commit 0832c9e0a9facdfc3a353bb7811d4fd3f68e2b06 Author: Lokesh Mandvekar lsm5@redhat.com Date: Thu Nov 28 02:15:31 2013 -0600
iptables-fix.patch corrected
Signed-off-by: Lokesh Mandvekar lsm5@redhat.com
docker-0.7.0-iptables-fix.patch | 595 ++-------------------------------------
docker-io.spec | 5 +-
2 files changed, 23 insertions(+), 577 deletions(-)
---
diff --git a/docker-0.7.0-iptables-fix.patch b/docker-0.7.0-iptables-fix.patch
index 5d04a7e..303cc08 100644
--- a/docker-0.7.0-iptables-fix.patch
+++ b/docker-0.7.0-iptables-fix.patch
@@ -1,560 +1,18 @@ -diff -uNr docker-0.7.0/contrib/mkseccomp.pl docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.pl ---- docker-0.7.0/contrib/mkseccomp.pl 1969-12-31 18:00:00.000000000 -0600 -+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.pl 2013-11-27 05:14:18.000000000 -0600 -@@ -0,0 +1,77 @@ -+#!/usr/bin/perl -+# -+# A simple helper script to help people build seccomp profiles for -+# Docker/LXC. The goal is mostly to reduce the attack surface to the -+# kernel, by restricting access to rarely used, recently added or not used -+# syscalls. -+# -+# This script processes one or more files which contain the list of system -+# calls to be allowed. See mkseccomp.sample for more information how you -+# can configure the list of syscalls. When run, this script produces output -+# which, when stored in a file, can be passed to docker as follows: -+# -+# docker run -lxc-conf="lxc.seccomp=$file" <rest of arguments> -+# -+# The included sample file shows how to cut about a quarter of all syscalls, -+# which affecting most applications. -+# -+# For specific situations it is possible to reduce the list further. By -+# reducing the list to just those syscalls required by a certain application -+# you can make it difficult for unknown/unexpected code to run. -+# -+# Run this script as follows: -+# -+# ./mkseccomp.pl < mkseccomp.sample >syscalls.list -+# or -+# ./mkseccomp.pl mkseccomp.sample >syscalls.list -+# -+# Multiple files can be specified, in which case the lists of syscalls are -+# combined. 
-+# -+# By Martijn van Oosterhout kleptog@svana.org Nov 2013 -+ -+# How it works: -+# -+# This program basically spawns two processes to form a chain like: -+# -+# <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls> -+ -+use strict; -+use warnings; -+ -+if( -t ) { -+ print STDERR "Helper script to make seccomp filters for Docker/LXC.\n"; -+ print STDERR "Usage: mkseccomp.pl [files...]\n"; -+ exit 1; -+} -+ -+my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n"; -+ -+if($pid == 0) { # Child -+ $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n"; -+ -+ if($pid == 0) { # Child, which execs cpp -+ exec "cpp" or die "Couldn't exec cpp ($!)\n"; -+ exit 1; -+ } -+ -+ # Process the DATA section and output to cpp -+ print $out "#include <sys/syscall.h>\n"; -+ while(<>) { -+ if(/^\w/) { -+ print $out "__NR_$_"; -+ } -+ } -+ close $out; -+ exit 0; -+ -+} -+ -+# Print header and then process output from cpp. -+print "1\n"; -+print "whitelist\n"; -+ -+while(<$in>) { -+ print if( /^[0-9]/ ); -+} -+ -diff -uNr docker-0.7.0/contrib/mkseccomp.sample docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.sample ---- docker-0.7.0/contrib/mkseccomp.sample 1969-12-31 18:00:00.000000000 -0600 -+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.sample 2013-11-27 05:14:18.000000000 -0600 -@@ -0,0 +1,444 @@ -+/* This sample file is an example for mkseccomp.pl to produce a seccomp file -+ * which restricts syscalls that are only useful for an admin but allows the -+ * vast majority of normal userspace programs to run normally. -+ * -+ * The format of this file is one line per syscall. This is then processed -+ * and passed to 'cpp' to convert the names to numbers using whatever is -+ * correct for your platform. As such C-style comments are permitted. Note -+ * this also means that C preprocessor macros are also allowed. 
So it is -+ * possible to create groups surrounded by #ifdef/#endif and control their -+ * inclusion via #define (not #include). -+ * -+ * Syscalls that don't exist on your architecture are silently filtered out. -+ * Syscalls marked with (*) are required for a container to spawn a bash -+ * shell successfully (not necessarily full featured). Listing the same -+ * syscall multiple times is no problem. -+ * -+ * If you want to make a list specifically for one application the easiest -+ * way is to run the application under strace, like so: -+ * -+ * $ strace -f -q -c -o strace.out application args... -+ * -+ * Once you have a reasonable sample of the execution of the program, exit -+ * it. The file strace.out will have a summary of the syscalls used. Copy -+ * that list into this file, comment out everything else except the starred -+ * syscalls (which you need for the container to start) and you're done. -+ * -+ * To get the list of syscalls from the strace output this works well for -+ * me -+ * -+ * $ cut -c52 < strace.out -+ * -+ * This sample list was compiled as a combination of all the syscalls -+ * available on i386 and amd64 on Ubuntu Precise, as such it may not contain -+ * everything and not everything may be relevent for your system. This -+ * shouldn't be a problem. 
-+ */ -+ -+// Filesystem/File descriptor related -+access // (*) -+chdir // (*) -+chmod -+chown -+chown32 -+close // (*) -+creat -+dup // (*) -+dup2 // (*) -+dup3 -+epoll_create -+epoll_create1 -+epoll_ctl -+epoll_ctl_old -+epoll_pwait -+epoll_wait -+epoll_wait_old -+eventfd -+eventfd2 -+faccessat // (*) -+fadvise64 -+fadvise64_64 -+fallocate -+fanotify_init -+fanotify_mark -+ioctl // (*) -+fchdir -+fchmod -+fchmodat -+fchown -+fchown32 -+fchownat -+fcntl // (*) -+fcntl64 -+fdatasync -+fgetxattr -+flistxattr -+flock -+fremovexattr -+fsetxattr -+fstat // (*) -+fstat64 -+fstatat64 -+fstatfs -+fstatfs64 -+fsync -+ftruncate -+ftruncate64 -+getcwd // (*) -+getdents // (*) -+getdents64 -+getxattr -+inotify_add_watch -+inotify_init -+inotify_init1 -+inotify_rm_watch -+io_cancel -+io_destroy -+io_getevents -+io_setup -+io_submit -+lchown -+lchown32 -+lgetxattr -+link -+linkat -+listxattr -+llistxattr -+llseek -+_llseek -+lremovexattr -+lseek // (*) -+lsetxattr -+lstat -+lstat64 -+mkdir -+mkdirat -+mknod -+mknodat -+newfstatat -+_newselect -+oldfstat -+oldlstat -+oldolduname -+oldstat -+olduname -+oldwait4 -+open // (*) -+openat // (*) -+pipe // (*) -+pipe2 -+poll -+ppoll -+pread64 -+preadv -+futimesat -+pselect6 -+pwrite64 -+pwritev -+read // (*) -+readahead -+readdir -+readlink -+readlinkat -+readv -+removexattr -+rename -+renameat -+rmdir -+select -+sendfile -+sendfile64 -+setxattr -+splice -+stat // (*) -+stat64 -+statfs // (*) -+statfs64 -+symlink -+symlinkat -+sync -+sync_file_range -+sync_file_range2 -+syncfs -+tee -+truncate -+truncate64 -+umask -+unlink -+unlinkat -+ustat -+utime -+utimensat -+utimes -+write // (*) -+writev -+ -+// Network related -+accept -+accept4 -+bind // (*) -+connect // (*) -+getpeername -+getsockname // (*) -+getsockopt -+listen -+recv -+recvfrom // (*) -+recvmmsg -+recvmsg -+send -+sendmmsg -+sendmsg -+sendto // (*) -+setsockopt -+shutdown -+socket // (*) -+socketcall -+socketpair -+ -+// Signal related -+pause -+rt_sigaction // (*) 
-+rt_sigpending -+rt_sigprocmask // (*) -+rt_sigqueueinfo -+rt_sigreturn // (*) -+rt_sigsuspend -+rt_sigtimedwait -+rt_tgsigqueueinfo -+sigaction -+sigaltstack // (*) -+signal -+signalfd -+signalfd4 -+sigpending -+sigprocmask -+sigreturn -+sigsuspend -+ -+// Other needed POSIX -+alarm -+brk // (*) -+clock_adjtime -+clock_getres -+clock_gettime -+clock_nanosleep -+//clock_settime -+gettimeofday -+nanosleep -+nice -+sysinfo -+syslog -+time -+timer_create -+timer_delete -+timerfd_create -+timerfd_gettime -+timerfd_settime -+timer_getoverrun -+timer_gettime -+timer_settime -+times -+uname // (*) -+ -+// Memory control -+madvise -+mbind -+mincore -+mlock -+mlockall -+mmap // (*) -+mmap2 -+mprotect // (*) -+mremap -+msync -+munlock -+munlockall -+munmap // (*) -+remap_file_pages -+set_mempolicy -+vmsplice -+ -+// Process control -+capget -+//capset -+clone // (*) -+execve // (*) -+exit // (*) -+exit_group // (*) -+fork -+getcpu -+getpgid -+getpgrp // (*) -+getpid // (*) -+getppid // (*) -+getpriority -+getresgid -+getresgid32 -+getresuid -+getresuid32 -+getrlimit // (*) -+getrusage -+getsid -+getuid // (*) -+getuid32 -+getegid // (*) -+getegid32 -+geteuid // (*) -+geteuid32 -+getgid // (*) -+getgid32 -+getgroups -+getgroups32 -+getitimer -+get_mempolicy -+kill -+//personality -+prctl -+prlimit64 -+sched_getaffinity -+sched_getparam -+sched_get_priority_max -+sched_get_priority_min -+sched_getscheduler -+sched_rr_get_interval -+//sched_setaffinity -+//sched_setparam -+//sched_setscheduler -+sched_yield -+setfsgid -+setfsgid32 -+setfsuid -+setfsuid32 -+setgid -+setgid32 -+setgroups -+setgroups32 -+setitimer -+setpgid // (*) -+setpriority -+setregid -+setregid32 -+setresgid -+setresgid32 -+setresuid -+setresuid32 -+setreuid -+setreuid32 -+setrlimit -+setsid -+setuid -+setuid32 -+ugetrlimit -+vfork -+wait4 // (*) -+waitid -+waitpid -+ -+// IPC -+ipc -+mq_getsetattr -+mq_notify -+mq_open -+mq_timedreceive -+mq_timedsend -+mq_unlink -+msgctl -+msgget -+msgrcv -+msgsnd -+semctl 
-+semget -+semop -+semtimedop -+shmat -+shmctl -+shmdt -+shmget -+ -+// Linux specific, mostly needed for thread-related stuff -+arch_prctl // (*) -+get_robust_list -+get_thread_area -+gettid -+futex // (*) -+restart_syscall // (*) -+set_robust_list // (*) -+set_thread_area -+set_tid_address // (*) -+tgkill -+tkill -+ -+// Admin syscalls, these are blocked -+//acct -+//adjtimex -+//bdflush -+//chroot -+//create_module -+//delete_module -+//get_kernel_syms // Obsolete -+//idle // Obsolete -+//init_module -+//ioperm -+//iopl -+//ioprio_get -+//ioprio_set -+//kexec_load -+//lookup_dcookie // oprofile only? -+//migrate_pages // NUMA -+//modify_ldt -+//mount -+//move_pages // NUMA -+//name_to_handle_at // NFS server -+//nfsservctl // NFS server -+//open_by_handle_at // NFS server -+//perf_event_open -+//pivot_root -+//process_vm_readv // For debugger -+//process_vm_writev // For debugger -+//ptrace // For debugger -+//query_module -+//quotactl -+//reboot -+//setdomainname -+//sethostname -+//setns -+//settimeofday -+//sgetmask // Obsolete -+//ssetmask // Obsolete -+//stime -+//swapoff -+//swapon -+//_sysctl -+//sysfs -+//sys_setaltroot -+//umount -+//umount2 -+//unshare -+//uselib -+//vhangup -+//vm86 -+//vm86old -+ -+// Kernel key management -+//add_key -+//keyctl -+//request_key -+ -+// Unimplemented -+//afs_syscall -+//break -+//ftime -+//getpmsg -+//gtty -+//lock -+//madvise1 -+//mpx -+//prof -+//profil -+//putpmsg -+//security -+//stty -+//tuxcall -+//ulimit -+//vserver -diff -uNr docker-0.7.0/CONTRIBUTING.md docker-0ff9bc1be3ae044107732c605986a0af20220134/CONTRIBUTING.md ---- docker-0.7.0/CONTRIBUTING.md 2013-11-26 02:09:45.000000000 -0600 -+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/CONTRIBUTING.md 2013-11-27 05:14:18.000000000 -0600 -@@ -64,7 +64,7 @@ - - Update the documentation when creating or modifying features. Test - your documentation changes for clarity, concision, and correctness, as --well as a clean docmuent build. 
See ``docs/README.md`` for more -+well as a clean documentation build. See ``docs/README.md`` for more - information on building the docs and how docs get released. - - Write clean code. Universally formatted code promotes ease of writing, reading, -diff -uNr docker-0.7.0/hack/CONTRIBUTORS.md docker-0ff9bc1be3ae044107732c605986a0af20220134/hack/CONTRIBUTORS.md ---- docker-0.7.0/hack/CONTRIBUTORS.md 2013-11-26 02:09:45.000000000 -0600 -+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/hack/CONTRIBUTORS.md 2013-11-27 05:14:18.000000000 -0600 -@@ -64,7 +64,7 @@ - - Update the documentation when creating or modifying features. Test - your documentation changes for clarity, concision, and correctness, as --well as a clean docmuent build. See ``docs/README.md`` for more -+well as a clean documentation build. See ``docs/README.md`` for more - information on building the docs and how docs get released. - - Write clean code. Universally formatted code promotes ease of writing, reading, -diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af20220134/network.go ---- docker-0.7.0/network.go 2013-11-26 02:09:45.000000000 -0600 -+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/network.go 2013-11-27 05:14:18.000000000 -0600 -@@ -167,30 +167,6 @@ +From 0ff9bc1be3ae044107732c605986a0af20220134 Mon Sep 17 00:00:00 2001 +From: Marek Goldmann marek.goldmann@gmail.com +Date: Wed, 27 Nov 2013 09:10:44 +0100 +Subject: [PATCH] Make sure the firewall rules are created even if the bridge + interface is already created + +--- + network.go | 58 ++++++++++++++++++++++++++++++++++------------------------ + 1 file changed, 34 insertions(+), 24 deletions(-) + +diff --git a/network.go b/network.go +index 1397de0..8cdbc0e 100644 +--- a/network.go ++++ b/network.go +@@ -167,30 +167,6 @@ func CreateBridgeIface(config *DaemonConfig) error { return fmt.Errorf("Unable to start network bridge: %s", err) }
@@ -585,7 +43,7 @@ diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af2022013 return nil }
-@@ -699,6 +675,40 @@ +@@ -699,6 +675,40 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
// Configure iptables for link support if config.EnableIptables {
@@ -626,21 +84,6 @@ diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af2022013 args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"} acceptArgs := append(args, "ACCEPT") dropArgs := append(args, "DROP")
-diff -uNr docker-0.7.0/runtime.go docker-0ff9bc1be3ae044107732c605986a0af20220134/runtime.go
---- docker-0.7.0/runtime.go 2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/runtime.go 2013-11-27 05:14:18.000000000 -0600
-@@ -159,7 +159,7 @@
- return err
- }
- if !strings.Contains(string(output), "RUNNING") {
-- utils.Debugf("Container %s was supposed to be running be is not.", container.ID)
-+ utils.Debugf("Container %s was supposed to be running but is not.", container.ID)
- if runtime.config.AutoRestart {
- utils.Debugf("Restarting")
- container.State.SetGhost(false)
-diff -uNr docker-0.7.0/VERSION docker-0ff9bc1be3ae044107732c605986a0af20220134/VERSION
---- docker-0.7.0/VERSION 2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/VERSION 2013-11-27 05:14:18.000000000 -0600
-@@ -1 +1 @@
--0.7.0
-+0.7.0-dev
+--
+1.8.4
+
diff --git a/docker-io.spec b/docker-io.spec
index ac2a022..f590ef8 100644
--- a/docker-io.spec
+++ b/docker-io.spec
@@ -14,7 +14,7 @@
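Review bot: The relocated iptables setup that the new `+@@ -699,6 +675,40 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {` header points at cannot be reviewed from this page — the 34 inserted lines are unchanged in the patch file and fall outside this hunk — so it is not possible to confirm here that rule insertion is idempotent. Per the patch Subject the rules are now applied on every daemon start, including when the bridge already exists; if the relocated code inserts unconditionally, each restart would add a duplicate FORWARD rule for the bridge, which makes the effective policy harder to audit and leaves stray rules behind when only one copy is later removed. Worth checking in the full patch that each rule is probed with `iptables -C` (or an equivalent existence check) before it is added with `-I`/`-A`. newNetworkManager begins and ends outside this hunk.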
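Review bot: `acceptArgs := append(args, "ACCEPT")` and `dropArgs := append(args, "DROP")` are context lines here rather than part of this commit, but they only yield two distinct rules because the `args` literal has no spare capacity; if `args` were ever built with `make` or extended, both appends would write into the same backing array and `acceptArgs` would silently become the DROP rule. Since this code now sits on the path run at every daemon start (per the patch Subject), a defensive copy is cheap: `acceptArgs := append(append([]string(nil), args...), "ACCEPT")` and `dropArgs := append(append([]string(nil), args...), "DROP")`. The enclosing function starts and ends outside this hunk.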
Name: docker-io Version: 0.7.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Automates deployment of containerized applications License: ASL 2.0
@@ -164,6 +164,9 @@ fi %dir %{_sharedstatedir}/docker
%changelog +* Thu Nov 28 2013 Lokesh Mandvekar lsm5@redhat.com - 0.7.0-8 +- iptables-fix patch corrected + * Thu Nov 28 2013 Lokesh Mandvekar lsm5@redhat.com - 0.7.0-7 - use upstream tarball and patch with mgoldman's commit