diff --git a/base/containerd/config.toml b/base/containerd/config.toml
new file mode 100644
index 0000000..fc3f9f7
--- /dev/null
+++ b/base/containerd/config.toml
@@ -0,0 +1,15 @@
+#root = "/var/lib/containerd"
+#state = "/run/containerd"
+#subreaper = true
+#oom_score = 0
+
+#[grpc]
+# address = "/run/containerd/containerd.sock"
+# uid = 0
+# gid = 0
+
+#[debug]
+# address = "/run/containerd/debug.sock"
+# uid = 0
+# gid = 0
+# level = "info"
diff --git a/base/containerd/containerd-1.4.0-Update-path-to-use-packaged-daemon-executable-in-ser.patch b/base/containerd/containerd-1.4.0-Update-path-to-use-packaged-daemon-executable-in-ser.patch
new file mode 100644
index 0000000..0e86c96
--- /dev/null
+++ b/base/containerd/containerd-1.4.0-Update-path-to-use-packaged-daemon-executable-in-ser.patch
@@ -0,0 +1,26 @@
+From b5190a190d133660b3bba2187c6b5186a1655224 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Tue, 15 Sep 2020 17:40:30 +0000
+Subject: [PATCH] Update path to use packaged daemon executable in service unit
+
+Signed-off-by: Jamie Anderson
+---
+ containerd.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/containerd.service b/containerd.service
+index 38a345945..4e262acb3 100644
+--- a/containerd.service
++++ b/containerd.service
+@@ -21,7 +21,7 @@ After=network.target local-fs.target
+ #uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
+ #Environment="ENABLE_CRI_SANDBOXES=sandboxed"
+ ExecStartPre=-/sbin/modprobe overlay
+-ExecStart=/usr/local/bin/containerd
++ExecStart=/usr/bin/containerd
+
+ Type=notify
+ Delegate=yes
+--
+2.40.1
+
diff --git a/base/containerd/containerd.spec b/base/containerd/containerd.spec
new file mode 100644
index 0000000..6343f9e
--- /dev/null
+++ b/base/containerd/containerd.spec
@@ -0,0 +1,308 @@
+%bcond_with btrfs
+%bcond_without seccomp
+%bcond_without systemd
+
+%define golang_set_gopath(d:) \
+export GOPATH="%{-d:%{-d*}}%{!-d:$(pwd -P)}"; \
+export PATH="$PATH:$GOPATH/bin"; \
+export GO111MODULE=off
+
+%define golang_init_gopath(d:) \
+%{golang_set_gopath} \
+rm -rf "${GOPATH}/"{src,pkg,bin} \
+install -d "${GOPATH}"/{src,pkg,bin}
+
+%define golang_src_path(p:) ${GOPATH:-.}/src/%{-p*}
+%define gobuilddir %{golang_src_path}
+
+%define golang_prep(p:s:S:) \
+install -d "$GOPATH/src/%{-p*}" && \
+tar -x %{-S:--strip-components=%{-S*}} -C "%{golang_src_path -p %{-p*}}" -f %{-s*}
+
+%define golang_install(p:s:S:) %{golang_prep}\
+go install %{-p*}
+
+%define containerd_release 1.7.2
+%define containerd_commit 0cae528dd6cb557f7201036e9f43420650207b58
+%global containerd_short_sha %(c=%containerd_commit; echo ${c:0:7})
+%define containerd_package github.com/containerd/containerd
+%define containerd_src %{golang_src_path -p %containerd_package}
+
+## Pre/Post release VCS metadata, for NVR when unmatched with a
+## release tag.
+# Update date to datestamp when containerd upstream data is bumped.
+%global containerd_rpm_snapshot_date 20210617
+%global containerd_rpm_snapshot_vcs git%{containerd_short_sha}
+# Get the version bits before the dash or plus.
+%global containerd_rpm_version %(r=%containerd_release; echo ${r%%%%-*})
+# Pre/Post release suffix with VCS info embedded into release.
+%global containerd_rpm_release_suffix .%{containerd_rpm_snapshot_date}.%{containerd_rpm_snapshot_vcs}
+
+%global containerd_buildtags %{?containerd_buildtags} selinux
+%if %{with btrfs}
+%global containerd_buildtags %{?containerd_buildtags} btrfs
+%else
+%global containerd_buildtags %{?containerd_buildtags} no_btrfs
+%endif
+%if %{with seccomp}
+%global containerd_buildtags %{?containerd_buildtags} seccomp
+%endif
+
+Name: containerd
+Version: %{containerd_rpm_version}
+Release: 1%{?dist}
+# Upstream license specification: Apache-2.0
+License: ASL 2.0
+Summary: An industry-standard container runtime with an emphasis on simplicity, robustness and portability
+
+Source0: https://%{containerd_package}/archive/%{containerd_commit}/containerd-%{containerd_release}-%{containerd_short_sha}.tar.gz
+Source1: config.toml
+
+Patch1000: containerd-1.4.0-Update-path-to-use-packaged-daemon-executable-in-ser.patch
+
+# Runtime requirements
+Requires: runc
+%if %{with seccomp}
+# Require the version of seccomp that we were built against.
+%global seccomp_version %(pkg-config --modversion libseccomp 2>/dev/null || echo 0)
+Requires: libseccomp%{?_isa} >= %{seccomp_version}
+%endif
+# container-selinux 2.120.0 adds necessary support for containerd-cri
+Conflicts: container-selinux < 2.120.0
+
+# Compilation requirements
+BuildRequires: golang >= 1.18.3
+BuildRequires: kernel-headers
+BuildRequires: libselinux-devel
+BuildRequires: go-rpm-macros
+BuildRequires: systemd-rpm-macros
+BuildRequires: go-md2man
+%if %{with btrfs}
+BuildRequires: btrfs-progs-devel
+%endif
+%if %{with seccomp}
+BuildRequires: libseccomp-devel
+%endif
+
+%description
+containerd is an industry-standard container runtime with an emphasis
+on simplicity, robustness and portability. It is available as a daemon
+for Linux and Windows, which can manage the complete container
+lifecycle of its host system: image transfer and storage, container
+execution and supervision, low-level storage and network attachments,
+etc.
+
+%package stress
+License: ASL 2.0
+Summary: stress test a containerd daemon
+Requires: %{name} = %{version}-%{release}
+
+%description stress
+%{summary}.
+
+%prep
+%setup -c -T -n %{name}-%{version}-%{release}
+%golang_init_gopath
+
+%golang_prep -p %{containerd_package} -s %SOURCE0 -S 1
+
+cd "%containerd_src"
+%patch1000 -p1
+
+%build
+%golang_set_gopath
+cd "%containerd_src"
+export LDFLAGS="-X %{containerd_package}/version.Version=%{version} -X %{containerd_package}/version.Revision=%{containerd_commit} "
+export BUILDTAGS="%{containerd_buildtags}"
+for cmd in containerd containerd-shim containerd-shim-runc-v1 containerd-shim-runc-v2 containerd-stress ctr gen-manpages ; do
+ %gobuild -o %{gobuilddir}/bin/$cmd %{containerd_src}/cmd/$cmd
+done
+mkdir _man
+go-md2man -in docs/man/containerd-config.8.md -out _man/containerd-config.8
+go-md2man -in docs/man/containerd-config.toml.5.md -out _man/containerd-config.toml.5
+%{gobuilddir}/bin/gen-manpages containerd.8 _man
+%{gobuilddir}/bin/gen-manpages ctr.8 _man
+rm %{gobuilddir}/bin/gen-manpages
+
+%check
+%golang_set_gopath
+export BUILDTAGS="%{containerd_buildtags}"
+# Run scoped unit tests - skips some if not running as root.
+%if %{without btrfs}
+# We want to build/run tests the same way we build the binaries
+export EXTRA_TESTFLAGS="-tags='%{containerd_buildtags}'"
+%endif
+make -C %{containerd_src} test
+
+%install
+%golang_set_gopath
+
+# Install containerd binaries
+install -d %{buildroot}%{_bindir}
+install -p %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
+install -d %{buildroot}%{_mandir}/man{5,8}
+install -p -m 644 %{containerd_src}/_man/*.5 %{buildroot}%{_mandir}/man5/
+install -p -m 644 %{containerd_src}/_man/*.8 %{buildroot}%{_mandir}/man8/
+install -D -p -m 0644 %{S:1} %{buildroot}%{_sysconfdir}/containerd/config.toml
+
+%if %{with systemd}
+install -D -p -m 644 %{containerd_src}/containerd.service %{buildroot}%{_unitdir}/containerd.service
+%endif
+install -d %{buildroot}%{_localstatedir}/lib/containerd
+
+%if 0%{?amzn} == 2
+# On a fresh install of container-selinux, or updating from selinux-policy in
+# amzn2-core to one that more closely tracks upstream, we need to relabel critical
+# files to pick up changes to file_contexts introduced by those packages.
+%define selinux_relabel_paths %{_bindir}/ctr %{_bindir}/containerd %{_bindir}/containerd-shim* %{_sysconfdir}/containerd/config.toml %{_localstatedir}/lib/containerd
+%define do_selinux_relabel() /usr/sbin/selinuxenabled && /usr/sbin/restorecon -r %*
+
+%triggerin -- container-selinux
+if [ $1 -eq 1 ]; then # new install, not update
+ %{do_selinux_relabel} %{selinux_relabel_paths} ||:
+fi
+
+%triggerun -- selinux-policy < 3.13.1-266
+if [ $1 -eq 1 ]; then # update, not uninstall
+ %{do_selinux_relabel} %{selinux_relabel_paths} ||:
+fi
+
+%triggerin stress -- container-selinux
+if [ $1 -eq 1 ]; then # new install, not update
+ %{do_selinux_relabel} %{_bindir}/containerd-stress ||:
+fi
+
+%triggerun stress -- selinux-policy < 3.13.1-266
+if [ $1 -eq 1 ]; then # update, not uninstall
+ %{do_selinux_relabel} %{_bindir}/containerd-stress ||:
+fi
+%endif
+
+%files
+%license src/github.com/containerd/containerd/LICENSE
+%doc src/github.com/containerd/containerd/README.md
+%{_bindir}/ctr
+%{_bindir}/containerd
+%{_bindir}/containerd-shim
+%{_bindir}/containerd-shim-runc-v1
+%{_bindir}/containerd-shim-runc-v2
+%config(noreplace) %{_sysconfdir}/containerd/config.toml
+%dir %{_localstatedir}/lib/containerd
+%if %{with systemd}
+%{_unitdir}/containerd.service
+%endif
+%{_mandir}/man5/containerd-config.toml.5*
+%{_mandir}/man8/containerd-config.8*
+%{_mandir}/man8/containerd.8*
+%{_mandir}/man8/ctr.8*
+
+%files stress
+%{_bindir}/containerd-stress
+
+%post
+%if %{with systemd}
+%systemd_post containerd
+%endif
+
+%preun
+%if %{with systemd}
+%systemd_preun containerd
+%endif
+
+%postun
+%if %{with systemd}
+%systemd_postun_with_restart containerd
+%endif
+
+%changelog
+* Thu Jul 06 2023 Lucas Meneghel - 1.7.2-1.amzn2023.0.1
+- containerd: Update to upstream 1.7.2
+- Dropped patches that are included with the new version
+
+* Fri Mar 17 2023 Sonia Xu - 1.6.19-1.amzn2023.0.1
+- Update to v1.6.19
+- Update patch to apply properly
+
+* Tue Mar 14 2023 Sai Harsha - 1.6.8-2.amzn2023.0.4
+- Fix CVE-2022-1996
+
+* Mon Jan 30 2023 Stewart Smith - 1.6.8-2.amzn2023.0.3
+- Mass rebuild for AL2023
+
+* Tue Dec 20 2022 Chanchal Mathew - 1.6.8-2.amzn2022.0.2
+- Rebuild for CVE-2022-2879, CVE-2022-41715, CVE-2022-41716 in golang
+
+* Tue Oct 11 2022 Chanchal Mathew - 1.6.8-2
+- Fix FTBFS
+
+* Tue Oct 04 2022 Chanchal Mathew - 1.6.8-1
+- Update to 1.6.8 from upstream
+
+* Mon Oct 03 2022 Stewart Smith - 1.6.6-1.amzn2022.0.3
+- AL2022 pre-GA mass rebuild
+
+* Wed Sep 28 2022 Mansi Jaitly - 1.6.6-1.amzn2022.0.2
+- Rebuild due to golang-1.19.1-1.amzn2022.0.1 update
+
+* Fri Jul 22 2022 Stewart Smith - 1.6.6-1.amzn2022.0.1
+- build without btrfs on Amazon Linux
+
+* Mon Jun 20 2022 Sai Harsha - 1.6.6-1
+- Update to 1.6.6 from upstream
+- Remove patches included upstream since 1.4.13
+
+* Tue May 31 2022 Sai Harsha - 1.4.13-3
+- Limit the response size of ExecSync
+
+* Tue Mar 29 2022 Malcolm Inglis - 1.4.13-2
+- Apply patch for CVE-2022-24769
+
+* Tue Mar 29 2022 Malcolm Inglis - 1.4.13-1
+- Update to 1.4.13 from upstream
+- Update golang BuildRequires to 1.16.15
+- Remove patches included upstream since 1.4.6
+
+* Thu Feb 24 2022 Malcolm Inglis - 1.4.6-9
+- Apply patch for CVE-2022-23648
+
+* Wed Dec 08 2021 Paul Ezvan - 1.4.6-8
+- Build for AL2022
+
+* Wed Nov 17 2021 Jamie Anderson - 1.4.6-7
+- CVE-2021-41190
+
+* Tue Nov 02 2021 Jamie Anderson - 1.4.6-5
+- Fix typo in container-selinux Conflicts:
+
+* Fri Oct 29 2021 Jamie Anderson - 1.4.6-4
+- Add selinux to buildtags
+- Conflict with container-selinux versions that don't have containerd-cri support
+
+* Fri Sep 24 2021 Jamie Anderson - 1.4.6-3
+- Apply patches for CVE-2021-41103
+
+* Mon Jul 12 2021 Jamie Anderson - 1.4.6-2
+- Apply patch for CVE-2021-32760
+
+* Thu Jun 17 2021 Jamie Anderson - 1.4.6-1
+- Update to 1.4.6 from upstream
+
+* Thu Feb 25 2021 Jamie Anderson - 1.4.4-1
+- Update to 1.4.4 from upstream
+
+* Tue Nov 17 2020 Samuel Karp - 1.4.1-2
+- Apply patch for CVE-2020-15257
+
+* Fri Nov 13 2020 Jamie Anderson - 1.4.1
+- Update to 1.4.1 from upstream
+
+* Wed Sep 23 2020 Jamie Anderson - 1.4.0
+- Update to 1.4.0 from upstream
+- Add triggers to relabel after container-selinux install
+
+* Mon Feb 10 2020 Jamie Anderson - 1.3.2
+- Update to 1.3.2 from upstream
+
+* Mon May 13 2019 Jacob Vallejo - 1.2.6-1
+- Initial packaging
+
diff --git a/base/docker/README-docker-runtimes.d b/base/docker/README-docker-runtimes.d
new file mode 100644
index 0000000..f938c64
--- /dev/null
+++ b/base/docker/README-docker-runtimes.d
@@ -0,0 +1,7 @@
+Users can add runtimes (in addition to runc) to Docker by adding executable
+files in /etc/docker-runtimes.d.
+
+The name of the file becomes the name of the runtime.
+
+To disable an installed runtime file without RPM clobbering it and re-enabling
+it on an update, remove the executable bits (chmod a-x).
diff --git a/base/docker/docker-20.10.17-Skip-kubeconfig-and-loadcontext-tests-that-require-root.patch b/base/docker/docker-20.10.17-Skip-kubeconfig-and-loadcontext-tests-that-require-root.patch
new file mode 100644
index 0000000..8531efc
--- /dev/null
+++ b/base/docker/docker-20.10.17-Skip-kubeconfig-and-loadcontext-tests-that-require-root.patch
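Review bot: In `containerd.spec`, the SELinux triggers end every relabel with `||:`, which hides a failing `restorecon` together with the expected SELinux-disabled case, so `%{_bindir}/containerd*` and `%{_localstatedir}/lib/containerd` could keep stale labels after a `container-selinux` install with no trace in the transaction output. Keeping the scriptlet non-fatal but reporting the failure would help, e.g. `%define do_selinux_relabel() if /usr/sbin/selinuxenabled; then /usr/sbin/restorecon -r %* || echo "containerd: restorecon failed" >&2; fi`. Separately, in `%check` the `EXTRA_TESTFLAGS` export sits inside `%if %{without btrfs}`, so a `--with btrfs` build would run the tests without the `selinux`/`seccomp` tags the binaries are built with; the comment above it suggests that is not intended.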
@@ -0,0 +1,54 @@
+From 4c4d58519541008ef8982e1fcffe76c60e1389f5 Mon Sep 17 00:00:00 2001
+From: Sai Harsha
+Date: Tue, 14 Jun 2022 06:39:31 +0000
+Subject: [PATCH 1/1] Skip TestSaveLoadContexts and TestExportKubeconfig
+
+Skipping TestExportKubeconfig and TestSaveLoadContexts tests which require root access
+
+---
+ cli/command/context/export-import_test.go | 2 ++
+ cli/context/kubernetes/endpoint_test.go | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/cli/command/context/export-import_test.go b/cli/command/context/export-import_test.go
+index bf0cd88..6be9384 100644
+--- a/cli/command/context/export-import_test.go
++++ b/cli/command/context/export-import_test.go
+@@ -8,6 +8,7 @@ import (
+ "path/filepath"
+ "testing"
+
++ "github.com/docker/docker/testutil"
+ "github.com/docker/cli/cli/streams"
+ "gotest.tools/v3/assert"
+ )
+@@ -71,6 +72,7 @@ func TestExportImportPipe(t *testing.T) {
+ }
+
+ func TestExportKubeconfig(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextFile := filepath.Join(t.TempDir(), "exported")
+ cli := makeFakeCli(t)
+ createTestContextWithKube(t, cli)
+diff --git a/cli/context/kubernetes/endpoint_test.go b/cli/context/kubernetes/endpoint_test.go
+index 89eeb9d..700e21e 100644
+--- a/cli/context/kubernetes/endpoint_test.go
++++ b/cli/context/kubernetes/endpoint_test.go
+@@ -5,6 +5,7 @@ import (
+ "os"
+ "testing"
+
++ "github.com/docker/docker/testutil"
+ "github.com/docker/cli/cli/context"
+ "github.com/docker/cli/cli/context/store"
+ "gotest.tools/v3/assert"
+@@ -41,6 +42,7 @@ var testStoreCfg = store.NewConfig(
+ )
+
+ func TestSaveLoadContexts(t *testing.T) {
++ testutil.RequiresRoot(t)
+ store := store.New(t.TempDir(), testStoreCfg)
+ assert.NilError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, false), "raw-notls"))
+ assert.NilError(t, save(store, testEndpoint("https://test", "test", nil, nil, nil, true), "raw-notls-skip"))
+--
+2.32.0
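Review bot: Both test files in the Skip-kubeconfig-and-loadcontext patch live under `cli/` but import `github.com/docker/docker/testutil`, while the other cli patches in this commit (Skip-cli-tests-that-require-network, Skip-compression-tests-that-require-root) take `testutil` from `github.com/docker/cli/testutil`. Whether `RequiresRoot` exists in the docker/docker package is not visible here, so it is worth confirming the helper resolves in the cli build tree, or switching to `"github.com/docker/cli/testutil"` for consistency. The visible lines of both tests only write under `t.TempDir()`, so a one-line comment above each `testutil.RequiresRoot(t)` naming what actually fails without root would make the skip auditable; both test bodies continue outside the hunks.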
diff --git a/base/docker/docker-20.10.4-Limit-logger-errors-logged-into-daemon-logs.patch b/base/docker/docker-20.10.4-Limit-logger-errors-logged-into-daemon-logs.patch
new file mode 100644
index 0000000..237ec25
--- /dev/null
+++ b/base/docker/docker-20.10.4-Limit-logger-errors-logged-into-daemon-logs.patch
@@ -0,0 +1,112 @@
+From fb5a9ec741c4a2246624b694d88db2e5fabc9118 Mon Sep 17 00:00:00 2001
+From: Angel Velazquez
+Date: Thu, 20 May 2021 16:59:30 -0700
+Subject: [PATCH] Limit the rate at which logger errors are logged into daemon
+ logs
+
+Logging to daemon logs every time there's an error with a log driver can be
+problematic since daemon logs can grow rapidly, potentially exhausting disk
+space.
+
+Instead, it's preferable to limit the rate at which log driver errors are allowed
+to be written. By default, this limit is 333 entries per second max.
+
+Signed-off-by: Angel Velazquez
+---
+ daemon/logger/copier.go | 6 ++----
+ daemon/logger/logger_error.go | 24 ++++++++++++++++++++++++
+ daemon/logger/ring.go | 12 ++----------
+ 3 files changed, 28 insertions(+), 14 deletions(-)
+ create mode 100644 daemon/logger/logger_error.go
+
+diff --git a/daemon/logger/copier.go b/daemon/logger/copier.go
+index e2ee36c0987e..30c68ea364d2 100644
+--- a/daemon/logger/copier.go
++++ b/daemon/logger/copier.go
+@@ -126,8 +126,7 @@ func (c *Copier) copySrc(name string, src io.Reader) {
+ }
+
+ if logErr := c.dst.Log(msg); logErr != nil {
+- logWritesFailedCount.Inc(1)
+- logrus.Errorf("Failed to log msg %q for logger %s: %s", msg.Line, c.dst.Name(), logErr)
++ logDriverError(c.dst.Name(), string(msg.Line), logErr)
+ }
+ }
+ p += q + 1
+@@ -159,8 +158,7 @@ func (c *Copier) copySrc(name string, src io.Reader) {
+ hasMorePartial = true
+
+ if logErr := c.dst.Log(msg); logErr != nil {
+- logWritesFailedCount.Inc(1)
+- logrus.Errorf("Failed to log msg %q for logger %s: %s", msg.Line, c.dst.Name(), logErr)
++ logDriverError(c.dst.Name(), string(msg.Line), logErr)
+ }
+ p = 0
+ n = 0
+diff --git a/daemon/logger/logger_error.go b/daemon/logger/logger_error.go
+new file mode 100644
+index 000000000000..70f4311979c4
+--- /dev/null
++++ b/daemon/logger/logger_error.go
+@@ -0,0 +1,24 @@
++package logger
++
++import (
++ "github.com/sirupsen/logrus"
++ "golang.org/x/time/rate"
++)
++
++// Rates based on journald defaults of 10,000 messages in 30s.
++// reference: https://www.freedesktop.org/software/systemd/man/journald.conf.html#RateLimitIntervalSec=
++var logErrorLimiter = rate.NewLimiter(333, 333)
++
++// logDriverError logs errors produced by log drivers to the daemon logs. It also increments the logWritesFailedCount
++// metric.
++// Logging to the daemon logs is limited to 333 operations per second at most. If this limit is exceeded, the
++// logWritesFailedCount is still counted, but logging to the daemon logs is omitted in order to prevent disk saturation.
++func logDriverError(loggerName, msgLine string, logErr error) {
++ logWritesFailedCount.Inc(1)
++ if logErrorLimiter.Allow() {
++ logrus.WithError(logErr).
++ WithField("driver", loggerName).
++ WithField("message", msgLine).
++ Errorf("Error writing log message")
++ }
++}
+diff --git a/daemon/logger/ring.go b/daemon/logger/ring.go
+index b6432aed36f7..3b2652af63c1 100644
+--- a/daemon/logger/ring.go
++++ b/daemon/logger/ring.go
+@@ -4,8 +4,6 @@ import (
+ "errors"
+ "sync"
+ "sync/atomic"
+-
+- "github.com/sirupsen/logrus"
+ )
+
+ const (
+@@ -104,10 +102,7 @@ func (r *RingLogger) Close() error {
+ }
+
+ if err := r.l.Log(msg); err != nil {
+- logrus.WithField("driver", r.l.Name()).
+- WithField("container", r.logInfo.ContainerID).
+- WithError(err).
+- Errorf("Error writing log message")
++ logDriverError(r.l.Name(), string(msg.Line), err)
+ logErr = true
+ }
+ }
+@@ -128,10 +123,7 @@ func (r *RingLogger) run() {
+ return
+ }
+ if err := r.l.Log(msg); err != nil {
+- logrus.WithField("driver", r.l.Name()).
+- WithField("container", r.logInfo.ContainerID).
+- WithError(err).
+- Errorf("Error writing log message")
++ logDriverError(r.l.Name(), string(msg.Line), err)
+ }
+ }
+ }
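Review bot: In `logger_error.go`, `logDriverError` writes the container's own log line into the daemon log through `WithField("message", msgLine)`, and the two `ring.go` call sites previously logged no message content at all, so container output (which may carry secrets or be attacker-influenced) now reaches the daemon log for ring-buffered drivers. Those same call sites lose the `container` field (`r.logInfo.ContainerID`), which makes a failing driver harder to attribute during incident response. Consider dropping or truncating the message field and passing the container ID through instead, e.g. `WithField("container", containerID)`; the `copier.go` callers would need the ID plumbed in, which is not visible in these hunks. The limiter is a single package-level `rate.NewLimiter(333, 333)`, so one noisy container can use up the budget for all others; the comment on `logErrorLimiter` should say whether that is deliberate.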
diff --git a/base/docker/docker-20.10.4-Restore-containerd-dependency-restart-policy-and-nof.patch b/base/docker/docker-20.10.4-Restore-containerd-dependency-restart-policy-and-nof.patch
new file mode 100644
index 0000000..9f9f75d
--- /dev/null
+++ b/base/docker/docker-20.10.4-Restore-containerd-dependency-restart-policy-and-nof.patch
@@ -0,0 +1,47 @@
+From e2d3dd827bcca6cba9e0f2b869d872af07ff2999 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Mon, 22 Mar 2021 20:33:57 +0000
+Subject: [PATCH] Restore containerd dependency, restart policy, and nofile
+ settings to service file
+
+Signed-off-by: Jamie Anderson
+---
+ contrib/init/systemd/docker.service | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service
+index 7e87245..1654f0b 100644
+--- a/contrib/init/systemd/docker.service
++++ b/contrib/init/systemd/docker.service
+@@ -1,7 +1,8 @@
+ [Unit]
+ Description=Docker Application Container Engine
+ Documentation=https://docs.docker.com
+-After=network-online.target docker.socket firewalld.service
++BindsTo=containerd.service
++After=network-online.target docker.socket firewalld.service containerd.service
+ Wants=network-online.target
+ Requires=docker.socket
+
+@@ -17,7 +18,7 @@ ExecStartPre=/usr/libexec/docker/docker-setup-runtimes.sh
+ # for containers run by docker
+ ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES
+ ExecReload=/bin/kill -s HUP $MAINPID
+-LimitNOFILE=1048576
++LimitNOFILE=infinity
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+ LimitNPROC=infinity
+@@ -31,7 +32,8 @@ Delegate=yes
+ # kill only the docker process, not all processes in the cgroup
+ KillMode=process
+ # restart the docker process if it exits prematurely
+-Restart=on-failure
++RestartSec=2
++Restart=always
+ StartLimitBurst=3
+ StartLimitInterval=60s
+
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.4-Skip-auth-middleware-test.patch b/base/docker/docker-20.10.4-Skip-auth-middleware-test.patch
new file mode 100644
index 0000000..1a85d24
--- /dev/null
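Review bot: In the `docker.service` patch, `LimitNOFILE=infinity` removes the explicit 1048576 cap, and since containers normally inherit the daemon's limits, every container started by dockerd would get whatever hard maximum the host resolves `infinity` to. That widens the room for file-descriptor exhaustion by a single container and can slow programs that walk the whole descriptor range; unless a workload needs it, keeping `LimitNOFILE=1048576` is the safer default. In the last hunk `Restart=always` with `RestartSec=2` also restarts dockerd after a clean exit, and with `BindsTo=containerd.service` the daemon is stopped whenever containerd stops; a comment in the unit stating that this coupling is intended would help operators.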
+++ b/base/docker/docker-20.10.4-Skip-auth-middleware-test.patch
@@ -0,0 +1,33 @@
+From ff6ad03b4a9774b2a87c12445b31f54078c06b55 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Thu, 4 Mar 2021 17:48:05 +0000
+Subject: [PATCH] Skip auth/middleware test that creates sockets
+
+Signed-off-by: Jamie Anderson
+---
+ pkg/authorization/middleware_unix_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pkg/authorization/middleware_unix_test.go b/pkg/authorization/middleware_unix_test.go
+index 468cb59..b5e26ac 100644
+--- a/pkg/authorization/middleware_unix_test.go
++++ b/pkg/authorization/middleware_unix_test.go
+@@ -7,6 +7,7 @@ import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
++ "github.com/docker/docker/testutil"
+
+ "github.com/docker/docker/pkg/plugingetter"
+ "gotest.tools/v3/assert"
+@@ -14,6 +15,7 @@ import (
+ )
+
+ func TestMiddlewareWrapHandler(t *testing.T) {
++ testutil.RequiresRoot(t)
+ server := authZPluginTestServer{t: t}
+ server.start()
+ defer server.stop()
+--
+2.25.0.24.gbc7a3d4
+
diff --git a/base/docker/docker-20.10.4-Skip-btrfs-graphdriver-tests-if-not-root.patch b/base/docker/docker-20.10.4-Skip-btrfs-graphdriver-tests-if-not-root.patch
new file mode 100644
index 0000000..e4e0f67
--- /dev/null
+++ b/base/docker/docker-20.10.4-Skip-btrfs-graphdriver-tests-if-not-root.patch
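Review bot: In the auth-middleware patch, `testutil.RequiresRoot(t)` skips `TestMiddlewareWrapHandler`, a test of the authorization plugin middleware, in every unprivileged build, so a regression in that path would pass unnoticed there. The subject line gives socket creation as the reason, not privilege, so the guard does not match the stated cause: a root build in a restricted buildroot would still run the test, and a non-root environment where sockets work would skip it. If the helper the devmapper patch uses from the same package fits, `testutil.SkipIfBuildroot(t)` expresses the reason more precisely; either way a comment naming the failing operation should sit above the guard. The test body continues outside the hunk.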
@@ -0,0 +1,53 @@
+From 4d116f8caee01d47e344571c0fe4b805ae44e8d8 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Fri, 19 Mar 2021 20:59:20 +0000
+Subject: [PATCH] Skip btrfs graphdriver tests if not root
+
+Signed-off-by: Jamie Anderson
+---
+ daemon/graphdriver/btrfs/btrfs_test.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/daemon/graphdriver/btrfs/btrfs_test.go b/daemon/graphdriver/btrfs/btrfs_test.go
+index b70e93b..c75960b 100644
+--- a/daemon/graphdriver/btrfs/btrfs_test.go
++++ b/daemon/graphdriver/btrfs/btrfs_test.go
+@@ -6,6 +6,7 @@ import (
+ "os"
+ "path"
+ "testing"
++ "github.com/docker/docker/testutil"
+
+ "github.com/docker/docker/daemon/graphdriver/graphtest"
+ )
+@@ -13,22 +14,27 @@ import (
+ // This avoids creating a new driver for each test if all tests are run
+ // Make sure to put new tests between TestBtrfsSetup and TestBtrfsTeardown
+ func TestBtrfsSetup(t *testing.T) {
++ testutil.RequiresRoot(t)
+ graphtest.GetDriver(t, "btrfs")
+ }
+
+ func TestBtrfsCreateEmpty(t *testing.T) {
++ testutil.RequiresRoot(t)
+ graphtest.DriverTestCreateEmpty(t, "btrfs")
+ }
+
+ func TestBtrfsCreateBase(t *testing.T) {
++ testutil.RequiresRoot(t)
+ graphtest.DriverTestCreateBase(t, "btrfs")
+ }
+
+ func TestBtrfsCreateSnap(t *testing.T) {
++ testutil.RequiresRoot(t)
+ graphtest.DriverTestCreateSnap(t, "btrfs")
+ }
+
+ func TestBtrfsSubvolDelete(t *testing.T) {
++ testutil.RequiresRoot(t)
+ d := graphtest.GetDriver(t, "btrfs")
+ if err := d.CreateReadWrite("test", "", nil); err != nil {
+ t.Fatal(err)
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.4-Skip-builder-tests-that-require-root.patch b/base/docker/docker-20.10.4-Skip-builder-tests-that-require-root.patch
new file mode 100644
index 0000000..2166ddd
--- /dev/null
+++ b/base/docker/docker-20.10.4-Skip-builder-tests-that-require-root.patch
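Review bot: In the btrfs patch the added import `"github.com/docker/docker/testutil"` is appended to the standard-library group directly after `"testing"` rather than to the `github.com/docker/...` group below the blank line, which leaves the file not gofmt-clean. The same placement appears in the auth-middleware, builder, cli network, compression and devmapper patches of this commit. Moving the line into the third-party group in each patch keeps the patched tree passing upstream formatting checks and makes the patches easier to rebase.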
@@ -0,0 +1,102 @@
+From 1f8ac5f2a45ccbedb0904f6ac938f94ea655c49a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Wed, 3 Mar 2021 22:00:57 +0000
+Subject: [PATCH] Skip builder tests that require root
+
+Signed-off-by: Jamie Anderson
+---
+ builder/dockerfile/internals_test.go | 5 +++++
+ builder/remotecontext/tarsum_test.go | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/builder/dockerfile/internals_test.go b/builder/dockerfile/internals_test.go
+index 5353167..5a68a39 100644
+--- a/builder/dockerfile/internals_test.go
++++ b/builder/dockerfile/internals_test.go
+@@ -5,6 +5,7 @@ import (
+ "os"
+ "runtime"
+ "testing"
++ "github.com/docker/docker/testutil"
+
+ "github.com/docker/docker/api/types"
+ "github.com/docker/docker/api/types/backend"
+@@ -23,6 +24,7 @@ import (
+ )
+
+ func TestEmptyDockerfile(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ defer cleanup()
+
+@@ -32,6 +34,7 @@ func TestEmptyDockerfile(t *testing.T) {
+ }
+
+ func TestSymlinkDockerfile(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ defer cleanup()
+
+@@ -47,6 +50,7 @@ func TestSymlinkDockerfile(t *testing.T) {
+ }
+
+ func TestDockerfileOutsideTheBuildContext(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ defer cleanup()
+
+@@ -59,6 +63,7 @@ func TestDockerfileOutsideTheBuildContext(t *testing.T) {
+ }
+
+ func TestNonExistingDockerfile(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+ defer cleanup()
+
+diff --git a/builder/remotecontext/tarsum_test.go b/builder/remotecontext/tarsum_test.go
+index c6a417d..93643a5 100644
+--- a/builder/remotecontext/tarsum_test.go
++++ b/builder/remotecontext/tarsum_test.go
+@@ -5,6 +5,7 @@ import (
+ "os"
+ "path/filepath"
+ "testing"
++ "github.com/docker/docker/testutil"
+
+ "github.com/docker/docker/builder"
+ "github.com/docker/docker/pkg/archive"
+@@ -23,6 +24,7 @@ func init() {
+ }
+
+ func TestCloseRootDirectory(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, err := os.MkdirTemp("", "builder-tarsum-test")
+ defer os.RemoveAll(contextDir)
+ if err != nil {
+@@ -44,6 +46,7 @@ func TestCloseRootDirectory(t *testing.T) {
+ }
+
+ func TestHashFile(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+ defer cleanup()
+
+@@ -69,6 +72,7 @@ func TestHashFile(t *testing.T) {
+ }
+
+ func TestHashSubdir(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+ defer cleanup()
+
+@@ -106,6 +110,7 @@ func TestHashSubdir(t *testing.T) {
+ }
+
+ func TestRemoveDirectory(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+ defer cleanup()
+
+--
+2.25.0.24.gbc7a3d4
+
diff --git a/base/docker/docker-20.10.4-Skip-cli-tests-that-require-network.patch b/base/docker/docker-20.10.4-Skip-cli-tests-that-require-network.patch
new file mode 100644
index 0000000..f2ca8f5
--- /dev/null
+++ b/base/docker/docker-20.10.4-Skip-cli-tests-that-require-network.patch
@@ -0,0 +1,54 @@
+From 29cf333688cf38c615f6a2c4dfc8a1fddbbbb4aa Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Wed, 3 Mar 2021 23:02:57 +0000
+Subject: [PATCH] Skip cli tests that require network
+
+Signed-off-by: Jamie Anderson
+---
+ cli/command/image/pull_test.go | 2 ++
+ cli/command/image/push_test.go | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/cli/command/image/pull_test.go b/cli/command/image/pull_test.go
+index b9d4970..bb7ce0e 100644
+--- a/cli/command/image/pull_test.go
++++ b/cli/command/image/pull_test.go
+@@ -6,6 +6,7 @@ import (
+ "io"
+ "strings"
+ "testing"
++ "github.com/docker/cli/testutil"
+
+ "github.com/docker/cli/internal/test"
+ "github.com/docker/cli/internal/test/notary"
+@@ -16,6 +17,7 @@ import (
+ )
+
+ func TestNewPullCommandErrors(t *testing.T) {
++ testutil.SkipIfBuildroot(t)
+ testCases := []struct {
+ name string
+ args []string
+diff --git a/cli/command/image/push_test.go b/cli/command/image/push_test.go
+index 9636369..14bfbd2 100644
+--- a/cli/command/image/push_test.go
++++ b/cli/command/image/push_test.go
+@@ -5,6 +5,7 @@ import (
+ "io"
+ "strings"
+ "testing"
++ "github.com/docker/cli/testutil"
+
+ "github.com/docker/cli/internal/test"
+ "github.com/docker/docker/api/types"
+@@ -13,6 +14,7 @@ import (
+ )
+
+ func TestNewPushCommandErrors(t *testing.T) {
++ testutil.SkipIfBuildroot(t)
+ testCases := []struct {
+ name string
+ args []string
+--
+2.25.0.24.gbc7a3d4
+
diff --git a/base/docker/docker-20.10.4-Skip-compression-tests-that-require-root.patch b/base/docker/docker-20.10.4-Skip-compression-tests-that-require-root.patch
new file mode 100644
index 0000000..aea374d
--- /dev/null
+++ b/base/docker/docker-20.10.4-Skip-compression-tests-that-require-root.patch
@@ -0,0 +1,46 @@
+From 4622551eb4d29bee8fb30290368a4cce5af56737 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Fri, 19 Mar 2021 20:10:01 +0000
+Subject: [PATCH] Skip compression tests that require root
+
+Signed-off-by: Jamie Anderson
+---
+ cli/command/image/build/context_test.go | 2 ++
+ cli/command/image/build_test.go | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/cli/command/image/build/context_test.go b/cli/command/image/build/context_test.go
+index f216978..1dbea0b 100644
+--- a/cli/command/image/build/context_test.go
++++ b/cli/command/image/build/context_test.go
+@@ -10,6 +10,7 @@ import (
+ "runtime"
+ "strings"
+ "testing"
++ "github.com/docker/cli/testutil"
+
+ "github.com/docker/docker/pkg/archive"
+ "github.com/docker/docker/pkg/fileutils"
+@@ -173,6 +174,7 @@ func TestGetContextFromReaderString(t *testing.T) {
+ }
+
+ func TestGetContextFromReaderTar(t *testing.T) {
++ testutil.RequiresRoot(t)
+ contextDir := createTestTempDir(t)
+ createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents)
+
+diff --git a/cli/command/image/build_test.go b/cli/command/image/build_test.go
+index cef80a3..34014dd 100644
+--- a/cli/command/image/build_test.go
++++ b/cli/command/image/build_test.go
+@@ -27,6 +27,7 @@ import (
+ )
+
+ func TestRunBuildDockerfileFromStdinWithCompress(t *testing.T) {
++ testutil.RequiresRoot(t)
+ defer env.Patch(t, "DOCKER_BUILDKIT", "0")()
+ buffer := new(bytes.Buffer)
+ fakeBuild := newFakeBuild()
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.4-Skip-devmapper-tests-that-don-t-work-in-a-buildroot.patch b/base/docker/docker-20.10.4-Skip-devmapper-tests-that-don-t-work-in-a-buildroot.patch
new file mode 100644
index 0000000..154cd60
--- /dev/null
+++ b/base/docker/docker-20.10.4-Skip-devmapper-tests-that-don-t-work-in-a-buildroot.patch
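Review bot: In the compression patch, the `build_test.go` hunk calls `testutil.RequiresRoot(t)` but the patch adds no import to that file: the diffstat shows a single insertion and the hunk starts at line 27 on both sides, so nothing was added to the import block above it. Unless `build_test.go` already imports a `testutil` package outside the hunk, the test package will not compile. Add `"github.com/docker/cli/testutil"` to its imports as was done for `build/context_test.go`, or confirm that the existing import provides `RequiresRoot`.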
@@ -0,0 +1,85 @@ +From 00faa3a1652a57c9f8f6ceeb930020680d3d5295 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Tue, 2 Mar 2021 19:11:09 +0000 +Subject: [PATCH] Skip devmapper tests that don't work in a buildroot + +Signed-off-by: Jamie Anderson +--- + daemon/graphdriver/devmapper/devmapper_test.go | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/daemon/graphdriver/devmapper/devmapper_test.go b/daemon/graphdriver/devmapper/devmapper_test.go +index afd6c5b..dc59dc5 100644 +--- a/daemon/graphdriver/devmapper/devmapper_test.go ++++ b/daemon/graphdriver/devmapper/devmapper_test.go +@@ -8,6 +8,7 @@ import ( + "os/exec" + "syscall" + "testing" ++ "github.com/docker/docker/testutil" + "time" + + "github.com/docker/docker/daemon/graphdriver" +@@ -17,6 +18,10 @@ import ( + ) + + func init() { ++ if _, err := os.Stat("/.initialized"); err == nil { ++ // Don't try to call initLoopbacks() in a buildroot ++ return nil ++ } + // Reduce the size of the base fs and loopback for the tests + defaultDataLoopbackSize = 300 * 1024 * 1024 + defaultMetaDataLoopbackSize = 200 * 1024 * 1024 +@@ -71,26 +76,32 @@ func getBaseLoopStats() (*syscall.Stat_t, error) { + // This avoids creating a new driver for each test if all tests are run + // Make sure to put new tests between TestDevmapperSetup and TestDevmapperTeardown + func TestDevmapperSetup(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.GetDriver(t, "devicemapper") + } + + func TestDevmapperCreateEmpty(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestCreateEmpty(t, "devicemapper") + } + + func TestDevmapperCreateBase(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestCreateBase(t, "devicemapper") + } + + func TestDevmapperCreateSnap(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestCreateSnap(t, "devicemapper") + } + + func TestDevmapperTeardown(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.PutDriver(t) + } + + func 
TestDevmapperReduceLoopBackSize(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + tenMB := int64(10 * 1024 * 1024) + testChangeLoopBackSize(t, -tenMB, defaultDataLoopbackSize, defaultMetaDataLoopbackSize) + } +@@ -101,6 +112,7 @@ func TestDevmapperIncreaseLoopBackSize(t *testing.T) { + } + + func testChangeLoopBackSize(t *testing.T, delta, expectDataSize, expectMetaDataSize int64) { ++ testutil.SkipIfBuildroot(t) + driver := graphtest.GetDriver(t, "devicemapper").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver) + defer graphtest.PutDriver(t) + // make sure data or metadata loopback size are the default size +@@ -129,6 +141,7 @@ func testChangeLoopBackSize(t *testing.T, delta, expectDataSize, expectMetaDataS + + // Make sure devices.Lock() has been release upon return from cleanupDeletedDevices() function + func TestDevmapperLockReleasedDeviceDeletion(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + driver := graphtest.GetDriver(t, "devicemapper").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver) + defer graphtest.PutDriver(t) + +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-distribution-tests-that-network.patch b/base/docker/docker-20.10.4-Skip-distribution-tests-that-network.patch new file mode 100644 index 0000000..0c1fd4f --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-distribution-tests-that-network.patch 
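Review bot: `return nil` inside `func init()` in devmapper_test.go does not compile, because init has no result parameters; the early exit must be a bare `return`. The guard also calls `os.Stat`, while the visible import context shows only `"os/exec"`, so confirm that `"os"` is imported above the hunk. The `/.initialized` probe is spelled out by hand here, whereas every test below goes through `testutil.SkipIfBuildroot`, whose definition is not part of this patch; a shared predicate would keep the two checks from drifting apart. The body of init continues outside the hunk.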
@@ -0,0 +1,32 @@ +From e880fb184cc9147cc9dd3387752c1ef8b3d20be2 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Wed, 3 Mar 2021 21:20:24 +0000 +Subject: [PATCH] Skip distribution tests that network + +Signed-off-by: Jamie Anderson +--- + distribution/xfer/transfer_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/distribution/xfer/transfer_test.go b/distribution/xfer/transfer_test.go +index f8f8e96..6764f17 100644 +--- a/distribution/xfer/transfer_test.go ++++ b/distribution/xfer/transfer_test.go +@@ -3,12 +3,14 @@ package xfer // import "github.com/docker/docker/distribution/xfer" + import ( + "sync/atomic" + "testing" ++ "github.com/docker/docker/testutil" + "time" + + "github.com/docker/docker/pkg/progress" + ) + + func TestTransfer(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + makeXferFunc := func(id string) DoFunc { + return func(progressChan chan<- progress.Progress, start <-chan struct{}, _ chan<- struct{}) Transfer { + select { +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-engine-layer-tests.patch b/base/docker/docker-20.10.4-Skip-engine-layer-tests.patch new file mode 100644 index 0000000..60ef47f --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-engine-layer-tests.patch 
@@ -0,0 +1,160 @@ +From bad779d02c86a9cf6bdd3b376920093da9441739 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Mon, 8 Mar 2021 19:27:36 +0000 +Subject: [PATCH] Skip layer tests that require root + +Signed-off-by: Jamie Anderson +--- + layer/layer_test.go | 7 +++++++ + layer/layer_unix_test.go | 2 ++ + layer/migration_test.go | 3 +++ + layer/mount_test.go | 4 ++++ + 4 files changed, 16 insertions(+) + +diff --git a/layer/layer_test.go b/layer/layer_test.go +index 9199b9c..abd6bde 100644 +--- a/layer/layer_test.go ++++ b/layer/layer_test.go +@@ -9,6 +9,7 @@ import ( + "runtime" + "strings" + "testing" ++ "github.com/docker/docker/testutil" + + "github.com/containerd/continuity/driver" + "github.com/docker/docker/daemon/graphdriver" +@@ -258,6 +259,7 @@ func assertLayerEqual(t *testing.T, l1, l2 Layer) { + } + + func TestMountAndRegister(t *testing.T) { ++ testutil.RequiresRoot(t) + ls, _, cleanup := newTestStore(t) + defer cleanup() + +@@ -299,6 +301,7 @@ func TestMountAndRegister(t *testing.T) { + } + + func TestLayerRelease(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -348,6 +351,7 @@ func TestLayerRelease(t *testing.T) { + } + + func TestStoreRestore(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -463,6 +467,7 @@ func TestStoreRestore(t *testing.T) { + } + + func TestTarStreamStability(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -656,6 +661,7 @@ func assertReferences(t *testing.T, references ...Layer) { + } + + func TestRegisterExistingLayer(t *testing.T) { ++ testutil.RequiresRoot(t) + ls, _, cleanup := newTestStore(t) + defer cleanup() + +@@ -692,6 +698,7 @@ func TestRegisterExistingLayer(t *testing.T) { + } + 
+ func TestTarStreamVerification(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +diff --git a/layer/layer_unix_test.go b/layer/layer_unix_test.go +index 6830158..fc12af7 100644 +--- a/layer/layer_unix_test.go ++++ b/layer/layer_unix_test.go +@@ -4,6 +4,7 @@ package layer // import "github.com/docker/docker/layer" + + import ( + "testing" ++ "github.com/docker/docker/testutil" + ) + + func graphDiffSize(ls Store, l Layer) (int64, error) { +@@ -18,6 +19,7 @@ func graphDiffSize(ls Store, l Layer) (int64, error) { + // Unix as Windows graph driver does not support Changes which is indirectly + // invoked by calling DiffSize on the driver + func TestLayerSize(t *testing.T) { ++ testutil.RequiresRoot(t) + ls, _, cleanup := newTestStore(t) + defer cleanup() + +diff --git a/layer/migration_test.go b/layer/migration_test.go +index 2b5c330..1cb6d0d 100644 +--- a/layer/migration_test.go ++++ b/layer/migration_test.go +@@ -9,6 +9,7 @@ import ( + "path/filepath" + "runtime" + "testing" ++ "github.com/docker/docker/testutil" + + "github.com/docker/docker/daemon/graphdriver" + "github.com/docker/docker/pkg/stringid" +@@ -41,6 +42,7 @@ func writeTarSplitFile(name string, tarContent []byte) error { + } + + func TestLayerMigration(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -177,6 +179,7 @@ func tarFromFilesInGraph(graph graphdriver.Driver, graphID, parentID string, fil + } + + func TestLayerMigrationNoTarsplit(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +diff --git a/layer/mount_test.go b/layer/mount_test.go +index 3c868b2..c2ea782 100644 +--- a/layer/mount_test.go ++++ b/layer/mount_test.go +@@ -5,6 +5,7 @@ import ( + "runtime" + "sort" + 
"testing" ++ "github.com/docker/docker/testutil" + + "github.com/containerd/continuity/driver" + "github.com/docker/docker/pkg/archive" +@@ -12,6 +13,7 @@ import ( + ) + + func TestMountInit(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -71,6 +73,7 @@ func TestMountInit(t *testing.T) { + } + + func TestMountSize(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +@@ -120,6 +123,7 @@ func TestMountSize(t *testing.T) { + } + + func TestMountChanges(t *testing.T) { ++ testutil.RequiresRoot(t) + // TODO Windows: Figure out why this is failing + if runtime.GOOS == "windows" { + t.Skip("Failing on Windows") +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-get-source-mount.patch b/base/docker/docker-20.10.4-Skip-get-source-mount.patch new file mode 100644 index 0000000..6b2ae16 --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-get-source-mount.patch 
@@ -0,0 +1,33 @@ +From a7a12b2fcec36a5d60e60f87dc6808bdf012f4d8 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Thu, 11 Mar 2021 21:40:57 +0000 +Subject: [PATCH] Skip daemon/TestGetSourceMount in buildroot + +Signed-off-by: Jamie Anderson +--- + daemon/oci_linux_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/daemon/oci_linux_test.go b/daemon/oci_linux_test.go +index 890875a..f814dbc 100644 +--- a/daemon/oci_linux_test.go ++++ b/daemon/oci_linux_test.go +@@ -5,6 +5,7 @@ import ( + "os" + "path/filepath" + "testing" ++ "github.com/docker/docker/testutil" + + containertypes "github.com/docker/docker/api/types/container" + "github.com/docker/docker/container" +@@ -180,6 +181,7 @@ func TestSysctlOverrideHost(t *testing.T) { + } + + func TestGetSourceMount(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + // must be able to find source mount for / + mnt, _, err := getSourceMount("/") + assert.NilError(t, err) +-- +2.31.0.rc2 + diff --git a/base/docker/docker-20.10.4-Skip-git-tests.patch b/base/docker/docker-20.10.4-Skip-git-tests.patch new file mode 100644 index 0000000..7213972 --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-git-tests.patch 
@@ -0,0 +1,35 @@ +From 41d73e0b128e30ea17f5e319906846a9da2fcdd5 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Fri, 19 Mar 2021 18:34:30 +0000 +Subject: [PATCH] Skip git tests + +These tests fail in a buildroot because they try to talk to GitHub + +Signed-off-by: Jamie Anderson +--- + cli/command/image/build_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/cli/command/image/build_test.go b/cli/command/image/build_test.go +index 4317a74..cef80a3 100644 +--- a/cli/command/image/build_test.go ++++ b/cli/command/image/build_test.go +@@ -12,6 +12,7 @@ import ( + "path/filepath" + "sort" + "testing" ++ "github.com/docker/cli/testutil" + + "github.com/docker/cli/cli/streams" + "github.com/docker/cli/internal/test" +@@ -126,6 +127,7 @@ COPY data /data + // TODO: test "context selection" logic directly when runBuild is refactored + // to support testing (ex: docker/cli#294) + func TestRunBuildFromGitHubSpecialCase(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + defer env.Patch(t, "DOCKER_BUILDKIT", "0")() + cmd := NewBuildCommand(test.NewFakeCli(&fakeClient{})) + // Clone a small repo that exists so git doesn't prompt for credentials +-- +2.31.0.rc2 + diff --git a/base/docker/docker-20.10.4-Skip-mutating-vfs-tests.patch b/base/docker/docker-20.10.4-Skip-mutating-vfs-tests.patch new file mode 100644 index 0000000..2c181da --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-mutating-vfs-tests.patch 
@@ -0,0 +1,57 @@ +From 29304ba81dd3a600454c017d7720a608143d87a0 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Tue, 2 Mar 2021 19:26:37 +0000 +Subject: [PATCH] Skip mutating vfs tests + +Signed-off-by: Jamie Anderson +--- + daemon/graphdriver/vfs/vfs_test.go | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/daemon/graphdriver/vfs/vfs_test.go b/daemon/graphdriver/vfs/vfs_test.go +index 7c59ec3..9562959 100644 +--- a/daemon/graphdriver/vfs/vfs_test.go ++++ b/daemon/graphdriver/vfs/vfs_test.go +@@ -4,6 +4,7 @@ package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs" + + import ( + "testing" ++ "github.com/docker/docker/testutil" + + "github.com/docker/docker/daemon/graphdriver/graphtest" + +@@ -17,25 +18,31 @@ func init() { + // This avoids creating a new driver for each test if all tests are run + // Make sure to put new tests between TestVfsSetup and TestVfsTeardown + func TestVfsSetup(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.GetDriver(t, "vfs") + } + + func TestVfsCreateEmpty(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestCreateEmpty(t, "vfs") + } + + func TestVfsCreateBase(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestCreateBase(t, "vfs") + } + + func TestVfsCreateSnap(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestCreateSnap(t, "vfs") + } + + func TestVfsSetQuota(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.DriverTestSetQuota(t, "vfs", false) + } + + func TestVfsTeardown(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + graphtest.PutDriver(t) + } +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-mutating-volume-local-tests.patch b/base/docker/docker-20.10.4-Skip-mutating-volume-local-tests.patch new file mode 100644 index 0000000..39abda2 --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-mutating-volume-local-tests.patch 
@@ -0,0 +1,57 @@ +From cdaa60828f12a4e3f122e2120e57c6508456cb4d Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Wed, 3 Mar 2021 17:55:10 +0000 +Subject: [PATCH] Skip mutating volume/local tests + +Signed-off-by: Jamie Anderson +--- + volume/local/local_test.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/volume/local/local_test.go b/volume/local/local_test.go +index 8045e87..12bc7d8 100644 +--- a/volume/local/local_test.go ++++ b/volume/local/local_test.go +@@ -8,6 +8,7 @@ import ( + "runtime" + "strings" + "testing" ++ "github.com/docker/docker/testutil" + + "github.com/docker/docker/pkg/idtools" + "github.com/moby/sys/mountinfo" +@@ -31,6 +32,7 @@ func TestGetAddress(t *testing.T) { + } + + func TestRemove(t *testing.T) { ++ testutil.RequiresRoot(t) + skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI") + rootDir, err := os.MkdirTemp("", "local-volume-test") + if err != nil { +@@ -74,6 +76,7 @@ func TestRemove(t *testing.T) { + } + + func TestInitializeWithVolumes(t *testing.T) { ++ testutil.RequiresRoot(t) + rootDir, err := os.MkdirTemp("", "local-volume-test") + if err != nil { + t.Fatal(err) +@@ -106,6 +109,7 @@ func TestInitializeWithVolumes(t *testing.T) { + } + + func TestCreate(t *testing.T) { ++ testutil.RequiresRoot(t) + rootDir, err := os.MkdirTemp("", "local-volume-test") + if err != nil { + t.Fatal(err) +@@ -277,6 +281,7 @@ func TestCreateWithOpts(t *testing.T) { + } + + func TestRelaodNoOpts(t *testing.T) { ++ testutil.RequiresRoot(t) + rootDir, err := os.MkdirTemp("", "volume-test-reload-no-opts") + if err != nil { + t.Fatal(err) +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-pkg-authorization-tests-that-create-sockets.patch b/base/docker/docker-20.10.4-Skip-pkg-authorization-tests-that-create-sockets.patch new file mode 100644 index 0000000..12aea3f --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-pkg-authorization-tests-that-create-sockets.patch 
@@ -0,0 +1,49 @@ +From 56221d3508e4e82f4fc51c17836609eb031af670 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Wed, 3 Mar 2021 18:19:29 +0000 +Subject: [PATCH] Skip pkg/authorization tests that create sockets + +Signed-off-by: Jamie Anderson +--- + pkg/authorization/authz_unix_test.go | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go +index 9b48986..0ac5e92 100644 +--- a/pkg/authorization/authz_unix_test.go ++++ b/pkg/authorization/authz_unix_test.go +@@ -17,6 +17,7 @@ import ( + "reflect" + "strings" + "testing" ++ "github.com/docker/docker/testutil" + + "github.com/docker/docker/pkg/plugins" + "github.com/docker/go-connections/tlsconfig" +@@ -28,6 +29,7 @@ const ( + ) + + func TestAuthZRequestPluginError(t *testing.T) { ++ testutil.RequiresRoot(t) + server := authZPluginTestServer{t: t} + server.start() + defer server.stop() +@@ -59,6 +61,7 @@ func TestAuthZRequestPluginError(t *testing.T) { + } + + func TestAuthZRequestPlugin(t *testing.T) { ++ testutil.RequiresRoot(t) + server := authZPluginTestServer{t: t} + server.start() + defer server.stop() +@@ -91,6 +94,7 @@ func TestAuthZRequestPlugin(t *testing.T) { + } + + func TestAuthZResponsePlugin(t *testing.T) { ++ testutil.RequiresRoot(t) + server := authZPluginTestServer{t: t} + server.start() + defer server.stop() +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-pkg-idtools-tests-that-require-root.patch b/base/docker/docker-20.10.4-Skip-pkg-idtools-tests-that-require-root.patch new file mode 100644 index 0000000..8187e6b --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-pkg-idtools-tests-that-require-root.patch 
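Review bot: The subject says these tests are skipped because they create sockets, but the guard added to TestAuthZRequestPluginError, TestAuthZRequestPlugin and TestAuthZResponsePlugin is `testutil.RequiresRoot(t)`, which names a different condition. If socket creation in the buildroot is the real obstacle, `testutil.SkipIfBuildroot(t)`, as used by the other patches here, states it accurately and keeps the tests running for unprivileged developers elsewhere. These three tests cover the authorization-plugin request and response path, so the lost coverage should be a recorded decision. A comment above each call would do, such as `// packaging: skipped because the test server creates a socket; the authz plugin path is not exercised in package builds`.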
@@ -0,0 +1,20 @@ +Index: docker-ce-17.11.0-ce/pkg/idtools/idtools_unix_test.go +=================================================================== +--- docker-ce-17.11.0-ce.orig/pkg/idtools/idtools_unix_test.go ++++ docker-ce-17.11.0-ce/pkg/idtools/idtools_unix_test.go +@@ -239,6 +239,7 @@ func delUser(t *testing.T, name string) + } + + func TestParseSubidFileWithNewlinesAndComments(t *testing.T) { ++ RequiresRoot(t) + tmpDir, err := os.MkdirTemp("", "parsesubid") + if err != nil { + t.Fatal(err) +@@ -267,6 +268,7 @@ dockremap:231072:65536` + } + + func TestGetRootUIDGID(t *testing.T) { ++ RequiresRoot(t) + uidMap := []IDMap{ + { + ContainerID: 0, diff --git a/base/docker/docker-20.10.4-Skip-pkg-sysinfo-tests-that-require-root.patch b/base/docker/docker-20.10.4-Skip-pkg-sysinfo-tests-that-require-root.patch new file mode 100644 index 0000000..51c316a --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-pkg-sysinfo-tests-that-require-root.patch @@ -0,0 +1,32 @@ +From 34f63b7d07c0a1c9a8986c896ebbdf6ae131629f Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Wed, 3 Mar 2021 17:45:43 +0000 +Subject: [PATCH] Skip pkg/sysinfo tests that require root + +Signed-off-by: Jamie Anderson +--- + pkg/sysinfo/sysinfo_linux_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/pkg/sysinfo/sysinfo_linux_test.go b/pkg/sysinfo/sysinfo_linux_test.go +index aa557c9..ffb4b70 100644 +--- a/pkg/sysinfo/sysinfo_linux_test.go ++++ b/pkg/sysinfo/sysinfo_linux_test.go +@@ -6,12 +6,14 @@ import ( + "path" + "path/filepath" + "testing" ++ "github.com/docker/docker/testutil" + + "golang.org/x/sys/unix" + "gotest.tools/v3/assert" + ) + + func TestReadProcBool(t *testing.T) { ++ testutil.RequiresRoot(t) + tmpDir, err := os.MkdirTemp("", "test-sysinfo-proc") + assert.NilError(t, err) + defer os.RemoveAll(tmpDir) +-- +2.25.0.24.gbc7a3d4 + 
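Review bot: The idtools patch calls an unqualified `RequiresRoot(t)`, so it resolves to whatever helper the idtools package's own tests define rather than to `testutil.RequiresRoot` used by the rest of the series. That helper is not visible here; if it tests the effective uid while the testutil one is flag-driven, the same build will skip inconsistently. The header also still names `docker-ce-17.11.0-ce` although the file is versioned 20.10.4, and it carries no description. Add a short header saying why TestParseSubidFileWithNewlinesAndComments and TestGetRootUIDGID need root in the buildroot, and which helper is meant.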
diff --git a/base/docker/docker-20.10.4-Skip-quota-tests.patch b/base/docker/docker-20.10.4-Skip-quota-tests.patch new file mode 100644 index 0000000..5bbcaa7 --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-quota-tests.patch @@ -0,0 +1,33 @@ +From 6ff01f51e73537015d6ec9a182f6b740cea16e76 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Thu, 4 Mar 2021 18:11:39 +0000 +Subject: [PATCH] Skip quota tests that try to manage block devices + +Signed-off-by: Jamie Anderson +--- + quota/projectquota_test.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/quota/projectquota_test.go b/quota/projectquota_test.go +index 9bf5c29..4e1e9c2 100644 +--- a/quota/projectquota_test.go ++++ b/quota/projectquota_test.go +@@ -8,6 +8,7 @@ import ( + "os" + "path/filepath" + "testing" ++ "github.com/docker/docker/testutil" + + "gotest.tools/v3/assert" + is "gotest.tools/v3/assert/cmp" +@@ -17,6 +18,7 @@ import ( + const testQuotaSize = 10 * 1024 * 1024 + + func TestBlockDev(t *testing.T) { ++ testutil.SkipIfBuildroot(t) + if msg, ok := CanTestQuota(); !ok { + t.Skip(msg) + } +-- +2.25.0.24.gbc7a3d4 + diff --git a/base/docker/docker-20.10.4-Skip-volume-store-tests.patch b/base/docker/docker-20.10.4-Skip-volume-store-tests.patch new file mode 100644 index 0000000..a3a70fe --- /dev/null +++ b/base/docker/docker-20.10.4-Skip-volume-store-tests.patch 
@@ -0,0 +1,41 @@ +From de0a19b6da6b704d63e4c36586f120a6ee6b262a Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Wed, 10 Mar 2021 19:12:49 +0000 +Subject: [PATCH] Skip volume store tests that require root + +Signed-off-by: Jamie Anderson +--- + volume/service/store_test.go | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/volume/service/store_test.go b/volume/service/store_test.go +index 5442f45..ef044d0 100644 +--- a/volume/service/store_test.go ++++ b/volume/service/store_test.go +@@ -9,6 +9,7 @@ import ( + "os" + "strings" + "testing" ++ "github.com/docker/docker/testutil" + + "github.com/docker/docker/volume" + volumedrivers "github.com/docker/docker/volume/drivers" +@@ -288,6 +289,7 @@ func TestDefererencePluginOnCreateError(t *testing.T) { + } + + func TestRefDerefRemove(t *testing.T) { ++ testutil.RequiresRoot(t) + t.Parallel() + + driverName := "test-ref-deref-remove" +@@ -309,6 +311,7 @@ func TestRefDerefRemove(t *testing.T) { + } + + func TestGet(t *testing.T) { ++ testutil.RequiresRoot(t) + t.Parallel() + + driverName := "test-get" +-- +2.31.0.rc2 + diff --git a/base/docker/docker-20.10.4-fix-TestTarUntarWithXattr-failure-on-4.14+-kernel.patch b/base/docker/docker-20.10.4-fix-TestTarUntarWithXattr-failure-on-4.14+-kernel.patch new file mode 100644 index 0000000..091283c --- /dev/null +++ b/base/docker/docker-20.10.4-fix-TestTarUntarWithXattr-failure-on-4.14+-kernel.patch 
@@ -0,0 +1,22 @@ +diff --git a/pkg/archive/archive_unix_test.go b/pkg/archive/archive_unix_test.go +index dc4e1fd..6fb8895 100644 +--- a/pkg/archive/archive_unix_test.go ++++ b/pkg/archive/archive_unix_test.go +@@ -241,7 +241,7 @@ func TestTarUntarWithXattr(t *testing.T) { + err = os.WriteFile(filepath.Join(origin, "3"), []byte("will be ignored"), 0700) + assert.NilError(t, err) + // there is no known Go implementation of setcap/getcap with support for v3 file capability +- out, err := exec.Command("setcap", "cap_block_suspend+ep", filepath.Join(origin, "2")).CombinedOutput() ++ out, err := exec.Command("setcap", "cap_sys_nice+ep", filepath.Join(origin, "2")).CombinedOutput() + assert.NilError(t, err, string(out)) + + for _, c := range []Compression{ +@@ -262,7 +262,7 @@ func TestTarUntarWithXattr(t *testing.T) { + } + out, err := exec.Command("getcap", filepath.Join(origin, "2")).CombinedOutput() + assert.NilError(t, err, string(out)) +- assert.Check(t, is.Contains(string(out), "cap_block_suspend=ep"), "untar should have kept the 'security.capability' xattr") ++ assert.Check(t, is.Contains(string(out), "cap_sys_nice+ep"), "untar should have kept the 'security.capability' xattr") + } + } + diff --git a/base/docker/docker-20.10.4-systemd-unit-runtimes.d.patch b/base/docker/docker-20.10.4-systemd-unit-runtimes.d.patch new file mode 100644 index 0000000..7c695f8 --- /dev/null +++ b/base/docker/docker-20.10.4-systemd-unit-runtimes.d.patch @@ -0,0 +1,43 @@ +From 414e5fb4ca7f14fae5ff57c4fb1fd64b77e9b733 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Fri, 12 Mar 2021 17:10:08 +0000 +Subject: [PATCH] Support /etc/docker-runtimes.d + +Reworked for docker 20.10.4 +Original patch message: + From 77efbceb6f074900c72855af903b63685803bc59 Mon Sep 17 00:00:00 2001 + 
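Review bot: The new assertion `is.Contains(string(out), "cap_sys_nice+ep")` pins getcap's output format, while the line it replaces matched the `=ep` form. The two forms appear to come from different libcap releases, so the test in TestTarUntarWithXattr may now pass or fail depending on the libcap installed in the buildroot. What the check needs to show is that the `security.capability` xattr survived the untar, and `is.Contains(string(out), "cap_sys_nice")` does that on either format. The patch has no description; add a header explaining why `cap_block_suspend` is replaced on 4.14+ kernels. The function continues outside both hunks.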
From: Jacob Vallejo + Date: Mon, 23 Sep 2019 15:58:38 -0700 + Subject: [PATCH] Support /etc/docker-runtimes.d + + Use additional configured runtimes by evaluating their configs and + subsequently providing any necessary configuration flags to the docker + daemon at startup. + +Signed-off-by: Jamie Anderson +--- + contrib/init/systemd/docker.service | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service +index d76aee3..7e87245 100644 +--- a/contrib/init/systemd/docker.service ++++ b/contrib/init/systemd/docker.service +@@ -9,10 +9,13 @@ Requires=docker.socket + Type=notify + EnvironmentFile=-/etc/sysconfig/docker + EnvironmentFile=-/etc/sysconfig/docker-storage ++EnvironmentFile=-/run/docker/runtimes.env ++ExecStartPre=/bin/mkdir -p /run/docker ++ExecStartPre=/usr/libexec/docker/docker-setup-runtimes.sh + # the default is not to use systemd for cgroups because the delegate issues still + # exists and systemd currently does not support the cgroup feature set required + # for containers run by docker +-ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS ++ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES + ExecReload=/bin/kill -s HUP $MAINPID + LimitNOFILE=1048576 + # Having non-zero Limit*s causes performance problems due to accounting overhead +-- +2.31.0.rc2 + diff --git a/base/docker/docker-20.10.4-systemd-unit-sysconfig.patch b/base/docker/docker-20.10.4-systemd-unit-sysconfig.patch new file mode 100644 index 0000000..29bd7cd --- /dev/null +++ b/base/docker/docker-20.10.4-systemd-unit-sysconfig.patch 
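Review bot: `$DOCKER_ADD_RUNTIMES` is expanded into the root daemon's command line from `/run/docker/runtimes.env`, which the description says is derived from the configs evaluated by `docker-setup-runtimes.sh`. A registered runtime is a binary dockerd will execute, so the unit should state the trust assumption. A comment above the new lines would do, such as `# runtimes.env is generated from /etc/docker-runtimes.d; script, directory and env file must be root-owned and not group/world-writable`. Neither `ExecStartPre=` line carries the `-` prefix, so a failing setup script (not shown here) keeps dockerd from starting. If that fail-closed behaviour is intended, say so in the same comment.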
@@ -0,0 +1,40 @@
+From 863e370fa7b6abffe839ba405b72f409116ad677 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Wed, 10 Mar 2021 19:25:02 +0000
+Subject: [PATCH] Support the use of sysconfig envvars in unit
+
+Reworked for 20.10.4
+Original patch message:
+ From: Jacob Vallejo
+ Date: Mon, 23 Sep 2019 15:55:53 -0700
+ Subject: [PATCH] Support the use of sysconfig envvars in unit
+
+ Environment variables may be conventionally configured here and are
+ wired up into the startup of docker if they are provided.
+
+Signed-off-by: Jamie Anderson
+---
+ contrib/init/systemd/docker.service | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service
+index 5174631..a92685e 100644
+--- a/contrib/init/systemd/docker.service
++++ b/contrib/init/systemd/docker.service
+@@ -7,10 +7,12 @@ Requires=docker.socket
+
+ [Service]
+ Type=notify
++EnvironmentFile=-/etc/sysconfig/docker
++EnvironmentFile=-/etc/sysconfig/docker-storage
+ # the default is not to use systemd for cgroups because the delegate issues still
+ # exists and systemd currently does not support the cgroup feature set required
+ # for containers run by docker
+-ExecStart=/usr/bin/dockerd -H fd://
++ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS
+ ExecReload=/bin/kill -s HUP $MAINPID
+ LimitNOFILE=1048576
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.4-sysvinit-add-storage-opts.patch b/base/docker/docker-20.10.4-sysvinit-add-storage-opts.patch
new file mode 100644
index 0000000..4b26e6e
--- /dev/null
+++ b/base/docker/docker-20.10.4-sysvinit-add-storage-opts.patch
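Review bot: The new `ExecStart=` line also adds `--containerd=/run/containerd/containerd.sock`, which neither the subject nor the description mentions. With that flag dockerd connects to an externally managed containerd instead of starting its own. The `[Unit]` section is outside the hunk apart from `Requires=docker.socket` in the header context, so confirm the unit is ordered after containerd and pulls it in, for example `After=containerd.service` and `Wants=containerd.service`. Name the flag in the patch description as well.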
@@ -0,0 +1,29 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -30,6 +30,15 @@ lockfile="/var/lock/subsys/$prog"
+ logfile="/var/log/$prog"
+
+ [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
++[ -e /etc/sysconfig/${prog}-storage ] && . /etc/sysconfig/${prog}-storage
++
++# Additional start options for the Docker daemon can
++# be defined in the $OPTIONS variable in /etc/sysconfig/docker,
++# which is also the variable name referenced by the systemd unit.
++# If $OPTIONS is not defined, we set it to the value of $other_args,
++# which is the variable name expected by the upstream sysvinit script.
++OPTIONS="${OPTIONS:-${other_args}}"
++
+
+ prestart() {
+ service cgconfig status > /dev/null
+@@ -56,7 +65,7 @@ start() {
+ prestart
+ printf "Starting $prog:\t"
+ echo "\n$(date)\n" >> $logfile
+- "$unshare" -m -- nohup $exec $other_args >> $logfile 2>&1 &
++ "$unshare" -m -- nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
+ pid=$!
+ touch $lockfile
+ # wait up to 10 seconds for the pidfile to exist. see
diff --git a/base/docker/docker-20.10.4-sysvinit-configurable-start-timeout.patch b/base/docker/docker-20.10.4-sysvinit-configurable-start-timeout.patch
new file mode 100644
index 0000000..fa5525a
--- /dev/null
+++ b/base/docker/docker-20.10.4-sysvinit-configurable-start-timeout.patch
@@ -0,0 +1,26 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -41,6 +41,9 @@ logfile="/var/log/$prog"
+ # which is the variable name expected by the upstream sysvinit script.
+ OPTIONS="${OPTIONS:-${other_args}}"
+
++# How many seconds to wait for the pidfile to appear after starting the daemon.
++# The default value from upstream is 10.
++DAEMON_PIDFILE_TIMEOUT="${DAEMON_PIDFILE_TIMEOUT:-10}"
+
+ prestart() {
+ service cgconfig status > /dev/null
+@@ -70,10 +73,8 @@ start() {
+ "$unshare" -m -- nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
+ pid=$!
+ touch $lockfile
+- # wait up to 10 seconds for the pidfile to exist. see
+- # https://github.com/docker/docker/issues/5359
+ tries=0
+- while [ ! -f $pidfile -a $tries -lt 10 ]; do
++ while [ ! -f $pidfile -a $tries -lt ${DAEMON_PIDFILE_TIMEOUT} ]; do
+ sleep 1
+ tries=$((tries + 1))
+ echo -n '.'
diff --git a/base/docker/docker-20.10.4-sysvinit-increase-daemon-maxfiles.patch b/base/docker/docker-20.10.4-sysvinit-increase-daemon-maxfiles.patch
new file mode 100644
index 0000000..41c72c7
--- /dev/null
+++ b/base/docker/docker-20.10.4-sysvinit-increase-daemon-maxfiles.patch
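Review bot: `DAEMON_PIDFILE_TIMEOUT` goes unquoted and unvalidated into `[ ... -lt ${DAEMON_PIDFILE_TIMEOUT} ]`, and it appears to come from the sourced sysconfig file. A non-numeric value makes the test fail with an error, so the loop ends at once and start() no longer waits for the pidfile at all. Fall back to the default right after the assignment: `case "$DAEMON_PIDFILE_TIMEOUT" in ''|*[!0-9]*) DAEMON_PIDFILE_TIMEOUT=10 ;; esac`. The patch also deletes the comment pointing at docker/docker issue 5359, which explained why the wait exists; keep that reference next to the new variable. start() continues outside the hunk.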
@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -32,6 +32,8 @@ logfile="/var/log/$prog"
+ [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+ [ -e /etc/sysconfig/${prog}-storage ] && . /etc/sysconfig/${prog}-storage
+
++[ -n "${DAEMON_MAXFILES}" ] && ulimit -n "${DAEMON_MAXFILES}"
++
+ # Additional start options for the Docker daemon can
+ # be defined in the $OPTIONS variable in /etc/sysconfig/docker,
+ # which is also the variable name referenced by the systemd unit.
diff --git a/base/docker/docker-20.10.4-sysvinit-stop-before-network.patch b/base/docker/docker-20.10.4-sysvinit-stop-before-network.patch
new file mode 100644
index 0000000..37b8cab
--- /dev/null
+++ b/base/docker/docker-20.10.4-sysvinit-stop-before-network.patch
@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -4,7 +4,7 @@
+ #
+ # Daemon for docker.com
+ #
+-# chkconfig: 2345 95 95
++# chkconfig: 2345 95 05
+ # description: Daemon for docker.com
+
+ ### BEGIN INIT INFO
diff --git a/base/docker/docker-20.10.4-sysvinit-use-nohup.patch b/base/docker/docker-20.10.4-sysvinit-use-nohup.patch
new file mode 100644
index 0000000..81fa45c
--- /dev/null
+++ b/base/docker/docker-20.10.4-sysvinit-use-nohup.patch
@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -56,7 +56,7 @@ start() {
+ prestart
+ printf "Starting $prog:\t"
+ echo "\n$(date)\n" >> $logfile
+- "$unshare" -m -- $exec $other_args >> $logfile 2>&1 &
++ "$unshare" -m -- nohup $exec $other_args >> $logfile 2>&1 &
+ pid=$!
+ touch $lockfile
+ # wait up to 10 seconds for the pidfile to exist. see
diff --git a/base/docker/docker-20.10.7-Add-test-skip-helpers-to-cli.patch b/base/docker/docker-20.10.7-Add-test-skip-helpers-to-cli.patch
new file mode 100644
index 0000000..c1b963e
--- /dev/null
+++ b/base/docker/docker-20.10.7-Add-test-skip-helpers-to-cli.patch
@@ -0,0 +1,96 @@
+From f8f7e0d380488665cb77d8213d816bfdeeb7a252 Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Wed, 18 Aug 2021 22:33:15 +0000
+Subject: [PATCH] Add test skip helpers to cli/testutil
+
+Signed-off-by: Jamie Anderson
+---
+ testutil/helpers.go | 14 ++++++++++++++
+ testutil/helpers_unix.go | 34 ++++++++++++++++++++++++++++++++++
+ testutil/helpers_windows.go | 12 ++++++++++++
+ 3 files changed, 60 insertions(+)
+ create mode 100644 testutil/helpers.go
+ create mode 100644 testutil/helpers_unix.go
+ create mode 100644 testutil/helpers_windows.go
+
+diff --git a/testutil/helpers.go b/testutil/helpers.go
+new file mode 100644
+index 0000000..0eeff25
+--- /dev/null
++++ b/testutil/helpers.go
+@@ -0,0 +1,14 @@
++package testutil // import "github.com/docker/cli/testutil"
++
++import (
++ "flag"
++)
++
++// This variable and the init() function copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers.go
++// Original Copyright The Containerd Authors. Licensed under the Apache License, Version 2.0.
++var rootEnabled bool
++
++func init() {
++ flag.BoolVar(&rootEnabled, "test.root", false, "enable tests that require root")
++}
+diff --git a/testutil/helpers_unix.go b/testutil/helpers_unix.go
+new file mode 100644
+index 0000000..c846775
+--- /dev/null
++++ b/testutil/helpers_unix.go
+@@ -0,0 +1,34 @@
++// +build !windows
++
++package testutil
++
++import (
++ "os"
++ "testing"
++
++ "gotest.tools/v3/assert"
++)
++
++// This function was copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers_unix.go
++// Original Copyright The Containerd Authors. Licensed under the Apache License, Version 2.0.
++// RequiresRoot skips tests that require root, unless the test.root flag has
++// been set
++func RequiresRoot(t testing.TB) {
++ if !rootEnabled {
++ t.Skip("skipping test that requires root")
++ }
++ assert.Equal(t, 0, os.Getuid(), "This test must be run as root.")
++}
++
++// This function is adapted from a previous patch applied by Amazon
++// The existence of /.initialized or /builddir is a marker that we're in a build chroot
++// Tests that perform filesystem operations, generate non-localhost network traffic,
++// and possibly other things, are likely to not work correctly
++func SkipIfBuildroot(t testing.TB) {
++ if _, err := os.Stat("/.initialized"); err == nil {
++ t.Skip("not appropriate for a buildroot environment")
++ } else if _, err := os.Stat("/builddir"); err == nil {
++ t.Skip("not appropriate for a buildroot environment")
++ }
++}
+diff --git a/testutil/helpers_windows.go b/testutil/helpers_windows.go
+new file mode 100644
+index 0000000..aefeca0
+--- /dev/null
++++ b/testutil/helpers_windows.go
+@@ -0,0 +1,12 @@
++// +build windows
++
++package testutil
++
++import "testing"
++
++func RequiresRoot(t testing.TB) {
++}
++
++func SkipIfBuildroot(t testing.TB) {
++}
++
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.7-Add-test-skip-helpers-to-testutil.patch b/base/docker/docker-20.10.7-Add-test-skip-helpers-to-testutil.patch
new file mode 100644
index 0000000..8b5b50f
--- /dev/null
+++ b/base/docker/docker-20.10.7-Add-test-skip-helpers-to-testutil.patch
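Review bot: In `helpers_windows.go` both exported helpers are empty and undocumented, so on Windows a test that calls `RequiresRoot` or `SkipIfBuildroot` always runs, whatever privileges it has; say so in a doc comment, e.g. `// RequiresRoot is a no-op on Windows; tests are never skipped for missing privileges there.` In `helpers_unix.go` the comment above `SkipIfBuildroot` should open with the function name so godoc picks it up, `// SkipIfBuildroot skips the test when /.initialized or /builddir exists, the markers of a build chroot.` Separately, `init()` registers `test.root` on the global flag set, which panics with a redefinition error if a test binary also links another package that registers that name, as the containerd testutil this code was copied from does. Whether such an import exists in the tree is not visible here, so it is worth confirming. The testutil patch for docker/docker that follows adds the same code, and the same points apply there.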
@@ -0,0 +1,99 @@
+From 021e33a5b2c3384243e3ae76444bb90006214f5a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Wed, 18 Aug 2021 22:17:52 +0000
+Subject: [PATCH] Add test skip helpers to testutil
+
+Signed-off-by: Jamie Anderson
+---
+ testutil/helpers.go | 10 ++++++++++
+ testutil/helpers_unix.go | 34 ++++++++++++++++++++++++++++++++++
+ testutil/helpers_windows.go | 12 ++++++++++++
+ 3 files changed, 56 insertions(+)
+ create mode 100644 testutil/helpers_unix.go
+ create mode 100644 testutil/helpers_windows.go
+
+diff --git a/testutil/helpers.go b/testutil/helpers.go
+index e522b5a..6de9de5 100644
+--- a/testutil/helpers.go
++++ b/testutil/helpers.go
+@@ -1,9 +1,19 @@
+ package testutil // import "github.com/docker/docker/testutil"
+
+ import (
++ "flag"
+ "io"
+ )
+
++// This variable and the init() function copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers.go
++// Original Copyright The Containerd Authors. Licensed under the Apache License, Version 2.0.
++var rootEnabled bool
++
++func init() {
++ flag.BoolVar(&rootEnabled, "test.root", false, "enable tests that require root")
++}
++
+ // DevZero acts like /dev/zero but in an OS-independent fashion.
+ var DevZero io.Reader = devZero{}
+
+diff --git a/testutil/helpers_unix.go b/testutil/helpers_unix.go
+new file mode 100644
+index 0000000..c846775
+--- /dev/null
++++ b/testutil/helpers_unix.go
+@@ -0,0 +1,34 @@
++// +build !windows
++
++package testutil
++
++import (
++ "os"
++ "testing"
++
++ "gotest.tools/v3/assert"
++)
++
++// This function was copied from
++// https://github.com/containerd/containerd/blob/master/pkg/testutil/helpers_unix.go
++// Original Copyright The Containerd Authors. Licensed under the Apache License, Version 2.0.
++// RequiresRoot skips tests that require root, unless the test.root flag has
++// been set
++func RequiresRoot(t testing.TB) {
++ if !rootEnabled {
++ t.Skip("skipping test that requires root")
++ }
++ assert.Equal(t, 0, os.Getuid(), "This test must be run as root.")
++}
++
++// This function is adapted from a previous patch applied by Amazon
++// The existence of /.initialized or /builddir is a marker that we're in a build chroot
++// Tests that perform filesystem operations, generate non-localhost network traffic,
++// and possibly other things, are likely to not work correctly
++func SkipIfBuildroot(t testing.TB) {
++ if _, err := os.Stat("/.initialized"); err == nil {
++ t.Skip("not appropriate for a buildroot environment")
++ } else if _, err := os.Stat("/builddir"); err == nil {
++ t.Skip("not appropriate for a buildroot environment")
++ }
++}
+diff --git a/testutil/helpers_windows.go b/testutil/helpers_windows.go
+new file mode 100644
+index 0000000..aefeca0
+--- /dev/null
++++ b/testutil/helpers_windows.go
+@@ -0,0 +1,12 @@
++// +build windows
++
++package testutil
++
++import "testing"
++
++func RequiresRoot(t testing.TB) {
++}
++
++func SkipIfBuildroot(t testing.TB) {
++}
++
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.7-Skip-overlay-tar-untar-test.patch b/base/docker/docker-20.10.7-Skip-overlay-tar-untar-test.patch
new file mode 100644
index 0000000..6b377b9
--- /dev/null
+++ b/base/docker/docker-20.10.7-Skip-overlay-tar-untar-test.patch
@@ -0,0 +1,41 @@
+From fc8490a29aa87f81ad4a58c5b759317acb77876e Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Mon, 16 Aug 2021 17:21:38 +0000
+Subject: [PATCH] Skip overlay/tar/untar test
+
+Signed-off-by: Jamie Anderson
+---
+ pkg/archive/archive_linux_test.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/pkg/archive/archive_linux_test.go b/pkg/archive/archive_linux_test.go
+index 800fda6..08a196b 100644
+--- a/pkg/archive/archive_linux_test.go
++++ b/pkg/archive/archive_linux_test.go
+@@ -9,6 +9,7 @@ import (
+
+ "github.com/containerd/containerd/sys"
+ "github.com/docker/docker/pkg/system"
++ "github.com/docker/docker/testutil"
+ "golang.org/x/sys/unix"
+ "gotest.tools/v3/assert"
+ "gotest.tools/v3/skip"
+@@ -87,6 +88,7 @@ func checkFileMode(t *testing.T, path string, perm os.FileMode) {
+ }
+
+ func TestOverlayTarUntar(t *testing.T) {
++ testutil.RequiresRoot(t)
+ oldmask, err := system.Umask(0)
+ assert.NilError(t, err)
+ defer system.Umask(oldmask)
+@@ -126,6 +128,7 @@ func TestOverlayTarUntar(t *testing.T) {
+ }
+
+ func TestOverlayTarAUFSUntar(t *testing.T) {
++ testutil.RequiresRoot(t)
+ oldmask, err := system.Umask(0)
+ assert.NilError(t, err)
+ defer system.Umask(oldmask)
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-20.10.7-Skip-pkg-archive-tests-that-require-root.patch b/base/docker/docker-20.10.7-Skip-pkg-archive-tests-that-require-root.patch
new file mode 100644
index 0000000..a78bbee
--- /dev/null
+++ b/base/docker/docker-20.10.7-Skip-pkg-archive-tests-that-require-root.patch
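Review bot: `testutil.RequiresRoot(t)` skips `TestOverlayTarUntar` and `TestOverlayTarAUFSUntar` whenever `-test.root` is absent, even on a run that is already root, so these archive extraction tests stop running everywhere unless some invocation passes the flag; none is visible in this change. If the build chroot is the real reason, as the spec comment for this patch says, `testutil.SkipIfBuildroot(t)` states that directly and keeps the coverage on ordinary hosts. A short comment above each call, such as `// Setting extended attributes on overlayfs fails inside the package buildroot.`, would record why the skip is there. The pkg/archive patch that follows adds the same call to `TestChangesWithChangesGH13590`, and both test functions here continue outside their hunks.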
@@ -0,0 +1,33 @@
+From d099d78e4ac135ff2fcf24e08ad7573067b37a5a Mon Sep 17 00:00:00 2001
+From: Jamie Anderson
+Date: Mon, 16 Aug 2021 17:31:32 +0000
+Subject: [PATCH] Skip pkg/archive tests that require root
+
+Signed-off-by: Jamie Anderson
+---
+ pkg/archive/changes_test.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/pkg/archive/changes_test.go b/pkg/archive/changes_test.go
+index 0a2689d..490af6d 100644
+--- a/pkg/archive/changes_test.go
++++ b/pkg/archive/changes_test.go
+@@ -13,6 +13,7 @@ import (
+ "time"
+
+ "github.com/docker/docker/pkg/system"
++ "github.com/docker/docker/testutil"
+ "gotest.tools/v3/assert"
+ "gotest.tools/v3/skip"
+ )
+@@ -187,6 +188,7 @@ func TestChangesWithChanges(t *testing.T) {
+
+ // See https://github.com/docker/docker/pull/13590
+ func TestChangesWithChangesGH13590(t *testing.T) {
++ testutil.RequiresRoot(t)
+ // TODO Windows. Needs further investigation to identify the failure
+ if runtime.GOOS == "windows" {
+ t.Skip("needs more investigation")
+--
+2.31.0.rc2
+
diff --git a/base/docker/docker-setup-runtimes.sh b/base/docker/docker-setup-runtimes.sh
new file mode 100644
index 0000000..4fd3c87
--- /dev/null
+++ b/base/docker/docker-setup-runtimes.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+{
+ echo -n "DOCKER_ADD_RUNTIMES=\""
+ for file in /etc/docker-runtimes.d/*; do
+ [ -f "$file" ] && [ -x "$file" ] && echo -n "--add-runtime $(basename "$file")=$file "
+ done
+ echo "\""
+} > /run/docker/runtimes.env
diff --git a/base/docker/docker-storage.sysconfig b/base/docker/docker-storage.sysconfig
new file mode 100644
index 0000000..e300888
--- /dev/null
+++ b/base/docker/docker-storage.sysconfig
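Review bot: File names from `/etc/docker-runtimes.d` are written into `runtimes.env` unescaped in `docker-setup-runtimes.sh`, so a name containing a space, a double quote or `$` changes how the `DOCKER_ADD_RUNTIMES` value is parsed once the service expands it (the consumer is not on this page). Accepting only names made of letters, digits, `.`, `_` and `-` closes that off, and it also drops the literal `*` left behind when the directory is empty. `echo -n` is not portable under `#!/bin/sh`, so the rewrite below uses `printf`. The `-x` test says nothing about who owns the file or who may write to it, so the directory should stay root-owned and not group- or world-writable.
```shell
# … unchanged: opening brace and the DOCKER_ADD_RUNTIMES=" prefix …
    for file in /etc/docker-runtimes.d/*; do
        name=${file##*/}
        # Accept plain names only; anything else could break out of the quoted value.
        case "$name" in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        [ -f "$file" ] && [ -x "$file" ] && printf '%s ' "--add-runtime $name=$file"
    done
# … unchanged: closing quote and the redirect to /run/docker/runtimes.env …
```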
@@ -0,0 +1,14 @@
+# This file may be automatically generated by an installation program.
+
+# By default, Docker uses a loopback-mounted sparse file in
+# /var/lib/docker. The loopback makes it slower, and there are some
+# restrictive defaults, such as 100GB max storage.
+
+# If your installation did not set a custom storage for Docker, you
+# may do it below.
+
+# Example: Use a custom pair of raw logical volumes (one for metadata,
+# one for data).
+# DOCKER_STORAGE_OPTIONS="--storage-opt dm.metadatadev=/dev/myvg/my-docker-metadata --storage-opt dm.datadev=/dev/myvg/my-docker-data"
+
+DOCKER_STORAGE_OPTIONS=
diff --git a/base/docker/docker.spec b/base/docker/docker.spec
new file mode 100644
index 0000000..9908752
--- /dev/null
+++ b/base/docker/docker.spec
@@ -0,0 +1,1578 @@ +# Globals are used to derive release details for Moby as it +# exists in its composite release repository at: +# +# https://github.com/moby/moby +# +# When updating this spec to package a new release, it's likely only +# these bits will need updating: +# +# Moby release version, eg: 18.09.6-ce +%global moby_version 20.10.25 +# Moby repository commit for above version, eg: <40 char sha> +%global moby_commit 5df983c7dbe2f8914e6efd4dd6e0083a20c41ce1 +# Moby targets a specific golang compiler, eg: 1.10.8 +# +# NOTE: this must match exactly with upstream as Docker is sensitive and closely +# tied to stdlib/runtime and its bugs/features of a given version. +%global moby_target_golang 1.19.9 +# Moby designates not only the daemon, but also its +# dependencies. This package bundles libnetwork (for docker-proxy) +# and tini (as docker-init), specifying their commits in "installers", +# these commits should match the project's declared commits. +# +# hint: https://github.com/moby/moby/blob/master/hack/dockerfile/install/proxy.installer +%global moby_libnetwork_commit 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7 +# +# hint: https://github.com/moby/moby/blob/master/hack/dockerfile/install/tini.installer +%global moby_tini_commit de40ad007797e0dcd8b7126f27bb87401d224240 +# +# We package the version of docker-cli that corresponds to the version of moby (the engine) +# Refer to: https://github.com/docker/cli/tags +# Note this is NOT the same as the version specified in +# https://github.com/moby/moby/blob/master/hack/dockerfile/install/dockercli.installer +# which is quite out-of-date. 
+%global docker_cli_commit b82b9f3a0e763304a250531cb9350aa6d93723c9 +# buildx is a Docker CLI plugin for extended build capabilities +# hint: https://github.com/docker/buildx +%global buildx_version v0.10.4 +%global buildx_commit c513d34049e499c53468deac6c4267ee72948f02 +# container restart policies require a version of libcgroup that supports the pids root +%global libcgroup_min_version 0.40.rc1-5.15 + +### bconds +%bcond_without systemd + + +# By default, include testing with some cases modified or removed for +# build time limitations. +%bcond_without tests + +# Enable docker's seccomp integrations. +%bcond_without seccomp + +# Assert that commits for docker's bundled projects match the +# committed Git SHAs. +%bcond_without strict_components # with + +%bcond_with btrfs +%bcond_with aufs + +### Golang helper macros + +# Emit GOPATH settings inline. +%define golang_set_gopath(d:) \ +export GOPATH="%{-d:%{-d*}}%{!-d:$(pwd -P)}"; \ +export PATH="$PATH:$GOPATH/bin" \ +export GO111MODULE=off + +# Initialize a GOPATH for building golang packages. +%define golang_init_gopath(d:) \ +%{golang_set_gopath} \ +rm -rf "${GOPATH}/"{src,bin} \ +install -d "${GOPATH}"/{src,pkg,bin} + +# The ${GOPATH:-.} allows for use in the files section when $PWD is at +# the $GOPATH root. +%define golang_src_path(p:) ${GOPATH:-.}/src/%{-p*} + +# Unpack a Source at conventional golang package path in $GOPATH - its +# import path. +%define golang_prep(p:s:S:) \ +install -d "$GOPATH/src/%{-p*}" && \ +tar -x %{-S:--strip-components=%{-S*}} -C "%{golang_src_path -p %{-p*}}" -f %{-s*} + +### Docker derived data +# Component package collects the release sources for the daemon and +# the cli. 
+%global docker_component_package github.com/moby/moby +%global docker_component_src %{golang_src_path -p %docker_component_package} +%global docker_component_commit %moby_commit +# The componentized github.com/docker/docker +%global docker_package github.com/docker/docker +%global docker_src %{golang_src_path -p %docker_package} +%global docker_version %moby_version +%global docker_rpm_version %(sed 's/-//' <<< %docker_version) +%global docker_commit %docker_component_commit +%global docker_shortcommit %(c=%{docker_commit}; echo ${c:0:7}) +# The componentized github.com/docker/cli package +%global docker_cli_package github.com/docker/cli +%global docker_cli_src %{golang_src_path -p %docker_cli_package} +%global docker_cli_version %docker_version +%global docker_cli_shortcommit %(c=%{docker_cli_commit}; echo ${c:0:7}) +# The componentized github.com/docker/buildx package +%global buildx_package github.com/docker/buildx +%global buildx_src %{golang_src_path -p %buildx_package} +%global buildx_shortcommit %(c=%{buildx_commit}; echo ${c:0:7}) + +# Add buildtags appropriate for the package's build configuration. +%global build_tags %{?build_tags} selinux +%if %{with seccomp} +%global build_tags %{?build_tags} seccomp +%endif + +%if %{without btrfs} +%global build_tags %{?build_tags} exclude_graphdriver_btrfs +%endif + +%if %{without aufs} +%global build_tags %{?build_tags} exclude_graphdriver_aufs +%endif + +%global apprundir %{_rundir}/docker +%global appconfdir %{_sysconfdir}/docker + +### Components' derived data +# The commit SHAs for external, however bundled, components are +# defined in the installers for each (see the vars _COMMIT for +# the SHAs). +%global docker_component_tree_url https://github.com/moby/moby/tree/%{docker_commit}/hack/dockerfile/install/ + +# libnetwork provides the docker-proxy binary. 
+%global libnetwork_package github.com/docker/libnetwork +%global libnetwork_src %{golang_src_path -p %libnetwork_package} +%global libnetwork_commit %moby_libnetwork_commit +%global libnetwork_shortcommit %(c=%{libnetwork_commit}; echo ${c:0:7}) + +# tini provides the "docker-init" binary +%global tini_package github.com/krallin/tini +%global tini_src %{golang_src_path -p %tini_package} +%global tini_commit %moby_tini_commit +%global tini_shortcommit %(c=%{tini_commit}; echo ${c:0:7}) + +Name: docker +Version: %{docker_rpm_version} +Release: 1%{?dist} +Summary: Automates deployment of containerized applications +License: ASL 2.0 and MIT and BSD and MPLv2.0 and WTFPL +URL: http://www.docker.com +# Disable ix86 builds: https://github.com/docker/docker/issues/136 +ExcludeArch: %{ix86} + +Source0: https://%{docker_component_package}/archive/%{docker_commit}/docker-%{docker_version}.tar.gz +Source2: docker.sysconfig +Source3: docker-storage.sysconfig +Source6: https://%{libnetwork_package}/archive/%{libnetwork_commit}/libnetwork-%{libnetwork_shortcommit}.tar.gz +Source7: https://%{tini_package}/archive/%{tini_commit}/tini-%{tini_shortcommit}.tar.gz +Source9: https://%{docker_cli_package}/archive/%{docker_cli_commit}/cli-%{docker_cli_version}.tar.gz +Source10: https://%{buildx_package}/archive/refs/tags/%{buildx_version}.tar.gz + +# Amazon-provided sources +# Scripts and other resources to support /etc/docker-runtimes.d +Source1001: docker-setup-runtimes.sh +Source1002: README-docker-runtimes.d + +# Amazon-provided patches +Patch2001: docker-20.10.4-sysvinit-use-nohup.patch +Patch2002: docker-20.10.4-sysvinit-add-storage-opts.patch +Patch2004: docker-20.10.4-sysvinit-increase-daemon-maxfiles.patch +Patch2007: docker-20.10.4-sysvinit-stop-before-network.patch +# Allow users to control the timeout when waiting for the daemon to start +Patch2010: docker-20.10.4-sysvinit-configurable-start-timeout.patch + +# These patches disable tests that don't work in the AL AMI 
buildroot environment + +# The graphdriver/devmapper tests try to create and mount a loopback fs +Patch2103: docker-20.10.4-Skip-devmapper-tests-that-don-t-work-in-a-buildroot.patch +# Skip graphdriver/vfs tests that require root privileges and mutate the filesystem +Patch2104: docker-20.10.4-Skip-mutating-vfs-tests.patch +# Skip pkg/sysinfo test that tries to write to /proc +Patch2108: docker-20.10.4-Skip-pkg-sysinfo-tests-that-require-root.patch +# Skip volume/local tests that try to mutate the buildroot filesystem +Patch2109: docker-20.10.4-Skip-mutating-volume-local-tests.patch +# Skip tests in pkg/authorization that try to create sockets without being root +Patch2113: docker-20.10.4-Skip-pkg-authorization-tests-that-create-sockets.patch +# Skip tests in pkg/idtools that call mkdir outside the buildroot without privileges +# pkg/idtools has its own implementation of RequiresRoot() +Patch2114: docker-20.10.4-Skip-pkg-idtools-tests-that-require-root.patch +# Skip tests in distribution that generate network traffic +Patch2115: docker-20.10.4-Skip-distribution-tests-that-network.patch + +# Skip tests in builder that try to change namespaces +Patch2117: docker-20.10.4-Skip-builder-tests-that-require-root.patch +# Skip Overlay Tar/Untar test which fails in buildroot when setting ext. 
attributes on overlay fs +Patch2118: docker-20.10.7-Skip-overlay-tar-untar-test.patch + +Patch2120: no-private-mnt-namespace.patch + +Patch2123: runc-allow-git-sha-override.patch +Patch2125: tini-allow-git-sha-override.patch +Patch2126: docker-20.10.4-Skip-cli-tests-that-require-network.patch +Patch2130: docker-20.10.4-Skip-auth-middleware-test.patch +Patch2133: docker-20.10.4-Skip-quota-tests.patch +Patch2135: docker-20.10.4-Skip-engine-layer-tests.patch +Patch2140: docker-20.10.4-Skip-volume-store-tests.patch + +# systemd sysconfig configuration file support +Patch2141: docker-20.10.4-systemd-unit-sysconfig.patch + +# skip TestGetSourceMount ("/" not available in buildroot env) +# Example output of `cat /proc/self/mountinfo` in buildroot: +# 148 147 0:3 / /proc rw,relatime shared:64 - proc proc rw +# 152 147 0:17 / /sys rw,relatime shared:66 - sysfs sysfs rw,seclabel +# 157 147 0:39 / /dev/shm rw,relatime shared:70 - tmpfs tmpfs rw,seclabel +# 163 147 0:41 / /dev/pts rw,relatime shared:72 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666 +# 167 148 202:1 /tmp/mock-selinux-plugin.R40Ep_ /proc/filesystems rw,relatime shared:1 - xfs /dev/xvda1 rw,seclabel,attr2,inode64,noquota +Patch2143: docker-20.10.4-Skip-get-source-mount.patch + +# systemd /etc/docker-runtimes.d support +Patch2144: docker-20.10.4-systemd-unit-runtimes.d.patch + +# test skips +Patch2145: docker-20.10.4-Skip-git-tests.patch +Patch2146: docker-20.10.4-Skip-compression-tests-that-require-root.patch +Patch2148: docker-20.10.4-Skip-btrfs-graphdriver-tests-if-not-root.patch + +# Restore containerd dependency and other changes to the systemd service +Patch2149: docker-20.10.4-Restore-containerd-dependency-restart-policy-and-nof.patch + +# Patch tests to use a capability that's valid on ALAMI, CAP_SYS_NICE, +# instead of CAP_BLOCK_SUSPEND +Patch3004: docker-20.10.4-fix-TestTarUntarWithXattr-failure-on-4.14+-kernel.patch + +# Skip pkg/archive and pkg/chrootarchive tests that require root privileges 
+Patch3005: docker-20.10.7-Skip-pkg-archive-tests-that-require-root.patch + +# Add helpers for skipping tests conditionally +Patch3008: docker-20.10.7-Add-test-skip-helpers-to-testutil.patch +Patch3009: docker-20.10.7-Add-test-skip-helpers-to-cli.patch + +# Patch limits the rate at which logger errors are logged into daemon logs +Patch3013: docker-20.10.4-Limit-logger-errors-logged-into-daemon-logs.patch + +# Patch for skipping kubeconfig and loadcontext tests that require root access +Patch3014: docker-20.10.17-Skip-kubeconfig-and-loadcontext-tests-that-require-root.patch + +BuildRequires: gcc >= 7.2 +BuildRequires: glibc-static +BuildRequires: golang >= %{moby_target_golang} +BuildRequires: device-mapper-devel +%if %{with btrfs} +BuildRequires: btrfs-progs-devel >= 3.14.2 +%endif +BuildRequires: cmake +BuildRequires: git +BuildRequires: libtool-ltdl-devel +BuildRequires: libselinux-devel +BuildRequires: libudev-devel +# Required for testing the pigz archive functionality in docker. +BuildRequires: pigz +# Required for memfd runc protection. 
+BuildRequires: kernel-headers >= 3.17 +BuildRequires: go-rpm-macros +BuildRequires: go-md2man +%if %{with systemd} +BuildRequires: pkgconfig(systemd) +BuildRequires: systemd-units +%endif +%if %{with seccomp} +BuildRequires: libseccomp-static +%endif + +Provides: docker-ce = %{version}-%{release} +Provides: docker-io = %{version}-%{release} +Provides: lxc-docker = %{version}-%{release} +Provides: moby = %{version}-%{release} +Provides: moby-endgine = %{version}-%{release} + +Obsoletes: docker-devel < 17 +Obsoletes: docker-pkg-devel < 17 +Conflicts: podman-docker +Conflicts: docker-ce + +# need xz to work with ubuntu images +# https://bugzilla.redhat.com/show_bug.cgi?id=1045220 +Requires: xz +# https://bugzilla.redhat.com/show_bug.cgi?id=1034919 +Requires: libcgroup >= %{libcgroup_min_version} + +Requires: iptables +Requires: device-mapper-libs >= 1.02.90-2.24 +Requires: pigz +# Used by the sysvinit script for mountpoint namespacing +%if 0%{?amzn} < 2 +Requires: /usr/bin/unshare +%endif +# Container restart policies require the pids cgroup controller, +# which was implemented in the kernel starting with version 4.3 +# Amazon Linux 2 is a minimum of 4.14 (4.9 in prereleases) +%if 0%{?amzn} < 2 +Requires: kernel >= 4.3 +%endif +# In Docker 1.9.1, the default filesystem for devmapper changed from +# ext4 to xfs +Requires: xfsprogs + +# docker-runc and docker-containerd are now satisfied with discrete +# packages for each. These packages remain necessary at a foundational +# level. +Requires: runc >= 1.0.0 +Requires: containerd >= 1.3.2 + +# Older versions of ec2-net-utils call ec2net.hotplug for veth +# interfaces, which causes performance issues when quickly creating or +# deleting lots of containers +Conflicts: ec2-net-utils < 0.4-1.24 + +# Docker mount ordering changed in later versions of Docker to address security +# vulnerabilities. The ECS init package contains fixes that mount its system +# dependencies correctly with this change in versions newer than 1.36.2. 
+Conflicts: ecs-init < 1.36.2 + +%description +Docker is an open-source engine that automates the deployment of any +application as a lightweight, portable, self-sufficient container that will +run virtually anywhere. + +Docker containers can encapsulate any payload, and will run consistently on +and between virtually any server. The same container that a developer builds +and tests on a laptop will run at scale, in production*, on VMs, bare-metal +servers, OpenStack clusters, public instances, or combinations of the above. + +%prep +%setup -T -c -q -n %{name}-%{version}-%{release} +# Setup a GOPATH appropriate for building components merged in the +# github.com/moby/moby repository. +# +# This avoids gymnastics to prepare many GOPATHs for each, effectively +# misnamed, improper import paths. +%golang_init_gopath + +%golang_prep -p %docker_component_package -S 1 -s %{SOURCE0} + +# tini isn't golang, but we arrange it like it is for navigation. +%golang_prep -p %tini_package -S 1 -s %{SOURCE7} +%golang_prep -p %libnetwork_package -S 1 -s %{SOURCE6} +%golang_prep -p %docker_cli_package -S 1 -s %{SOURCE9} +%golang_prep -p %buildx_package -S 1 -s %{SOURCE10} + +%if %{with systemd} +cp %{SOURCE1002} . 
+%endif + +# Apply moby patches +cd %{docker_component_src} + +%if %{without systemd} +%patch2001 -p1 +%patch2002 -p1 +%patch2004 -p1 +%patch2007 -p1 +%patch2010 -p1 +%endif + +%patch2103 -p1 +%patch2104 -p1 +%patch2108 -p1 +%patch2109 -p1 +%patch2113 -p1 +%patch2114 -p1 +%patch2115 -p1 +%patch2117 -p1 +%patch2118 -p1 +%if %{without systemd} +%patch2120 -p1 +%endif + +%patch2130 -p1 +%patch2133 -p1 +%patch2135 -p1 +%patch2140 -p1 +%patch2141 -p1 +%patch3004 -p1 +%patch2143 -p1 +%patch3005 -p1 +%patch2144 -p1 +%patch2148 -p1 +%patch2149 -p1 +%patch3008 -p1 +%patch3013 -p1 + +# Apply tini patches +cd %{tini_src} +%patch2125 -p2 + +# Apply cli patches +cd %{docker_cli_src} +%patch2126 -p1 +%patch2145 -p1 +%patch2146 -p1 +%patch3009 -p1 +%patch3014 -p1 + +# Now put the things back where they came from. The import paths are +# much happier this way and it correctly represents the collected +# software (in golang land). +install -d $(readlink -m %{docker_cli_src}/../) $(readlink -m %{docker_src}/../) +mv %{docker_component_src} %{docker_src} + +%build +%golang_set_gopath + +# Build the cli +( + cd %{docker_cli_src} + export VERSION=%{docker_cli_version} + export GITCOMMIT=%{docker_cli_shortcommit} + env GO_LINKMODE="dynamic" ./scripts/build/binary + + # Build the cli's man page and its bespoke generator + %gobuild -o gen-manpages github.com/docker/cli/man + # Generate cli's man1 entries + # + # Generation will attempt to load external long form descriptions, it + # will print WARN's when these are encountered which look a whole lot + # like errors. + mkdir -p %{docker_cli_src}/man/man1 + ./gen-manpages --root %{docker_cli_src} \ + --target %{docker_cli_src}/man/man1 2>&1 \ + | grep -v 'skipping' + # Then generate the remaining pages from markdown source. 
+ ./man/md2man-all.sh -q +) +#Build the buildx plugin +cd %{buildx_src} +%gobuild -o "bin/buildx" ./cmd/buildx + +# Build the network proxy for docker - docker-proxy +cd %{libnetwork_src} +%gobuild -o "bin/docker-proxy" ./cmd/proxy + +# Build the simple init process for container pid 1, tini - it takes +# care of forwarding signals and child process management. +( + cd %{tini_src} + export GIT_COMMIT_OVERRIDE=%{tini_shortcommit} + cmake . + make +) + +# Build the docker daemon +( + cd %{docker_src} + export DOCKER_GITCOMMIT="%{docker_shortcommit}" + export DOCKER_BUILDTAGS="%{?build_tags}" + export VERSION="%{docker_version}" + hack/make.sh dynbinary +) + +%install +%golang_set_gopath + +rm -rf %{buildroot} + +# install docker cli +install -d %{buildroot}%{_bindir} +install -d %{buildroot}%{_localstatedir}/lib/docker +install -p -m 755 %{docker_cli_src}/build/docker %{buildroot}%{_bindir}/docker + +# install compatibility symlinks for binaries that moved when runc +# and containerd were split into separate packages +ln -sf ../sbin/runc %{buildroot}%{_bindir}/docker-runc +ln -sf containerd %{buildroot}%{_bindir}/docker-containerd +ln -sf containerd-shim %{buildroot}%{_bindir}/docker-containerd-shim +ln -sf ctr %{buildroot}%{_bindir}/docker-ctr + +# install docker cli manpages +install -d %{buildroot}%{_mandir}/man1 +install -p -m 644 %{docker_cli_src}/man/man1/docker*.1 %{buildroot}%{_mandir}/man1 +install -d %{buildroot}%{_mandir}/man5 +install -p -m 644 %{docker_cli_src}/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5 +install -d %{buildroot}%{_mandir}/man8 +install -p -m 644 %{docker_cli_src}/man/man8/docker*.8 %{buildroot}%{_mandir}/man8 + +# install docker cli bash completion +install -d %{buildroot}%{_datadir}/bash-completion +install -p -m 644 %{docker_cli_src}/contrib/completion/bash/docker %{buildroot}%{_datadir}/bash-completion + +# install buildx plugin +install -d %{buildroot}%{_libexecdir}/%{name}/cli-plugins +install -p -m 755 
%{buildx_src}/bin/buildx %{buildroot}%{_libexecdir}/%{name}/cli-plugins/docker-buildx + +# install docker daemon +install -p -m 755 %{docker_src}/bundles/dynbinary-daemon/dockerd %{buildroot}%{_bindir}/dockerd + +# install docker-proxy for userspace network proxying +install -p -m 755 %{libnetwork_src}/bin/docker-proxy %{buildroot}%{_bindir}/docker-proxy + +# install tini as docker-init which is used by default +install -p -m 755 %{tini_src}/tini-static %{buildroot}%{_bindir}/docker-init + +# install udev rules +install -d %{buildroot}%{_sysconfdir}/udev/rules.d +install -p %{docker_src}/contrib/udev/80-docker.rules %{buildroot}%{_sysconfdir}/udev/rules.d + +# install daemon storage dir +install -d %{buildroot}%{_sharedstatedir}/docker + +# install docker daemon configuration dir (eg: /etc/docker) +install -d %{buildroot}%{appconfdir} + +# install daemon run dir +%if %{without systemd} +install -d %{buildroot}%{apprundir} +%else +# systemd manages this rundir itself +%endif + +# install init system service +%if %{with systemd} +# install systemd unitfile +install -d %{buildroot}%{_unitdir} +install -p -m 644 %{docker_src}/contrib/init/systemd/docker.{service,socket} %{buildroot}%{_unitdir} + +# install runtimes dir and script +install -d %{buildroot}%{_sysconfdir}/docker-runtimes.d +install -d %{buildroot}%{_libexecdir}/%{name} +install -p -m 755 %{SOURCE1001} %{buildroot}%{_libexecdir}/%{name} + +%else +# install sysvinit script +install -d %{buildroot}%{_initddir} +install -p -m 755 %{docker_src}/contrib/init/sysvinit-redhat/docker %{buildroot}%{_initddir} + +%endif + +# Install sysconfig defaults (used by systemd unit and sysvinit script). 
+install -d %{buildroot}%{_sysconfdir}/sysconfig/ +install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/docker +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/docker-storage + +%clean +rm -rf %{buildroot} + +%check +%golang_set_gopath + +%if %{with tests} +# Patterns matching packages that are not to be tested. +skip_patterns=$(mktemp) + +%if %{with all_tests} +# No skip patterns, all tests will run. +%else +# Packages that should be skipped when running tests. +# +# Packages are listed such that they're evaluated as prefixes of +# matches to ignore so that child packages are also skipped. +grep -v -e '^$' -e '^#' >> $skip_patterns <&1 \ + | tee "${test_output}" + test_exit="${PIPESTATUS[0]}" + if [[ "$test_exit" -ne "0" ]]; then + echo "ERROR: One or more tests failed in ${pkg}" + go_test_status="$test_exit" + go_test_error_pkgs+=("$pkg - see test output: $test_output") + continue + fi + + # Detect any packages that were included but that didn't run + # tests. + if grep -F -q -e 'warning: no tests to run' -e '[no test files]' "${test_output}" ; then + echo "ERROR: ${pkg} was ppexpected to contain tests, but none were found." + go_test_status=1 + go_test_error_pkgs+=("$pkg - expected tests, none run") + continue + fi + + echo "PASS: ${pkg} tests passed" + # Remove passing test's output. + rm -f "${test_output}" +done +# If any of the tests failed, print out packages that failed and their +# outputs that can be used to debug (when built locally). +if [[ "$go_test_status" -ne 0 ]]; then + echo "ERROR: package tests failed" + printf '%s\n' "${go_test_error_pkgs[@]}" + exit "$go_test_status" +fi + +exit 0 +%endif # with tests + +# We expect to see a common pattern for the docker cli and daemon. 
+echo "INFO: Checking versions reported by executables" +# For docker (cli): +# +# Example: Docker version 18.09.5, build e8ff056 +cli_reported_version="$(%{docker_cli_src}/build/docker -v)" +cli_expected_version="Docker version %{docker_version}, build %{docker_cli_shortcommit}" +echo -e "INFO: docker -v\t$cli_reported_version" +if [[ "$cli_reported_version" != "$cli_expected_version" ]]; then + echo "ERROR: expected 'docker -v' to report '$cli_expected_version'" + exit 1 +fi + +# For dockerd (daemon): +# +# Example: Docker version 18.09.5, build e8ff056 +daemon_reported_version="$(%{docker_src}/bundles/dynbinary-daemon/dockerd -v)" +daemon_expected_version="Docker version %{docker_version}, build %{docker_shortcommit}" +echo -e "INFO: dockerd -v\t$daemon_reported_version" +if [[ "$daemon_reported_version" != "$daemon_expected_version" ]]; then + echo "ERROR: expected 'dockerd -v' to report '$daemon_expected_version'" + exit 1 +fi + + +%if %{with strict_components} +print_url() { + # Print link to the upstream's posted component installers. + echo "INFO: See %{docker_component_tree_url} for appropriate SHAs" +} +strict_level="ERROR" +on_strict_failure="print_url; exit 1" +%else +strict_level="WARN" +on_strict_failure="" +%endif + +# Check the components used to ensure they're the matching commits as +# is committed in the upstream package. 
+ +# libnetwork (docker-proxy) +( + source %{docker_src}/hack/dockerfile/install/proxy.installer + spec_commit="%{libnetwork_commit}" + component_commit="$LIBNETWORK_COMMIT" + if [[ "$spec_commit" != "$component_commit" ]]; then + echo "$strict_level: expected component libnetwork@$component_commit but using libnetwork@$spec_commit" + $on_strict_failure + else + echo "INFO: libnetwork component matched upstream: libnetwork@$spec_commit" + fi +) +# tini (docker-init) +( + source %{docker_src}/hack/dockerfile/install/tini.installer + spec_commit="%{tini_commit}" + component_commit="$TINI_COMMIT" + if [[ "$spec_commit" != "$component_commit" ]]; then + echo "$strict_level: expected component tini@$component_commit but using tini@$spec_commit" + $on_strict_failure + else + echo "INFO: tini component matched upstream: tini@$spec_commit" + fi +) +unset strict_level on_strict_failure + +%pre +# Create the docker group for owning docker socket. +getent group docker > /dev/null || %{_sbindir}/groupadd -r docker +exit 0 + +%post +%if %{with systemd} +%systemd_post docker.service docker.socket +%else +if [ "$1" -eq "1" ]; then +# install but don't activate +/sbin/chkconfig --add docker +elif [ "$1" -eq "2" ]; then +# If upgrading, reset the init priorities, to ensure that +# the daemon always stops before networking goes down +# during shutdown and reboot. 
+/sbin/chkconfig docker resetpriorities || : +fi +%endif + +%preun +%if %{with systemd} +%systemd_preun docker.service docker.socket +%else +if [ "$1" -eq "0" ]; then + /sbin/service docker stop >/dev/null 2>&1 || : + /sbin/chkconfig --del docker +fi +%endif + +%postun +%if %{with systemd} +%systemd_postun_with_restart docker.service docker.socket +%else +if [ "$1" -ge "1" ] ; then + /sbin/service docker condrestart >/dev/null 2>&1 ||: +fi +%endif + +%triggerun -- libcgroup < %{libcgroup_min_version} +if [ $1 -eq 1 ]; then # update, not uninstall + # Make sure the pids cgroup root exists + /sbin/service cgconfig condrestart ||: +fi + + +%files +%doc src/github.com/docker/docker/AUTHORS +%doc src/github.com/docker/docker/LICENSE +%doc src/github.com/docker/docker/MAINTAINERS +%doc src/github.com/docker/docker/NOTICE +%doc src/github.com/docker/docker/CHANGELOG.md +%doc src/github.com/docker/docker/README.md +%doc src/github.com/docker/docker/CONTRIBUTING.md +%{_mandir}/man1/docker-attach.1* +%{_mandir}/man1/docker-build.1* +%{_mandir}/man1/docker-builder-build.1* +%{_mandir}/man1/docker-builder-prune.1* +%{_mandir}/man1/docker-builder.1* +%{_mandir}/man1/docker-checkpoint-create.1* +%{_mandir}/man1/docker-checkpoint-ls.1* +%{_mandir}/man1/docker-checkpoint-rm.1* +%{_mandir}/man1/docker-checkpoint.1* +%{_mandir}/man1/docker-commit.1* +%{_mandir}/man1/docker-config-create.1* +%{_mandir}/man1/docker-config-inspect.1* +%{_mandir}/man1/docker-config-ls.1* +%{_mandir}/man1/docker-config-rm.1* +%{_mandir}/man1/docker-config.1* +%{_mandir}/man1/docker-container-attach.1* +%{_mandir}/man1/docker-container-commit.1* +%{_mandir}/man1/docker-container-cp.1* +%{_mandir}/man1/docker-container-create.1* +%{_mandir}/man1/docker-container-diff.1* +%{_mandir}/man1/docker-container-exec.1* +%{_mandir}/man1/docker-container-export.1* +%{_mandir}/man1/docker-container-inspect.1* +%{_mandir}/man1/docker-container-kill.1* +%{_mandir}/man1/docker-container-logs.1* 
+%{_mandir}/man1/docker-container-ls.1* +%{_mandir}/man1/docker-container-pause.1* +%{_mandir}/man1/docker-container-port.1* +%{_mandir}/man1/docker-container-prune.1* +%{_mandir}/man1/docker-container-rename.1* +%{_mandir}/man1/docker-container-restart.1* +%{_mandir}/man1/docker-container-rm.1* +%{_mandir}/man1/docker-container-run.1* +%{_mandir}/man1/docker-container-start.1* +%{_mandir}/man1/docker-container-stats.1* +%{_mandir}/man1/docker-container-stop.1* +%{_mandir}/man1/docker-container-top.1* +%{_mandir}/man1/docker-container-unpause.1* +%{_mandir}/man1/docker-container-update.1* +%{_mandir}/man1/docker-container-wait.1* +%{_mandir}/man1/docker-container.1* +%{_mandir}/man1/docker-context-create.1* +%{_mandir}/man1/docker-context-export.1* +%{_mandir}/man1/docker-context-import.1* +%{_mandir}/man1/docker-context-inspect.1* +%{_mandir}/man1/docker-context-ls.1* +%{_mandir}/man1/docker-context-rm.1* +%{_mandir}/man1/docker-context-update.1* +%{_mandir}/man1/docker-context-use.1* +%{_mandir}/man1/docker-context.1* +%{_mandir}/man1/docker-cp.1* +%{_mandir}/man1/docker-create.1* +%{_mandir}/man1/docker-diff.1* +%{_mandir}/man1/docker-events.1* +%{_mandir}/man1/docker-exec.1* +%{_mandir}/man1/docker-export.1* +%{_mandir}/man1/docker-history.1* +%{_mandir}/man1/docker-image-build.1* +%{_mandir}/man1/docker-image-history.1* +%{_mandir}/man1/docker-image-import.1* +%{_mandir}/man1/docker-image-inspect.1* +%{_mandir}/man1/docker-image-load.1* +%{_mandir}/man1/docker-image-ls.1* +%{_mandir}/man1/docker-image-prune.1* +%{_mandir}/man1/docker-image-pull.1* +%{_mandir}/man1/docker-image-push.1* +%{_mandir}/man1/docker-image-rm.1* +%{_mandir}/man1/docker-image-save.1* +%{_mandir}/man1/docker-image-tag.1* +%{_mandir}/man1/docker-image.1* +%{_mandir}/man1/docker-images.1* +%{_mandir}/man1/docker-import.1* +%{_mandir}/man1/docker-info.1* +%{_mandir}/man1/docker-inspect.1* +%{_mandir}/man1/docker-kill.1* +%{_mandir}/man1/docker-load.1* +%{_mandir}/man1/docker-login.1* 
+%{_mandir}/man1/docker-logout.1* +%{_mandir}/man1/docker-logs.1* +%{_mandir}/man1/docker-manifest-annotate.1* +%{_mandir}/man1/docker-manifest-create.1* +%{_mandir}/man1/docker-manifest-inspect.1* +%{_mandir}/man1/docker-manifest-push.1* +%{_mandir}/man1/docker-manifest-rm.1* +%{_mandir}/man1/docker-manifest.1* +%{_mandir}/man1/docker-network-connect.1* +%{_mandir}/man1/docker-network-create.1* +%{_mandir}/man1/docker-network-disconnect.1* +%{_mandir}/man1/docker-network-inspect.1* +%{_mandir}/man1/docker-network-ls.1* +%{_mandir}/man1/docker-network-prune.1* +%{_mandir}/man1/docker-network-rm.1* +%{_mandir}/man1/docker-network.1* +%{_mandir}/man1/docker-node-demote.1* +%{_mandir}/man1/docker-node-inspect.1* +%{_mandir}/man1/docker-node-ls.1* +%{_mandir}/man1/docker-node-promote.1* +%{_mandir}/man1/docker-node-ps.1* +%{_mandir}/man1/docker-node-rm.1* +%{_mandir}/man1/docker-node-update.1* +%{_mandir}/man1/docker-node.1* +%{_mandir}/man1/docker-pause.1* +%{_mandir}/man1/docker-plugin-create.1* +%{_mandir}/man1/docker-plugin-disable.1* +%{_mandir}/man1/docker-plugin-enable.1* +%{_mandir}/man1/docker-plugin-inspect.1* +%{_mandir}/man1/docker-plugin-install.1* +%{_mandir}/man1/docker-plugin-ls.1* +%{_mandir}/man1/docker-plugin-push.1* +%{_mandir}/man1/docker-plugin-rm.1* +%{_mandir}/man1/docker-plugin-set.1* +%{_mandir}/man1/docker-plugin-upgrade.1* +%{_mandir}/man1/docker-plugin.1* +%{_mandir}/man1/docker-port.1* +%{_mandir}/man1/docker-ps.1* +%{_mandir}/man1/docker-pull.1* +%{_mandir}/man1/docker-push.1* +%{_mandir}/man1/docker-rename.1* +%{_mandir}/man1/docker-restart.1* +%{_mandir}/man1/docker-rm.1* +%{_mandir}/man1/docker-rmi.1* +%{_mandir}/man1/docker-run.1* +%{_mandir}/man1/docker-save.1* +%{_mandir}/man1/docker-search.1* +%{_mandir}/man1/docker-secret-create.1* +%{_mandir}/man1/docker-secret-inspect.1* +%{_mandir}/man1/docker-secret-ls.1* +%{_mandir}/man1/docker-secret-rm.1* +%{_mandir}/man1/docker-secret.1* +%{_mandir}/man1/docker-service-create.1* 
+%{_mandir}/man1/docker-service-inspect.1* +%{_mandir}/man1/docker-service-logs.1* +%{_mandir}/man1/docker-service-ls.1* +%{_mandir}/man1/docker-service-ps.1* +%{_mandir}/man1/docker-service-rm.1* +%{_mandir}/man1/docker-service-rollback.1* +%{_mandir}/man1/docker-service-scale.1* +%{_mandir}/man1/docker-service-update.1* +%{_mandir}/man1/docker-service.1* +%{_mandir}/man1/docker-stack-deploy.1* +%{_mandir}/man1/docker-stack-ls.1* +%{_mandir}/man1/docker-stack-ps.1* +%{_mandir}/man1/docker-stack-rm.1* +%{_mandir}/man1/docker-stack-services.1* +%{_mandir}/man1/docker-stack.1* +%{_mandir}/man1/docker-start.1* +%{_mandir}/man1/docker-stats.1* +%{_mandir}/man1/docker-stop.1* +%{_mandir}/man1/docker-swarm-ca.1* +%{_mandir}/man1/docker-swarm-init.1* +%{_mandir}/man1/docker-swarm-join-token.1* +%{_mandir}/man1/docker-swarm-join.1* +%{_mandir}/man1/docker-swarm-leave.1* +%{_mandir}/man1/docker-swarm-unlock-key.1* +%{_mandir}/man1/docker-swarm-unlock.1* +%{_mandir}/man1/docker-swarm-update.1* +%{_mandir}/man1/docker-swarm.1* +%{_mandir}/man1/docker-system-df.1* +%{_mandir}/man1/docker-system-events.1* +%{_mandir}/man1/docker-system-info.1* +%{_mandir}/man1/docker-system-prune.1* +%{_mandir}/man1/docker-system.1* +%{_mandir}/man1/docker-tag.1* +%{_mandir}/man1/docker-top.1* +%{_mandir}/man1/docker-trust-inspect.1* +%{_mandir}/man1/docker-trust-key-generate.1* +%{_mandir}/man1/docker-trust-key-load.1* +%{_mandir}/man1/docker-trust-key.1* +%{_mandir}/man1/docker-trust-revoke.1* +%{_mandir}/man1/docker-trust-sign.1* +%{_mandir}/man1/docker-trust-signer-add.1* +%{_mandir}/man1/docker-trust-signer-remove.1* +%{_mandir}/man1/docker-trust-signer.1* +%{_mandir}/man1/docker-trust.1* +%{_mandir}/man1/docker-unpause.1* +%{_mandir}/man1/docker-update.1* +%{_mandir}/man1/docker-version.1* +%{_mandir}/man1/docker-volume-create.1* +%{_mandir}/man1/docker-volume-inspect.1* +%{_mandir}/man1/docker-volume-ls.1* +%{_mandir}/man1/docker-volume-prune.1* +%{_mandir}/man1/docker-volume-rm.1* 
+%{_mandir}/man1/docker-volume.1* +%{_mandir}/man1/docker-wait.1* +%{_mandir}/man1/docker.1* +%{_mandir}/man5/Dockerfile.5* +%{_mandir}/man8/dockerd.8* +%config(noreplace) %{_sysconfdir}/sysconfig/docker +%config(noreplace) %{_sysconfdir}/sysconfig/docker-storage +%{_bindir}/docker +%{_bindir}/dockerd +%{_bindir}/docker-proxy +%{_bindir}/docker-init +%{_bindir}/docker-containerd +%{_bindir}/docker-containerd-shim +%{_bindir}/docker-ctr +%{_bindir}/docker-runc +%dir %{_libexecdir}/%{name} +%dir %{_libexecdir}/%{name}/cli-plugins +%{_libexecdir}/%{name}/cli-plugins/docker-buildx +%if %{with systemd} +%{_unitdir}/docker.service +%{_unitdir}/docker.socket +%{_libexecdir}/%{name}/docker-setup-runtimes.sh +%dir %{_sysconfdir}/docker-runtimes.d +%doc README-docker-runtimes.d +%else +%{_initddir}/docker +%endif +%{_datadir}/bash-completion/docker +%dir %{_sharedstatedir}/docker +%if %{with systemd} +%ghost %dir %{apprundir} +%else +%dir %{apprundir} +%endif +%dir %{appconfdir} +%{_sysconfdir}/udev/rules.d/80-docker.rules + +%changelog +* Wed Jul 5 2023 Antuan Weeks - 20.10.25-1.amzn2023.0.1 +- update to 20.10.25 from upstream to fix CVE-2022-41723 +- update target golang to 1.19.9 +- update docker cli to 20.10.25 +- update patches due to deprecation of io/ioutil (e.g. 
+https://github.com/docker/cli/commit/5c97f5c918bb58a9c03d2bc607ec85d77b008064) + +* Wed Apr 19 2023 Sai Harsha - 20.10.23-1.amzn2023.0.1 +- Update to 20.10.23 from upstream +- Update buildx to v0.10.4 and change the buildx plugin name to docker-buildx + +* Mon Mar 13 2023 Sonia Xu - 20.10.17-1.amzn2023.0.6 +- Backport patch for CVE-2022-36109 + +* Fri Feb 17 2023 Kev Jayne - 20.10.17-1.amzn2023.0.5 +- Skip outdated test: github.com/docker/docker/builder/remotecontext/git +- Mass rebuild for AL2023 + + +* Fri Feb 17 2023 Kev Jayne - 20.10.17-1 +- Skip Test: github.com/docker/docker/builder/remotecontext/git + +* Mon Jun 20 2022 Sai Harsha - 20.10.17-1 +- Update to 20.10.17 from upstream +- Remove patches included from upstream +- Add patch to skip test which require root access + +* Tue Mar 29 2022 Malcolm Inglis - 20.10.13-2 +- Apply patch for CVE-2022-24769 + +* Tue Mar 29 2022 Malcolm Inglis - 20.10.13-1 +- Update to 20.10.13 from upstream +- Update golang BuildRequires to 1.16.15 per upstream +- Remove patches included upstream since 20.10.10 + +* Fri Dec 10 2021 Paul Ezvan - 20.10.7-6 +- Build for AL2022 + +* Wed Nov 17 2021 Jamie Anderson - 20.10.7-5 +- CVE-2021-41190 +- Conditionalize older trigger that only applies to ALAMI + +* Mon Sep 27 2021 Jamie Anderson - 20.10.7-3 +- CVE-2021-41089 +- CVE-2021-41091 +- CVE-2021-41092 + +* Wed Aug 18 2021 Jamie Anderson - 20.10.7-2 +- Update test-skip helpers to detect more types of buildroots + +* Mon Aug 16 2021 Jamie Anderson - 20.10.7-1 +- Update to 20.10.7 from upstream +- Update golang BuildRequires for CVE-2021-33196 +- Increase default per-container file descriptor ulimit + +* Mon Aug 16 2021 Kinjal Thaker - 20.10.4-4 +- Back-port Patch https://github.com/moby/moby/pull/42401 + +* Mon Aug 09 2021 Kinjal Thaker - 20.10.4-3 +- Back-ported patches +- https://github.com/moby/moby/pull/41586 +- https://github.com/moby/moby/pull/41588 +- https://github.com/moby/moby/pull/42418 +- 
https://github.com/moby/moby/pull/42291 + +* Fri Jun 04 2021 Kinjal Thaker - 20.10.4-2 +- Added buildx plugin for Docker CLI + +* Tue Mar 23 2021 Jamie Anderson - 20.10.4-1 +- Update to 20.10.4 from upstream +- Reorganize sources to use moby/moby and docker/cli instead of docker-ce + +* Wed Sep 23 2020 Jamie Anderson - 19.03.13ce-1 +- Update to 19.03.13 from upstream +- Add triggers to conditionally relabel on container-selinux install + +* Wed May 27 2020 Jacob Vallejo - 19.03.6ce-4 +- CVE-2020-13401 + +* Fri Apr 24 2020 Jacob Vallejo - 19.03.6ce-3 +- Require compatible ecs-init package + +* Thu Apr 16 2020 Jamie Anderson - 19.03.6ce-2 +- awslogs: Update aws-sdk-go to support IMDSv2 + +* Wed Feb 26 2020 Jamie Anderson - 19.03.6ce-1 +- Update to 19.03.6 from upstream + +* Mon Sep 23 2019 Jacob Vallejo - 18.09.9ce-1 +- Update packaging for 18.09.9ce +- Split container primitives into package dependencies (containerd, runc) + +* Thu Jun 06 2019 Jamie Anderson - 18.06.1ce-10 +- CVE-2018-15664 + +* Wed Feb 27 2019 Jacob Vallejo - 18.06.1ce-8 +- Backport AWS CloudWatch Logs endpoint flag support + +* Thu Jan 24 2019 iliana weller - 18.06.1ce-7 +- CVE-2019-5736 + +* Thu Dec 13 2018 iliana weller - 18.06.1ce-6 +- Add /etc/docker-runtimes.d (AL2 only) + +* Tue Dec 4 2018 Zac Mrowicki - 18.06.1ce-6 +- Backport work around closing closed channel panic (https://github.com/moby/moby/pull/37780) + +* Mon Oct 22 2018 Jacob Vallejo - 18.06.1ce-5 +- Create /etc/docker in packaging +- Backport untar timing log improvements (https://github.com/moby/moby/pull/37983) +- Backport awslogs error message improvements (https://github.com/moby/moby/pull/37944) +- Backport awslogs utf8 normalization bugfix (https://github.com/moby/moby/pull/37986) + +* Tue Sep 25 2018 Justin Haynes - 18.06.1ce-4 +- Actually create %%{_rundir}/docker during install + +* Tue Sep 18 2018 Justin Haynes - 18.06.1ce-3 +- Create %%{_rundir}/docker during install + +* Thu Aug 23 2018 Jacob Vallejo - 18.06.1ce-1 +- 
Update packaging and patches for Docker 18.06.1 +- Add pigz for parallel gzip support + +* Wed Aug 15 2018 Frederick Lefebvre - 18.06.0ce-1 +- Rename the spec file to docker.spec to match the package name + +* Fri Jul 27 2018 Zac Mrowicki - 18.06.0ce-1 +- Update packaging and patches for Docker 18.06.0 + +* Tue Jul 17 2018 Zac Mrowicki - 18.03.1ce-5 +- Backport AWS CloudWatch Logs endpoint flag support (https://github.com/moby/moby/pull/37374) + +* Fri Jun 22 2018 Jacob Vallejo - 18.03.1ce-4 +- Re-enable sysconfig configuration in systemd unit + +* Fri Jun 15 2018 iliana weller - 18.03.1ce-3 +- Drop the kernel Requires for AL2 +- Re-enable systemd support in AL2 + +* Wed May 16 2018 Jacob Vallejo - 18.03.1ce +- Update packaging and patches for Docker 18.03.1. + +* Wed May 02 2018 Justin Haynes - 17.12.1ce +- Patch https://github.com/moby/moby/issues/33803 via upstream + https://github.com/moby/moby/pull/36522 + +* Mon Mar 26 2018 Justin Haynes - 17.12.1ce +- Update packaging and patches for Docker 17.12.1. +- Patch https://github.com/moby/moby/issues/36661 via upstream + https://github.com/containerd/containerd/pull/2229 + +* Tue Jan 30 2018 Justin Haynes - 17.12.0ce +- Update packaging and patches for Docker 17.12.0. + +* Mon Oct 20 2014 Lokesh Mandvekar - 1.3.0-1 +- Resolves: rhbz#1153936 - update to v1.3.0 +- don't install zsh files +- iptables=false => ip-masq=false + +* Wed Oct 08 2014 Lokesh Mandvekar - 1.2.0-5 +- Resolves: rhbz#1149882 - systemd unit and socket file updates + +* Tue Sep 30 2014 Lokesh Mandvekar - 1.2.0-4 +- Resolves: rhbz#1139415 - correct path for bash completion + /usr/share/bash-completion/completions +- versioned provides for docker +- golang versioned requirements for devel and pkg-devel +- remove macros from changelog +- don't own dirs owned by vim, systemd, bash + +* Thu Sep 25 2014 Lokesh Mandvekar - 1.2.0-3 +- Resolves: rhbz#1145660 - support /etc/sysconfig/docker-storage + 
From: Colin Walters +- patch to ignore selinux if it's disabled + https://github.com/docker/docker/commit/9e2eb0f1cc3c4ef000e139f1d85a20f0e00971e6 + 
From: Dan Walsh + +* Sun Aug 24 2014 Lokesh Mandvekar - 1.2.0-2 +- Provides docker only for f21 and above + +* Sat Aug 23 2014 Lokesh Mandvekar - 1.2.0-1 +- Resolves: rhbz#1132824 - update to v1.2.0 + +* Sat Aug 16 2014 Fedora Release Engineering - 1.1.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Aug 01 2014 Lokesh Mandvekar - 1.1.2-2 +- change conditionals + +* Thu Jul 31 2014 Lokesh Mandvekar - 1.1.2-1 +- Resolves: rhbz#1124036 - update to upstream v1.1.2 + +* Mon Jul 28 2014 Vincent Batts - 1.0.0-10 +- split out the import_path/pkg/... libraries, to avoid cyclic deps with libcontainer + +* Thu Jul 24 2014 Lokesh Mandvekar - 1.0.0-9 +- /etc/sysconfig/docker should be config(noreplace) + +* Wed Jul 23 2014 Lokesh Mandvekar - 1.0.0-8 +- Resolves: rhbz#1119849 +- Resolves: rhbz#1119413 - min delta between upstream and packaged unitfiles +- devel package owns directories it creates +- ensure min NVRs used for systemd contain fixes RE: CVE-2014-3499 + +* Wed Jul 16 2014 Vincent Batts - 1.0.0-7 +- clean up gopath +- add Provides for docker libraries +- produce a -devel with docker source libraries +- accomodate golang rpm macros + +* Tue Jul 01 2014 Lokesh Mandvekar - 1.0.0-6 +- Resolves: rhbz#1114810 - CVE-2014-3499 (correct bz#) + +* Tue Jul 01 2014 Lokesh Mandvekar - 1.0.0-5 +- Resolves: rhbz#11114810 - CVE-2014-3499 + +* Tue Jun 24 2014 Lokesh Mandvekar - 1.0.0-4 +- Set mode,user,group in docker.socket file + +* Sat Jun 14 2014 Lokesh Mandvekar - 1.0.0-3 +- correct bogus date + +* Sat Jun 14 2014 Lokesh Mandvekar - 1.0.0-2 +- RHBZ#1109533 patch libcontainer for finalize namespace error +- RHBZ#1109039 build with updated golang-github-syndtr-gocapability +- install Dockerfile.5 manpage + +* Mon Jun 09 2014 Lokesh Mandvekar - 1.0.0-1 +- upstream version bump to v1.0.0 + +* Mon Jun 09 2014 Lokesh Mandvekar - 0.12.0-1 +- RHBZ#1105789 Upstream bump to 0.12.0 + +* Sat Jun 07 2014 Fedora Release Engineering - 0.11.1-12 +- Rebuilt 
for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Jun 05 2014 Lokesh Mandvekar - 0.11.1-11 +- unitfile should Require socket file (revert change in release 10) + +* Fri May 30 2014 Lokesh Mandvekar - 0.11.1-10 +- do not require docker.socket in unitfile + +* Thu May 29 2014 Lokesh Mandvekar - 0.11.1-9 +- BZ: change systemd service type to 'notify' + +* Thu May 29 2014 Lokesh Mandvekar - 0.11.1-8 +- use systemd socket-activation version + +* Thu May 29 2014 Lokesh Mandvekar - 0.11.1-7 +- add "Provides: docker" as per FPC exception (Matthew Miller + ) + +* Thu May 29 2014 Lokesh Mandvekar - 0.11.1-6 +- don't use docker.sysconfig meant for sysvinit (just to avoid confusion) + +* Thu May 29 2014 Lokesh Mandvekar - 0.11.1-5 +- Bug 1084232 - add /etc/sysconfig/docker for additional args + +* Tue May 27 2014 Lokesh Mandvekar - 0.11.1-4 +- patches for BZ 1088125, 1096375 + +* Fri May 09 2014 Lokesh Mandvekar - 0.11.1-3 +- add selinux buildtag +- enable selinux in unitfile + +* Fri May 09 2014 Lokesh Mandvekar - 0.11.1-2 +- get rid of conditionals, separate out spec for each branch + +* Thu May 08 2014 Lokesh Mandvekar - 0.11.1-1 +- Bug 1095616 - upstream bump to 0.11.1 +- manpages via pandoc + +* Mon Apr 14 2014 Lokesh Mandvekar - 0.10.0-2 +- regenerate btrfs removal patch +- update commit value + +* Mon Apr 14 2014 Lokesh Mandvekar - 0.10.0-1 +- include manpages from contrib + +* Wed Apr 09 2014 Bobby Powers - 0.10.0-1 +- Upstream version bump + +* Thu Mar 27 2014 Lokesh Mandvekar - 0.9.1-1 +- BZ 1080799 - upstream version bump + +* Thu Mar 13 2014 Adam Miller - 0.9.0-3 +- Add lxc requirement for EPEL6 and patch init script to use lxc driver +- Remove tar dep, no longer needed +- Require libcgroup only for EPEL6 + +* Tue Mar 11 2014 Lokesh Mandvekar - 0.9.0-2 +- lxc removed (optional) + http://blog.docker.io/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/ + +* Tue Mar 11 2014 Lokesh Mandvekar - 0.9.0-1 +- BZ 1074880 - upstream version 
bump to v0.9.0 + +* Wed Feb 19 2014 Lokesh Mandvekar - 0.8.1-1 +- Bug 1066841 - upstream version bump to v0.8.1 +- use sysvinit files from upstream contrib +- BR golang >= 1.2-7 + +* Thu Feb 13 2014 Adam Miller - 0.8.0-3 +- Remove unneeded sysctl settings in initscript + https://github.com/dotcloud/docker/pull/4125 + +* Sat Feb 08 2014 Lokesh Mandvekar - 0.8.0-2 +- ignore btrfs for rhel7 and clones for now +- include vim syntax highlighting from contrib/syntax/vim + +* Wed Feb 05 2014 Lokesh Mandvekar - 0.8.0-1 +- upstream version bump +- don't use btrfs for rhel6 and clones (yet) + +* Mon Jan 20 2014 Lokesh Mandvekar - 0.7.6-2 +- bridge-utils only for rhel < 7 +- discard freespace when image is removed + +* Thu Jan 16 2014 Lokesh Mandvekar - 0.7.6-1 +- upstream version bump v0.7.6 +- built with golang >= 1.2 + +* Thu Jan 09 2014 Lokesh Mandvekar - 0.7.5-1 +- upstream version bump to 0.7.5 + +* Thu Jan 09 2014 Lokesh Mandvekar - 0.7.4-1 +- upstream version bump to 0.7.4 (BZ #1049793) +- udev rules file from upstream contrib +- unit file firewalld not used, description changes + +* Mon Jan 06 2014 Lokesh Mandvekar - 0.7.3-3 +- udev rules typo fixed (BZ 1048775) + +* Sat Jan 04 2014 Lokesh Mandvekar - 0.7.3-2 +- missed commit value in release 1, updated now +- upstream release monitoring (BZ 1048441) + +* Sat Jan 04 2014 Lokesh Mandvekar - 0.7.3-1 +- upstream release bump to v0.7.3 + +* Thu Dec 19 2013 Lokesh Mandvekar - 0.7.2-2 +- require xz to work with ubuntu images (BZ #1045220) + +* Wed Dec 18 2013 Lokesh Mandvekar - 0.7.2-1 +- upstream release bump to v0.7.2 + +* Fri Dec 06 2013 Vincent Batts - 0.7.1-1 +- upstream release of v0.7.1 + +* Mon Dec 02 2013 Lokesh Mandvekar - 0.7.0-14 +- sysvinit patch corrected (epel only) +- 80-docker.rules unified for udisks1 and udisks2 + +* Mon Dec 02 2013 Lokesh Mandvekar - 0.7.0-13 +- removed firewall-cmd --add-masquerade + +* Sat Nov 30 2013 Lokesh Mandvekar - 0.7.0-12 +- systemd for fedora >= 18 +- firewalld in unit file 
changed from Requires to Wants +- firewall-cmd --add-masquerade after docker daemon start in unit file + (Michal Fojtik ), continue if not present (Michael Young + ) +- 80-docker.rules included for epel too, ENV variables need to be changed for + udisks1 + +* Fri Nov 29 2013 Marek Goldmann - 0.7.0-11 +- Redirect docker log to /var/log/docker (epel only) +- Removed the '-b none' parameter from sysconfig, it's unnecessary since + we create the bridge now automatically (epel only) +- Make sure we have the cgconfig service started before we start docker, + RHBZ#1034919 (epel only) + +* Thu Nov 28 2013 Lokesh Mandvekar - 0.7.0-10 +- udev rules added for fedora >= 19 BZ 1034095 +- epel testing pending + +* Thu Nov 28 2013 Lokesh Mandvekar - 0.7.0-9 +- requires and started after firewalld + +* Thu Nov 28 2013 Lokesh Mandvekar - 0.7.0-8 +- iptables-fix patch corrected + +* Thu Nov 28 2013 Lokesh Mandvekar - 0.7.0-7 +- use upstream tarball and patch with mgoldman's commit + +* Thu Nov 28 2013 Lokesh Mandvekar - 0.7.0-6 +- using mgoldman's shortcommit value 0ff9bc1 for package (BZ #1033606) +- https://github.com/dotcloud/docker/pull/2907 + +* Wed Nov 27 2013 Adam Miller - 0.7.0-5 +- Fix up EL6 preun/postun to not fail on postun scripts + +* Wed Nov 27 2013 Lokesh Mandvekar - 0.7.0-4 +- brctl patch for rhel <= 7 + +* Wed Nov 27 2013 Vincent Batts - 0.7.0-3 +- Patch how the bridge network is set up on RHEL (BZ #1035436) + +* Wed Nov 27 2013 Vincent Batts - 0.7.0-2 +- add libcgroup require (BZ #1034919) + +* Tue Nov 26 2013 Marek Goldmann - 0.7.0-1 +- Upstream release 0.7.0 +- Using upstream script to build the binary + +* Mon Nov 25 2013 Vincent Batts - 0.7-0.20.rc7 +- correct the build time defines (bz#1026545). Thanks dan-fedora. 
+ +* Fri Nov 22 2013 Adam Miller - 0.7-0.19.rc7 +- Remove xinetd entry, added sysvinit + +* Fri Nov 22 2013 Lokesh Mandvekar - 0.7-0.18.rc7 +- rc version bump + +* Wed Nov 20 2013 Lokesh Mandvekar - 0.7-0.17.rc6 +- removed ExecStartPost lines from docker.service (BZ #1026045) +- dockerinit listed in files + +* Wed Nov 20 2013 Vincent Batts - 0.7-0.16.rc6 +- adding back the none bridge patch + +* Wed Nov 20 2013 Vincent Batts - 0.7-0.15.rc6 +- update docker source to crosbymichael/0.7.0-rc6 +- bridge-patch is not needed on this branch + +* Tue Nov 19 2013 Vincent Batts - 0.7-0.14.rc5 +- update docker source to crosbymichael/0.7-rc5 +- update docker source to 457375ea370a2da0df301d35b1aaa8f5964dabfe +- static magic +- place dockerinit in a libexec +- add sqlite dependency + +* Sat Nov 02 2013 Lokesh Mandvekar - 0.7-0.13.dm +- docker.service file sets iptables rules to allow container networking, this + is a stopgap approach, relevant pull request here: + https://github.com/dotcloud/docker/pull/2527 + +* Sat Oct 26 2013 Lokesh Mandvekar - 0.7-0.12.dm +- dm branch +- dockerinit -> docker-init + +* Tue Oct 22 2013 Lokesh Mandvekar - 0.7-0.11.rc4 +- passing version information for docker build BZ #1017186 + +* Sat Oct 19 2013 Lokesh Mandvekar - 0.7-0.10.rc4 +- rc version bump +- docker-init -> dockerinit +- zsh completion script installed to /usr/share/zsh/site-functions + +* Fri Oct 18 2013 Lokesh Mandvekar - 0.7-0.9.rc3 +- lxc-docker version matches package version + +* Fri Oct 18 2013 Lokesh Mandvekar - 0.7-0.8.rc3 +- double quotes removed from buildrequires as per existing golang rules + +* Fri Oct 11 2013 Lokesh Mandvekar - 0.7-0.7.rc3 +- xinetd file renamed to docker.xinetd for clarity + +* Thu Oct 10 2013 Lokesh Mandvekar - 0.7-0.6.rc3 +- patched for el6 to use sphinx-1.0-build + +* Wed Oct 09 2013 Lokesh Mandvekar - 0.7-0.5.rc3 +- rc3 version bump +- exclusivearch x86_64 + +* Wed Oct 09 2013 Lokesh Mandvekar - 0.7-0.4.rc2 +- debuginfo not Go-ready yet, skipped + 
+* Wed Oct 09 2013 Lokesh Mandvekar - 0.7-0.3.rc2 +- debuginfo package generated +- buildrequires listed with versions where needed +- conditionals changed to reflect systemd or not +- docker commit value not needed +- versioned provides lxc-docker + +* Mon Oct 07 2013 Lokesh Mandvekar - 0.7-2.rc2 +- rc branch includes devmapper +- el6 BZ #1015865 fix included + +* Sun Oct 06 2013 Lokesh Mandvekar - 0.7-1 +- version bump, includes devicemapper +- epel conditionals included +- buildrequires sqlite-devel + +* Fri Oct 04 2013 Lokesh Mandvekar - 0.6.3-4.devicemapper +- docker-io service enables IPv4 and IPv6 forwarding +- docker user not needed +- golang not supported on ppc64, docker-io excluded too + +* Thu Oct 03 2013 Lokesh Mandvekar - 0.6.3-3.devicemapper +- Docker rebuilt with latest kr/pty, first run issue solved + +* Fri Sep 27 2013 Marek Goldmann - 0.6.3-2.devicemapper +- Remove setfcap from lxc.cap.drop to make setxattr() calls working in the + containers, RHBZ#1012952 + +* Thu Sep 26 2013 Lokesh Mandvekar 0.6.3-1.devicemapper +- version bump +- new version solves docker push issues + +* Tue Sep 24 2013 Lokesh Mandvekar 0.6.2-14.devicemapper +- package requires lxc + +* Tue Sep 24 2013 Lokesh Mandvekar 0.6.2-13.devicemapper +- package requires tar + +* Tue Sep 24 2013 Lokesh Mandvekar 0.6.2-12.devicemapper +- /var/lib/docker installed +- package also provides lxc-docker + +* Mon Sep 23 2013 Lokesh Mandvekar 0.6.2-11.devicemapper +- better looking url + +* Mon Sep 23 2013 Lokesh Mandvekar 0.6.2-10.devicemapper +- release tag changed to denote devicemapper patch + +* Mon Sep 23 2013 Lokesh Mandvekar 0.6.2-9 +- device-mapper-devel is a buildrequires for alex's code +- docker.service listed as a separate source file + +* Sun Sep 22 2013 Matthew Miller 0.6.2-8 +- install bash completion +- use -v for go build to show progress + +* Sun Sep 22 2013 Matthew Miller 0.6.2-7 +- build and install separate docker-init + +* Sun Sep 22 2013 Matthew Miller 0.6.2-4 +- update 
to use new source-only golang lib packages + +* Sat Sep 21 2013 Lokesh Mandvekar 0.6.2-3 +- man page generation from docs/. +- systemd service file created +- dotcloud/tar no longer required + +* Fri Sep 20 2013 Lokesh Mandvekar 0.6.2-2 +- patched with alex larsson's devmapper code + +* Wed Sep 18 2013 Lokesh Mandvekar 0.6.2-1 +- Version bump + +* Tue Sep 10 2013 Lokesh Mandvekar 0.6.1-2 +- buildrequires updated +- package renamed to docker-io + +* Fri Aug 30 2013 Lokesh Mandvekar 0.6.1-1 +- Version bump +- Package name change from lxc-docker to docker +- Makefile patched from 0.5.3 + +* Wed Aug 28 2013 Lokesh Mandvekar 0.5.3-5 +- File permissions settings included + +* Wed Aug 28 2013 Lokesh Mandvekar 0.5.3-4 +- Credits in changelog modified as per reference's request + +* Tue Aug 27 2013 Lokesh Mandvekar 0.5.3-3 +- Dependencies listed as rpm packages instead of tars +- Install section added + +* Mon Aug 26 2013 Lokesh Mandvekar 0.5.3-2 +- Github packaging +- Deps not downloaded at build time courtesy Elan Ruusamäe +- Manpage and other docs installed + +* Fri Aug 23 2013 Lokesh Mandvekar 0.5.3-1 +- Initial fedora package +- Some credit to Elan Ruusamäe (glen@pld-linux.org) + diff --git a/base/docker/docker.sysconfig b/base/docker/docker.sysconfig new file mode 100644 index 0000000..ab5a4d2 --- /dev/null +++ b/base/docker/docker.sysconfig @@ -0,0 +1,13 @@ +# The max number of open files for the daemon itself, and all +# running containers. The default value of 1048576 mirrors the value +# used by the systemd service unit. +DAEMON_MAXFILES=1048576 + +# Additional startup options for the Docker daemon, for example: +# OPTIONS="--ip-forward=true --iptables=true" +# By default we limit the number of open files per container +OPTIONS="--default-ulimit nofile=32768:65536" + +# How many seconds the sysvinit script waits for the pidfile to appear +# when starting the daemon. +DAEMON_PIDFILE_TIMEOUT=10 
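Review bot: The example `# OPTIONS="--ip-forward=true --iptables=true"` sits directly above the real `OPTIONS=` line, and nothing tells an admin that copying the example replaces the whole value and drops `--default-ulimit nofile=32768:65536`. That flag is the only per-container file-descriptor cap this file sets, so I would say so in the comment, for example `# Keep --default-ulimit when adding options; the value below is soft:hard.` The DAEMON_MAXFILES comment says the value mirrors the systemd unit; the unit's limit is not visible in this diff, so that claim should be re-checked whenever either side changes.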
diff --git a/base/docker/no-private-mnt-namespace.patch b/base/docker/no-private-mnt-namespace.patch
new file mode 100644
index 0000000..51a853a
--- /dev/null
+++ b/base/docker/no-private-mnt-namespace.patch
@@ -0,0 +1,13 @@
+Index: docker-20.10.4/contrib/init/sysvinit-redhat/docker
+===================================================================
+--- docker-20.10.4.orig/contrib/init/sysvinit-redhat/docker
++++ docker-20.10.4/contrib/init/sysvinit-redhat/docker
+@@ -70,7 +70,7 @@ start() {
+ prestart
+ printf "Starting $prog:\t"
+ echo "\n$(date)\n" >> $logfile
+- "$unshare" -m -- nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
++ nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &
+ pid=$!
+ touch $lockfile
+ tries=0
diff --git a/base/docker/runc-allow-git-sha-override.patch b/base/docker/runc-allow-git-sha-override.patch
new file mode 100644
index 0000000..94f6e1e
--- /dev/null
+++ b/base/docker/runc-allow-git-sha-override.patch
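Review bot: The replacement line `nohup $exec ${OPTIONS} ${DOCKER_STORAGE_OPTIONS} >> $logfile 2>&1 &` drops `unshare -m`, so under sysvinit dockerd no longer gets its own mount namespace and the mounts it creates land in the host's namespace; the patch file carries no header saying why that isolation is given up. I would add a description at the top of the patch, for example `Description: start dockerd in the host mount namespace because <reason>`, so the trade-off is recorded next to the change. start() begins and ends outside the hunk; if the script still defines or checks `$unshare` elsewhere, that is now dead code and presumably belongs in the same patch.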
@@ -0,0 +1,19 @@
+Index: docker-ce-17.11.0-ce/components/engine/runc-69663f0bd4b60df09991c08812a60108003fa340/Makefile
+===================================================================
+--- docker-ce-17.11.0-ce.orig/components/engine/runc-69663f0bd4b60df09991c08812a60108003fa340/Makefile
++++ docker-ce-17.11.0-ce/components/engine/runc-69663f0bd4b60df09991c08812a60108003fa340/Makefile
+@@ -12,8 +12,12 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_B
+ RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
+ PROJECT := github.com/opencontainers/runc
+ BUILDTAGS := seccomp
+-COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true)
+-COMMIT := $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}")
++ifeq ($(GIT_COMMIT_OVERRIDE),)
++ COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true)
++ COMMIT := $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}")
++else
++ COMMIT := $(GIT_COMMIT_OVERRIDE)
++endif
+
+ MAN_DIR := $(CURDIR)/man/man8
+ MAN_PAGES = $(shell ls $(MAN_DIR)/*.8)
diff --git a/base/docker/tini-allow-git-sha-override.patch b/base/docker/tini-allow-git-sha-override.patch
new file mode 100644
index 0000000..394469e
--- /dev/null
+++ b/base/docker/tini-allow-git-sha-override.patch
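Review bot: The override branch assigns `COMMIT := $(GIT_COMMIT_OVERRIDE)` raw, while the git-derived branch above it wraps the value in double quotes (`"${COMMIT_NO}"`), so the two branches hand differently shaped values to whatever recipe consumes `COMMIT` (not visible in this hunk). The override arrives from the environment or the make command line and is presumably pasted into a shell command and stamped into the binary as its reported commit, so I would quote it the same way and trim it: `COMMIT := "$(strip $(GIT_COMMIT_OVERRIDE))"`. A comment above the `ifeq` stating that the packager supplies the SHA and that no `-dirty` marker is computed in that case would help anyone auditing the version string. `COMMIT_NO` stays unset in the `else` branch; check that nothing outside the hunk reads it.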
@@ -0,0 +1,55 @@
+Index: tini/CMakeLists.txt
+===================================================================
+--- a/tini/CMakeLists.txt
++++ b/tini/CMakeLists.txt
+@@ -13,27 +13,32 @@ if(MINIMAL)
+ add_definitions(-DTINI_MINIMAL=1)
+ endif()
+
+-# Extract git version and dirty-ness
+-execute_process (
+- COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" log -n 1 --date=local --pretty=format:%h
+- WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
+- RESULT_VARIABLE git_version_check_ret
+- OUTPUT_VARIABLE tini_VERSION_GIT
+-)
+-
+-execute_process(
+- COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" status --porcelain --untracked-files=no
+- WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
+- OUTPUT_VARIABLE git_dirty_check_out
+-)
++if("$ENV{GIT_COMMIT_OVERRIDE}" EQUAL "")
+
+-if("${git_version_check_ret}" EQUAL 0)
+- set(tini_VERSION_GIT " - git.${tini_VERSION_GIT}")
+- if(NOT "${git_dirty_check_out}" STREQUAL "")
+- set(tini_VERSION_GIT "${tini_VERSION_GIT}-dirty")
++ # Extract git version and dirty-ness
++ execute_process (
++ COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" log -n 1 --date=local --pretty=format:%h
++ WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
++ RESULT_VARIABLE git_version_check_ret
++ OUTPUT_VARIABLE tini_VERSION_GIT
++ )
++
++ execute_process(
++ COMMAND git --git-dir "${PROJECT_SOURCE_DIR}/.git" --work-tree "${PROJECT_SOURCE_DIR}" status --porcelain --untracked-files=no
++ WORKING_DIRECTORY "${PROJECT_SOURCE_DIR}"
++ OUTPUT_VARIABLE git_dirty_check_out
++ )
++
++ if("${git_version_check_ret}" EQUAL 0)
++ set(tini_VERSION_GIT " - git.${tini_VERSION_GIT}")
++ if(NOT "${git_dirty_check_out}" STREQUAL "")
++ set(tini_VERSION_GIT "${tini_VERSION_GIT}-dirty")
++ endif()
++ else()
++ set(tini_VERSION_GIT "")
+ endif()
+ else()
+- set(tini_VERSION_GIT "")
++ set(tini_VERSION_GIT " - git.$ENV{GIT_COMMIT_OVERRIDE}")
+ endif()
+
+ # Flags
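Review bot: `if("$ENV{GIT_COMMIT_OVERRIDE}" EQUAL "")` uses CMake's numeric comparison, which is true only when both operands are valid numbers, so the condition is false whether or not the variable is set and control always reaches the outer `else()`. The git-detection block is therefore dead, and a build without the override gets the literal suffix ` - git.` with nothing after it. Use the string operator instead: `if("$ENV{GIT_COMMIT_OVERRIDE}" STREQUAL "")`. The inner `EQUAL 0` test on `git_version_check_ret` is a genuine numeric check and can stay. A comment above the `if` noting that the override is trusted as given, and that no `-dirty` marker is added on that path, would document what the reported version means.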
diff --git a/base/libseccomp/libseccomp.spec b/base/libseccomp/libseccomp.spec
new file mode 100644
index 0000000..11b896b
--- /dev/null
+++ b/base/libseccomp/libseccomp.spec
@@ -0,0 +1,248 @@
+Name: libseccomp
+Version: 2.5.3
+Release: 1%{?dist}
+Summary: Enhanced seccomp library
+License: LGPLv2
+URL: https://github.com/seccomp/libseccomp
+Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+
+BuildRequires: gcc
+BuildRequires: gperf
+BuildRequires: make
+
+%ifnarch riscv64 s390
+# Versions prior to 3.13.0-4 do not work on ARM with newer glibc 2.25.0-6
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1466017
+BuildRequires: valgrind >= 1:3.13.0-4
+%endif
+
+%description
+The libseccomp library provides an easy to use interface to the Linux Kernel's
+syscall filtering mechanism, seccomp. The libseccomp API allows an application
+to specify which syscalls, and optionally which syscall arguments, the
+application is allowed to execute, all of which are enforced by the Linux
+Kernel.
+
+%package devel
+Summary: Development files used to build applications with libseccomp support
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The libseccomp library provides an easy to use interface to the Linux Kernel's
+syscall filtering mechanism, seccomp. The libseccomp API allows an application
+to specify which syscalls, and optionally which syscall arguments, the
+application is allowed to execute, all of which are enforced by the Linux
+Kernel.
+
+%package static
+Summary: Enhanced seccomp static library
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+
+%description static
+The libseccomp library provides an easy to use interface to the Linux Kernel's
+syscall filtering mechanism, seccomp. The libseccomp API allows an application
+to specify which syscalls, and optionally which syscall arguments, the
+application is allowed to execute, all of which are enforced by the Linux
+Kernel.
+
+%prep
+%autosetup -p1
+
+%build
+%configure
+%make_build
+
+%install
+mkdir -p %{buildroot}/%{_libdir}
+mkdir -p %{buildroot}/%{_includedir}
+mkdir -p %{buildroot}/%{_mandir}
+
+%make_install
+
+rm -f %{buildroot}/%{_libdir}/libseccomp.la
+
+%check
+%make_build check
+
+
+%files
+%license LICENSE
+%doc CREDITS README.md CHANGELOG CONTRIBUTING.md
+%{_libdir}/libseccomp.so.*
+
+%files devel
+%{_includedir}/seccomp.h
+%{_includedir}/seccomp-syscalls.h
+%{_libdir}/libseccomp.so
+%{_libdir}/pkgconfig/libseccomp.pc
+%{_bindir}/scmp_sys_resolver
+%{_mandir}/man1/*
+%{_mandir}/man3/*
+
+%files static
+%{_libdir}/libseccomp.a
+
+%changelog
+* Wed Feb 01 2023 Stewart Smith - 2.5.3-1.amzn2023.0.2
+- Mass rebuild for AL2023
+
+* Sat Oct 01 2022 Stewart Smith - 2.5.3-1.amzn2022.0.1
+- AL2022 pre-GA mass rebuild
+
+* Sat Nov 06 2021 Neal Gompa - 2.5.3-1
+- New upstream version (#2020824)
+
+* Wed Nov 03 2021 Debarshi Ray - 2.5.2-1
+- New upstream version (#1900097)
+
+* Wed Nov 03 2021 Debarshi Ray - 2.5.1-1
+- New upstream version (#1900097)
+
+* Thu Jul 22 2021 Fedora Release Engineering - 2.5.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering - 2.5.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Aug 05 2020 Neal Gompa - 2.5.0-3
+- Apply fixes to change internal handling of the notification fd (#1865802)
+
+* Tue Jul 28 2020 Fedora Release Engineering - 2.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 24 2020 Neal Gompa - 2.5.0-1
+- New upstream version (#1858965)
+
+* Wed Jan 29 2020 Fedora Release Engineering - 2.4.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Dec 16 2019 Neal Gompa - 2.4.2-2
+- Modernize spec
+- Backport fix for missing __SNR_ppoll symbol (#1777889)
+- Refresh patch to build on aarch64 with upstream version
+
+* Wed Nov 20 2019 Zbigniew Jędrzejewski-Szmek - 2.4.2-1
+- New
upstream version (#1765314)
+
+* Thu Jul 25 2019 Fedora Release Engineering - 2.4.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 17 2019 Paul Moore - 2.4.1-0
+- New upstream version
+
+* Thu Mar 14 2019 Paul Moore - 2.4.0-0
+- New upstream version
+- Added a hack to workaround test failures (see %%check above)
+
+* Fri Feb 01 2019 Fedora Release Engineering - 2.3.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 07 2018 Paul Moore - 2.3.3-4
+- Remove ldconfig scriptlet, thanks to James Antill (RHBZ #1644074)
+
+* Fri Jul 13 2018 Fedora Release Engineering - 2.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 10 2018 Paul Moore - 2.3.3-1
+- New upstream version
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.3.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.3.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jun 29 2017 Stephen Gallagher - 2.3.2-3
+- Re-enable valgrind-based tests on ARMv7
+
+* Thu Jun 29 2017 Stephen Gallagher - 2.3.2-2
+- Disable running valgrind-based tests on ARMv7 due to glibc/valgrind bug (RHBZ #1466017)
+
+* Wed Mar 01 2017 Paul Moore -2.3.2-1
+- New upstream version
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Apr 20 2016 Paul Moore - 2.3.1-1
+- Cleanup the changelog whitespace and escape the macros to make rpmlint happy
+
+* Wed Apr 20 2016 Paul Moore - 2.3.1-0
+- New upstream version
+
+* Tue Mar 1 2016 Peter Robinson 2.3.0-1
+- No valgrind on s390
+
+* Mon Feb 29 2016 Paul Moore - 2.3.0-0
+- New upstream version
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.2.3-1
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jul 08 2015 Paul Moore - 2.2.3-0
+- New upstream version
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.2.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed May 13 2015 Paul Moore - 2.2.1-0
+- New upstream version
+
+* Thu Feb 12 2015 Paul Moore - 2.2.0-0
+- New upstream version
+- Added aarch64 support
+- Added a static build
+
+* Thu Sep 18 2014 Paul Moore - 2.1.1-6
+- Fully builds on i686, x86_64, and armv7hl (RHBZ #1106071)
+
+* Sun Aug 17 2014 Fedora Release Engineering - 2.1.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway - 2.1.1-4
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Feb 27 2014 Paul Moore - 2.1.1-2
+- Build with CFLAGS="${optflags}"
+
+* Mon Feb 17 2014 Paul Moore - 2.1.1-1
+- Removed the kernel dependency (RHBZ #1065572)
+
+* Thu Oct 31 2013 Paul Moore - 2.1.1-0
+- New upstream version
+- Added a %%check procedure for self-test during build
+
+* Sat Aug 03 2013 Fedora Release Engineering - 2.1.0-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jun 11 2013 Paul Moore - 2.1.0-0
+- New upstream version
+- Added support for the ARM architecture
+- Added the scmp_sys_resolver tool
+
+* Mon Jan 28 2013 Paul Moore - 2.0.0-0
+- New upstream version
+
+* Tue Nov 13 2012 Paul Moore - 1.0.1-0
+- New upstream version with several important fixes
+
+* Tue Jul 31 2012 Paul Moore - 1.0.0-0
+- New upstream version
+- Remove verbose build patch as it is no longer needed
+- Enable _smp_mflags during build stage
+
+* Thu Jul 19 2012 Fedora Release Engineering - 0.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 10 2012 Paul Moore - 0.1.0-1
+- Limit package to x86/x86_64 platforms (RHBZ #837888)
+
+* Tue Jun 12 2012 Paul Moore -
0.1.0-0
+- Initial version
+
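Review bot: `Source0` names the release tarball by URL and `%prep` goes straight to `%autosetup -p1`, so nothing in this spec checks that the archive is the one upstream published, which matters for a library that enforces syscall filtering. No lookaside checksum file for libseccomp is visible in this part of the diff; if none exists elsewhere in the commit, consider adding the upstream detached signature and signing keyring as extra sources and verifying them first in `%prep`, e.g. `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` with `BuildRequires: gnupg2`, assuming that macro is available in this build root. A comment next to `Source0` saying how the tarball is authenticated would cover the case where verification happens outside the spec. Separately, the 2.4.0-0 changelog entry points to a hack in `%check` that the `%check` section of this file does not contain, so a reader looking for that workaround will not find it.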