[docker-io] 0.7.0 patched with commit 0ff9bc1
Lokesh Mandvekar
lsm5 at fedoraproject.org
Thu Nov 28 07:46:11 UTC 2013
commit 0a007fd25fb5956264ff8fd8716fbfb41f65a27c
Author: Lokesh Mandvekar <lsm5 at redhat.com>
Date: Thu Nov 28 01:45:21 2013 -0600
0.7.0 patched with commit 0ff9bc1
Signed-off-by: Lokesh Mandvekar <lsm5 at redhat.com>
new file: docker-0.7.0-iptables-fix.patch
modified: docker-io.spec
modified: sources
docker-0.7.0-iptables-fix.patch | 646 +++++++++++++++++++++++++++++++++++++++
docker-io.spec | 15 +-
sources | 2 +-
3 files changed, 657 insertions(+), 6 deletions(-)
---
diff --git a/docker-0.7.0-iptables-fix.patch b/docker-0.7.0-iptables-fix.patch
new file mode 100644
index 0000000..5d04a7e
--- /dev/null
+++ b/docker-0.7.0-iptables-fix.patch
@@ -0,0 +1,646 @@
+diff -uNr docker-0.7.0/contrib/mkseccomp.pl docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.pl
+--- docker-0.7.0/contrib/mkseccomp.pl 1969-12-31 18:00:00.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.pl 2013-11-27 05:14:18.000000000 -0600
+@@ -0,0 +1,77 @@
++#!/usr/bin/perl
++#
++# A simple helper script to help people build seccomp profiles for
++# Docker/LXC. The goal is mostly to reduce the attack surface to the
++# kernel, by restricting access to rarely used, recently added or not used
++# syscalls.
++#
++# This script processes one or more files which contain the list of system
++# calls to be allowed. See mkseccomp.sample for more information how you
++# can configure the list of syscalls. When run, this script produces output
++# which, when stored in a file, can be passed to docker as follows:
++#
++# docker run -lxc-conf="lxc.seccomp=$file" <rest of arguments>
++#
++# The included sample file shows how to cut about a quarter of all syscalls,
++# which affecting most applications.
++#
++# For specific situations it is possible to reduce the list further. By
++# reducing the list to just those syscalls required by a certain application
++# you can make it difficult for unknown/unexpected code to run.
++#
++# Run this script as follows:
++#
++# ./mkseccomp.pl < mkseccomp.sample >syscalls.list
++# or
++# ./mkseccomp.pl mkseccomp.sample >syscalls.list
++#
++# Multiple files can be specified, in which case the lists of syscalls are
++# combined.
++#
++# By Martijn van Oosterhout <kleptog at svana.org> Nov 2013
++
++# How it works:
++#
++# This program basically spawns two processes to form a chain like:
++#
++# <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>
++
++use strict;
++use warnings;
++
++if( -t ) {
++ print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";
++ print STDERR "Usage: mkseccomp.pl [files...]\n";
++ exit 1;
++}
++
++my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";
++
++if($pid == 0) { # Child
++ $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";
++
++ if($pid == 0) { # Child, which execs cpp
++ exec "cpp" or die "Couldn't exec cpp ($!)\n";
++ exit 1;
++ }
++
++ # Process the DATA section and output to cpp
++ print $out "#include <sys/syscall.h>\n";
++ while(<>) {
++ if(/^\w/) {
++ print $out "__NR_$_";
++ }
++ }
++ close $out;
++ exit 0;
++
++}
++
++# Print header and then process output from cpp.
++print "1\n";
++print "whitelist\n";
++
++while(<$in>) {
++ print if( /^[0-9]/ );
++}
++
+diff -uNr docker-0.7.0/contrib/mkseccomp.sample docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.sample
+--- docker-0.7.0/contrib/mkseccomp.sample 1969-12-31 18:00:00.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.sample 2013-11-27 05:14:18.000000000 -0600
+@@ -0,0 +1,444 @@
++/* This sample file is an example for mkseccomp.pl to produce a seccomp file
++ * which restricts syscalls that are only useful for an admin but allows the
++ * vast majority of normal userspace programs to run normally.
++ *
++ * The format of this file is one line per syscall. This is then processed
++ * and passed to 'cpp' to convert the names to numbers using whatever is
++ * correct for your platform. As such C-style comments are permitted. Note
++ * this also means that C preprocessor macros are also allowed. So it is
++ * possible to create groups surrounded by #ifdef/#endif and control their
++ * inclusion via #define (not #include).
