Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2016-05-04 08:20:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2016-04-12 19:38:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2016-05-04 08:20:17.000000000 +0200 @@ -1,0 +2,228 @@ +Mon May 2 07:40:22 UTC 2016 - [email protected] + +* Remove conditional Patch directive for SUSE secrets, since conditionally + including patches results in incompatible .src.rpms. The patch is still + applied conditionally. + +------------------------------------------------------------------- +Fri Apr 29 09:04:54 UTC 2016 - [email protected] + +* Update to Docker 1.11.1. Changelog from upstream: + + * Distribution + - Fix schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json` ([#21949](https://github.com/docker/docker/pull/21949)) + + * Documentation + + Add missing API documentation for changes introduced with 1.11.0 ([#22048](https://github.com/docker/docker/pull/22048)) + + * Builder + * Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile` ([#22184](https://github.com/docker/docker/pull/22184)) + + * Networking + - Fix a panic that would occur when forwarding DNS query ([#22261](https://github.com/docker/docker/pull/22261)) + - Fix an issue where OS threads could end up within an incorrect network namespace when using user defined networks ([#22261](https://github.com/docker/docker/pull/22261)) + + * Runtime + - Fix a bug preventing labels configuration to be reloaded via the config file ([#22299](https://github.com/docker/docker/pull/22299)) + - Fix a regression where container mounting `/var/run` would prevent other containers from being removed ([#22256](https://github.com/docker/docker/pull/22256)) + - Fix an issue where it would be impossible to update both `memory-swap` and `memory` value together ([#22255](https://github.com/docker/docker/pull/22255)) + - Fix a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided ([#22254](https://github.com/docker/docker/pull/22254)) + - Add missing cleanup of container temporary files when cancelling a schedule restart ([#22237](https://github.com/docker/docker/pull/22237)) + - Removed scary error message when no restart policy is specified ([#21993](https://github.com/docker/docker/pull/21993)) + - Fix a panic that would occur when the plugins were activated via the json spec ([#22191](https://github.com/docker/docker/pull/22191)) + - Fix restart backoff logic to correctly reset delay if container ran for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125)) + - Remove error message when a container restart get cancelled ([#22123](https://github.com/docker/docker/pull/22123)) + - Fix an issue where `docker` would not correcly clean up after `docker exec` ([#22121](https://github.com/docker/docker/pull/22121)) + - Fix a panic that could occur when servicing concurrent `docker stats` commands ([#22120](https://github.com/docker/docker/pull/22120))` + - Revert deprecation of non-existing host directories auto-creation ([#22065](https://github.com/docker/docker/pull/22065)) + - Hide misleading rpc error on daemon shutdown ([#22058](https://github.com/docker/docker/pull/22058)) + +------------------------------------------------------------------- +Fri Apr 22 10:43:37 UTC 2016 - [email protected] + +- Add patch to fix vulnerability in Docker <= 1.11.0. This patch is upstream, + but was merged after the 1.11.0 merge window. CVE-2016-3697. bsc#976777. + + cve-2016-3697-numeric-uid.patch + The upstream PR is here[1] and was vendored into Docker here[2]. + + [1]: https://github.com/opencontainers/runc/pull/708 + [2]: https://github.com/docker/docker/pull/21665 + +------------------------------------------------------------------- +Mon Apr 18 19:33:56 UTC 2016 - [email protected] + +- Supplemnent zsh from zsh-completion + * zsh-completion will be automatically installed if zsh and + docker are installed + +------------------------------------------------------------------- +Mon Apr 18 15:44:11 UTC 2016 - [email protected] + +- Remove gcc5_socker_workaround.patch: This patch is not needed anymore + since gcc5 has been updated in all platforms + +------------------------------------------------------------------- +Mon Apr 18 06:19:18 UTC 2016 - [email protected] + +* Removed patches that have been fixed upstream and in gcc-go: + - boltdb_bolt_powerpc.patch + - fix-apparmor.patch + - fix-btrfs-ioctl-structure.patch + - fix-docker-init.patch + - libnetwork_drivers_bridge_powerpc.patch + - ignore-dockerinit-checksum.patch +* Require containerd, as it is the only currently supported Docker execdriver. +* Update docker.socket to require containerd.socket and use --containerd in + docker.service so that the services are self-contained. +* Update to Docker 1.11.0. Changelog from upstream: + + * Builder + - Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033)) + - Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162)) + + * Client + * Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232)) + + The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373)) + * Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200)) + * Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128)) + - Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803)) + - Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792)) + * Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587)) + - Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566)) + + Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373)) + + Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107)) + * `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017)) + * `docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986)) + - Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806)) + * Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761)) + * `docker ps` no longer show exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483)) + - Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849)) + * Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078)) + + * Distribution + - Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222)) + - Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212)) + + All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046)) + + OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970)) + * `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832)) + * `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565)) + * Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241)) + * Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840)) + - Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509)) + - Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382)) + + * Logging + - Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311)) + * Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121)) + * Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831)) + * Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794)) + + Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689)) + * Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564)) + + The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439)) + + Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766)) + + * Misc + + When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c)) + + Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325)) + + Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270)) + * The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266)) + - Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258)) + - Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633)) + * Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863)) + * Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388)) + * Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894)) + * `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851)) + + Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013)) + + Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348)) + + * Networking + - Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671)) + - Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671)) + * `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160)) + + Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122)) + * Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383)) + - Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431)) + * `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357)) + + Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513)) + * Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396)) + - Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396)) + * Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261)) + - Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019)) + - Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019) + - Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019)) + - Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214)) + - Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419)) + - Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419)) + - For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019)) + - Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019)) + - Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780)) + - Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914)) + + * Plugins + - Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686)) + - Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602)) + + * Runtime + - Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716)) + - Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692)) + - Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677)) + - Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666)) + Docker 1.9, but was decided to be too much of an backward-incompatible change, so it was decided to keep the