

# Setting up a Docker host

Prepare the host:

  1. Install the `docker` package.
  2. Automatically start the Docker daemon at boot:
     `sudo systemctl enable docker`
  3. Start the Docker daemon:
     `sudo systemctl start docker`

The Docker daemon listens on a local socket which is accessible only by the
`root` user and by the members of the `docker` group.

The `docker` group is automatically created at package installation time. To
allow a certain user to connect to the local Docker daemon use the following
command:

```
sudo /usr/sbin/usermod -aG docker <username>
```

The user will be able to communicate with the local Docker daemon upon his next
login.

## Networking

If you want your containers to be able to access the external network you must
enable the `net.ipv4.ip_forward` rule.
This can be done using YaST by browsing to the
`Network Devices -> Network Settings -> Routing` menu and ensuring that the
`Enable IPv4 Forwarding` box is checked.

This option cannot be changed when networking is handled by the Network Manager.
In such cases the `/etc/sysconfig/SuSEfirewall2` file needs to be edited by
hand to ensure the `FW_ROUTE` flag is set to `yes` like so:

```
    FW_ROUTE="yes"
```


# Basic Docker operations

Images can be pulled from [Docker's central index](http://index.docker.io) using
the following command:

```
docker pull <image name>
```

Containers can be started using the `docker run` command.

Please refer to the [official documentation](http://docs.docker.com/)
for more details.


# Building Docker containers using KIWI

Starting from version 5.06.8 KIWI can be used to build Docker images.
Please refer to KIWI's [official
documentation](https://doc.opensuse.org/projects/kiwi/doc/#chap.lxc).
The official `kiwi-doc` package contains examples of Docker images.

## Docker build system versus KIWI

Docker has an [internal build system](http://docs.docker.com/reference/builder/)
which makes it incredibly easy to create new images based on existing ones.

Some users might be confused about what to use. The right approach is to build
the [base images](http://docs.docker.com/terms/image/#base-image-def) using KIWI
and then use them as foundation blocks inside of your Docker's build system.

That has two advantages:

  1. Be able to use docker specific directives (like `ENTRYPOINT`, `EXPOSE`,
     ...).
  2. Be able to reuse already existing layers.

Sharing the common layers between different images makes it possible to:

  * Use less disk space on the Docker hosts.
  * Make the deployments faster: only the requested layers are sent over the
    network (it is like upgrading installed packages using delta rpms).
  * Take full advantage of caching while building Docker images: this will
    result in faster executions of `docker build` command.

To recap: KIWI is not intended as a replacement for Docker's build system.
Rather, it complements it.

++++++ docker-netns-aarch64.patch ++++++
--- /dev/null
+++ vendor/src/github.com/vishvananda/netns/netns_linux_arm64.go
@@ -0,0 +1,7 @@
+// +build linux,arm64
+
+package netns
+
+const (
+    SYS_SETNS = 268
+)
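Review bot: `SYS_SETNS = 268` in the new netns_linux_arm64.go is a bare constant with no comment saying where the number comes from, and the patch has no header stating whether it is already upstream in vishvananda/netns. Add a one-line comment citing the arm64 syscall table (setns is 268 in the asm-generic table that arm64 uses), and a patch header plus a tagged comment next to `Patch102` in the spec, as `Patch1` has, so the vendored change can be dropped when upstream carries it. A wrong syscall number here would fail in network-namespace setup rather than at build time, so the value should be easy to audit.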
++++++ docker-rpmlintrc ++++++
addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib64/docker/dockerinit")
addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash")
addFilter ("^docker.x86_64: W: statically-linked-binary /usr/lib/docker/dockerinit")
addFilter ("^docker.x86_64: W: unstripped-binary-or-object /usr/lib/docker/dockerinit")
addFilter ("^docker.x86_64: W: no-manual-page-for-binary docker")
addFilter ("^docker.x86_64: W: no-manual-page-for-binary nsinit")
addFilter ("test.noarch.*: E: devel-file-in-non-devel-package")
addFilter ("test.noarch.*: W: pem-certificate")
addFilter ("test.noarch.*: W: non-executable-script")
addFilter ("test.noarch.*: W: hidden-file-or-dir")
addFilter ("test.noarch.*: W: files-duplicate")
addFilter ("test.noarch.*: W: script-without-shebang /usr/src/docker/docs/README.md")
addFilter ("test.noarch.*: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash")
addFilter ("test.noarch.*: W: suse-filelist-forbidden-fhs23 /usr/src/docker")
++++++ docker.service ++++++
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
EnvironmentFile=/etc/sysconfig/docker
ExecStart=/usr/bin/docker -d -H fd:// $DOCKER_OPTS
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

++++++ docker.socket ++++++
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
++++++ docker_systemd_lt_214.socket ++++++
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
# A Socket(User|Group) replacement workaround for systemd <= 214
ExecStartPost=/usr/bin/chown root:docker /var/run/docker.sock

[Install]
WantedBy=sockets.target
++++++ fix-docker-init.patch ++++++
Index: docker/hack/make/.dockerinit
===================================================================
--- docker.orig/hack/make/.dockerinit
+++ docker/hack/make/.dockerinit
@@ -29,5 +29,7 @@ else
        exit 1
 fi
 
+/usr/bin/strip -s $DEST/dockerinit-$VERSION
+
 # sha1 our new dockerinit to ensure separate docker and dockerinit always run 
in a perfect pair compiled for one another
 export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)
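Review bot: The added `/usr/bin/strip -s $DEST/dockerinit-$VERSION` leaves both expansions unquoted, while the `sha1sum` line below quotes the same path; quote it as `"$DEST/dockerinit-$VERSION"` so a build directory containing spaces or glob characters cannot change what gets stripped. The strip has to stay ahead of the `DOCKER_INITSHA1` computation, because the checksum handed to the docker binary must be that of the file that is finally installed; a short comment saying so would stop someone from reordering the two later. Consider also dropping the hard-coded `/usr/bin/` prefix or checking the exit status, since nothing visible in this hunk stops the script from continuing if strip fails.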
++++++ gcc-go-build-static-libgo.patch ++++++
--- hack/make/binary
+++ hack/make/binary
@@ -9,6 +9,7 @@
 
 echo "Building: $DEST/$BINARY_FULLNAME"
 go build \
+       -gccgoflags="-static-libgo" \
        -o "$DEST/$BINARY_FULLNAME" \
        "${BUILDFLAGS[@]}" \
        -ldflags "
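Review bot: `-gccgoflags="-static-libgo"` is added to the `go build` call in hack/make/binary unconditionally, so the patch is only correct because docker.spec applies `%patch101` inside `%ifnarch %go_arches`. Nothing in the patch itself records that dependency: add a header explaining that it is for gcc-go builds only, and give `Patch101` a tagged comment in the spec as `Patch1` has. The spec also runs `./hack/make.sh dynbinary` while this hunk touches `hack/make/binary`; the header should say that the dynbinary target is expected to go through this script, or the build log should be checked to confirm the flag actually reaches the compiler.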
++++++ ignore-dockerinit-checksum.patch ++++++
--- utils/utils.go
+++ utils/utils.go
@@ -76,7 +76,7 @@
                }
                return os.SameFile(targetFileInfo, selfPathFileInfo)
        }
-       return dockerversion.INITSHA1 != "" && dockerInitSha1(target) == 
dockerversion.INITSHA1
+       return true
 }
 
 // Figure out the path of our dockerinit (which may be SelfPath())
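Review bot: Replacing the final return with `return true` removes the dockerinit integrity check altogether on every build where `%patch100` is applied: any candidate that reaches this line is accepted without comparing its SHA1 to `dockerversion.INITSHA1`. The spec comment already calls this "a quick and really dirty way"; a narrower change such as `return dockerversion.INITSHA1 == "" || dockerInitSha1(target) == dockerversion.INITSHA1` would skip the comparison only when no checksum was embedded at build time and keep it everywhere else. Whichever form is kept, the patch needs a header stating the security trade-off, and README_SUSE.md should tell users of the gcc-go architectures that the daemon no longer verifies that dockerinit matches the docker binary, which leaves the root-owned 0755 install of `%{_prefix}/lib/docker/dockerinit` as the remaining control.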
++++++ libcontainer-apparmor-fixes.patch ++++++
Index: docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
===================================================================
--- docker.orig/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
+++ docker/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
@@ -25,7 +25,6 @@ profile {{.Name}} flags=(attach_disconne
   network,
   capability,
   file,
-  umount,
 
   deny @{PROC}/sys/fs/** wklx,
   deny @{PROC}/sysrq-trigger rwklx,
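Review bot: The hunk deletes the `umount,` rule from the generated profile with no patch header, and the only stated reason is the spec comment "mount rules aren't supported in our apparmor". Record in the patch which apparmor-parser versions reject the rule so the patch can be dropped once the distribution parser understands it; the spec only has an unversioned `Requires: apparmor-parser`. Also state what this means for confinement: the 1.6.1 changelog lists "Update Apparmor policy to not allow mounts" under Runtime, and if the parser has no mount mediation the package should say plainly that this hardening is not enforced by AppArmor on this distribution.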
++++++ sysconfig.docker ++++++

## Path           : System/Management
## Description    : Extra cli switches for docker daemon
## Type           : string
## Default        : ""
## ServiceRestart : docker
#
DOCKER_OPTS=""
++++++ sysconfig.docker.ppc64le ++++++

## Path           : System/Management
## Description    : Extra cli switches for docker daemon
## Type           : string
## Default        : ""
## ServiceRestart : docker
#

# TODO: remove it once we fix the real issue
DOCKER_OPTS=" -iptables=false "
