[docker-io] iptables-fix.patch corrected

Lokesh Mandvekar lsm5 at fedoraproject.org
Thu Nov 28 08:15:45 UTC 2013


commit 0832c9e0a9facdfc3a353bb7811d4fd3f68e2b06
Author: Lokesh Mandvekar <lsm5 at redhat.com>
Date:   Thu Nov 28 02:15:31 2013 -0600

    iptables-fix.patch corrected
    
    Signed-off-by: Lokesh Mandvekar <lsm5 at redhat.com>

 docker-0.7.0-iptables-fix.patch |  595 ++-------------------------------------
 docker-io.spec                  |    5 +-
 2 files changed, 23 insertions(+), 577 deletions(-)
---
diff --git a/docker-0.7.0-iptables-fix.patch b/docker-0.7.0-iptables-fix.patch
index 5d04a7e..303cc08 100644
--- a/docker-0.7.0-iptables-fix.patch
+++ b/docker-0.7.0-iptables-fix.patch
@@ -1,560 +1,18 @@
-diff -uNr docker-0.7.0/contrib/mkseccomp.pl docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.pl
---- docker-0.7.0/contrib/mkseccomp.pl	1969-12-31 18:00:00.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.pl	2013-11-27 05:14:18.000000000 -0600
-@@ -0,0 +1,77 @@
-+#!/usr/bin/perl
-+#
-+# A simple helper script to help people build seccomp profiles for
-+# Docker/LXC.  The goal is mostly to reduce the attack surface to the
-+# kernel, by restricting access to rarely used, recently added or not used
-+# syscalls.
-+#
-+# This script processes one or more files which contain the list of system
-+# calls to be allowed.  See mkseccomp.sample for more information how you
-+# can configure the list of syscalls.  When run, this script produces output
-+# which, when stored in a file, can be passed to docker as follows:
-+#
-+# docker run -lxc-conf="lxc.seccomp=$file" <rest of arguments>
-+#
-+# The included sample file shows how to cut about a quarter of all syscalls,
-+# which affecting most applications.
-+#
-+# For specific situations it is possible to reduce the list further. By
-+# reducing the list to just those syscalls required by a certain application
-+# you can make it difficult for unknown/unexpected code to run.
-+#
-+# Run this script as follows:
-+#
-+# ./mkseccomp.pl < mkseccomp.sample >syscalls.list
-+# or
-+# ./mkseccomp.pl mkseccomp.sample >syscalls.list
-+#
-+# Multiple files can be specified, in which case the lists of syscalls are
-+# combined.
-+#
-+# By Martijn van Oosterhout <kleptog at svana.org> Nov 2013
-+
-+# How it works:
-+#
-+# This program basically spawns two processes to form a chain like:
-+#
-+# <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>
-+
-+use strict;
-+use warnings;
-+
-+if( -t ) {
-+    print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";
-+    print STDERR "Usage: mkseccomp.pl [files...]\n";
-+    exit 1;
-+}
-+
-+my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";
-+
-+if($pid == 0) {  # Child
-+    $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";
-+
-+    if($pid == 0) { # Child, which execs cpp
-+        exec "cpp" or die "Couldn't exec cpp ($!)\n";
-+        exit 1;
-+    }
-+
-+    # Process the DATA section and output to cpp
-+    print $out "#include <sys/syscall.h>\n";
-+    while(<>) {
-+        if(/^\w/) {
-+            print $out "__NR_$_";
-+        }
-+    }
-+    close $out;
-+    exit 0;
-+
-+}
-+
-+# Print header and then process output from cpp.
-+print "1\n";
-+print "whitelist\n";
-+
-+while(<$in>) {
-+    print if( /^[0-9]/ );
-+}
-+
-diff -uNr docker-0.7.0/contrib/mkseccomp.sample docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.sample
---- docker-0.7.0/contrib/mkseccomp.sample	1969-12-31 18:00:00.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/contrib/mkseccomp.sample	2013-11-27 05:14:18.000000000 -0600
-@@ -0,0 +1,444 @@
-+/* This sample file is an example for mkseccomp.pl to produce a seccomp file
-+ * which restricts syscalls that are only useful for an admin but allows the
-+ * vast majority of normal userspace programs to run normally.
-+ *
-+ * The format of this file is one line per syscall.  This is then processed
-+ * and passed to 'cpp' to convert the names to numbers using whatever is
-+ * correct for your platform.  As such C-style comments are permitted.  Note
-+ * this also means that C preprocessor macros are also allowed.  So it is
-+ * possible to create groups surrounded by #ifdef/#endif and control their
-+ * inclusion via #define (not #include).
-+ *
-+ * Syscalls that don't exist on your architecture are silently filtered out.
-+ * Syscalls marked with (*) are required for a container to spawn a bash
-+ * shell successfully (not necessarily full featured).  Listing the same
-+ * syscall multiple times is no problem.
-+ *
-+ * If you want to make a list specifically for one application the easiest
-+ * way is to run the application under strace, like so:
-+ *
-+ * $ strace -f -q -c -o strace.out application args...
-+ *
-+ * Once you have a reasonable sample of the execution of the program, exit
-+ * it.  The file strace.out will have a summary of the syscalls used.  Copy
-+ * that list into this file, comment out everything else except the starred
-+ * syscalls (which you need for the container to start) and you're done.
-+ *
-+ * To get the list of syscalls from the strace output this works well for
-+ * me
-+ *
-+ * $ cut -c52 < strace.out
-+ *
-+ * This sample list was compiled as a combination of all the syscalls
-+ * available on i386 and amd64 on Ubuntu Precise, as such it may not contain
-+ * everything and not everything may be relevent for your system.  This
-+ * shouldn't be a problem.
-+ */
-+
-+// Filesystem/File descriptor related
-+access                 // (*)
-+chdir                  // (*)
-+chmod
-+chown
-+chown32
-+close                  // (*)
-+creat
-+dup                    // (*)
-+dup2                   // (*)
-+dup3
-+epoll_create
-+epoll_create1
-+epoll_ctl
-+epoll_ctl_old
-+epoll_pwait
-+epoll_wait
-+epoll_wait_old
-+eventfd
-+eventfd2
-+faccessat              // (*)
-+fadvise64
-+fadvise64_64
-+fallocate
-+fanotify_init
-+fanotify_mark
-+ioctl                  // (*)
-+fchdir
-+fchmod
-+fchmodat
-+fchown
-+fchown32
-+fchownat
-+fcntl                  // (*)
-+fcntl64
-+fdatasync
-+fgetxattr
-+flistxattr
-+flock
-+fremovexattr
-+fsetxattr
-+fstat                  // (*)
-+fstat64
-+fstatat64
-+fstatfs
-+fstatfs64
-+fsync
-+ftruncate
-+ftruncate64
-+getcwd                 // (*)
-+getdents               // (*)
-+getdents64
-+getxattr
-+inotify_add_watch
-+inotify_init
-+inotify_init1
-+inotify_rm_watch
-+io_cancel
-+io_destroy
-+io_getevents
-+io_setup
-+io_submit
-+lchown
-+lchown32
-+lgetxattr
-+link
-+linkat
-+listxattr
-+llistxattr
-+llseek
-+_llseek
-+lremovexattr
-+lseek                  // (*)
-+lsetxattr
-+lstat
-+lstat64
-+mkdir
-+mkdirat
-+mknod
-+mknodat
-+newfstatat
-+_newselect
-+oldfstat
-+oldlstat
-+oldolduname
-+oldstat
-+olduname
-+oldwait4
-+open                   // (*)
-+openat                 // (*)
-+pipe                   // (*)
-+pipe2
-+poll
-+ppoll
-+pread64
-+preadv
-+futimesat
-+pselect6
-+pwrite64
-+pwritev
-+read                   // (*)
-+readahead
-+readdir
-+readlink
-+readlinkat
-+readv
-+removexattr
-+rename
-+renameat
-+rmdir
-+select
-+sendfile
-+sendfile64
-+setxattr
-+splice
-+stat                   // (*)
-+stat64
-+statfs                 // (*)
-+statfs64
-+symlink
-+symlinkat
-+sync
-+sync_file_range
-+sync_file_range2
-+syncfs
-+tee
-+truncate
-+truncate64
-+umask
-+unlink
-+unlinkat
-+ustat
-+utime
-+utimensat
-+utimes
-+write                  // (*)
-+writev
-+
-+// Network related
-+accept
-+accept4
-+bind                   // (*)
-+connect                // (*)
-+getpeername
-+getsockname            // (*)
-+getsockopt
-+listen
-+recv
-+recvfrom               // (*)
-+recvmmsg
-+recvmsg
-+send
-+sendmmsg
-+sendmsg
-+sendto                 // (*)
-+setsockopt
-+shutdown
-+socket                 // (*)
-+socketcall
-+socketpair
-+
-+// Signal related
-+pause
-+rt_sigaction           // (*)
-+rt_sigpending
-+rt_sigprocmask         // (*)
-+rt_sigqueueinfo
-+rt_sigreturn           // (*)
-+rt_sigsuspend
-+rt_sigtimedwait
-+rt_tgsigqueueinfo
-+sigaction
-+sigaltstack            // (*)
-+signal
-+signalfd
-+signalfd4
-+sigpending
-+sigprocmask
-+sigreturn
-+sigsuspend
-+
-+// Other needed POSIX
-+alarm
-+brk                    // (*)
-+clock_adjtime
-+clock_getres
-+clock_gettime
-+clock_nanosleep
-+//clock_settime
-+gettimeofday
-+nanosleep
-+nice
-+sysinfo
-+syslog
-+time
-+timer_create
-+timer_delete
-+timerfd_create
-+timerfd_gettime
-+timerfd_settime
-+timer_getoverrun
-+timer_gettime
-+timer_settime
-+times
-+uname                  // (*)
-+
-+// Memory control
-+madvise
-+mbind
-+mincore
-+mlock
-+mlockall
-+mmap                   // (*)
-+mmap2
-+mprotect               // (*)
-+mremap
-+msync
-+munlock
-+munlockall
-+munmap                 // (*)
-+remap_file_pages
-+set_mempolicy
-+vmsplice
-+
-+// Process control
-+capget
-+//capset
-+clone                  // (*)
-+execve                 // (*)
-+exit                   // (*)
-+exit_group             // (*)
-+fork
-+getcpu
-+getpgid
-+getpgrp                // (*)
-+getpid                 // (*)
-+getppid                // (*)
-+getpriority
-+getresgid
-+getresgid32
-+getresuid
-+getresuid32
-+getrlimit              // (*)
-+getrusage
-+getsid
-+getuid                 // (*)
-+getuid32
-+getegid                // (*)
-+getegid32
-+geteuid                // (*)
-+geteuid32
-+getgid                 // (*)
-+getgid32
-+getgroups
-+getgroups32
-+getitimer
-+get_mempolicy
-+kill
-+//personality
-+prctl
-+prlimit64
-+sched_getaffinity
-+sched_getparam
-+sched_get_priority_max
-+sched_get_priority_min
-+sched_getscheduler
-+sched_rr_get_interval
-+//sched_setaffinity
-+//sched_setparam
-+//sched_setscheduler
-+sched_yield
-+setfsgid
-+setfsgid32
-+setfsuid
-+setfsuid32
-+setgid
-+setgid32
-+setgroups
-+setgroups32
-+setitimer
-+setpgid                // (*)
-+setpriority
-+setregid
-+setregid32
-+setresgid
-+setresgid32
-+setresuid
-+setresuid32
-+setreuid
-+setreuid32
-+setrlimit
-+setsid
-+setuid
-+setuid32
-+ugetrlimit
-+vfork
-+wait4                  // (*)
-+waitid
-+waitpid
-+
-+// IPC
-+ipc
-+mq_getsetattr
-+mq_notify
-+mq_open
-+mq_timedreceive
-+mq_timedsend
-+mq_unlink
-+msgctl
-+msgget
-+msgrcv
-+msgsnd
-+semctl
-+semget
-+semop
-+semtimedop
-+shmat
-+shmctl
-+shmdt
-+shmget
-+
-+// Linux specific, mostly needed for thread-related stuff
-+arch_prctl             // (*)
-+get_robust_list
-+get_thread_area
-+gettid
-+futex                  // (*)
-+restart_syscall        // (*)
-+set_robust_list        // (*)
-+set_thread_area
-+set_tid_address        // (*)
-+tgkill
-+tkill
-+
-+// Admin syscalls, these are blocked
-+//acct
-+//adjtimex
-+//bdflush
-+//chroot
-+//create_module
-+//delete_module
-+//get_kernel_syms      // Obsolete
-+//idle                 // Obsolete
-+//init_module
-+//ioperm
-+//iopl
-+//ioprio_get
-+//ioprio_set
-+//kexec_load
-+//lookup_dcookie       // oprofile only?
-+//migrate_pages        // NUMA
-+//modify_ldt
-+//mount
-+//move_pages           // NUMA
-+//name_to_handle_at    // NFS server
-+//nfsservctl           // NFS server
-+//open_by_handle_at    // NFS server
-+//perf_event_open
-+//pivot_root
-+//process_vm_readv     // For debugger
-+//process_vm_writev    // For debugger
-+//ptrace               // For debugger
-+//query_module
-+//quotactl
-+//reboot
-+//setdomainname
-+//sethostname
-+//setns
-+//settimeofday
-+//sgetmask             // Obsolete
-+//ssetmask             // Obsolete
-+//stime
-+//swapoff
-+//swapon
-+//_sysctl
-+//sysfs
-+//sys_setaltroot
-+//umount
-+//umount2
-+//unshare
-+//uselib
-+//vhangup
-+//vm86
-+//vm86old
-+
-+// Kernel key management
-+//add_key
-+//keyctl
-+//request_key
-+
-+// Unimplemented
-+//afs_syscall
-+//break
-+//ftime
-+//getpmsg
-+//gtty
-+//lock
-+//madvise1
-+//mpx
-+//prof
-+//profil
-+//putpmsg
-+//security
-+//stty
-+//tuxcall
-+//ulimit
-+//vserver
-diff -uNr docker-0.7.0/CONTRIBUTING.md docker-0ff9bc1be3ae044107732c605986a0af20220134/CONTRIBUTING.md
---- docker-0.7.0/CONTRIBUTING.md	2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/CONTRIBUTING.md	2013-11-27 05:14:18.000000000 -0600
-@@ -64,7 +64,7 @@
- 
- Update the documentation when creating or modifying features. Test
- your documentation changes for clarity, concision, and correctness, as
--well as a clean docmuent build. See ``docs/README.md`` for more
-+well as a clean documentation build. See ``docs/README.md`` for more
- information on building the docs and how docs get released.
- 
- Write clean code. Universally formatted code promotes ease of writing, reading,
-diff -uNr docker-0.7.0/hack/CONTRIBUTORS.md docker-0ff9bc1be3ae044107732c605986a0af20220134/hack/CONTRIBUTORS.md
---- docker-0.7.0/hack/CONTRIBUTORS.md	2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/hack/CONTRIBUTORS.md	2013-11-27 05:14:18.000000000 -0600
-@@ -64,7 +64,7 @@
- 
- Update the documentation when creating or modifying features. Test
- your documentation changes for clarity, concision, and correctness, as
--well as a clean docmuent build. See ``docs/README.md`` for more
-+well as a clean documentation build. See ``docs/README.md`` for more
- information on building the docs and how docs get released.
- 
- Write clean code. Universally formatted code promotes ease of writing, reading,
-diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af20220134/network.go
---- docker-0.7.0/network.go	2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/network.go	2013-11-27 05:14:18.000000000 -0600
-@@ -167,30 +167,6 @@
+From 0ff9bc1be3ae044107732c605986a0af20220134 Mon Sep 17 00:00:00 2001
+From: Marek Goldmann <marek.goldmann at gmail.com>
+Date: Wed, 27 Nov 2013 09:10:44 +0100
+Subject: [PATCH] Make sure the firewall rules are created even if the bridge
+ interface is already created
+
+---
+ network.go | 58 ++++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 34 insertions(+), 24 deletions(-)
+
+diff --git a/network.go b/network.go
+index 1397de0..8cdbc0e 100644
+--- a/network.go
++++ b/network.go
+@@ -167,30 +167,6 @@ func CreateBridgeIface(config *DaemonConfig) error {
  		return fmt.Errorf("Unable to start network bridge: %s", err)
  	}
  
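Review bot: The regenerated patch now identifies its origin as upstream commit 0ff9bc1be3ae044107732c605986a0af20220134 (the `From` line at the top of the new header), but neither the spec hunks below nor the changelog record that provenance, so the next rebase cannot easily tell whether the fix is already in the tarball; add a comment above the `Patch` line that applies it (that line is not in this diff), e.g. `# upstream commit 0ff9bc1be3ae044107732c605986a0af20220134: create iptables rules even when the bridge already exists`. The header's diffstat of 34 insertions and 24 deletions agrees with the two hunk headers `@@ -167,30 +167,6 @@` and `@@ -699,6 +675,40 @@`, so the trimmed patch appears internally consistent. Dropping the unrelated seccomp helper, CONTRIBUTING and `VERSION` (`0.7.0-dev`) changes from the old snapshot diff is the intended narrowing; the `VERSION` change in particular should stay out since the spec declares Version 0.7.0. The network.go context lines at the end of the hunk belong to CreateBridgeIface, whose body continues outside the hunk.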
@@ -585,7 +43,7 @@ diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af2022013
  	return nil
  }
  
-@@ -699,6 +675,40 @@
+@@ -699,6 +675,40 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
  
  	// Configure iptables for link support
  	if config.EnableIptables {
@@ -626,21 +84,6 @@ diff -uNr docker-0.7.0/network.go docker-0ff9bc1be3ae044107732c605986a0af2022013
  		args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"}
  		acceptArgs := append(args, "ACCEPT")
  		dropArgs := append(args, "DROP")
-diff -uNr docker-0.7.0/runtime.go docker-0ff9bc1be3ae044107732c605986a0af20220134/runtime.go
---- docker-0.7.0/runtime.go	2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/runtime.go	2013-11-27 05:14:18.000000000 -0600
-@@ -159,7 +159,7 @@
- 			return err
- 		}
- 		if !strings.Contains(string(output), "RUNNING") {
--			utils.Debugf("Container %s was supposed to be running be is not.", container.ID)
-+			utils.Debugf("Container %s was supposed to be running but is not.", container.ID)
- 			if runtime.config.AutoRestart {
- 				utils.Debugf("Restarting")
- 				container.State.SetGhost(false)
-diff -uNr docker-0.7.0/VERSION docker-0ff9bc1be3ae044107732c605986a0af20220134/VERSION
---- docker-0.7.0/VERSION	2013-11-26 02:09:45.000000000 -0600
-+++ docker-0ff9bc1be3ae044107732c605986a0af20220134/VERSION	2013-11-27 05:14:18.000000000 -0600
-@@ -1 +1 @@
--0.7.0
-+0.7.0-dev
+-- 
+1.8.4
+
diff --git a/docker-io.spec b/docker-io.spec
index ac2a022..f590ef8 100644
--- a/docker-io.spec
+++ b/docker-io.spec
@@ -14,7 +14,7 @@
 
 Name:           docker-io
 Version:        0.7.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Automates deployment of containerized applications
 License:        ASL 2.0
 
@@ -164,6 +164,9 @@ fi
 %dir %{_sharedstatedir}/docker
 
 %changelog
+* Thu Nov 28 2013 Lokesh Mandvekar <lsm5 at redhat.com> - 0.7.0-8
+- iptables-fix patch corrected
+
 * Thu Nov 28 2013 Lokesh Mandvekar <lsm5 at redhat.com> - 0.7.0-7
 - use upstream tarball and patch with mgoldman's commit
 