++ *
++ * Syscalls that don't exist on your architecture are silently filtered out.
++ * Syscalls marked with (*) are required for a container to spawn a bash
++ * shell successfully (not necessarily full featured). Listing the same
++ * syscall multiple times is no problem.
++ *
++ * If you want to make a list specifically for one application the easiest
++ * way is to run the application under strace, like so:
++ *
++ * $ strace -f -q -c -o strace.out application args...
++ *
++ * Once you have a reasonable sample of the execution of the program, exit
++ * it. The file strace.out will have a summary of the syscalls used. Copy
++ * that list into this file, comment out everything else except the starred
++ * syscalls (which you need for the container to start) and you're done.
++ *
++ * To get the list of syscalls from the strace output this works well for
++ * me
++ *
++ * $ cut -c52 < strace.out
++ *
++ * This sample list was compiled as a combination of all the syscalls
++ * available on i386 and amd64 on Ubuntu Precise, as such it may not contain
++ * everything and not everything may be relevent for your system. This
++ * shouldn't be a problem.
++ */
++
++// Filesystem/File descriptor related
++access // (*)
++chdir // (*)
++chmod
++chown
++chown32
++close // (*)
++creat
++dup // (*)
++dup2 // (*)
++dup3
++epoll_create
++epoll_create1
++epoll_ctl
++epoll_ctl_old
++epoll_pwait
++epoll_wait
++epoll_wait_old
++eventfd
++eventfd2
++faccessat // (*)
++fadvise64
++fadvise64_64
++fallocate
++fanotify_init
++fanotify_mark
++ioctl // (*)
++fchdir
++fchmod
++fchmodat
++fchown
++fchown32
++fchownat
++fcntl // (*)
++fcntl64
++fdatasync
++fgetxattr
++flistxattr
++flock
++fremovexattr
++fsetxattr
++fstat // (*)
++fstat64
++fstatat64
++fstatfs
++fstatfs64
++fsync
++ftruncate
++ftruncate64
++getcwd // (*)
++getdents // (*)
++getdents64
++getxattr
++inotify_add_watch
++inotify_init
++inotify_init1
++inotify_rm_watch
++io_cancel
++io_destroy
++io_getevents
++io_setup
++io_submit
++lchown
++lchown32
++lgetxattr
++link
++linkat
++listxattr
++llistxattr
++llseek
++_llseek
++lremovexattr
++lseek // (*)
++lsetxattr
++lstat
++lstat64
++mkdir
++mkdirat
++mknod
++mknodat
++newfstatat
++_newselect
++oldfstat
++oldlstat
++oldolduname
++oldstat
++olduname
++oldwait4
++open // (*)
++openat // (*)
++pipe // (*)
++pipe2
++poll
++ppoll
++pread64
++preadv
++futimesat
++pselect6
++pwrite64
++pwritev
++read // (*)
++readahead
++readdir
++readlink
++readlinkat
++readv
++removexattr
++rename
++renameat
++rmdir
++select
++sendfile
++sendfile64
++setxattr
++splice
++stat // (*)
++stat64
++statfs // (*)
++statfs64
++symlink
++symlinkat
++sync
++sync_file_range
++sync_file_range2
++syncfs
++tee
++truncate
++truncate64
++umask
++unlink
++unlinkat
++ustat
++utime
++utimensat
++utimes
++write // (*)
++writev
++
++// Network related
++accept
++accept4
++bind // (*)
++connect // (*)
++getpeername
++getsockname // (*)
++getsockopt
++listen
++recv
++recvfrom // (*)
++recvmmsg
++recvmsg
++send
++sendmmsg
++sendmsg
++sendto // (*)
++setsockopt
++shutdown
++socket // (*)
++socketcall
++socketpair
++
++// Signal related
++pause
++rt_sigaction // (*)
++rt_sigpending
++rt_sigprocmask // (*)
++rt_sigqueueinfo
++rt_sigreturn // (*)
++rt_sigsuspend
++rt_sigtimedwait
++rt_tgsigqueueinfo
++sigaction
++sigaltstack // (*)
++signal
++signalfd
++signalfd4
++sigpending
++sigprocmask
++sigreturn
++sigsuspend
++
++// Other needed POSIX
++alarm
++brk // (*)
++clock_adjtime
++clock_getres
++clock_gettime
++clock_nanosleep
++//clock_settime
++gettimeofday
++nanosleep
++nice
++sysinfo
++syslog
++time
++timer_create
++timer_delete
