commit docker_1_12_6 for openSUSE:Factory

2018-01-09 Thread root
Hello community,

here is the log from the commit of package docker_1_12_6 for openSUSE:Factory 
checked in at 2018-01-09 14:55:02

Comparing /work/SRC/openSUSE:Factory/docker_1_12_6 (Old)
 and  /work/SRC/openSUSE:Factory/.docker_1_12_6.new (New)


Package is "docker_1_12_6"

Tue Jan  9 14:55:02 2018 rev:6 rq:562494 version:1.12.6

Changes:

--- /work/SRC/openSUSE:Factory/docker_1_12_6/docker_1_12_6.changes  
2017-11-30 12:45:05.794561824 +0100
+++ /work/SRC/openSUSE:Factory/.docker_1_12_6.new/docker_1_12_6.changes 
2018-01-09 14:55:07.322376841 +0100
@@ -1,0 +2,29 @@
+Thu Dec 21 12:21:06 UTC 2017 - mj...@suse.com
+
+- Enable libseccomp for Docker package build, bsc#1072367
+
+---
+Tue Dec 19 12:44:25 UTC 2017 - norm...@linux.vnet.ibm.com
+
+- Add buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429
+  (similar as sr#514245 for docker package)
+
+---
+Mon Dec 18 10:32:36 UTC 2017 - vrothb...@suse.com
+
+- Update private-registry mirroring patch to the newest version of the
+  upstream pull request (https://github.com/moby/moby/pull/34319) to
+  improve sanity and consistency checks.
+  * private-registry-0001-Add-private-registry-mirror-support.patch
+
+---
+Tue Dec 12 09:52:24 UTC 2017 - vrothb...@suse.com
+
+- Update private-registry mirroring patch to reflect some feedback from
+  upstream and change the JSON config options to the Prefix/Mirrors one.
+  Notice that this patch is still subject to change until the final pull
+  request (https://github.com/moby/moby/pull/34319) is merged upstream.
+  + private-registry-0001-Implement-private-registry-mirror-support.patch
+  - private-registry-0001-Add-private-registry-mirror-support.patch
+
+---
@@ -30,0 +60 @@
+  fix bsc#1074971

Old:

  private-registry-0001-Implement-private-registry-mirror-support.patch

New:

  private-registry-0001-Add-private-registry-mirror-support.patch



Other differences:
--
++ docker_1_12_6.spec ++
--- /var/tmp/diff_new_pack.lpjzRV/_old  2018-01-09 14:55:09.278285151 +0100
+++ /var/tmp/diff_new_pack.lpjzRV/_new  2018-01-09 14:55:09.278285151 +0100
@@ -95,14 +95,19 @@
 # SUSE-BACKPORT: Patch fixing a DoS bug that makes certain operations fail on
 #a libdm device. bsc#1045628
 Patch500:   
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
-# SUSE-FEATURE: Add support to mirror non-upstream/private registries.
-Patch600:   
private-registry-0001-Implement-private-registry-mirror-support.patch
+# SUSE-FEATURE: Add support to mirror inofficial/private registries
+#   (https://github.com/moby/moby/pull/34319)
+Patch600:   private-registry-0001-Add-private-registry-mirror-support.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  glibc-devel-static
 BuildRequires:  libapparmor-devel
 BuildRequires:  libbtrfs-devel >= 3.8
+%define with_libseccomp 1
+%if 0%{?with_libseccomp}
+BuildRequires:  libseccomp-devel
+%endif
 BuildRequires:  procps
 BuildRequires:  sqlite3-devel
 BuildRequires:  systemd-devel
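Review bot: `%define with_libseccomp 1` is declared in the middle of the BuildRequires list with no comment, so the switch that decides whether the package is built against libseccomp reads like just another dependency line. I would move it up with the other macro definitions near the top of the spec and document it, e.g. `# Build against libseccomp (bsc#1072367); set to 0 only where libseccomp-devel is unavailable`. The same macro gates the seccomp profile tests in the `@@ -328,9 +338,12 @@` hunk. The build-tag change it presumably pairs with sits in the `@@ -248,7 +253,11 @@` hunk, whose body is not readable on this page, so I could not confirm that the seccomp tag is set when the macro is 1.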
@@ -248,7 +253,11 @@
 (cat < docker_build_env
 . ./docker_build_env
@@ -262,6 +271,7 @@
 
 # build the tests binary
 GOPATH=$(pwd)/vendor:$(pwd)/.gopath/ go test \
+-buildmode=pie \
 -tags "$DOCKER_BUILDTAGS daemon autogen" \
 -c github.com/docker/docker/integration-cli -o tests.main
 
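Review bot: `-buildmode=pie` is passed unconditionally here, but other revisions of this spec on the page build with gcc6-go on architectures outside `%{go_arches}`, and as far as I know the Go 1.6-era go tool rejects that build mode with gccgo and on some GOARCH values. If that holds, the flag should be guarded, e.g. `%ifarch %{go_arches}` / `-buildmode=pie \` / `%endif`. The same applies to the `go test -buildmode=pie -cover …` line in the `@@ -328,9 +338,12 @@` hunk. The changelog says the binary build is covered too, but that part is not visible here. A build on a non-go_arches target would settle it.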
@@ -328,9 +338,12 @@
| grep -v 'github.com/docker/docker/cmd/dockerd$' \
| grep -v 'github.com/docker/docker/builder/dockerfile/parser$' 
\
| grep -v 'github.com/docker/docker/man$' \
+%if ! 0%{?with_libseccomp}
+   | grep -v 'github.com/docker/docker/profiles/seccomp$' \
+%endif
| grep -v 'github.com/docker/docker/pkg/integration$')
 
-go test -cover -ldflags -w -tags $EXCLUDE_TAGS -a -test.timeout=10m $PKG_LIST
+go test -buildmode=pie -cover -ldflags -w -tags $EXCLUDE_TAGS -a 
-test.timeout=10m $PKG_LIST
 %endif
 
 %install
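Review bot: `-tags $EXCLUDE_TAGS` on the rewritten `go test` line is unquoted, while the tests-binary build in the `@@ -262,6 +271,7 @@` hunk passes its tag list as one quoted argument (`-tags "$DOCKER_BUILDTAGS daemon autogen"`). If EXCLUDE_TAGS holds more than one space-separated tag, the shell splits it and everything after the first tag is parsed as a separate argument; `-tags "$EXCLUDE_TAGS"` avoids that. EXCLUDE_TAGS is defined outside this hunk, so whether it is multi-valued today is not visible here. `$PKG_LIST` has to stay unquoted because it is a package list.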

++ private-registry-0001-Add-private-registry-mirror-support.patch ++
>From cee4836847f76d3f7120489d17fa6e705da197a4 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg 
Date: Fri, 28 Jul 2017 16:15:04 +0200
Subject: [PATCH] Add private-registry mirror support

NOTE: This backport patch does NOT support the prefix semantics as
described below.  Instead, only the host of each prefix will be used.
Therefore, there can only be one prefix for a given host.  The daemon

commit docker_1_12_6 for openSUSE:Factory

2017-11-30 Thread root
Hello community,

here is the log from the commit of package docker_1_12_6 for openSUSE:Factory 
checked in at 2017-11-30 12:45:05

Comparing /work/SRC/openSUSE:Factory/docker_1_12_6 (Old)
 and  /work/SRC/openSUSE:Factory/.docker_1_12_6.new (New)


Package is "docker_1_12_6"

Thu Nov 30 12:45:05 2017 rev:5 rq:546260 version:1.12.6

Changes:

--- /work/SRC/openSUSE:Factory/docker_1_12_6/docker_1_12_6.changes  
2017-11-08 15:14:12.753113981 +0100
+++ /work/SRC/openSUSE:Factory/.docker_1_12_6.new/docker_1_12_6.changes 
2017-11-30 12:45:05.794561824 +0100
@@ -1,0 +2,6 @@
+Thu Nov 23 13:48:28 UTC 2017 - rbr...@suse.com
+
+- Replace references to /var/adm/fillup-templates with new 
+  %_fillupdir macro (boo#1069468)
+
+---



Other differences:
--
++ docker_1_12_6.spec ++
--- /var/tmp/diff_new_pack.MTNpNk/_old  2017-11-30 12:45:07.258508603 +0100
+++ /var/tmp/diff_new_pack.MTNpNk/_new  2017-11-30 12:45:07.262508458 +0100
@@ -17,6 +17,11 @@
 # nodebuginfo
 
 
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
 # Check if go_arches is defined in the project configuration
 # Otherwise, define it here
 # In order to define it in the project configuration, see
@@ -377,7 +382,7 @@
 install -D -m 0640 %{SOURCE8} 
%{buildroot}%{_sysconfdir}/audit/rules.d/%{_name}.rules
 
 # sysconfig file
-install -D -m 644 %{SOURCE4} 
%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.docker
+install -D -m 644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.docker
 
 %ifarch %{go_arches}
 # install manpages
@@ -449,7 +454,7 @@
 %{_unitdir}/%{_name}.service
 %config %{_sysconfdir}/audit/rules.d/%{_name}.rules
 %{_udevrulesdir}/80-%{_name}.rules
-%{_localstatedir}/adm/fillup-templates/sysconfig.docker
+%{_fillupdir}/sysconfig.docker
 %{_localstatedir}/lib/docker/
 %ifarch %{go_arches}
 %{_mandir}/man1/docker-*.1%{ext_man}




commit docker_1_12_6 for openSUSE:Factory

2017-11-08 Thread root
Hello community,

here is the log from the commit of package docker_1_12_6 for openSUSE:Factory 
checked in at 2017-11-08 15:11:05

Comparing /work/SRC/openSUSE:Factory/docker_1_12_6 (Old)
 and  /work/SRC/openSUSE:Factory/.docker_1_12_6.new (New)


Package is "docker_1_12_6"

Wed Nov  8 15:11:05 2017 rev:4 rq:539664 version:1.12.6

Changes:

--- /work/SRC/openSUSE:Factory/docker_1_12_6/docker_1_12_6.changes  
2017-10-19 19:32:25.896048738 +0200
+++ /work/SRC/openSUSE:Factory/.docker_1_12_6.new/docker_1_12_6.changes 
2017-11-08 15:14:12.753113981 +0100
@@ -1,0 +2,17 @@
+Tue Nov  7 16:49:59 UTC 2017 - asa...@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a
+  security issue where a maliciously crafted image could be used to crash a
+  Docker daemon. bsc#1066210 CVE-2017-14992
+  + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+
+---
+Tue Nov  7 09:09:11 UTC 2017 - asa...@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a
+  security issue where a Docker container (with a disabled AppArmor profile)
+  could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801
+  CVE-2017-16539
+  + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+
+---

New:

  bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
  bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch



Other differences:
--
++ docker_1_12_6.spec ++
--- /var/tmp/diff_new_pack.WgXeIB/_old  2017-11-08 15:14:13.893072370 +0100
+++ /var/tmp/diff_new_pack.WgXeIB/_new  2017-11-08 15:14:13.897072224 +0100
@@ -83,6 +83,10 @@
 Patch412:   bsc1037436-0002-client-check-tty-before-creating-exec-job.patch
 # SUSE-BACKPORT: Patches required to make layerdb operations atomic. 
bsc#1031479
 Patch420:   
bsc1031479-0001-Update-layer-store-to-sync-transaction-files-before-.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. 
boo#1066801 CVE-2017-16539
+Patch430:   bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. 
boo#1066210 CVE-2017-14992
+Patch440:   
bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
 # SUSE-BACKPORT: Patch fixing a DoS bug that makes certain operations fail on
 #a libdm device. bsc#1045628
 Patch500:   
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
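Review bot: The two new patch comments cite the bugs as `boo#1066801` and `boo#1066210`, while the changelog entry and the patch file names use the `bsc` prefix and the neighbouring comments use `bsc#1031479` and `bsc#1045628`. For security backports this matters in practice: a grep for `bsc#1066210` to confirm that the CVE-2017-14992 fix is applied will not hit the spec. I would write `# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. bsc#1066210 CVE-2017-14992`, likewise for Patch430, and use the same prefix in the `%patch430`/`%patch440` comments in the `@@ -217,6 +221,10 @@` hunk.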
@@ -217,6 +221,10 @@
 %patch412 -p1
 # bsc#1031479
 %patch420 -p1
+# boo#1066801 CVE-2017-16539
+%patch430 -p1
+# boo#1066210 CVE-2017-14992
+%patch440 -p1
 # bsc#1045628
 %patch500 -p1
 %patch600 -p1

++ 
bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch 
++
>From 2d49a7a98c42f25229f2daf25c9bf4846e16be61 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai 
Date: Wed, 8 Nov 2017 02:50:52 +1100
Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2

Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.

  * tar: asm: store padding in chunks to avoid memory exhaustion

Fixes: CVE-2017-14992
Signed-off-by: Aleksa Sarai 
---
 .../vbatts/tar-split/tar/asm/disassemble.go| 43 ++
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go 
b/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go
index 54ef23aed366..009b3f5d8124 100644
--- a/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go
@@ -2,7 +2,6 @@ package asm
 
 import (
"io"
-   "io/ioutil"
 
"github.com/vbatts/tar-split/archive/tar"
"github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp 
storage.FilePutter) (io
}
}
 
-   // it is allowable, and not uncommon that there is further 
padding on the
-   // end of an archive, apart from the expected 1024 null bytes.
-   remainder, err := ioutil.ReadAll(outputRdr)
-   if err != nil && err != io.EOF {
-   pW.CloseWithError(err)
-   return
-   }
-   _, err = p.AddEntry(storage.Entry{
-   Type:storage.SegmentType,
-   Payload: remainder,
-   })
-

commit docker_1_12_6 for openSUSE:Factory

2017-10-19 Thread root
Hello community,

here is the log from the commit of package docker_1_12_6 for openSUSE:Factory 
checked in at 2017-10-19 19:32:23

Comparing /work/SRC/openSUSE:Factory/docker_1_12_6 (Old)
 and  /work/SRC/openSUSE:Factory/.docker_1_12_6.new (New)


Package is "docker_1_12_6"

Thu Oct 19 19:32:23 2017 rev:3 rq:534169 version:1.12.6

Changes:

--- /work/SRC/openSUSE:Factory/docker_1_12_6/docker_1_12_6.changes  
2017-09-23 21:37:18.744283607 +0200
+++ /work/SRC/openSUSE:Factory/.docker_1_12_6.new/docker_1_12_6.changes 
2017-10-19 19:32:25.896048738 +0200
@@ -1,0 +2,8 @@
+Thu Oct 12 12:55:18 UTC 2017 - vrothb...@suse.com
+
+- Add patch to support mirroring of private/non-upstream registries. As soon as
+  the upstream PR (https://github.com/moby/moby/pull/34319) is merged, this
+  patch will be replaced by the backported one from upstream.
+  + private-registry-0001-Implement-private-registry-mirror-support.patch
+
+---

New:

  private-registry-0001-Implement-private-registry-mirror-support.patch



Other differences:
--
++ docker_1_12_6.spec ++
--- /var/tmp/diff_new_pack.ooQzEZ/_old  2017-10-19 19:32:26.860003636 +0200
+++ /var/tmp/diff_new_pack.ooQzEZ/_new  2017-10-19 19:32:26.860003636 +0200
@@ -86,6 +86,8 @@
 # SUSE-BACKPORT: Patch fixing a DoS bug that makes certain operations fail on
 #a libdm device. bsc#1045628
 Patch500:   
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+# SUSE-FEATURE: Add support to mirror non-upstream/private registries.
+Patch600:   
private-registry-0001-Implement-private-registry-mirror-support.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  device-mapper-devel >= 1.2.68
@@ -217,6 +219,7 @@
 %patch420 -p1
 # bsc#1045628
 %patch500 -p1
+%patch600 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .
 

++ private-registry-0001-Implement-private-registry-mirror-support.patch 
++
>From 7934aa58e16c030048337513427109a4b920cff9 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg 
Date: Fri, 28 Jul 2017 16:15:04 +0200
Subject: [PATCH] Implement private-registry mirror support

This is a temporary solution until the upstream PR gets merged. It is
not intended to get into any product other than SUSE CaaS Platform,
where we have full control over the necessary configuration steps,
making it independent from low-level docker details.

In order to use mirrors for private registries, the
/etc/docker/daemon.json must be configured as follows:

```json
{
"private-registry-mirrors": [
{
"registry": "quay.io",
"mirrors": ["http://mirror-1.foo.example.com",
"http://mirror-2.foo.example.com"]
}
]
}
```

With the upper example, the registry `foo.example.com` will be mirrored
by `mirror-{1,2}.foo.example.com`.

Signed-off-by: Flavio Castelli 
Signed-off-by: Valentin Rothberg 
---
 daemon/config.go|  3 ++
 distribution/pull.go|  3 +-
 distribution/pull_v2.go |  2 +-
 registry/config.go  | 18 --
 registry/service_v2.go  | 91 +
 5 files changed, 83 insertions(+), 34 deletions(-)

diff --git a/daemon/config.go b/daemon/config.go
index bf568efefa5c..89a192b039ee 100644
--- a/daemon/config.go
+++ b/daemon/config.go
@@ -340,6 +340,9 @@ func findConfigurationConflicts(config 
map[string]interface{}, flags *flag.FlagS
// 1. Search keys from the file that we don't recognize as flags.
unknownKeys := make(map[string]interface{})
for key, value := range config {
+   if key == "private-registry-mirrors" {
+   continue
+   }
flagName := "-" + key
if flag := flags.Lookup(flagName); flag == nil {
unknownKeys[key] = value
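Review bot: The new `if key == "private-registry-mirrors" { continue }` exempts this key from the unknown-key check through a bare string literal with no comment, so this loop never inspects whatever is configured under it. If the reason is that the option exists only in daemon.json and has no matching flag, a comment such as `// file-only option, no CLI flag to compare against` would record that, and the literal would be better as a named constant shared with the code that parses it. The commit message's example lists `http://` mirrors, so it is worth confirming that the parsing side (registry/config.go, not shown on this page) validates each mirror URL and its scheme. findConfigurationConflicts starts and ends outside the hunk.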
diff --git a/distribution/pull.go b/distribution/pull.go
index dad93b656d65..707a918e8ae6 100644
--- a/distribution/pull.go
+++ b/distribution/pull.go
@@ -129,10 +129,11 @@ func Pull(ctx context.Context, ref reference.Named, 
imagePullConfig *ImagePullCo
}
}
 
-   logrus.Debugf("Trying to pull %s from %s %s", repoInfo.Name(), 
endpoint.URL, endpoint.Version)
+   logrus.Infof("Trying to pull %s from %s %s", repoInfo.Name(), 
endpoint.URL, endpoint.Version)
 
puller, err := newPuller(endpoint, repoInfo, imagePullConfig)
if err != nil {
+   logrus.Infof("Error pulling %s from %s %s: %v", 
repoInfo.Name(), endpoint.URL, endpoint.Version, err)
lastErr = err
   

commit docker_1_12_6 for openSUSE:Factory

2017-09-23 Thread root
Hello community,

here is the log from the commit of package docker_1_12_6 for openSUSE:Factory 
checked in at 2017-09-23 21:37:12

Comparing /work/SRC/openSUSE:Factory/docker_1_12_6 (Old)
 and  /work/SRC/openSUSE:Factory/.docker_1_12_6.new (New)


Package is "docker_1_12_6"

Sat Sep 23 21:37:12 2017 rev:2 rq:528270 version:1.12.6

Changes:

--- /work/SRC/openSUSE:Factory/docker_1_12_6/docker_1_12_6.changes  
2017-09-15 22:31:54.462424976 +0200
+++ /work/SRC/openSUSE:Factory/.docker_1_12_6.new/docker_1_12_6.changes 
2017-09-23 21:37:18.744283607 +0200
@@ -1,0 +2,10 @@
+Fri Sep 22 09:58:47 UTC 2017 - vrothb...@suse.com
+
+- Fix bsc#1059011
+
+  The systemd service helper script used a timeout of 60 seconds to
+  start the daemon, which is insufficient in cases where the daemon
+  takes longer to start. Instead, set the service type from 'simple' to
+  'notify' and remove the now superfluous helper script.
+
+---

Old:

  docker_service_helper.sh



Other differences:
--
++ docker_1_12_6.spec ++
--- /var/tmp/diff_new_pack.Rhtjb3/_old  2017-09-23 21:37:20.456042872 +0200
+++ /var/tmp/diff_new_pack.Rhtjb3/_new  2017-09-23 21:37:20.460042310 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package docker
+# spec file for package docker_1_12_6
 #
 # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
@@ -60,7 +60,6 @@
 Source8:docker-audit.rules
 Source9:docker-update-message.txt
 Source10:   tests.sh
-Source11:   docker_service_helper.sh
 # Fixes for architecture-specific issues (gcc-go).
 Patch100:   gcc-go-patches.patch
 Patch102:   netlink_netns_powerpc.patch
@@ -126,11 +125,11 @@
 Conflicts:  docker-libnetwork
 Conflicts:  docker > 1.12.6
 Provides:   docker = 1.12.6
-BuildRoot:  %{_tmppath}/%{_name}-%{version}-build
+BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 ExcludeArch:%ix86 s390 ppc
 %ifarch %{go_arches}
-BuildRequires:  golang(API) = 1.6
 BuildRequires:  go-go-md2man
+BuildRequires:  golang(API) = 1.6
 %else
 BuildRequires:  gcc6-go >= 6.1
 %endif
@@ -356,7 +355,6 @@
 #
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{_name}.service
 ln -sf service %{buildroot}%{_sbindir}/rcdocker
-install -D -m 0755 %{SOURCE11} %{buildroot}/%{_libexecdir}/docker/
 
 #
 # udev rules that prevents dolphin to show all docker devices and slows down

++ docker.service ++
--- /var/tmp/diff_new_pack.Rhtjb3/_old  2017-09-23 21:37:20.664013624 +0200
+++ /var/tmp/diff_new_pack.Rhtjb3/_new  2017-09-23 21:37:20.664013624 +0200
@@ -10,9 +10,8 @@
 # While Docker has support for socket activation (-H fd://), this is not
 # enabled by default because enabling socket activation means that on boot your
 # containers won't start until someone tries to administer the Docker daemon.
-Type=simple
+Type=notify
 ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock 
--add-runtime oci=/usr/bin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
-ExecStartPost=/usr/lib/docker/docker_service_helper.sh wait
 ExecReload=/bin/kill -s HUP $MAINPID
 
 # Having non-zero Limit*s causes performance problems due to accounting 
overhead
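Review bot: Switching to `Type=notify` removes the helper's fixed 60-second wait, but systemd's own start timeout still applies to notify-type services, so a daemon that needs longer than the default to signal readiness would still be killed during start-up. Unless the unit already sets it outside this hunk, I would add an explicit `TimeoutStartSec=` (a generous bound, or `TimeoutStartSec=0` to disable it) next to `Type=notify`, with a comment referencing bsc#1059011. The [Service] section begins and continues outside the hunk.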