feature. + + It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383)) + + `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370)) + + Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354)) + * Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345)) + * Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097)) + - Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089)) + - Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048)) + - Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045)) + - Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022)) + - Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013)) + - Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002)) + * Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977)) + - Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967) + * The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786)) + + Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727)) + - Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684)) + + Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662)) + - Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604)) + + Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177)) + + Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111)) + - Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679)) + * Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517)) + - Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500)) ++++ 400 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/docker/docker.changes ++++ and /work/SRC/openSUSE:Factory/.docker.new/docker.changes Old: ---- boltdb_bolt_powerpc.patch docker-1.10.3.tar.xz fix-apparmor.patch fix-btrfs-ioctl-structure.patch fix-docker-init.patch gcc5_socket_workaround.patch ignore-dockerinit-checksum.patch libnetwork_drivers_bridge_powerpc.patch New: ---- cve-2016-3697-numeric-uid.patch docker-1.11.1.tar.xz docker-mount-secrets.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.n7u6hl/_old 2016-05-04 08:20:18.000000000 +0200 +++ /var/tmp/diff_new_pack.n7u6hl/_new 2016-05-04 08:20:18.000000000 +0200 @@ -22,8 +22,10 @@ %define git_version 9e83765 %define go_arches %ix86 x86_64 aarch64 +%define version_unconverted 1.11.1 + Name: docker -Version: 1.10.3 +Version: 1.11.1 Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -45,22 +47,16 @@ Source8: docker-audit.rules # TODO: remove once we figure out what is wrong with iptables on ppc64le Source100: sysconfig.docker.ppc64le -Patch1: gcc5_socket_workaround.patch -Patch2: fix-docker-init.patch -Patch3: fix-apparmor.patch -# TODO: Remove this once we update to Docker 1.11.0. This has been merged in -# https://github.com/docker/docker/pull/21723 -Patch4: fix-btrfs-ioctl-structure.patch +# The mount-secrets patch is be a SLE-specific feature. As such, it is disabled by default on openSUSE. +# PATCH-FEATURE-SLE docker-mount-secrets.patch -- pass the SCC machine credentials and the /etc/SUSEConnect file to containers +Patch200: docker-mount-secrets.patch # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ -# Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time -# We cannot do that, right now a quick and really dirty way to get it running is -# to simply disable this check -Patch100: ignore-dockerinit-checksum.patch Patch101: gcc-go-patches.patch Patch102: netlink_gcc_go.patch Patch103: netlink_netns_powerpc.patch -Patch104: boltdb_bolt_powerpc.patch -Patch105: libnetwork_drivers_bridge_powerpc.patch +# This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or +# Docker 1.11.0. This patch was squashed and cherry-picked from runc#708. +Patch301: cve-2016-3697-numeric-uid.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: device-mapper-devel >= 1.2.68 @@ -90,6 +86,8 @@ Requires: procps Requires: tar >= 1.26 Requires: xz >= 4.9 +# Containerd is required as it is the only currently supported execdriver of Docker. +Requires: containerd # Not necessary, but must be installed to have a smooth upgrade. Recommends: docker-image-migrator Conflicts: lxc < 1.0 @@ -97,7 +95,9 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build ExcludeArch: %ix86 ExcludeArch: s390 +%if 0%{?is_opensuse} ExcludeArch: s390x +%endif ExcludeArch: ppc %description @@ -123,7 +123,7 @@ Summary: Zsh Completion for %{name} Group: System/Management Requires: %{name} = %{version} -Requires: zsh +Supplements: packageand(docker:zsh) BuildArch: noarch %description zsh-completion @@ -155,27 +155,18 @@ %prep %setup -q -n %{name}-%{version} -# 1330 is Tumbleweed after leap has been released -# gcc5-go in Tumbleweed includes this commit -# https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb -# Which "fixes" the data type for RawSockaddr.Data -# However, docker now expects the "wrong" data type, since docker had a workaround -# for that issue. -# Thus, we need to workaround the workaroundn in tumbleweed -%if 0%{?suse_version} >= 1330 && 0%{?is_opensuse} == 1 -%patch1 -p1 -%endif -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%if 0%{?is_opensuse} +# nothing +%else +%patch200 -p1 +%endif %ifnarch %go_arches %patch101 -p1 %patch102 -p1 %patch103 -p1 -%patch104 -p1 -%patch105 -p1 -%patch100 -p1 %endif +# bsc#976777 +%patch301 -p1 cp %{SOURCE7} . %build @@ -211,10 +202,8 @@ install -d %{buildroot}%{_bindir} %ifarch %go_arches install -D -m755 bundles/%{version}/dynbinary/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -D -m755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit %else install -D -m755 bundles/%{version}/dyngccgo/%{name}-%{version} %{buildroot}/%{_bindir}/%{name} -install -D -m755 bundles/%{version}/dyngccgo/dockerinit-%{version} %{buildroot}/%{_prefix}/lib/docker/dockerinit %endif install -d %{buildroot}/%{_prefix}/lib/docker install -Dd -m 0755 \ @@ -349,7 +338,6 @@ %{_bindir}/docker %{_sbindir}/rcdocker %{_prefix}/lib/docker/ -%{_prefix}/lib/docker/dockerinit %{_unitdir}/%{name}.service %{_unitdir}/%{name}.socket %config %{_sysconfdir}/audit/rules.d/%{name}.rules ++++++ _service ++++++ --- /var/tmp/diff_new_pack.n7u6hl/_old 2016-05-04 08:20:18.000000000 +0200 +++ /var/tmp/diff_new_pack.n7u6hl/_new 2016-05-04 08:20:18.000000000 +0200 @@ -3,8 +3,8 @@ <param name="url">https://github.com/docker/docker.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="versionformat">1.10.3</param> - <param name="revision">v1.10.3</param> + <param name="versionformat">1.11.1</param> + <param name="revision">v1.11.1</param> </service> <service name="recompress" mode="disabled"> <param name="file">docker-*.tar</param> ++++++ cve-2016-3697-numeric-uid.patch ++++++ >From d67c0bf0caf26358f5345d6c0ac039026c46bd1e Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Fri, 22 Apr 2016 20:36:43 +1000 Subject: [PATCH] libcontainer: user: always treat numeric ids numerically Most shadow-related tools don't treat numeric ids as potential usernames, so change our behaviour to match that. Previously, using an explicit specification like 111:222 could result in the UID and GID not being 111 and 222 respectively (which is confusing). Some of the code was quite confusing inside libcontainer/user, so refactor and comment it so future maintainers can understand what's going and what edge cases we have to deal with. This fixes CVE-2016-3697. Signed-off-by: Aleksa Sarai <[email protected]> --- .../runc/libcontainer/user/lookup.go | 3 + .../opencontainers/runc/libcontainer/user/user.go | 149 ++++++++++++--------- 2 files changed, 89 insertions(+), 63 deletions(-) diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go index 6f8a982..7062940 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go @@ -9,6 +9,9 @@ import ( var ( // The current operating system does not provide the required data for user lookups. ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data") + // No matching entries found in file. + ErrNoPasswdEntries = errors.New("no matching entries in passwd file") + ErrNoGroupEntries = errors.New("no matching entries in group file") ) func lookupUser(filter func(u User) bool) (User, error) { diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go index e6375ea..43fd39e 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go @@ -15,7 +15,7 @@ const ( ) var ( - ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId) + ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId) ) type User struct { @@ -42,29 +42,30 @@ func parseLine(line string, v ...interface{}) { parts := strings.Split(line, ":") for i, p := range parts { + // Ignore cases where we don't have enough fields to populate the arguments. + // Some configuration files like to misbehave. if len(v) <= i { - // if we have more "parts" than we have places to put them, bail for great "tolerance" of naughty configuration files break } + // Use the type of the argument to figure out how to parse it, scanf() style. + // This is legit. switch e := v[i].(type) { case *string: - // "root", "adm", "/bin/bash" *e = p case *int: - // "0", "4", "1000" - // ignore string to int conversion errors, for great "tolerance" of naughty configuration files + // "numbers", with conversion errors ignored because of some misbehaving configuration files. *e, _ = strconv.Atoi(p) case *[]string: - // "", "root", "root,adm,daemon" + // Comma-separated lists. if p != "" { *e = strings.Split(p, ",") } else { *e = []string{} } default: - // panic, because this is a programming/logic error, not a runtime one - panic("parseLine expects only pointers! argument " + strconv.Itoa(i) + " is not a pointer!") + // Someone goof'd when writing code using this function. Scream so they can hear us. + panic(fmt.Sprintf("parseLine only accepts {*string, *int, *[]string} as arguments! %#v is not a pointer!", e)) } } } @@ -106,8 +107,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) { return nil, err } - text := strings.TrimSpace(s.Text()) - if text == "" { + line := strings.TrimSpace(s.Text()) + if line == "" { continue } @@ -117,10 +118,7 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) { // root:x:0:0:root:/root:/bin/bash // adm:x:3:4:adm:/var/adm:/bin/false p := User{} - parseLine( - text, - &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell, - ) + parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell) if filter == nil || filter(p) { out = append(out, p) @@ -135,6 +133,7 @@ func ParseGroupFile(path string) ([]Group, error) { if err != nil { return nil, err } + defer group.Close() return ParseGroup(group) } @@ -178,10 +177,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { // root:x:0:root // adm:x:4:root,adm,daemon p := Group{} - parseLine( - text, - &p.Name, &p.Pass, &p.Gid, &p.List, - ) + parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List) if filter == nil || filter(p) { out = append(out, p) @@ -192,9 +188,10 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { } type ExecUser struct { - Uid, Gid int - Sgids []int - Home string + Uid int + Gid int + Sgids []int + Home string } // GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the @@ -235,12 +232,12 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath // * "uid:gid // * "user:gid" // * "uid:group" +// +// It should be noted that if you specify a numeric user or group id, they will +// not be evaluated as usernames (only the metadata will be filled). So attempting +// to parse a user with user.Name = "1337" will produce the user with a UID of +// 1337. func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) { - var ( - userArg, groupArg string - name string - ) - if defaults == nil { defaults = new(ExecUser) } @@ -258,87 +255,113 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) ( user.Sgids = []int{} } - // allow for userArg to have either "user" syntax, or optionally "user:group" syntax + // Allow for userArg to have either "user" syntax, or optionally "user:group" syntax + var userArg, groupArg string parseLine(userSpec, &userArg, &groupArg) + // Convert userArg and groupArg to be numeric, so we don't have to execute + // Atoi *twice* for each iteration over lines. + uidArg, uidErr := strconv.Atoi(userArg) + gidArg, gidErr := strconv.Atoi(groupArg) + + // Find the matching user. users, err := ParsePasswdFilter(passwd, func(u User) bool { if userArg == "" { + // Default to current state of the user. return u.Uid == user.Uid } - return u.Name == userArg || strconv.Itoa(u.Uid) == userArg + + if uidErr == nil { + // If the userArg is numeric, always treat it as a UID. + return uidArg == u.Uid + } + + return u.Name == userArg }) + + // If we can't find the user, we have to bail. if err != nil && passwd != nil { if userArg == "" { userArg = strconv.Itoa(user.Uid) } - return nil, fmt.Errorf("Unable to find user %v: %v", userArg, err) + return nil, fmt.Errorf("unable to find user %s: %v", userArg, err) } - haveUser := users != nil && len(users) > 0 - if haveUser { - // if we found any user entries that matched our filter, let's take the first one as "correct" - name = users[0].Name + var matchedUserName string + if len(users) > 0 { + // First match wins, even if there's more than one matching entry. + matchedUserName = users[0].Name user.Uid = users[0].Uid user.Gid = users[0].Gid user.Home = users[0].Home } else if userArg != "" { - // we asked for a user but didn't find them... let's check to see if we wanted a numeric user - user.Uid, err = strconv.Atoi(userArg) - if err != nil { - // not numeric - we have to bail - return nil, fmt.Errorf("Unable to find user %v", userArg) + // If we can't find a user with the given username, the only other valid + // option is if it's a numeric username with no associated entry in passwd. + + if uidErr != nil { + // Not numeric. + return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries) } + user.Uid = uidArg // Must be inside valid uid range. if user.Uid < minId || user.Uid > maxId { return nil, ErrRange } - // if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit + // Okay, so it's numeric. We can just roll with this. } - if groupArg != "" || name != "" { + // On to the groups. If we matched a username, we need to do this because of + // the supplementary group IDs. + if groupArg != "" || matchedUserName != "" { groups, err := ParseGroupFilter(group, func(g Group) bool { - // Explicit group format takes precedence. - if groupArg != "" { - return g.Name == groupArg || strconv.Itoa(g.Gid) == groupArg + // If the group argument isn't explicit, we'll just search for it. + if groupArg == "" { + // Check if user is a member of this group. + for _, u := range g.List { + if u == matchedUserName { + return true + } + } + return false } - // Check if user is a member. - for _, u := range g.List { - if u == name { - return true - } + if gidErr == nil { + // If the groupArg is numeric, always treat it as a GID. + return gidArg == g.Gid } - return false + return g.Name == groupArg }) if err != nil && group != nil { - return nil, fmt.Errorf("Unable to find groups for user %v: %v", users[0].Name, err) + return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err) } - haveGroup := groups != nil && len(groups) > 0 + // Only start modifying user.Gid if it is in explicit form. if groupArg != "" { - if haveGroup { - // if we found any group entries that matched our filter, let's take the first one as "correct" + if len(groups) > 0 { + // First match wins, even if there's more than one matching entry. user.Gid = groups[0].Gid - } else { - // we asked for a group but didn't find id... let's check to see if we wanted a numeric group - user.Gid, err = strconv.Atoi(groupArg) - if err != nil { - // not numeric - we have to bail - return nil, fmt.Errorf("Unable to find group %v", groupArg) + } else if groupArg != "" { + // If we can't find a group with the given name, the only other valid + // option is if it's a numeric group name with no associated entry in group. + + if gidErr != nil { + // Not numeric. + return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries) } + user.Gid = gidArg - // Ensure gid is inside gid range. + // Must be inside valid gid range. if user.Gid < minId || user.Gid > maxId { return nil, ErrRange } - // if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit + // Okay, so it's numeric. We can just roll with this. } - } else if haveGroup { - // If implicit group format, fill supplementary gids. + } else if len(groups) > 0 { + // Supplementary group ids only make sense if in the implicit form. user.Sgids = make([]int, len(groups)) for i, group := range groups { user.Sgids[i] = group.Gid -- 2.8.1 ++++++ docker-1.10.3.tar.xz -> docker-1.11.1.tar.xz ++++++ /work/SRC/openSUSE:Factory/docker/docker-1.10.3.tar.xz /work/SRC/openSUSE:Factory/.docker.new/docker-1.11.1.tar.xz differ: char 25, line 1 ++++++ docker-mount-secrets.patch ++++++ >From fb84d5a3fbc3f1fad7dfc961b5dace3915eae7f9 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Mon, 11 Apr 2016 22:54:35 +1000 Subject: [PATCH] SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. Signed-off-by: Aleksa Sarai <[email protected]> --- container/container_unix.go | 63 ++++++++++++ daemon/container_operations_unix.go | 50 ++++++++++ daemon/daemon_unix.go | 6 +- daemon/oci_linux.go | 7 ++ daemon/start.go | 6 ++ daemon/suse_secrets.go | 184 ++++++++++++++++++++++++++++++++++++ 6 files changed, 314 insertions(+), 2 deletions(-) create mode 100644 daemon/suse_secrets.go Index: docker-1.11.0/container/container_unix.go =================================================================== --- docker-1.11.0.orig/container/container_unix.go +++ docker-1.11.0/container/container_unix.go @@ -34,6 +34,8 @@ type Container struct { HostsPath string ShmPath string ResolvConfPath string + // SUSE:secrets :: We need to add the container-specific secrets path here. + SuseSecretsPath string SeccompProfile string NoNewPrivileges bool } @@ -243,6 +245,67 @@ func (container *Container) IpcMounts() return mounts } +// SUSE:secrets :: SuseSecretsResourcePath returns the path to the container's +// personal /run/secrets tmpfs. +func (container *Container) SuseSecretsResourcePath() (string, error) { + return container.GetRootResourcePath("suse:secrets") +} + +// SUSE:secrets :: SuseSecretMounts returns the list of mounts required for the +// SUSE-specific /run/secrets patch. The container's personal /run/secrets tmpfs +// has already been set up at this point. +func (container *Container) SuseSecretMounts() []Mount { + var mounts []Mount + + logrus.WithFields(logrus.Fields{ + "container": container.ID, + "path": container.SuseSecretsPath, + "hasmount": container.HasMountFor("/run/secrets"), + }).Debug("SUSE:secrets :: adding container secrets to mountpoint") + + // TODO(SUSE): How do we register for HasMountFor(). + if !container.HasMountFor("/run/secrets") { + label.SetFileLabel(container.SuseSecretsPath, container.MountLabel) + mounts = append(mounts, Mount{ + Source: container.SuseSecretsPath, + Destination: "/run/secrets", + Writable: true, + Propagation: volume.DefaultPropagationMode, + }) + } + + return mounts +} + +// SUSE:secrets :: Unmounts the container's personal /run/secrets tmpfs using the +// provided function. This is done to clean up the mountpoints properly. +func (container *Container) UnmountSuseSecretMounts(unmount func(string) error) { + logrus.WithFields(logrus.Fields{ + "container": container.ID, + "hasmount": container.HasMountFor("/run/secrets"), + }).Debug("SUSE:secrets :: requested to clean up container secrets") + + if !container.HasMountFor("/run/secrets") { + logrus.Debugf("SUSE:secrets :: cleaning up secrets mount for container") + + suseSecretsPath, err := container.SuseSecretsResourcePath() + if err != nil { + logrus.Error("SUSE:secrets :: failed to clean up secrets mounts: no secrets resource path found for container %v: %v", container.ID, err) + } + + if suseSecretsPath != "" { + logrus.WithFields(logrus.Fields{ + "path": suseSecretsPath, + }).Debugf("SUSE:secrets :: actually unmounting conatiner secrets") + + if err := unmount(suseSecretsPath); err != nil && !os.IsNotExist(err) { + // We can't error out here. + logrus.Warnf("SUSE:secrets :: failed to clean up secrets mounts: failed to umount %s: %v", suseSecretsPath, err) + } + } + } +} + // UpdateContainer updates configuration of a container. func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error { container.Lock() Index: docker-1.11.0/daemon/container_operations_unix.go =================================================================== --- docker-1.11.0.orig/daemon/container_operations_unix.go +++ docker-1.11.0/daemon/container_operations_unix.go @@ -182,6 +182,56 @@ func (daemon *Daemon) getIpcContainer(co return c, nil } +// SUSE:secrets :: Create a container's personal /run/secrets tmpfs and fill it +// with the host's credentials. +func (daemon *Daemon) setupSuseSecrets(c *container.Container) (err error) { + c.SuseSecretsPath, err = c.SuseSecretsResourcePath() + if err != nil { + return err + } + + if !c.HasMountFor("/run/secrets") { + rootUID, rootGID := daemon.GetRemappedUIDGID() + if err = idtools.MkdirAllAs(c.SuseSecretsPath, 0700, rootUID, rootGID); err != nil { + return fmt.Errorf("SUSE:secrets :: failed to create container secret: %v", err) + } + if err = syscall.Mount("tmpfs", c.SuseSecretsPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("", c.GetMountLabel())); err != nil { + return fmt.Errorf("SUSE:secrets :: mounting secrets tmpfs: %v", err) + } + // We need to defer a cleanup, to make sure errors that occur before the container + // starts don't cause wasted memory due to tmpfs-es that aren't being used. + defer func() { + if err != nil { + logrus.Infof("SUSE::secrets :: cleaning up secrets mount due to failed setup") + c.UnmountSuseSecretMounts(detachMounted) + } + }() + if err = os.Chown(c.SuseSecretsPath, rootUID, rootGID); err != nil { + return fmt.Errorf("SUSE:secrets :: failed to chown container secret to (uid=%d,gid=%d): %v", rootUID, rootGID, err) + } + + // Now we need to inject the credentials. But in order to play properly with + // user namespaces, they must be owned by rootUID:rootGID. + + data, err := getHostSuseSecretData() + if err != nil { + return fmt.Errorf("SUSE:secrets :: failed to get host secret data: %v", err) + } + + uidMap, gidMap := daemon.GetUIDGIDMaps() + for _, s := range data { + if err := s.SaveTo(c.SuseSecretsPath, uidMap, gidMap); err != nil { + logrus.WithFields(logrus.Fields{ + "s.path": s.Path, + "path": c.SuseSecretsPath, + }).Errorf("SUSE:secrets :: failed to save secret data: %v", err) + } + } + } + + return +} + func (daemon *Daemon) setupIpcDirs(c *container.Container) error { var err error Index: docker-1.11.0/daemon/daemon_unix.go =================================================================== --- docker-1.11.0.orig/daemon/daemon_unix.go +++ docker-1.11.0/daemon/daemon_unix.go @@ -786,8 +786,10 @@ func initBridgeDriver(controller libnetw // the container from unwanted side-effects on the rw layer. func setupInitLayer(initLayer string, rootUID, rootGID int) error { for pth, typ := range map[string]string{ - "/dev/pts": "dir", - "/dev/shm": "dir", + "/dev/pts": "dir", + "/dev/shm": "dir", + // SUSE:secrets :: We need to add the mountpoint in the init layer. + "/run/secrets": "dir", "/proc": "dir", "/sys": "dir", "/.dockerenv": "file", Index: docker-1.11.0/daemon/oci_linux.go =================================================================== --- docker-1.11.0.orig/daemon/oci_linux.go +++ docker-1.11.0/daemon/oci_linux.go @@ -634,12 +634,19 @@ func (daemon *Daemon) createSpec(c *cont return nil, err } + // SUSE:secrets :: We need to set up the container-specific secrets tmpfs here. + if err := daemon.setupSuseSecrets(c); err != nil { + return nil, err + } + mounts, err := daemon.setupMounts(c) if err != nil { return nil, err } mounts = append(mounts, c.IpcMounts()...) mounts = append(mounts, c.TmpfsMounts()...) + // SUSE:secrets :: We add the mounts to the OCI config which containerd then uses. + mounts = append(mounts, c.SuseSecretMounts()...) if err := setMounts(daemon, &s, c, mounts); err != nil { return nil, fmt.Errorf("linux mounts: %v", err) } Index: docker-1.11.0/daemon/start.go =================================================================== --- docker-1.11.0.orig/daemon/start.go +++ docker-1.11.0/daemon/start.go @@ -164,6 +164,12 @@ func (daemon *Daemon) Cleanup(container container.UnmountIpcMounts(detachMounted) + // TODO(SUSE): Make sure this gets called by containerCleanup. Do we need to + // port this part of the patch there as well? + + // SUSE:secrets :: We need to unmount stuff here so that we clean up properly. + container.UnmountSuseSecretMounts(detachMounted) + if err := daemon.conditionalUnmountOnCleanup(container); err != nil { // FIXME: remove once reference counting for graphdrivers has been refactored // Ensure that all the mounts are gone Index: docker-1.11.0/daemon/suse_secrets.go =================================================================== --- /dev/null +++ docker-1.11.0/daemon/suse_secrets.go @@ -0,0 +1,184 @@ +package daemon + +// SUSE:secrets :: This is a set of functions to copy host credentials into a +// container's /run/secrets. + +import ( + "io/ioutil" + "os" + "path/filepath" + "syscall" + + "github.com/Sirupsen/logrus" + "github.com/docker/docker/pkg/idtools" +) + +// TODO(SUSE): We