commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-06-29 21:15:17 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.3060 (New) Package is "docker-runc" Mon Jun 29 21:15:17 2020 rev:25 rq:817375 version:1.0.0rc10+gitr3981_dc9208a3303f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2020-06-05 20:09:21.793573906 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.3060/docker-runc.changes 2020-06-29 21:15:29.389250152 +0200 @@ -1,0 +2,5 @@ +Thu Jun 25 22:34:03 UTC 2020 - Aleksa Sarai + +- Switch to Go 1.13 for build. + +--- Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.Kd0vnF/_old 2020-06-29 21:15:30.917254880 +0200 +++ /var/tmp/diff_new_pack.Kd0vnF/_new 2020-06-29 21:15:30.917254880 +0200 @@ -56,7 +56,9 @@ BuildRequires: libapparmor-devel BuildRequires: libseccomp-devel >= 2.2 BuildRequires: libselinux-devel -BuildRequires: golang(API) >= 1.10 +# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires +# for 'golang(API) >= 1.13' here, so just require 1.13 exactly. bsc#1172608 +BuildRequires: go1.13 Recommends: criu Obsoletes: runc <= 1.0 # We provide a git revision so that Docker can require it properly.
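Review bot: In docker-runc.spec at @@ -56,7 +56,9 @@, `BuildRequires: go1.13` pins the build to one Go release series, where the line it replaces (`golang(API) >= 1.10`) accepted any newer one, so the package will no longer move to a later Go toolchain on its own. The added comment gives the reason (bsc#1172608); suggest it also says that the line should return to a `golang(API) >= 1.13` requirement once that packaging limitation is resolved, so the pin is not forgotten.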
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-06-05 20:06:03 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.3606 (New) Package is "docker-runc" Fri Jun 5 20:06:03 2020 rev:24 rq:89 version:1.0.0rc10+gitr3981_dc9208a3303f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2020-05-14 23:22:27.616675345 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.3606/docker-runc.changes 2020-06-05 20:09:21.793573906 +0200 @@ -1,0 +2,12 @@ +Tue Jun 2 11:21:30 UTC 2020 - Aleksa Sarai + +- Update to runc v1.0.0-rc10, which is required for Docker 19.03.11-ce. + bsc#1172377 +- Remove upstreamed patches: + - CVE-2019-16884.patch + - CVE-2019-19921.patch +- Synchronise patches with 'runc' package: + + bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch + * bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch + +--- Old: CVE-2019-16884.patch CVE-2019-19921.patch docker-runc-git.3e425f80a8c9.tar.xz New: bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch docker-runc-git.dc9208a3303f.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.Q6h4tZ/_old 2020-06-05 20:09:22.589576474 +0200 +++ /var/tmp/diff_new_pack.Q6h4tZ/_new 2020-06-05 20:09:22.589576474 +0200 
@@ -29,21 +29,17 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 3e425f80a8c931f88e6d94a8c831b9d5aa481657 -%define git_short 3e425f80a8c9 -# How to get the git_revision -# git clone ${url}.git runc-upstream -# cd runc-upstream -# git checkout $git_version -# git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3917 +%define git_version dc9208a3303feef5b3839f4323d9beb36df0a9dd +%define git_short dc9208a3303f +# git_revision=r$(git rev-list $COMMIT_ID | wc -l) +%define git_revision r3981 %define go_tool go %define _name runc %define project github.com/opencontainers/%{_name} Name: %{realname}%{name_suffix} -Version:1.0.0rc8+git%{git_revision}_%{git_short} +Version:1.0.0rc10+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 @@ -51,12 +47,10 @@ URL:https://github.com/opencontainers/runc Source: %{realname}-git.%{git_short}.tar.xz Source1:%{realname}-rpmlintrc -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2130. -Patch1: CVE-2019-16884.patch -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207. -Patch2: CVE-2019-19921.patch +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1807. bsc#1149954 +Patch0: bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2391. bsc#1168481 -Patch3: bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch +Patch1: bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel 
@@ -93,12 +87,10 @@ %prep %setup -q -n %{realname}-git.%{git_short} -# CVE-2019-16884 bsc#1152308 -%patch1 -p1 -# CVE-2019-19921 -%patch2 -p1 +# bsc#1149954 +%patch0 -p1 # bsc#1168481 -%patch3 -p1 +%patch1 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ _service ++ --- /var/tmp/diff_new_pack.Q6h4tZ/_old 2020-06-05 20:09:22.629576603 +0200 +++ /var/tmp/diff_new_pack.Q6h4tZ/_new 2020-06-05 20:09:22.629576603 +0200 @@ -4,7 +4,7 @@ git docker-runc git.%h -3e425f80a8c931f88e6d94a8c831b9d5aa481657 +dc9208a3303feef5b3839f4323d9beb36df0a9dd .git ++ bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch ++ >From 5d13416879fe0f50c300d94c569ea77950cbee94 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 25 May 2018 18:04:06 +0200 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create if NOTIFY_SOCKET is used, do not block the main runc process waiting for events on the notify socket. Bind mount the parent directory of the notify socket, so that "start" can create the socket and it is still accessible from the container. Signed-off-by: Giuseppe Scrivano (cherry picked from commit 25fd4a67571992b9121f77d2a4f0d89d4375f383) --- notify_socket.go | 132 ++
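Review bot: In docker-runc.spec at @@ -29,21 +29,17 @@, the shortened recipe `git_revision=r$(git rev-list $COMMIT_ID | wc -l)` uses `$COMMIT_ID`, which nothing in the visible spec defines, and it drops the clone and checkout steps the old comment spelled out. Since the line above is marked MANUAL, suggest writing the recipe in terms of `git_version` or adding one line that says where it is meant to be run. In the @@ -51,12 +47,10 @@ and @@ -93,12 +87,10 @@ hunks the patch numbers are reused (`Patch1` was CVE-2019-16884.patch and is now the bsc1168481 patch); the `Patch` and `%patch` lines agree with each other, but this is worth keeping in mind when comparing against older revisions.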
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-05-14 23:22:25 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.2738 (New) Package is "docker-runc" Thu May 14 23:22:25 2020 rev:23 rq:804889 version:1.0.0rc8+gitr3917_3e425f80a8c9 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2020-01-21 20:58:33.848798577 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.2738/docker-runc.changes 2020-05-14 23:22:27.616675345 +0200 @@ -1,0 +2,7 @@ +Wed May 13 06:49:44 UTC 2020 - Aleksa Sarai + +- Backport https://github.com/opencontainers/runc/pull/2391 to help fix + bsc#1168481. + + bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch + +--- New: bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.7JvLzl/_old 2020-05-14 23:22:28.112676428 +0200 +++ /var/tmp/diff_new_pack.7JvLzl/_new 2020-05-14 23:22:28.116676437 +0200 @@ -55,6 +55,8 @@ Patch1: CVE-2019-16884.patch # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207. Patch2: CVE-2019-19921.patch +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2391. bsc#1168481 +Patch3: bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel @@ -95,6 +97,8 @@ %patch1 -p1 # CVE-2019-19921 %patch2 -p1 +# bsc#1168481 +%patch3 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch ++ 3531 lines (skipped)
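Review bot: In docker-runc.changes, the entry says the backport is "to help fix" bsc#1168481, which leaves open what remains unfixed after this patch, and the patch body (3531 lines) is skipped in this mail, so the change cannot be reviewed from the log itself. Suggest stating in the changelog or in the `# FIX-UPSTREAM` comment above `Patch3` whether the whole of pull/2391 is carried and what further work the bug still needs.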
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-01-21 20:58:22 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.26092 (New) Package is "docker-runc" Tue Jan 21 20:58:22 2020 rev:22 rq:765630 version:1.0.0rc8+gitr3917_3e425f80a8c9 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2020-01-19 20:53:20.531921176 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.26092/docker-runc.changes 2020-01-21 20:58:33.848798577 +0100 @@ -1,0 +2,6 @@ +Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai + +- Update CVE-2019-19921 patch to match upstream PR. + * CVE-2019-19921.patch + +--- Other differences: -- ++ CVE-2019-19921.patch ++ --- /var/tmp/diff_new_pack.E1BJor/_old 2020-01-21 20:58:36.000799580 +0100 +++ /var/tmp/diff_new_pack.E1BJor/_new 2020-01-21 20:58:36.012799586 +0100 @@ -1,4 +1,4 @@ -From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001 +From 3291d66b98445bd7f7d02eac7f2bca2ac2c56942 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sat, 21 Dec 2019 23:40:17 +1100 Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories @@ -17,19 +17,19 @@ Fixes: CVE-2019-19921 Signed-off-by: Aleksa Sarai --- - libcontainer/rootfs_linux.go | 14 ++ - 1 file changed, 14 insertions(+) + libcontainer/rootfs_linux.go | 12 + 1 file changed, 12 insertions(+) diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go -index 291021440a1a..6bc0747f9f7e 100644 +index 291021440a1a..106c4c2b98bf 100644 --- a/libcontainer/rootfs_linux.go 
+++ b/libcontainer/rootfs_linux.go -@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b +@@ -299,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b switch m.Device { case "proc", "sysfs": -+ // If the destination already exists and is not a directory, we remove -+ // it. This is to avoid mounting through a symlink or similar -- which ++ // If the destination already exists and is not a directory, we bail ++ // out This is to avoid mounting through a symlink or similar -- which + // has been a "fun" attack scenario in the past. + // TODO: This won't be necessary once we switch to libpathrs and we can + // stop all of these symlink-exchange attacks. @@ -38,9 +38,7 @@ + return err + } + } else if fi.Mode()&os.ModeDir == 0 { -+ if err := os.Remove(dest); err != nil { -+ return err -+ } ++ return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device) + } if err := os.MkdirAll(dest, 0755); err != nil { return err
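Review bot: In the updated CVE-2019-19921.patch, the error returned from the `else if fi.Mode()&os.ModeDir == 0` branch names only `m.Device` and not `dest`; including the destination path would tell the operator which mount entry was rejected. The reworded code comment also lost its full stop (`we bail` / `out This is to avoid`). The check remains an `os.Lstat` on a path followed by `os.MkdirAll` on the same path, which the TODO about libpathrs already acknowledges.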
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2020-01-19 20:52:39 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.26092 (New) Package is "docker-runc" Sun Jan 19 20:52:39 2020 rev:21 rq:764687 version:1.0.0rc8+gitr3917_3e425f80a8c9 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-10-23 15:47:16.114462304 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.26092/docker-runc.changes 2020-01-19 20:53:20.531921176 +0100 @@ -1,0 +2,6 @@ +Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai + +- Add backported fix for CVE-2019-19921. bsc#1160452 + + CVE-2019-19921.patch + +--- New: CVE-2019-19921.patch Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.Qk9OHq/_old 2020-01-19 20:53:21.535921704 +0100 +++ /var/tmp/diff_new_pack.Qk9OHq/_new 2020-01-19 20:53:21.535921704 +0100 @@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -48,11 +48,13 @@ Summary:Tool for spawning and running OCI containers License:Apache-2.0 Group: System/Management -Url:https://github.com/opencontainers/runc +URL:https://github.com/opencontainers/runc Source: %{realname}-git.%{git_short}.tar.xz Source1:%{realname}-rpmlintrc # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2130. Patch1: CVE-2019-16884.patch +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207. +Patch2: CVE-2019-19921.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel 
@@ -91,6 +93,8 @@ %setup -q -n %{realname}-git.%{git_short} # CVE-2019-16884 bsc#1152308 %patch1 -p1 +# CVE-2019-19921 +%patch2 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ CVE-2019-19921.patch ++ >From 9975f5238a792586bfa3e36e4c66a8d1154b44ac Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sat, 21 Dec 2019 23:40:17 +1100 Subject: [PATCH] rootfs: do not permit /proc mounts to non-directories mount(2) will blindly follow symlinks, which is a problem because it allows a malicious container to trick runc into mounting /proc to an entirely different location (and thus within the attacker's control for a rename-exchange attack). This is just a hotfix (to "stop the bleeding"), and the more complete fix would be finish libpathrs and port runc to it (to avoid these types of attacks entirely, and defend against a variety of other /proc-related attacks). It can be bypased by someone having "/" be a volume controlled by another container. Fixes: CVE-2019-19921 Signed-off-by: Aleksa Sarai --- libcontainer/rootfs_linux.go | 14 ++ 1 file changed, 14 insertions(+) diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go index 291021440a1a..6bc0747f9f7e 100644 --- a/libcontainer/rootfs_linux.go +++ b/libcontainer/rootfs_linux.go 
@@ -299,6 +299,20 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b switch m.Device { case "proc", "sysfs": + // If the destination already exists and is not a directory, we remove + // it. This is to avoid mounting through a symlink or similar -- which + // has been a "fun" attack scenario in the past. + // TODO: This won't be necessary once we switch to libpathrs and we can + // stop all of these symlink-exchange attacks. + if fi, err := os.Lstat(dest); err != nil { + if !os.IsNotExist(err) { + return err + } + } else if fi.Mode()&os.ModeDir == 0 { + if err := os.Remove(dest); err != nil { + return err + } + } if err := os.MkdirAll(dest, 0755); err != nil { return err } -- 2.24.1
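Review bot: In CVE-2019-19921.patch at @@ -299,6 +299,20 @@, the `else if fi.Mode()&os.ModeDir == 0` branch calls `os.Remove(dest)`, so runc deletes whatever non-directory the container's rootfs has at the mount destination, and `os.Lstat`, `os.Remove` and `os.MkdirAll` each resolve `dest` by path again. Returning an error in that branch would be simpler and would not modify the rootfs on the container's behalf. In docker-runc.spec at @@ -91,6 +93,8 @@, the `# CVE-2019-19921` comment could carry bsc#1160452, as the line above it carries bsc#1152308.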
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-10-23 15:47:10 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.2352 (New) Package is "docker-runc" Wed Oct 23 15:47:10 2019 rev:20 rq:736405 version:1.0.0rc8+gitr3917_3e425f80a8c9 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-06-30 10:19:26.507428221 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.2352/docker-runc.changes 2019-10-23 15:47:16.114462304 +0200 @@ -1,0 +2,15 @@ +Tue Oct 8 23:39:02 UTC 2019 - Aleksa Sarai + +- Update to runc 3e425f80a8c9, which is required for Docker 19.03.3-ce. + bsc#1153367 +- Rebase CVE-2019-16884 fix (3e425f80a8c9 doesn't contain the entire fix). + bsc#1152308 + - CVE-2019-16884.patch + +--- +Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai + +- Add backported fix for CVE-2019-16884. bsc#1152308 + + CVE-2019-16884.patch + +--- Old: docker-runc-git.425e105d5a03fabd737a126ad93d62a9eeede87f.tar.xz New: CVE-2019-16884.patch docker-runc-git.3e425f80a8c9.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.zYiheW/_old 2019-10-23 15:47:17.374463666 +0200 +++ /var/tmp/diff_new_pack.zYiheW/_new 2019-10-23 15:47:17.378463670 +0200 @@ -29,14 +29,14 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 425e105d5a03fabd737a126ad93d62a9eeede87f -%define git_short 425e105d5a03 +%define git_version 3e425f80a8c931f88e6d94a8c831b9d5aa481657 +%define git_short 3e425f80a8c9 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3826 +%define git_revision r3917 %define go_tool go %define _name runc 
@@ -49,8 +49,10 @@ License:Apache-2.0 Group: System/Management Url:https://github.com/opencontainers/runc -Source: %{realname}-git.%{git_version}.tar.xz +Source: %{realname}-git.%{git_short}.tar.xz Source1:%{realname}-rpmlintrc +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2130. +Patch1: CVE-2019-16884.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel @@ -86,7 +88,9 @@ and has grown to become a separate project entirely. %prep -%setup -q -n %{realname}-git.%{git_version} +%setup -q -n %{realname}-git.%{git_short} +# CVE-2019-16884 bsc#1152308 +%patch1 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at @@ -94,9 +98,9 @@ # will get confused by symlinks. export GOPATH=${HOME}/go export PROJECT=${HOME}/go/src/%project -mkdir -pv $PROJECT +mkdir -p $PROJECT rm -rf $PROJECT/* -cp -av * $PROJECT +cp -a * $PROJECT # Build all features. export BUILDTAGS="apparmor selinux seccomp" ++ CVE-2019-16884.patch ++ >From cb9f5ac65dc00dc8a7f859bc422483950d180e83 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 30 Sep 2019 00:35:33 +1000 Subject: [PATCH] CVE-2019-16884 This is a backport of the following patches: * e12201c719ac ("vendor: update github.com/opencontainers/selinux") * 5db97bbdef9f ("*: verify that operations on /proc/... are on procfs") SUSE-Bugs: CVE-2019-16884 bsc#1152308 Signed-off-by: Aleksa Sarai --- libcontainer/apparmor/apparmor.go | 10 - libcontainer/utils/utils_unix.go | 44 ++- vendor.conf | 2 +- .../selinux/go-selinux/label/label_selinux.go | 18 +--- .../selinux/go-selinux/selinux_linux.go | 33 ++ .../selinux/go-selinux/selinux_stub.go| 13 ++ 6 files changed, 100 insertions(+), 20 deletions(-) diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go index 7fff0627fa1b..debfc1e489ed 100644 --- a/libcontainer/apparmor/apparmor.go +++ b/libcontainer/apparmor/apparmor.go 
@@ -6,6 +6,8 @@ import ( "fmt" "io/ioutil" "os" + + "github.com/opencontainers/runc/libcontainer/utils" ) // IsEnabled returns true if apparmor is enabled for the host. @@ -19,7 +21,7 @@ func IsEnabled() bool { return false } -func setprocattr(attr, value string) error { +func setProcAttr(attr, value string) error { // Under AppArmor you can only change your own attr, so use /proc/self/ // instead of /proc// like libapparmor does path := fmt.Sprintf("/proc/self/attr/%s", attr) @@ -30,6 +3
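Review bot: In docker-runc.spec at @@ -49,8 +49,10 @@, the comment above `Patch1` cites only pull/2130, while the header of CVE-2019-16884.patch lists two backported commits, one of them a vendor update of github.com/opencontainers/selinux. Suggest the spec comment says whether both commits come from that pull request, so it is clear which upstream version allows the patch to be dropped. The same hunk switches `Source:` and `%setup` from `%{git_version}` to `%{git_short}`, which the changelog entry does not mention.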
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-06-30 10:19:25 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.4615 (New) Package is "docker-runc" Sun Jun 30 10:19:25 2019 rev:19 rq:712299 version:1.0.0rc8+gitr3826_425e105d5a03 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-05-06 21:13:04.168383080 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.4615/docker-runc.changes 2019-06-30 10:19:26.507428221 +0200 @@ -1,0 +2,7 @@ +Fri Jun 28 01:39:44 UTC 2019 - Aleksa Sarai + +- Update to runc 425e105d5a03, which is required for Docker v18.09.7-ce. + bsc#1139649 +- Remove docker-runc-test (it's not useful for actual testing). + +--- Old: docker-runc-git.2b18fe1d885ee5083ef9f0838fee39b62d653e30.tar.xz New: docker-runc-git.425e105d5a03fabd737a126ad93d62a9eeede87f.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.x48kca/_old 2019-06-30 10:19:28.167430800 +0200 +++ /var/tmp/diff_new_pack.x48kca/_new 2019-06-30 10:19:28.191430838 +0200 @@ -29,21 +29,21 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 2b18fe1d885ee5083ef9f0838fee39b62d653e30 -%define git_short 2b18fe1d885e +%define git_version 425e105d5a03fabd737a126ad93d62a9eeede87f +%define git_short 425e105d5a03 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3804 +%define git_revision r3826 %define go_tool go %define _name runc %define project github.com/opencontainers/%{_name} Name: %{realname}%{name_suffix} -Version:1.0.0rc6+git%{git_revision}_%{git_short} +Version:1.0.0rc8+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 
@@ -85,32 +85,6 @@ of Docker. It was originally designed to be a replacement for LXC within Docker, and has grown to become a separate project entirely. -%package test -Summary:Test package for runc -Group: System/Management -BuildRequires: golang(API) = 1.10 -Requires: go-go-md2man -Requires: libapparmor-devel -BuildRequires: libseccomp-devel >= 2.3 -Requires: libselinux-devel -Recommends: criu -BuildArch: noarch -Obsoletes: runc-test <= 1.0 -# KUBIC-SPECIFIC: This was required when upgrading from the original kubic -# packaging, when everything was renamed to -kubic. It also is -# used to ensure that nothing complains too much when using -# -kubic packages. Hopfully it can be removed one day. -%if "%flavour" == "kubic" -# Obsolete older package without -kubic suffix: v2 -> v3 -Obsoletes: %{realname}-test = 0.1.1+gitr2819_50a19c6 -# Conflict with non-kubic package, and provide equivalent -Conflicts: %{realname}-test -Provides: %{realname}-test = %{version} -%endif - -%description test -Test package for runc. It contains the source code and the tests. - %prep %setup -q -n %{realname}-git.%{git_version} @@ -137,7 +111,7 @@ source ./.runc_build_env # Build runc. -make -C $PROJECT EXTRA_FLAGS="-x $BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO=%{git_version} runc +make -C $PROJECT EXTRA_FLAGS="$BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO=%{git_version} runc cp $PROJECT/runc %{realname}-%{version} # Build man pages, this can only be done on arches where we can build go-md2man. @@ -155,9 +129,6 @@ # Make sure we install in /usr/sbin/docker-runc install -D -m755 %{realname}-%{version} %{buildroot}%{_sbindir}/%{realname} -install -d -m755 %{buildroot}/usr/src/%{realname}/ -cp -av $HOME/go/src/%{project}/* %{buildroot}/usr/src/%{realname}/ -rm -rf %{buildroot}/usr/src/docker-runc/runc # We have to rename the man pages to docker-runc. install -d -m755 %{buildroot}%{_mandir}/man8 
@@ -175,8 +146,4 @@ %{_sbindir}/docker-runc %{_mandir}/man8/docker-runc*.8.gz -%files test -%defattr(-,root,root) -/usr/src/docker-runc/ - %changelog ++ _service ++ --- /var/tmp/diff_new_pack.x48kca/_old 2019-06-30 10:19:28.759431720 +0200 +++ /var/tmp/diff_new_pack.x48kca/_new 2019-06-30 10:19:28.783431757 +0200 @@ -4,7 +4,7 @@ git docker-runc git.%H -2b18fe1d885ee5083ef9f0838fee39b62d653e30 +425e105d5a03fabd737a126ad93d62a9eeede87f .git ++ docker-runc-git.2b18fe1d885ee5083ef9f0838fee39b62d653e30.tar.xz -> docker-runc-git.425e105d5a03fabd737
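Review bot: In docker-runc.spec at @@ -85,32 +85,6 @@ and @@ -175,8 +146,4 @@, the `test` subpackage and its `%files` section are removed, but none of the visible hunks add an `Obsoletes:` for it to the main package, so systems that have the test package installed may keep a stale copy after the update. Suggest adding one, or noting in the changelog why it is not needed. The @@ -137,7 +111,7 @@ hunk also drops `-x` from `EXTRA_FLAGS`, which the changelog entry does not mention.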
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-05-06 21:13:02 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.5148 (New) Package is "docker-runc" Mon May 6 21:13:02 2019 rev:18 rq:700631 version:1.0.0rc6+gitr3804_2b18fe1d885e Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-04-28 19:58:12.438980040 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.5148/docker-runc.changes 2019-05-06 21:13:04.168383080 +0200 @@ -1,0 +2,8 @@ +Fri May 3 13:22:02 UTC 2019 - Aleksa Sarai + +- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce. + bsc#1128376 boo#1134068 +- Remove patches which were merged upstream: + - bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch + +--- Old: bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch docker-runc-git.6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.xz New: docker-runc-git.2b18fe1d885ee5083ef9f0838fee39b62d653e30.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.22OgJa/_old 2019-05-06 21:13:04.576384472 +0200 +++ /var/tmp/diff_new_pack.22OgJa/_new 2019-05-06 21:13:04.580384486 +0200 @@ -29,14 +29,14 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 6635b4f0c6af3810594d2770f662f34ddc15b40d -%define git_short 6635b4f0c6af +%define git_version 2b18fe1d885ee5083ef9f0838fee39b62d653e30 +%define git_short 2b18fe1d885e # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3778 +%define git_revision r3804 %define go_tool go %define _name runc 
@@ -51,14 +51,12 @@ Url:https://github.com/opencontainers/runc Source: %{realname}-git.%{git_version}.tar.xz Source1:%{realname}-rpmlintrc -# SUSE-FIX: Backport of various upstream patches. bsc#1131314 bsc#1131553 -Patch: bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel BuildRequires: libseccomp-devel >= 2.2 BuildRequires: libselinux-devel -BuildRequires: golang(API) = 1.10 +BuildRequires: golang(API) >= 1.10 Recommends: criu Obsoletes: runc <= 1.0 # We provide a git revision so that Docker can require it properly. @@ -115,8 +113,6 @@ %prep %setup -q -n %{realname}-git.%{git_version} -# bsc#1131314 bsc#1131553 -%patch -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ _service ++ --- /var/tmp/diff_new_pack.22OgJa/_old 2019-05-06 21:13:04.604384568 +0200 +++ /var/tmp/diff_new_pack.22OgJa/_new 2019-05-06 21:13:04.604384568 +0200 @@ -4,7 +4,7 @@ git docker-runc git.%H -6635b4f0c6af3810594d2770f662f34ddc15b40d +2b18fe1d885ee5083ef9f0838fee39b62d653e30 .git ++ docker-runc-git.6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.xz -> docker-runc-git.2b18fe1d885ee5083ef9f0838fee39b62d653e30.tar.xz ++ 4256 lines of diff (skipped)
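Review bot: In docker-runc.spec at @@ -51,14 +51,12 @@, `BuildRequires: golang(API) = 1.10` is relaxed to `>= 1.10`, which changes the toolchain the package may be built with, but the changelog entry lists only the runc update and the removed patch. Suggest adding a changelog line for the build requirement change, since a different compiler version is relevant when reproducing or auditing the binary.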
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-04-28 19:57:43 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.5536 (New) Package is "docker-runc" Sun Apr 28 19:57:43 2019 rev:17 rq:697553 version:1.0.0rc6+gitr3778_6635b4f0c6af Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-03-26 22:28:32.457761988 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.5536/docker-runc.changes 2019-04-28 19:58:12.438980040 +0200 @@ -1,0 +2,7 @@ +Wed Apr 24 13:50:42 UTC 2019 - Aleksa Sarai + +- Backport various upstream patches to fix some kernel regression related to + O_TMPFILE. bsc#1131314 bsc#1131553 + * bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch + +--- New: bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.PpOB4c/_old 2019-04-28 19:58:13.802979218 +0200 +++ /var/tmp/diff_new_pack.PpOB4c/_new 2019-04-28 19:58:13.806979216 +0200 @@ -51,6 +51,8 @@ Url:https://github.com/opencontainers/runc Source: %{realname}-git.%{git_version}.tar.xz Source1:%{realname}-rpmlintrc +# SUSE-FIX: Backport of various upstream patches. bsc#1131314 bsc#1131553 +Patch: bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel @@ -113,6 +115,8 @@ %prep %setup -q -n %{realname}-git.%{git_version} +# bsc#1131314 bsc#1131553 +%patch -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ bsc1131553-0001-nsenter-cloned_binary-various-cleanups.patch ++ >From 6ca2650b8da5e0d9c0d0ae75ca9b6b61da1cf2ef Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Thu, 14 Feb 2019 15:56:26 +0100 Subject: [PATCH] nsenter: cloned_binary: various cleanups This is a merged patchset of the following upstream commits, in order to make packaging less of a pain: * bb7d8b1f41f7 ("nsexec (CVE-2019-5736): avoid parsing environ") * 5b775bf297c4 ("nsenter: cloned_binary: detect and handle short copies") * 2429d59352b8 ("nsenter: cloned_binary: expand and add pre-3.11 fallbacks") * af9da0a45082 ("nsenter: cloned_binary: use the runc statedir for O_TMPFILE") * 16612d74de5f ("nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying") * 2d4a37b42716 ("nsenter: cloned_binary: userspace copy fallback if sendfile fails") * 6f714aa9288f ("Use getenv not secure_getenv") SUSE-Bugs: bsc#1131314 bsc#1131553 Signed-off-by: Aleksa Sarai --- libcontainer/container_linux.go | 1 + libcontainer/nsenter/cloned_binary.c | 384 ++- 2 files changed, 317 insertions(+), 68 deletions(-) diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go index ef443f6fc16f..67b31c1a54ca 100644 --- a/libcontainer/container_linux.go +++ b/libcontainer/container_linux.go @@ -481,6 +481,7 @@ func (c *linuxContainer) commandTemplate(p *Process, childPipe *os.File) (*exec. cmd.ExtraFiles = append(cmd.ExtraFiles, childPipe) cmd.Env = append(cmd.Env, fmt.Sprintf("_LIBCONTAINER_INITPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1), + fmt.Sprintf("_LIBCONTAINER_STATEDIR=%s", c.root), ) // NOTE: when running a container with no PID namespace and the parent process spawning the container is // PID1 the pdeathsig is being delivered to the container's init process by the kernel for some reason diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c index c8a42c23f73f..ad10f14067b1 100644 --- a/libcontainer/nsenter/cloned_binary.c +++ b/libcontainer/nsenter/cloned_binary.c @@ -27,8 +27,10 @@ #include #include +#include #include #include +#include #include #include 
@@ -36,18 +38,21 @@ #if !defined(SYS_memfd_create) && defined(__NR_memfd_create) # define SYS_memfd_create __NR_memfd_create #endif -#ifdef SYS_memfd_create -# define HAVE_MEMFD_CREATE /* memfd_create(2) flags -- copied from . */ -# ifndef MFD_CLOEXEC -#define MFD_CLOEXEC 0x0001U -#define MFD_ALLOW_SEALING 0x0002U -# endif +#ifndef MFD_CLOEXEC +# define MFD_CLOEXEC 0x0001U +# define MFD_ALLOW_SEALING 0x0002U +#endif int memfd_create(const char *name, unsigned int flags) { +#ifdef SYS_memfd_create return syscall(SYS_memfd_create, name, flags); -} +#else + errno = ENOSYS; + return -1; #endif +} + /* This comes directly from . */ #ifndef F_LINUX_SPE
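Review bot: In docker-runc.changes, the entry describes the backport as fixing a kernel regression related to O_TMPFILE, while the header of the added patch lists seven merged upstream commits, the first of which is tagged "nsexec (CVE-2019-5736): avoid parsing environ". Suggest the changelog mentions that the patchset also touches the CVE-2019-5736 protection code, so the change shows up when someone searches the package history for that CVE. In container_linux.go at @@ -481,6 +481,7 @@, `_LIBCONTAINER_STATEDIR` is passed to the child through the environment with the value of `c.root`; a short comment there on who reads it would help, since the reading side is not in the visible part of the patch.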
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-03-26 22:28:28 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.25356 (New) Package is "docker-runc" Tue Mar 26 22:28:28 2019 rev:16 rq:688264 version:1.0.0rc6+gitr3778_6635b4f0c6af Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-02-13 09:58:25.693664177 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.25356/docker-runc.changes 2019-03-26 22:28:32.457761988 +0100 @@ -1,0 +2,7 @@ +Fri Mar 22 11:51:28 UTC 2019 - Sascha Grunert + +- Update to runc 6635b4f0c6af, which is required for Docker v18.09.3-ce. +- Remove patches that were merged upstream: + * CVE-2019-5736.patch + +--- @@ -13,0 +21,11 @@ + This contains changes for rc6: + * https://github.com/opencontainers/runc/releases + Plus additional changes: + * may kill other process when container has been stopped + (https://github.com/opencontainers/runc/commit/87a188996e229bf382c27865584765d1a50c021) + * kill: allow to signal paused containers: + (https://github.com/opencontainers/runc/commit/07d1ad44c83c4274f01e2db18776f31b4dd8e13c) + * Modify check-config.sh in accordance with Moby Project updates + (https://github.com/opencontainers/runc/commit/30817421efbc761c0adcb1d67b8ef84ae32171be) + * cr: get pid from criu notify when restore + (https://github.com/opencontainers/runc/commit/dce70cdff53f576e1334de2a545326599ec824a6) Old: CVE-2019-5736.patch docker-runc-git.96ec2177ae841256168fcf76954f7177af9446eb.tar.xz New: docker-runc-git.6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.A1VJSI/_old 2019-03-26 22:28:34.057761601 +0100 +++ /var/tmp/diff_new_pack.A1VJSI/_new 2019-03-26 22:28:34.057761601 +0100 
@@ -29,14 +29,14 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 96ec2177ae841256168fcf76954f7177af9446eb -%define git_short 96ec2177ae84 +%define git_version 6635b4f0c6af3810594d2770f662f34ddc15b40d +%define git_short 6635b4f0c6af # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3748 +%define git_revision r3778 %define go_tool go %define _name runc @@ -51,8 +51,6 @@ Url:https://github.com/opencontainers/runc Source: %{realname}-git.%{git_version}.tar.xz Source1:%{realname}-rpmlintrc -# FIX-UPSTREAM: Fix for CVE-2019-5736. bsc#1121967 -Patch: CVE-2019-5736.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel @@ -115,8 +113,6 @@ %prep %setup -q -n %{realname}-git.%{git_version} -# CVE-2019-5736 bsc#1121967 -%patch -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ _service ++ --- /var/tmp/diff_new_pack.A1VJSI/_old 2019-03-26 22:28:34.093761593 +0100 +++ /var/tmp/diff_new_pack.A1VJSI/_new 2019-03-26 22:28:34.097761592 +0100 @@ -4,7 +4,7 @@ git docker-runc git.%H -96ec2177ae841256168fcf76954f7177af9446eb +6635b4f0c6af3810594d2770f662f34ddc15b40d .git ++ docker-runc-git.96ec2177ae841256168fcf76954f7177af9446eb.tar.xz -> docker-runc-git.6635b4f0c6af3810594d2770f662f34ddc15b40d.tar.xz ++ 131826 lines of diff (skipped)
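Review bot: the spec hunks at @@ -51,8 and @@ -115,8 delete `Patch: CVE-2019-5736.patch` and its `%patch -p1` together with the only comments that tied the fix to bsc#1121967, and the changelog line that records the removal carries no bug reference of its own. Since this drops a security fix from the package on the grounds that it was merged upstream, the changelog entry should keep the bsc#1121967 reference and name the upstream commit or release that contains the fix, so the removal can be audited later. Separately, the first URL under "Plus additional changes" ends in a 39-character hash (`...d1a50c021`) while the other three are 40 characters; please check that it was not truncated.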
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-02-13 09:58:08 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.28833 (New) Package is "docker-runc" Wed Feb 13 09:58:08 2019 rev:15 rq:673383 version:1.0.0rc6+gitr3748_96ec2177ae84 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2019-01-21 10:07:15.294867157 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.28833/docker-runc.changes 2019-02-13 09:58:25.693664177 +0100 @@ -1,0 +2,14 @@ +Wed Feb 6 08:10:47 UTC 2019 - Aleksa Sarai + +- Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec + to avoid write attacks to the host runc binary). bsc#1121967 + + CVE-2019-5736.patch +- Add docker-runc-rpmlintrc for docker-runc-test. + +--- +Tue Feb 5 12:47:56 UTC 2019 - Aleksa Sarai + +- Update to runc 96ec2177ae84, which is required for Docker v18.09.1-ce. + bsc#1124308 + +--- Old: docker-runc-git.69663f0bd4b60df09991c08812a60108003fa340.tar.xz New: CVE-2019-5736.patch docker-runc-git.96ec2177ae841256168fcf76954f7177af9446eb.tar.xz docker-runc-rpmlintrc Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.SHHgH2/_old 2019-02-13 09:58:26.385664010 +0100 +++ /var/tmp/diff_new_pack.SHHgH2/_new 2019-02-13 09:58:26.389664009 +0100 
@@ -29,27 +29,30 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 69663f0bd4b60df09991c08812a60108003fa340 -%define git_short 69663f0bd4b6 +%define git_version 96ec2177ae841256168fcf76954f7177af9446eb +%define git_short 96ec2177ae84 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3562 +%define git_revision r3748 %define go_tool go %define _name runc %define project github.com/opencontainers/%{_name} Name: %{realname}%{name_suffix} -Version:1.0.0rc5+git%{git_revision}_%{git_short} +Version:1.0.0rc6+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 Group: System/Management Url:https://github.com/opencontainers/runc Source: %{realname}-git.%{git_version}.tar.xz +Source1:%{realname}-rpmlintrc +# FIX-UPSTREAM: Fix for CVE-2019-5736. bsc#1121967 +Patch: CVE-2019-5736.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel @@ -112,6 +115,8 @@ %prep %setup -q -n %{realname}-git.%{git_version} +# CVE-2019-5736 bsc#1121967 +%patch -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++ CVE-2019-5736.patch ++ >From 0a8e4117e7f715d5fbeef398405813ce8e88558b Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Wed, 9 Jan 2019 13:40:01 +1100 Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary to container There are quite a few circumstances where /proc/self/exe pointing to a pretty important container binary is a _bad_ thing, so to avoid this we have to make a copy (preferably doing self-clean-up and not being writeable). We require memfd_create(2) -- though there is an O_TMPFILE fallback -- but we can always extend this to use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this approach is no page-cache sharing for the runc binary (which overlayfs would give us) but this is far less complicated. This is only done during nsenter so that it happens transparently to the Go code, and any libcontainer users benefit from it. This also makes ExtraFiles and --preserve-fds handling trivial (because we don't need to worry about it). Fixes: CVE-2019-5736 Co-developed-by: Christian Brauner Signed-off-by: Aleksa Sarai --- libcontainer/nsenter/cloned_binary.c | 268 +++ libcontainer/nsenter/nsexec.c| 11 ++ 2 files changed, 279 insertions(+) create mode 100644 libcontainer/nsenter/cloned_binary.c diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c new file mode 100644 index ..c8a42c23f73f --- /dev/null +++ b/libcontainer/nsenter/cloned_binary.c @@ -0,0 +1,268 @@ +/* + * Copyright (C) 2019 Aleksa Sarai + * Copyright (C) 2019 SUSE LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a
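Review bot: the changelog entry for CVE-2019-5736.patch describes the fix as copying /proc/self/exe during re-exec, but it leaves out the constraint stated in the patch header: "We require memfd_create(2) -- though there is an O_TMPFILE fallback". For a distribution package that matters, so the entry should say which of the two mechanisms is expected on the supported kernels and what happens when neither is available. The header also names a cost (no page-cache sharing for the runc binary) that is worth one line in the changelog. The source of cloned_binary.c is cut off after the licence header in this excerpt, so the claim that the copy is "not being writeable" cannot be checked against the code here.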
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2019-01-21 10:07:14 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.28833 (New) Package is "docker-runc" Mon Jan 21 10:07:14 2019 rev:14 rq:664602 version:1.0.0rc5+gitr3562_69663f0bd4b6 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-12-24 11:35:37.489759280 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.28833/docker-runc.changes 2019-01-21 10:07:15.294867157 +0100 @@ -1,0 +2,5 @@ +Fri Jan 11 09:57:32 UTC 2019 - Sascha Grunert + +- Disable leap based builds for kubic flavor. bsc#1121412 + +--- @@ -363 +367,0 @@ - Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.fRFT7H/_old 2019-01-21 10:07:16.638865797 +0100 +++ /var/tmp/diff_new_pack.fRFT7H/_new 2019-01-21 10:07:16.638865797 +0100 @@ -1,7 +1,7 @@ # # spec file for package docker # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # # nodebuginfo @@ -72,6 +72,10 @@ # Conflict with non-kubic package, and provide equivalent Conflicts: %{realname} Provides: %{realname} = %{version} +# Disable leap based builds for kubic flavor (bsc#1121412) +%if 0%{?suse_version} == 1500 && 0%{?is_opensuse} +ExclusiveArch: do_not_build +%endif %endif %description
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-12-24 11:35:36 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new.28833 (New) Package is "docker-runc" Mon Dec 24 11:35:36 2018 rev:13 rq:660262 version:1.0.0rc5+gitr3562_69663f0bd4b6 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-11-12 09:49:17.704476354 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new.28833/docker-runc.changes 2018-12-24 11:35:37.489759280 +0100 @@ -1,0 +2,10 @@ +Wed Dec 19 19:43:30 UTC 2018 - c...@suse.com + +- Update go requirements to >= go1.10 to fix + * bsc#1118897 CVE-2018-16873 +go#29230 cmd/go: remote command execution during "go get -u" + * bsc#1118898 CVE-2018-16874 +go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths + * bsc#1118899 CVE-2018-16875 +go#29233 crypto/x509: CPU denial of service +--- Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.Tky33u/_old 2018-12-24 11:35:38.201758647 +0100 +++ /var/tmp/diff_new_pack.Tky33u/_new 2018-12-24 11:35:38.201758647 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # # nodebuginfo
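Review bot: the changelog entry says "Update go requirements to >= go1.10" to address CVE-2018-16873, CVE-2018-16874 and CVE-2018-16875, but the only spec hunk in this submission (@@ -12,7) touches a header comment and no `BuildRequires` line. If the requirement was already at 1.10 before this revision, the entry should say that the existing requirement covers these CVEs instead of describing a change; if not, the `BuildRequires` edit is missing. The one line that does change replaces `https://bugs.opensuse.org/` with `http://bugs.opensuse.org/`, which is unrelated to the entry and moves the link back to plain http; it should be dropped from this change.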
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-11-12 09:49:17 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Mon Nov 12 09:49:17 2018 rev:12 rq:646382 version:1.0.0rc5+gitr3562_69663f0bd4b6 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-09-05 13:45:54.477991690 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-11-12 09:49:17.704476354 +0100 @@ -19 +19 @@ - required for the Docker v18.06.0-ce upgrade. bsc#1102522 + required for the Docker v18.06.0-ce upgrade. bsc#1102522 bsc#1113313 Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.uiPm8L/_old 2018-11-12 09:49:18.220475577 +0100 +++ /var/tmp/diff_new_pack.uiPm8L/_new 2018-11-12 09:49:18.224475571 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # # nodebuginfo
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-09-05 13:45:49 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Wed Sep 5 13:45:49 2018 rev:11 rq:630775 version:1.0.0rc5+gitr3562_69663f0bd4b6 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-06-22 13:16:16.233063592 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-09-05 13:45:54.477991690 +0200 @@ -1,0 +2,25 @@ +Thu Aug 16 02:00:31 UTC 2018 - asa...@suse.com + +- Merge -kubic packages back into the main Virtualization:containers packages. + This is done using _multibuild to add a "kubic" flavour, which is then used + to conditionally compile patches and other kubic-specific features. + bsc#1105000 + +--- +Wed Aug 1 09:40:59 UTC 2018 - asa...@suse.com + +- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage + to work with Docker and containerd. fate#325877 + +--- +Wed Jul 25 08:46:05 UTC 2018 - asa...@suse.com + +- Upgrade to docker-runc 69663f0bd4b60df09991c08812a60108003fa340 which is + required for the Docker v18.06.0-ce upgrade. bsc#1102522 +- Switch to Go 1.10 for building. +- Removed the following patches because they were merged upstream in the + meantime: + - bsc1094680-0001-Avoid-race-when-opening-exec-fifo.patch + - bsc1053532-0001-makefile-drop-usage-of-install.patch + +--- 
@@ -18,0 +44,15 @@ + +--- +Wed May 16 09:32:26 UTC 2018 - jmassaguer...@suse.com + +- Fix Obsoletes to fix bsc#1080978 + +--- +Mon Feb 12 10:52:27 UTC 2018 - rbr...@suse.com + +- Add ${version} to equivalent non-kubic package provides + +--- +Thu Feb 8 12:35:05 UTC 2018 - rbr...@suse.com + +- Add Provides for equivalent non-kubic packages Old: bsc1053532-0001-makefile-drop-usage-of-install.patch bsc1094680-0001-Avoid-race-when-opening-exec-fifo.patch docker-runc-git.3f2f8b84a77f73d38244dd690525642a72156c64.tar.xz New: _multibuild docker-runc-git.69663f0bd4b60df09991c08812a60108003fa340.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.R98SuH/_old 2018-09-05 13:45:54.989992454 +0200 +++ /var/tmp/diff_new_pack.R98SuH/_new 2018-09-05 13:45:55.001992472 +0200 @@ -1,5 +1,5 @@ # -# spec file for package docker-runc +# spec file for package docker # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # 
@@ -17,59 +17,62 @@ # nodebuginfo +# Handle _multibuild magic. +%define flavour @BUILD_FLAVOR@%{nil} + +# We split the Name: into "realname" and "name_suffix". +%define realname docker-runc +%if "%flavour" == "" +%define name_suffix %{nil} +%else +%define name_suffix -%{flavour} +%endif + # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 3f2f8b84a77f73d38244dd690525642a72156c64 -%define git_short 3f2f8b84a77f +%define git_version 69663f0bd4b60df09991c08812a60108003fa340 +%define git_short 69663f0bd4b6 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3338 +%define git_revision r3562 %define go_tool go %define _name runc %define project github.com/opencontainers/%{_name} -# enable libseccomp for sle >= sle12sp2 -%if 0%{?sle_version} >= 120200 -%define with_libseccomp 1 -%endif -# enable libseccomp for leap >= 42.2 -%if 0%{?leap_version} >= 420200 -%define with_libseccomp 1 -%endif -# enable libseccomp for Factory -%if 0%{?suse_version} > 1320 -%define with_libseccomp 1 -%endif - -Name: docker-runc -Version:1.0.0rc4+git%{git_revision}_%{git_short} +Name: %{realname}%{name_suffix} +Version:1.0.0rc5+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 Group: System/Management Url:https://github.com/opencontainers/runc -Source: %{name}-git.%{git_version}.tar.xz -# SUSE-FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1555. bsc#1053532 -Patch100: bsc1053532-0001-makefile-drop-usage-of-install.patch -# SUSE-FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1698. bsc
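Review bot: the hunk at @@ -17,59 removes all three `%define with_libseccomp 1` blocks, and the rest of the spec diff is cut off here, so it is not visible whether the `%if 0%{?with_libseccomp}` guard around "Additionally enable seccomp" in %build was removed as well. If that guard is still present it now evaluates to false everywhere and the package would be built without the seccomp build tag, which is the opposite of the changelog's "Enable seccomp support on SLE12"; please confirm the guard is gone or replaced by an unconditional setting. Also, the header comment changes from `# spec file for package docker-runc` to `# spec file for package docker`, which looks like a copy-paste slip from the docker spec.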
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-06-22 13:16:11 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Fri Jun 22 13:16:11 2018 rev:10 rq:617458 version:1.0.0rc4+gitr3338_3f2f8b84a77f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-06-08 23:09:45.016446735 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-06-22 13:16:16.233063592 +0200 @@ -1,0 +2,12 @@ +Thu Jun 7 06:42:21 UTC 2018 - asa...@suse.com + +- Backport of https://github.com/opencontainers/runc/pull/1698 to help fix + bsc#1094680, which is caused by the race described in the upstream issue. + * bsc1094680-0001-Avoid-race-when-opening-exec-fifo.patch + +--- +Tue Jun 5 08:46:09 UTC 2018 - dcass...@suse.com + +- Make use of %license macro + +--- New: bsc1094680-0001-Avoid-race-when-opening-exec-fifo.patch Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.ugNCnR/_old 2018-06-22 13:16:16.989035560 +0200 +++ /var/tmp/diff_new_pack.ugNCnR/_new 2018-06-22 13:16:16.993035411 +0200 @@ -54,6 +54,8 @@ Source: %{name}-git.%{git_version}.tar.xz # SUSE-FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1555. bsc#1053532 Patch100: bsc1053532-0001-makefile-drop-usage-of-install.patch +# SUSE-FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1698. bsc#1094680 +Patch101: bsc1094680-0001-Avoid-race-when-opening-exec-fifo.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel @@ -96,6 +98,8 @@ %setup -q -n %{name}-git.%{git_version} # bsc#1053532 %patch100 -p1 +# bsc#1094680 +%patch101 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at 
@@ -159,7 +163,8 @@ %files %defattr(-,root,root) -%doc README.md LICENSE +%doc README.md +%license LICENSE %{_sbindir}/docker-runc %{_mandir}/man8/docker-runc*.8.gz ++ bsc1094680-0001-Avoid-race-when-opening-exec-fifo.patch ++ >From 331f9819f515be7d8a1bdd7a68d9dac0c87f3015 Mon Sep 17 00:00:00 2001 From: Will Martin Date: Mon, 22 Jan 2018 17:03:02 + Subject: [PATCH] Avoid race when opening exec fifo When starting a container with `runc start` or `runc run`, the stub process (runc[2:INIT]) opens a fifo for writing. Its parent runc process will open the same fifo for reading. In this way, they synchronize. If the stub process exits at the wrong time, the parent runc process will block forever. This can happen when racing 2 runc operations against each other: `runc run/start`, and `runc delete`. It could also happen for other reasons, e.g. the kernel's OOM killer may select the stub process. This commit resolves this race by racing the opening of the exec fifo from the runc parent process against the stub process exiting. If the stub process exits before we open the fifo, we return an error. Another solution is to wait on the stub process. However, it seems it would require more refactoring to avoid calling wait multiple times on the same process, which is an error. SUSE-Bugs: bsc#1094680 Signed-off-by: Craig Furman Signed-off-by: Aleksa Sarai --- libcontainer/container_linux.go | 70 +++-- 1 file changed, 61 insertions(+), 9 deletions(-) diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go index d7e7516e5493..1ffbff70ba5a 100644 --- a/libcontainer/container_linux.go +++ b/libcontainer/container_linux.go @@ -5,6 +5,7 @@ package libcontainer import ( "bytes" "encoding/json" + "errors" "fmt" "io" "io/ioutil" 
@@ -236,20 +237,71 @@ func (c *linuxContainer) Exec() error { func (c *linuxContainer) exec() error { path := filepath.Join(c.root, execFifoFilename) - f, err := os.OpenFile(path, os.O_RDONLY, 0) - if err != nil { - return newSystemErrorWithCause(err, "open exec fifo for reading") + + fifoOpen := make(chan struct{}) + select { + case <-awaitProcessExit(c.initProcess.pid(), fifoOpen): + return errors.New("container process is already dead") + case result := <-awaitFifoOpen(path): + close(fifoOpen) + if result.err != nil { + return result.err + } + f := result.file + defer f.Close() + if err := readFromExecFifo(f); err != nil { +
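Review bot: in the new `select` in `exec()`, `close(fifoOpen)` is only reached in the `awaitFifoOpen` case, so when the `awaitProcessExit` case wins and the function returns "container process is already dead", whatever `awaitFifoOpen(path)` started to open the fifo is left behind. The body of `awaitFifoOpen` is not shown in this excerpt, but if it opens the fifo for reading in a goroutine, that goroutine stays blocked in the open because the writer has exited. The exit path should unblock it, for example by briefly opening the fifo for writing, or the limitation should be documented in a comment. The removed code also wrapped its error with `newSystemErrorWithCause(err, "open exec fifo for reading")`, whereas the new exit path returns a bare `errors.New(...)`; using the same wrapper would keep error reporting consistent for callers.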
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-06-08 23:09:41 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Fri Jun 8 23:09:41 2018 rev:9 rq:614153 version:1.0.0rc4+gitr3338_3f2f8b84a77f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-02-05 10:45:45.448679524 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-06-08 23:09:45.016446735 +0200 @@ -1,0 +2,7 @@ +Tue Jun 5 06:38:40 UTC 2018 - asa...@suse.com + +- Remove 'go test' from %check section, as it has only ever caused us problems + and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke + testing has been far more useful. boo#1095817 + +--- Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.GQlWvT/_old 2018-06-08 23:09:46.288400812 +0200 +++ /var/tmp/diff_new_pack.GQlWvT/_new 2018-06-08 23:09:46.296400523 +0200 
@@ -133,23 +133,11 @@ man/md2man-all.sh %check -source ./.runc_build_env -cd $HOME/go/src/%project - -PKG_LIST=$(go list ./... \ - | grep -v '%{project}/libcontainer/cgroups/fs$' \ - | grep -v '%{project}/libcontainer$' \ - | grep -v '%{project}/libcontainer/integration$' \ - | grep -v '%{project}/libcontainer/label$' \ - | grep -v '%{project}/libcontainer/nsenter$' \ - | grep -v '%{project}/libcontainer/user$' \ - | grep -v '%{project}/libcontainer/xattr$' \ -%if ! 0%{?with_libseccomp} - | grep -v '%{project}/libcontainer/seccomp$' \ - | grep -v 'github.com/seccomp/libseccomp-golang$' \ -%endif - ) -%go_tool test -buildmode=pie -tags "$BUILDTAGS" -timeout 3m -v $PKG_LIST +# We used to run 'go test' here, however we found that this actually didn't +# catch any issues that were caught by smoke testing, and %check would +# continually cause package builds to fail due to flaky tests. If you ever need +# to know how the testing was done, you can always look in the package history. +# boo#1095817 %install source ./.runc_build_env
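Review bot: after this hunk `%check` contains only a comment, so the build no longer runs any test, including the `libcontainer/seccomp` package that the removed list still tested whenever `with_libseccomp` was set. The comment justifies this with smoke testing but does not say where that smoke testing runs or what it covers; naming it (for example the openQA or CI job) would let a later reader verify that the security-relevant packages are exercised somewhere. The sentence "didn't catch any issues that were caught by smoke testing" is also ambiguous and reads more clearly as "didn't catch any issues that smoke testing missed". If flaky tests were the problem, keeping a small deterministic subset or a minimal run of the built binary in `%check` would be a cheaper compromise than removing the section's content entirely.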
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-02-05 10:45:38 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Mon Feb 5 10:45:38 2018 rev:8 rq:571972 version:1.0.0rc4+gitr3338_3f2f8b84a77f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-01-13 21:34:37.558497264 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-02-05 10:45:45.448679524 +0100 @@ -1,0 +2,5 @@ +Thu Feb 1 16:57:40 CET 2018 - r...@suse.de + +- do not build on s390, only on s390x (no go on s390) + +--- Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.sv9sFB/_old 2018-02-05 10:45:46.268641133 +0100 +++ /var/tmp/diff_new_pack.sv9sFB/_new 2018-02-05 10:45:46.276640759 +0100 @@ -67,6 +67,7 @@ Obsoletes: runc <= 1.0 # We provide a git revision so that Docker can require it properly. Provides: %{name}-git = %{git_version} +ExcludeArch:s390 %description runc is a CLI tool for spawning and running containers according to the OCI
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-01-13 21:34:36 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Sat Jan 13 21:34:36 2018 rev:7 rq:563291 version:1.0.0rc4+gitr3338_3f2f8b84a77f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2018-01-07 17:21:36.448616585 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-01-13 21:34:37.558497264 +0100 @@ -68 +68 @@ -- rename runc to docker-runc +- rename runc to docker-runc (bsc#1069758) Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.4l07Fn/_old 2018-01-13 21:34:38.390458313 +0100 +++ /var/tmp/diff_new_pack.4l07Fn/_new 2018-01-13 21:34:38.398457938 +0100 @@ -1,7 +1,7 @@ # # spec file for package docker-runc # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2018-01-07 17:21:34 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Sun Jan 7 17:21:34 2018 rev:6 rq:561516 version:1.0.0rc4+gitr3338_3f2f8b84a77f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2017-12-21 11:25:22.343167320 +0100 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2018-01-07 17:21:36.448616585 +0100 @@ -1,0 +2,8 @@ +Wed Dec 27 11:24:27 UTC 2017 - dims...@opensuse.org + +- Fix build with RPM 4.14: exclude is not meant for files to NOT be + packaged, but should only be used if the files are to be excluded + from a glob when they end up in a different package. Rather + remove the unwanted files in the install section. + +--- Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.3HqTgz/_old 2018-01-07 17:21:37.044588650 +0100 +++ /var/tmp/diff_new_pack.3HqTgz/_new 2018-01-07 17:21:37.048588463 +0100 @@ -157,6 +157,7 @@ install -D -m755 %{name}-%{version} %{buildroot}%{_sbindir}/%{name} install -d -m755 %{buildroot}/usr/src/%{name}/ cp -av $HOME/go/src/%{project}/* %{buildroot}/usr/src/%{name}/ +rm -rf %{buildroot}/usr/src/docker-runc/runc # We have to rename the man pages to docker-runc. install -d -m755 %{buildroot}%{_mandir}/man8 @@ -176,7 +177,5 @@ %files test %defattr(-,root,root) /usr/src/docker-runc/ -%exclude /usr/src/docker-runc/runc -%exclude /usr/src/docker-runc/runc/Godeps/_workspace/pkg %changelog
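Review bot: the added `rm -rf %{buildroot}/usr/src/docker-runc/runc` in %install hardcodes the package name, while the two lines directly above it use `%{buildroot}/usr/src/%{name}/`. If the package is ever built under a different `Name:`, the `cp` will populate one directory and the `rm` will silently miss it, leaving the built binary in the test subpackage. Use `%{buildroot}/usr/src/%{name}/runc` here. The removed `%exclude` lines also covered `runc/Godeps/_workspace/pkg`; that path sits under the directory being deleted, so it is handled, but a short comment saying so would save the next reader the check.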
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2017-12-21 11:25:20 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Thu Dec 21 11:25:20 2017 rev:5 rq:558282 version:1.0.0rc4+gitr3338_3f2f8b84a77f Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2017-10-20 14:39:25.490334421 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2017-12-21 11:25:22.343167320 +0100 @@ -1,0 +2,7 @@ +Mon Dec 11 12:31:09 UTC 2017 - asa...@suse.com + +- Update to docker-runc 0351df1c5a66838d0c392b4ac4cf9450de844e2d requirement + for Docker v17.09.1-ce. This also includes a switch to the upstream + opencontainers sources. + +--- Old: docker-runc-git.2d41c047c83e09a6d61d464906feb2a2f3c52aa4.tar.xz New: docker-runc-git.3f2f8b84a77f73d38244dd690525642a72156c64.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.heXnxb/_old 2017-12-21 11:25:22.959137286 +0100 +++ /var/tmp/diff_new_pack.heXnxb/_new 2017-12-21 11:25:22.963137091 +0100 @@ -18,14 +18,14 @@ # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 2d41c047c83e09a6d61d464906feb2a2f3c52aa4 -%define git_short 2d41c04 +%define git_version 3f2f8b84a77f73d38244dd690525642a72156c64 +%define git_short 3f2f8b84a77f # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3201 +%define git_revision r3338 %define go_tool go %define _name runc @@ -45,7 +45,7 @@ %endif Name: docker-runc -Version:1.0.0rc3+git%{git_revision}_%{git_short} +Version:1.0.0rc4+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 
@@ -65,6 +65,8 @@ Recommends: criu BuildRoot: %{_tmppath}/%{name}-%{version}-build Obsoletes: runc <= 1.0 +# We provide a git revision so that Docker can require it properly. +Provides: %{name}-git = %{git_version} %description runc is a CLI tool for spawning and running containers according to the OCI @@ -98,10 +100,11 @@ # Do not use symlinks. If you want to run the unit tests for this package at # some point during the build and you need to directly use go list directly it # will get confused by symlinks. -export GOPATH=${HOME}/go:${HOME}/go/src/%project/Godeps/_workspace -mkdir -pv $HOME/go/src/%project -rm -rf $HOME/go/src/%project/* -cp -av * $HOME/go/src/%project +export GOPATH=${HOME}/go +export PROJECT=${HOME}/go/src/%project +mkdir -pv $PROJECT +rm -rf $PROJECT/* +cp -av * $PROJECT # Additionally enable seccomp. %if 0%{?with_libseccomp} @@ -122,8 +125,8 @@ source ./.runc_build_env # Build runc. -make -C "$HOME/go/src/%project" EXTRA_FLAGS="-x $BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO="%{git_version}" runc -mv "$HOME/go/src/%project/runc" %{name}-%{version} +make -C $PROJECT EXTRA_FLAGS="-x $BUILDFLAGS" BUILDTAGS="$BUILDTAGS" COMMIT_NO=%{git_version} runc +cp $PROJECT/runc %{name}-%{version} # Build man pages, this can only be done on arches where we can build go-md2man. man/md2man-all.sh ++ _service ++ --- /var/tmp/diff_new_pack.heXnxb/_old 2017-12-21 11:25:22.987135920 +0100 +++ /var/tmp/diff_new_pack.heXnxb/_new 2017-12-21 11:25:22.987135920 +0100 @@ -1,10 +1,10 @@ -https://github.com/docker/runc.git +https://github.com/opencontainers/runc.git git docker-runc git.%H -2d41c047c83e09a6d61d464906feb2a2f3c52aa4 +3f2f8b84a77f73d38244dd690525642a72156c64 .git ++ bsc1053532-0001-makefile-drop-usage-of-install.patch ++ --- /var/tmp/diff_new_pack.heXnxb/_old 2017-12-21 11:25:22.995135530 +0100 +++ /var/tmp/diff_new_pack.heXnxb/_new 2017-12-21 11:25:22.995135530 +0100 
@@ -1,29 +1,24 @@ -From 87d1669e9704cff42dab0ea4b564a86ab6f026e6 Mon Sep 17 00:00:00 2001 -From: Valentin Rothberg -Date: Tue, 12 Sep 2017 12:07:21 +0200 +From 6581d0f488b3bfa00760cc71c5f1fccfee302b0d Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Mon, 14 Aug 2017 00:10:28 +1000 Subject: [PATCH] makefile: drop usage of --install The "go build -i" invocation may slightly help with incremental recompilation, but it will cause builds to fail if $GOROOT is not -writeable by the current user. While this does appear to work sometim -it's a concern for external build systems where "-i" causes build err +writeable by the current user. While this does appea
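Review bot: the changelog entry says "Update to docker-runc 0351df1c5a66838d0c392b4ac4cf9450de844e2d", but the spec sets `%define git_version 3f2f8b84a77f73d38244dd690525642a72156c64`, and the _service file and the new tarball name use that same 3f2f8b84 value, so the changelog names a different commit from the one that is packaged. Since the same submission also switches the source URL from `https://github.com/docker/runc.git` to `https://github.com/opencontainers/runc.git`, the entry should state the packaged commit exactly and explain how 0351df1c relates to it. In the %build hunks, the new lines drop the quoting that the old ones had: `make -C $PROJECT`, `COMMIT_NO=%{git_version}` and `rm -rf $PROJECT/*` should keep double quotes around the expansions, as `"$HOME/go/src/%project"` did before.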
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2017-10-20 14:39:23 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Fri Oct 20 14:39:23 2017 rev:4 rq:535047 version:1.0.0rc3+gitr3201_2d41c04 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2017-09-09 20:22:48.325629947 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2017-10-20 14:39:25.490334421 +0200 @@ -1,0 +2,18 @@ +Mon Oct 16 11:02:24 UTC 2017 - asa...@suse.com + +- Drop backport of https://github.com/opencontainers/runc/pull/1603. bsc#1055676 + It's going to be fixed in Docker instead. + - bsc1055676-0001-rootfs-preserve-old-mount-flags-when-remounting-bind.patch + +--- +Mon Oct 9 11:07:35 UTC 2017 - asa...@suse.com + +- Update to docker-runc 2d41c047c83e09a6d61d464906feb2a2f3c52aa4, which is + required for Docker v17.07-ce. +- Add backport of https://github.com/opencontainers/runc/pull/1603. bsc#1055676 + + bsc1055676-0001-rootfs-preserve-old-mount-flags-when-remounting-bind.patch +- Remove fix for CVE-2016-9962, as the patches are now included in the upstream + source. bsc#1012568 + - CVE-2016-9962.patch + +--- Old: CVE-2016-9962.patch docker-runc-git.9c2d8d184e5da67c95d601382adf14862e4f2228.tar.xz New: docker-runc-git.2d41c047c83e09a6d61d464906feb2a2f3c52aa4.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.rDur3e/_old 2017-10-20 14:39:27.306249446 +0200 +++ /var/tmp/diff_new_pack.rDur3e/_new 2017-10-20 14:39:27.306249446 +0200 
@@ -18,14 +18,14 @@ # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 9c2d8d184e5da67c95d601382adf14862e4f2228 -%define git_short 9c2d8d1 +%define git_version 2d41c047c83e09a6d61d464906feb2a2f3c52aa4 +%define git_short 2d41c04 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r2947 +%define git_revision r3201 %define go_tool go %define _name runc @@ -45,19 +45,16 @@ %endif Name: docker-runc -Version:0.1.1+git%{git_revision}_%{git_short} +Version:1.0.0rc3+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 Group: System/Management Url:https://github.com/opencontainers/runc Source: %{name}-git.%{git_version}.tar.xz -# SUSE-FIX-UPSTREAM: Backport of CVE-2016-9962 fix. bsc#1012568 -Patch0: CVE-2016-9962.patch # SUSE-FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1555. bsc#1053532 Patch100: bsc1053532-0001-makefile-drop-usage-of-install.patch BuildRequires: fdupes -# Make sure we require go 1.7 BuildRequires: go-go-md2man BuildRequires: libapparmor-devel BuildRequires: golang(API) = 1.7 @@ -77,7 +74,6 @@ %package test Summary:Test package for runc -# Make sure we require go 1.7 Group: System/Management BuildRequires: golang(API) = 1.7 Requires: go-go-md2man @@ -95,8 +91,6 @@ %prep %setup -q -n %{name}-git.%{git_version} -# bsc#1012568 -%patch0 -p1 # bsc#1053532 %patch100 -p1 ++ _service ++ --- /var/tmp/diff_new_pack.rDur3e/_old 2017-10-20 14:39:27.350247387 +0200 +++ /var/tmp/diff_new_pack.rDur3e/_new 2017-10-20 14:39:27.350247387 +0200 
@@ -4,14 +4,11 @@ git docker-runc git.%H -9c2d8d184e5da67c95d601382adf14862e4f2228 +2d41c047c83e09a6d61d464906feb2a2f3c52aa4 .git *.tar xz - -runc - ++ bsc1053532-0001-makefile-drop-usage-of-install.patch ++ --- /var/tmp/diff_new_pack.rDur3e/_old 2017-10-20 14:39:27.358247012 +0200 +++ /var/tmp/diff_new_pack.rDur3e/_new 2017-10-20 14:39:27.362246826 +0200 @@ -1,12 +1,12 @@ -From 678f31ecf967c4d859e47b76ec93d6f124d58266 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Mon, 14 Aug 2017 00:10:28 +1000 +From 87d1669e9704cff42dab0ea4b564a86ab6f026e6 Mon Sep 17 00:00:00 2001 +From: Valentin Rothberg +Date: Tue, 12 Sep 2017 12:07:21 +0200 Subject: [PATCH] makefile: drop usage of --install The "go build -i" invocation may slightly help with incremental recompilation, but it will cause builds to fail if $GOROOT is not -writeable by the current user. While this does appear to work sometimes, -it's a concern for external build systems where "-i" causes build errors +w
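Review bot: In the docker-runc.spec hunk at -45,19 +45,16, the new `Version:1.0.0rc3+git%{git_revision}_%{git_short}` puts the pre-release tag directly after the version, and RPM compares "1.0.0rc3" as newer than a later plain "1.0.0", so the final release would not be seen as an upgrade. Consider a form that sorts below the release, for example `1.0.0~rc3+git...`, or note in the spec how the transition to 1.0.0 is meant to be handled. The same hunk and the %prep hunk drop `Patch0: CVE-2016-9962.patch` and `%patch0 -p1`. The changelog explains this under bsc#1012568, but it would help to name the upstream commit that carries the fix so the removal can be checked against the 2d41c047c83e09a6d61d464906feb2a2f3c52aa4 tarball.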
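Review bot: The refresh of bsc1053532-0001-makefile-drop-usage-of-install.patch is not recorded in docker-runc.changes. Its mail header changes commit id (678f31ecf967 to 87d1669e9704), author (Aleksa Sarai to Valentin Rothberg) and date, and the commit message text is rewrapped, while the two changelog entries for this revision mention only the bsc1055676 and CVE-2016-9962 patches. Please add a changelog line saying the patch was regenerated and against which tree, since a reader auditing the patch set otherwise cannot tell whether its content changed along with the header.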
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2017-09-09 20:22:47 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Sat Sep 9 20:22:47 2017 rev:3 rq:521673 version:0.1.1+gitr2947_9c2d8d1 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2017-08-17 11:44:32.446173063 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2017-09-09 20:22:48.325629947 +0200 @@ -1,0 +2,6 @@ +Tue Sep 5 16:04:26 UTC 2017 - th...@suse.de + +- Update bsc1053532-0001-makefile-drop-usage-of-install.patch + + replace missing target "all" with "runc" + +--- Other differences: -- ++ bsc1053532-0001-makefile-drop-usage-of-install.patch ++ --- /var/tmp/diff_new_pack.9ceYoM/_old 2017-09-09 20:22:48.849556099 +0200 +++ /var/tmp/diff_new_pack.9ceYoM/_new 2017-09-09 20:22:48.849556099 +0200 @@ -19,10 +19,10 @@ Makefile | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) -diff --git a/Makefile b/Makefile -index 779be925546f..c4bbdd3291d2 100644 a/Makefile -+++ b/Makefile +Index: docker-runc-git.9c2d8d184e5da67c95d601382adf14862e4f2228/Makefile +=== +--- docker-runc-git.9c2d8d184e5da67c95d601382adf14862e4f2228.orig/Makefile docker-runc-git.9c2d8d184e5da67c95d601382adf14862e4f2228/Makefile @@ -2,6 +2,8 @@ localtest localunittest localintegration \ test unittest integration @@ -32,7 +32,8 @@ PREFIX := $(DESTDIR)/usr/local BINDIR := $(PREFIX)/sbin GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null) -@@ -27,10 +29,10 @@ VERSION := ${shell cat ./VERSION} +@@ -26,11 +28,11 @@ VERSION := ${shell cat ./VERSION} + SHELL := $(shell command -v bash 2>/dev/null) -all: $(RUNC_LINK) 
@@ -67,15 +68,23 @@ man: man/md2man-all.sh -@@ -84,7 +85,7 @@ unittest: runcimage +@@ -83,13 +84,13 @@ localtest: + unittest: runcimage docker run -e TESTFLAGS -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localunittest - localunittest: all +-localunittest: all - go test -timeout 3m -tags "$(BUILDTAGS)" ${TESTFLAGS} -v ./... ++localunittest: runc + $(GO) test -timeout 3m -tags "$(BUILDTAGS)" ${TESTFLAGS} -v ./... integration: runcimage docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localintegration + +-localintegration: all ++localintegration: runc + bats -t tests/integration${TESTFLAGS} + + install: @@ -119,6 +120,6 @@ clean: validate: @@ -84,6 +93,3 @@ + $(GO) vet ./... ci: validate localtest --- -2.14.0 -
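Review bot: The patch header is now a hybrid that no longer matches what it claims to be. The `diff --git a/Makefile b/Makefile` and `index 779be925546f..c4bbdd3291d2` lines are replaced by a quilt-style `Index: docker-runc-git.9c2d8d184e5da67c95d601382adf14862e4f2228/Makefile` header, and the trailing `-- 2.14.0` signature is removed, but the format-patch mail header and the diffstat `Makefile | 17 + 1 file changed, 9 insertions(+), 8 deletions(-)` are kept unchanged even though the body gains the `localunittest: runc` and `localintegration: runc` changes. The file is still described as a backport of the upstream pull request, so either regenerate it with git format-patch from a commit that contains the "all" to "runc" replacement, or state in the patch description that it deviates from upstream and why. The new header also hard-codes the tarball directory name with the full git_version, which goes stale on the next revision bump.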
commit docker-runc for openSUSE:Factory
Hello community, here is the log from the commit of package docker-runc for openSUSE:Factory checked in at 2017-08-17 11:44:29 Comparing /work/SRC/openSUSE:Factory/docker-runc (Old) and /work/SRC/openSUSE:Factory/.docker-runc.new (New) Package is "docker-runc" Thu Aug 17 11:44:29 2017 rev:2 rq:517266 version:0.1.1+gitr2947_9c2d8d1 Changes: --- /work/SRC/openSUSE:Factory/docker-runc/docker-runc.changes 2017-07-19 12:21:31.923931100 +0200 +++ /work/SRC/openSUSE:Factory/.docker-runc.new/docker-runc.changes 2017-08-17 11:44:32.446173063 +0200 @@ -1,0 +2,19 @@ +Sun Aug 13 14:25:32 UTC 2017 - asa...@suse.com + +- Use the upstream Makefile, to ensure that we always include the version and + commit information in runc. This was confusing users (and Docker). + bsc#1053532 +- Add a backported patch to fix a Makefile bug. This also includes some other + changes to make the docker-runc.spec mirror the newer runc.spec (which + required additional patching to the Makefile). + https://github.com/opencontainers/runc/pull/1555 + + bsc1053532-0001-makefile-drop-usage-of-install.patch + +--- +Wed Aug 2 13:51:43 UTC 2017 - asa...@suse.com + +- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429 +- Cleanup seccomp builds similar to bsc#1028638 +- Remove the usage of 'cp -r' to reduce noise in the build logs. + +--- Old: docker-runc-git.9c2d8d1.tar.xz New: bsc1053532-0001-makefile-drop-usage-of-install.patch docker-runc-git.9c2d8d184e5da67c95d601382adf14862e4f2228.tar.xz Other differences: -- ++ docker-runc.spec ++ --- /var/tmp/diff_new_pack.q7d133/_old 2017-08-17 11:44:33.857973806 +0200 +++ /var/tmp/diff_new_pack.q7d133/_new 2017-08-17 11:44:33.861973242 +0200 @@ -1,5 +1,5 @@ # -# spec file for package runc +# spec file for package docker-runc # # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # 
@@ -14,41 +14,54 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # +# nodebuginfo -%define go_tool go - -# MANUAL: Update the git_version and git_revision -# FIX-OPENSUSE: This will be removed as soon as we move Docker's runC fork into -# a separate package. This whole versioning mess is caused by -# Docker vendoring non-releases of runC. -%define git_version 9c2d8d1 +# MANUAL: Update the git_version, git_short, and git_revision +%define git_version 9c2d8d184e5da67c95d601382adf14862e4f2228 +%define git_short 9c2d8d1 # How to get the git_revision # git clone ${url}.git runc-upstream # cd runc-upstream # git checkout $git_version # git_revision=r$(git rev-list HEAD | wc -l) %define git_revision r2947 -%define version_unconverted %{git_version} +%define go_tool go %define _name runc +%define project github.com/opencontainers/%{_name} + +# enable libseccomp for sle >= sle12sp2 +%if 0%{?sle_version} >= 120200 +%define with_libseccomp 1 +%endif +# enable libseccomp for leap >= 42.2 +%if 0%{?leap_version} >= 420200 +%define with_libseccomp 1 +%endif +# enable libseccomp for Factory +%if 0%{?suse_version} > 1320 +%define with_libseccomp 1 +%endif Name: docker-runc -Version:0.1.1+git%{git_revision}_%{git_version} +Version:0.1.1+git%{git_revision}_%{git_short} Release:0 Summary:Tool for spawning and running OCI containers License:Apache-2.0 Group: System/Management Url:https://github.com/opencontainers/runc Source: %{name}-git.%{git_version}.tar.xz +# SUSE-FIX-UPSTREAM: Backport of CVE-2016-9962 fix. bsc#1012568 Patch0: CVE-2016-9962.patch +# SUSE-FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1555. bsc#1053532 +Patch100: bsc1053532-0001-makefile-drop-usage-of-install.patch BuildRequires: fdupes # Make sure we require go 1.7 BuildRequires: go-go-md2man BuildRequires: libapparmor-devel BuildRequires: golang(API) = 1.7 -# Seccomp isn't supported on aarch64. 
-%ifnarch aarch64 +%if 0%{?with_libseccomp} BuildRequires: libseccomp-devel %endif BuildRequires: libselinux-devel @@ -69,80 +82,98 @@ BuildRequires: golang(API) = 1.7 Requires: go-go-md2man Requires: libapparmor-devel -# Seccomp isn't supported on aarch64. -%ifnarch aarch64 -Requires: libseccomp-devel +%if 0%{?with_libseccomp} +BuildRequires: libseccomp-devel %endif Requires: libselinux-devel Recommends: criu BuildArch: noarch -Obsoletes: runc <= 1.0 +Obsoletes: runc-test <= 1.0 %description test Test package for runc. It contains the source code and the tests. %prep %setup -q
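Review bot: In the test subpackage hunk at -69,80 +82,98, the runtime dependency `Requires: libseccomp-devel` is replaced by `BuildRequires: libseccomp-devel` inside `%if 0%{?with_libseccomp}`, which looks like a copy from the main package rather than an intended change. The test package is described as shipping the source code and the tests, and the neighbouring `Requires: libapparmor-devel` and `Requires: libselinux-devel` are left as runtime requirements, so with this change an installed docker-runc-test no longer pulls in the seccomp headers it needs to build the tests. Suggest keeping it as `Requires: libseccomp-devel` under the new conditional.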
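Review bot: The new `with_libseccomp` gating in the hunk at -14,41 +14,54 changes when seccomp is built in without saying so. The previous guard was `%ifnarch aarch64` with the comment "Seccomp isn't supported on aarch64", and it is replaced by three distribution-version checks that define `with_libseccomp`, so aarch64 on Factory now gets `BuildRequires: libseccomp-devel`, while any target matching none of the three conditions builds without it and nothing in the spec flags that case. The changelog line "Cleanup seccomp builds similar to bsc#1028638" does not say whether aarch64 support is now expected. Please state that explicitly and add a comment on the fallthrough case, since a runc built without seccomp support is a security-relevant difference for users. The added `# nodebuginfo` line at the top of the spec also has no explanation in the changelog.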