++timerfd_create
++timerfd_gettime
++timerfd_settime
++timer_getoverrun
++timer_gettime
++timer_settime
++times
++uname // (*)
++
++// Memory control
++madvise
++mbind
++mincore
++mlock
++mlockall
++mmap // (*)
++mmap2
++mprotect // (*)
++mremap
++msync
++munlock
++munlockall
++munmap // (*)
++remap_file_pages
++set_mempolicy
++vmsplice
++
++// Process control
++capget
++//capset
++clone // (*)
++execve // (*)
++exit // (*)
++exit_group // (*)
++fork
++getcpu
++getpgid
++getpgrp // (*)
++getpid // (*)
++getppid // (*)
++getpriority
++getresgid
++getresgid32
++getresuid
++getresuid32
++getrlimit // (*)
++getrusage
++getsid
++getuid // (*)
++getuid32
++getegid // (*)
++getegid32
++geteuid // (*)
++geteuid32
++getgid // (*)
++getgid32
++getgroups
++getgroups32
++getitimer
++get_mempolicy
++kill
++//personality
++prctl
++prlimit64
++sched_getaffinity
++sched_getparam
++sched_get_priority_max
++sched_get_priority_min
++sched_getscheduler
++sched_rr_get_interval
++//sched_setaffinity
++//sched_setparam
++//sched_setscheduler
++sched_yield
++setfsgid
++setfsgid32
++setfsuid
++setfsuid32
++setgid
++setgid32
++setgroups
++setgroups32
++setitimer
++setpgid // (*)
++setpriority
++setregid
++setregid32
++setresgid
++setresgid32
++setresuid
++setresuid32
++setreuid
++setreuid32
++setrlimit
++setsid
++setuid
++setuid32
++ugetrlimit
++vfork
++wait4 // (*)
++waitid
++waitpid
++
++// IPC
++ipc
++mq_getsetattr
++mq_notify
++mq_open
++mq_timedreceive
++mq_timedsend
++mq_unlink
++msgctl
++msgget
++msgrcv
++msgsnd
++semctl
++semget
++semop
++semtimedop
++shmat
++shmctl
++shmdt
++shmget
++
++// Linux specific, mostly needed for thread-related stuff
++arch_prctl // (*)
++get_robust_list
++get_thread_area
++gettid
++futex // (*)
++restart_syscall // (*)
++set_robust_list // (*)
++set_thread_area
++set_tid_address // (*)
++tgkill
++tkill
++
++// Admin syscalls, these are blocked
++//acct
++//adjtimex
++//bdflush
++//chroot
++//create_module
++//delete_module
++//get_kernel_syms // Obsolete
++//idle // Obsolete
++//init_module
++//ioperm
++//iopl
++//ioprio_get
++//ioprio_set
++//kexec_load
++//lookup_dcookie // oprofile only?
++//migrate_pages // NUMA
++//modify_ldt
++//mount
++//move_pages // NUMA
++//name_to_handle_at // NFS server
++//nfsservctl // NFS server
++//open_by_handle_at // NFS server
++//perf_event_open
++//pivot_root
++//process_vm_readv // For debugger
++//process_vm_writev // For debugger
++//ptrace // For debugger
++//query_module
++//quotactl
++//reboot
++//setdomainname
++//sethostname
++//setns
++//settimeofday
++//sgetmask // Obsolete
++//ssetmask // Obsolete
++//stime
++//swapoff
++//swapon
++//_sysctl
++//sysfs
++//sys_setaltroot
++//umount
++//umount2
++//unshare
++//uselib
++//vhangup
++//vm86
++//vm86old
++
++// Kernel key management
++//add_key
++//keyctl
++//request_key
++
++// Unimplemented
++//afs_syscall
++//break
++//ftime
++//getpmsg
++//gtty
++//lock
++//madvise1
++//mpx
++//prof
++//profil
++//putpmsg
++//security
++//stty
++//tuxcall
++//ulimit
++//vserver
+diff -uNr docker-0.7.0/CONTRIBUTING.md docker-0ff9bc1be3ae044107732c605986a0af20220134/CONTRIBUTING.md
+--- docker-0.7.0/CONTRIBUTING.md 2013-11-26 02:09:45.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/CONTRIBUTING.md 2013-11-27 05:14:18.000000000 -0600
+@@ -64,7 +64,7 @@
+
+ Update the documentation when creating or modifying features. Test
+ your documentation changes for clarity, concision, and correctness, as
+-well as a clean docmuent build. See ``docs/README.md`` for more
++well as a clean documentation build. See ``docs/README.md`` for more
+ information on building the docs and how docs get released.