need to reimplement this to use tar. Immediately. + +// Creating a fake file. +type SuseFakeFile struct { + Path string + Uid int + Gid int + Mode os.FileMode + Data []byte +} + +func (s *SuseFakeFile) SaveTo(dir string, uidMap, gidMap []idtools.IDMap) error { + // Create non-existant path components with an owner of root (other FakeFiles + // will clean this up if the owner is critical). + rootUid, rootGid, err := idtools.GetRootUIDGID(uidMap, gidMap) + + path := filepath.Join(dir, s.Path) + if err := idtools.MkdirAllNewAs(filepath.Dir(path), 0755, rootUid, rootGid); err != nil && !os.IsExist(err) { + return err + } + + uid, err := idtools.ToHost(s.Uid, uidMap) + if err != nil { + return err + } + + gid, err := idtools.ToHost(s.Gid, gidMap) + if err != nil { + return err + } + + if s.Mode.IsDir() { + if err := idtools.MkdirAs(path, s.Mode, uid, gid); err != nil { + return err + } + } else { + if err := ioutil.WriteFile(path, s.Data, s.Mode); err != nil { + return err + } + } + + return os.Chown(path, uid, gid) +} + +// readDir will recurse into a directory prefix/dir, and return the set of secrets +// in that directory. The Path attribute of each has the prefix stripped. Symlinks +// are evaluated. +func readDir(prefix, dir string) ([]*SuseFakeFile, error) { + var suseFiles []*SuseFakeFile + + path := filepath.Join(prefix, dir) + + fi, err := os.Stat(path) + if err != nil { + // Ignore dangling symlinks. + if os.IsNotExist(err) { + logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path) + return suseFiles, nil + } + return nil, err + } + + stat, ok := fi.Sys().(*syscall.Stat_t) + if !ok { + logrus.Warnf("SUSE:secrets :: failed to cast directory stat_t: defaulting to owned by root:root: %s", path) + } + + suseFiles = append(suseFiles, &SuseFakeFile{ + Path: dir, + Uid: int(stat.Uid), + Gid: int(stat.Gid), + Mode: fi.Mode(), + }) + + files, err := ioutil.ReadDir(path) + if err != nil { + return nil, err + } + + for _, f := range files { + subpath := filepath.Join(dir, f.Name()) + + if f.IsDir() { + secrets, err := readDir(prefix, subpath) + if err != nil { + return nil, err + } + suseFiles = append(suseFiles, secrets...) + } else { + secrets, err := readFile(prefix, subpath) + if err != nil { + return nil, err + } + suseFiles = append(suseFiles, secrets...) + } + } + + return suseFiles, nil +} + +func readFile(prefix, file string) ([]*SuseFakeFile, error) { + var suseFiles []*SuseFakeFile + + path := filepath.Join(prefix, file) + fi, err := os.Stat(path) + if err != nil { + // Ignore dangling symlinks. + if os.IsNotExist(err) { + logrus.Warnf("SUSE:secrets :: dangling symlink: %s", path) + return suseFiles, nil + } + return nil, err + } + + stat, ok := fi.Sys().(*syscall.Stat_t) + if !ok { + logrus.Warnf("SUSE:secrets :: failed to cast file stat_t: defaulting to owned by root:root: %s", path) + } + + if fi.IsDir() { + secrets, err := readDir(prefix, file) + if err != nil { + return nil, err + } + suseFiles = append(suseFiles, secrets...) + } else { + bytes, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + suseFiles = append(suseFiles, &SuseFakeFile{ + Path: file, + Uid: int(stat.Uid), + Gid: int(stat.Gid), + Mode: fi.Mode(), + Data: bytes, + }) + } + + return suseFiles, nil +} + +func getHostSuseSecretData() ([]*SuseFakeFile, error) { + secrets := []*SuseFakeFile{} + + credentials, err := readDir("/etc/zypp", "credentials.d") + if err != nil { + if os.IsNotExist(err) { + credentials = []*SuseFakeFile{} + } else { + logrus.Errorf("SUSE:secrets :: error while reading zypp credentials: %s", err) + return nil, err + } + } + secrets = append(secrets, credentials...) + + suseConnect, err := readFile("/etc", "SUSEConnect") + if err != nil { + if os.IsNotExist(err) { + suseConnect = []*SuseFakeFile{} + } else { + logrus.Errorf("SUSE:secrets :: error while reading /etc/SUSEConnect: %s", err) + return nil, err + } + } + secrets = append(secrets, suseConnect...) + + return secrets, nil +} ++++++ docker.service ++++++ --- /var/tmp/diff_new_pack.n7u6hl/_old 2016-05-04 08:20:18.000000000 +0200 +++ /var/tmp/diff_new_pack.n7u6hl/_new 2016-05-04 08:20:18.000000000 +0200 @@ -1,21 +1,15 @@ [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com -After=network.target docker.socket -Requires=docker.socket +After=network.target docker.socket containerd.socket +Requires=docker.socket containerd.socket [Service] -# the default is not to use systemd for cgroups because the delegate issues still -# exists and systemd currently does not support the cgroup feature set required -# for containers run by docker EnvironmentFile=/etc/sysconfig/docker -ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS -MountFlags=slave +ExecStart=/usr/bin/docker daemon -H fd:// --containerd /run/containerd/containerd.sock $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity -# set delegate yes so that systemd does not reset the cgroups of docker containers -Delegate=yes [Install] WantedBy=multi-user.target