+
+ Write clean code. Universally formatted code promotes ease of writing, reading,
+diff -uNr docker-0.7.0/hack/CONTRIBUTORS.md docker-0ff9bc1be3ae044107732c605986a0af20220134/hack/CONTRIBUTORS.md
+--- docker-0.7.0/hack/CONTRIBUTORS.md 2013-11-26 02:09:45.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/hack/CONTRIBUTORS.md 2013-11-27 05:14:18.000000000 -0600
+@@ -64,7 +64,7 @@
+
+ Update the documentation when creating or modifying features. Test
+ your documentation changes for clarity, concision, and correctness, as
+-well as a clean docmuent build. See ``docs/README.md`` for more
++well as a clean documentation build. See ``docs/README.md`` for more
+ information on building the docs and how docs get released.
+
+ Write clean code. Universally formatted code promotes ease of writing, reading,
+diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af20220134/network.go
+--- docker-0.7.0/network.go 2013-11-26 02:09:45.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/network.go 2013-11-27 05:14:18.000000000 -0600
+@@ -167,30 +167,6 @@
+ return fmt.Errorf("Unable to start network bridge: %s", err)
+ }
+
+- if config.EnableIptables {
+- // Enable NAT
+- if output, err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr,
+- "!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
+- return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
+- } else if len(output) != 0 {
+- return fmt.Errorf("Error iptables postrouting: %s", output)
+- }
+-
+- // Accept incoming packets for existing connections
+- if output, err := iptables.Raw("-I", "FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"); err != nil {
+- return fmt.Errorf("Unable to allow incoming packets: %s", err)
+- } else if len(output) != 0 {
+- return fmt.Errorf("Error iptables allow incoming: %s", output)
+- }
+-
+- // Accept all non-intercontainer outgoing packets
+- if output, err := iptables.Raw("-I", "FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"); err != nil {
+- return fmt.Errorf("Unable to allow outgoing packets: %s", err)
+- } else if len(output) != 0 {
+- return fmt.Errorf("Error iptables allow outgoing: %s", output)
+- }
+-
+- }
+ return nil
+ }
+
+@@ -699,6 +675,40 @@
+
+ // Configure iptables for link support
+ if config.EnableIptables {
++
++ // Enable NAT
++ natArgs := []string{"POSTROUTING", "-t", "nat", "-s", addr.String(), "!", "-d", addr.String(), "-j", "MASQUERADE"}
++
++ if !iptables.Exists(natArgs...) {
++ if output, err := iptables.Raw(append([]string{"-A"}, natArgs...)...); err != nil {
++ return nil, fmt.Errorf("Unable to enable network bridge NAT: %s", err)
++ } else if len(output) != 0 {
++ return nil, fmt.Errorf("Error iptables postrouting: %s", output)
++ }
++ }
++
++ // Accept incoming packets for existing connections
++ existingArgs := []string{"FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
++
++ if !iptables.Exists(existingArgs...) {
++ if output, err := iptables.Raw(append([]string{"-I"}, existingArgs...)...); err != nil {
++ return nil, fmt.Errorf("Unable to allow incoming packets: %s", err)
++ } else if len(output) != 0 {
++ return nil, fmt.Errorf("Error iptables allow incoming: %s", output)
++ }
++ }
++
++ // Accept all non-intercontainer outgoing packets
++ outgoingArgs := []string{"FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"}
++
++ if !iptables.Exists(outgoingArgs...) {
++ if output, err := iptables.Raw(append([]string{"-I"}, outgoingArgs...)...); err != nil {
++ return nil, fmt.Errorf("Unable to allow outgoing packets: %s", err)
++ } else if len(output) != 0 {
++ return nil, fmt.Errorf("Error iptables allow outgoing: %s", output)
++ }
++ }
++
+ args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"}
+ acceptArgs := append(args, "ACCEPT")
+ dropArgs := append(args, "DROP")
+diff -uNr docker-0.7.0/runtime.go docker-0ff9bc1be3ae044107732c605986a0af20220134/runtime.go
+--- docker-0.7.0/runtime.go 2013-11-26 02:09:45.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/runtime.go 2013-11-27 05:14:18.000000000 -0600
+@@ -159,7 +159,7 @@
+ return err
+ }
+ if !strings.Contains(string(output), "RUNNING") {
+- utils.Debugf("Container %s was supposed to be running be is not.", container.ID)
++ utils.Debugf("Container %s was supposed to be running but is not.", container.ID)
+ if runtime.config.AutoRestart {
+ utils.Debugf("Restarting")
+ container.State.SetGhost(false)
+diff -uNr docker-0.7.0/VERSION docker-0ff9bc1be3ae044107732c605986a0af20220134/VERSION
+--- docker-0.7.0/VERSION 2013-11-26 02:09:45.000000000 -0600
++++ docker-0ff9bc1be3ae044107732c605986a0af20220134/VERSION 2013-11-27 05:14:18.000000000 -0600
+@@ -1 +1 @@
+-0.7.0
++0.7.0-dev
diff --git a/docker-io.spec b/docker-io.spec
index fdd331c..ac2a022 100644
--- a/docker-io.spec
+++ b/docker-io.spec
@@ -14,17 +14,18 @@
Name: docker-io
Version: 0.7.0
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: Automates deployment of containerized applications
License: ASL 2.0
Patch0: docker-0.7-remove-dotcloud-tar.patch
Patch1: docker-0.7-el6-docs.patch
Patch2: docker-rhel-brctl.patch
+Patch3: docker-0.7.0-iptables-fix.patch
URL: http://www.docker.io
# only x86_64 for now: https://github.com/dotcloud/docker/issues/136
ExclusiveArch: x86_64
-Source0: https://github.com/goldmann/docker/archive/%{commit}/docker-%{shortcommit}.tar.gz
+Source0: https://github.com/dotcloud/docker/archive/v%{version}.tar.gz
Source1: docker.service
# though final name for sysconf/sysvinit files is simply 'docker',
# having .sysvinit and .sysconfig makes things clear
@@ -69,12 +70,13 @@ and tests on a laptop will run at scale, in production*, on VMs, bare-metal
servers, OpenStack clusters, public instances, or combinations of the above.
%prep
-%setup -q -n docker-%{commit}
+%setup -q -n docker-%{version}
rm -rf vendor
%patch0 -p1 -b docker-0.7-remove-dotcloud-tar.patch
%if 0%{?rhel} >= 6
%patch1 -p1 -b docker-0.7-el6-docs.patch
%patch2 -p1 -b brctl
+%patch3 -p1 -b docker-0.7.0-iptables-fix.patch
%endif
%build
@@ -99,8 +101,8 @@ install -d %{buildroot}%{_mandir}/man1
install -d %{buildroot}%{_sysconfdir}/bash_completion.d
install -d %{buildroot}%{_datadir}/zsh/site-functions
install -d -m 700 %{buildroot}%{_sharedstatedir}/docker
-install -p -m 755 bundles/%{version}-dev/dynbinary/docker-%{version}-dev %{buildroot}%{_bindir}/docker
-install -p -m 755 bundles/%{version}-dev/dynbinary/dockerinit-%{version}-dev %{buildroot}%{_libexecdir}/docker/dockerinit
+install -p -m 755 bundles/%{version}/dynbinary/docker-%{version} %{buildroot}%{_bindir}/docker
+install -p -m 755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot}%{_libexecdir}/docker/dockerinit
install -p -m 644 docs/_build/man/docker.1 %{buildroot}%{_mandir}/man1
install -p -m 644 contrib/completion/bash/docker %{buildroot}%{_sysconfdir}/bash_completion.d/docker.bash
install -p -m 644 contrib/completion/zsh/_docker %{buildroot}%{_datadir}/zsh/site-functions
@@ -162,6 +164,9 @@ fi
%dir %{_sharedstatedir}/docker
%changelog
+* Thu Nov 28 2013 Lokesh Mandvekar <lsm5 at redhat.com> - 0.7.0-7
+- use upstream tarball and patch with mgoldman's commit
+
* Thu Nov 28 2013 Lokesh Mandvekar <lsm5 at redhat.com> - 0.7.0-6
- using mgoldman's shortcommit value 0ff9bc1 for package (BZ #1033606)
- https://github.com/dotcloud/docker/pull/2907
diff --git a/sources b/sources
index 5403ac7..b0fdf17 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-768bb70b1e7401a4119ee9dc5165d7e0 docker-0ff9bc1.tar.gz
+bc5e2aa1fbcd3ab8fac1a4f6a4613a16 v0.7.0.tar.gz
More information about the scm-commits
mailing list