[docker-io/f20] RHBZ#1109533 solution and install Dockerfile.5

Lokesh Mandvekar lsm5 at fedoraproject.org
Sat Jun 14 23:39:35 UTC 2014


commit 09b439ee13c265fe69c89a3249a3a52bc7feecbf
Author: Lokesh Mandvekar <lsm5 at fedoraproject.org>
Date:   Sat Jun 14 19:03:16 2014 -0400

    RHBZ#1109533 solution and install Dockerfile.5

 docker-io.spec           |   15 +++++++++-
 finalize-namespace.patch |   64 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 2 deletions(-)
---
diff --git a/docker-io.spec b/docker-io.spec
index 6003525..74d0b78 100644
--- a/docker-io.spec
+++ b/docker-io.spec
@@ -10,10 +10,11 @@
 
 Name:           docker-io
 Version:        1.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Automates deployment of containerized applications
 License:        ASL 2.0
 Patch1:         upstream-patched-archive-tar.patch
+Patch2:         finalize-namespace.patch
 URL:            http://www.docker.io
 # only x86_64 for now: https://github.com/dotcloud/docker/issues/136
 ExclusiveArch:  x86_64
@@ -35,7 +36,8 @@ BuildRequires:  golang(github.com/godbus/dbus)
 BuildRequires:  golang(github.com/coreos/go-systemd) >= 2-1
 BuildRequires:  golang(code.google.com/p/go.net/websocket)
 BuildRequires:  golang(code.google.com/p/gosqlite/sqlite3)
-BuildRequires:  golang(github.com/syndtr/gocapability/capability)
+# RHBZ#1109039 use syndtr/gocapability >= 0-0.7
+BuildRequires:  golang(github.com/syndtr/gocapability/capability) >= 0-0.7
 BuildRequires:  device-mapper-devel
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  pkgconfig(systemd)
@@ -64,6 +66,7 @@ servers, OpenStack clusters, public instances, or combinations of the above.
 %setup -q -n docker-%{version}
 rm -rf vendor
 %patch1 -p1 -b upstream-patched-archive-tar
+%patch2 -p1 -b finalize-namespace
 
 %build
 mkdir _build
@@ -92,6 +95,8 @@ install -p -m 755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot
 # install manpage
 install -d %{buildroot}%{_mandir}/man1
 install -p -m 644 contrib/man/man1/docker*.1 %{buildroot}%{_mandir}/man1
+install -d %{buildroot}%{_mandir}/man5
+install -p -m 644 contrib/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
 # install bash completion
 install -d %{buildroot}%{_sysconfdir}/bash_completion.d
 install -p -m 644 contrib/completion/bash/docker %{buildroot}%{_sysconfdir}/bash_completion.d/docker.bash
@@ -135,6 +140,7 @@ exit 0
 %doc AUTHORS CHANGELOG.md CONTRIBUTING.md FIXME LICENSE MAINTAINERS NOTICE README.md 
 %doc LICENSE-vim-syntax README-vim-syntax.md
 %{_mandir}/man1/docker*.1.gz
+%{_mandir}/man5/Dockerfile.5.gz
 %{_bindir}/docker
 %dir %{_libexecdir}/docker
 %{_libexecdir}/docker/dockerinit
@@ -155,6 +161,11 @@ exit 0
 %{_datadir}/vim/vimfiles/syntax/dockerfile.vim
 
 %changelog
+* Mon Jun 14 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.0.0-2
+- RHBZ#1109533 patch libcontainer for finalize namespace error
+- RHBZ#1109039 build with updated golang-github-syndtr-gocapability
+- install Dockerfile.5 manpage
+
 * Mon Jun 09 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.0.0-1
 - upstream version bump to v1.0.0
 
diff --git a/finalize-namespace.patch b/finalize-namespace.patch
new file mode 100644
index 0000000..5721c6b
--- /dev/null
+++ b/finalize-namespace.patch
@@ -0,0 +1,64 @@
+From 11d1fa3018f6c53e709870b0fce185dfddbe8c6f Mon Sep 17 00:00:00 2001
+From: Lokesh Mandvekar <lsm5 at redhat.com>
+Date: Sat, 14 Jun 2014 18:33:10 -0400
+Subject: [PATCH] RHBZ#1109039 finalize namespace error
+
+Link to original PR: https://github.com/docker/libcontainer/pull/17
+
+Sometimes I was getting:
+
+2014/06/13 13:47:24 finalize namespace drop bounding set read /proc/1/status: bad file descriptor
+
+This happens when applying the capabilities, and the code that
+reads the current caps opens /proc/1/status and then reads some data from it.
+But during this it gets a EBADFD error.
+
+The problem is that FinalizeNamespace() closes all FDs before applying
+the caps, and if a GC then happens after /proc/1/status is opened but
+before reading from the fd, then an old os.File finalizer may close the
+already closed-and-reused fd, wreaking havoc.
+
+We fix this by running the GC before closing all the FDs to avoid
+the risk of this happening to later os.File users, as well as
+moving the fd closing to the after setting the capabilities.
+
+Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl at redhat.com> (github: alexlarsson)
+---
+ pkg/libcontainer/namespaces/init.go | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/libcontainer/namespaces/init.go b/pkg/libcontainer/namespaces/init.go
+index b53c566..554daf7 100644
+--- a/pkg/libcontainer/namespaces/init.go
++++ b/pkg/libcontainer/namespaces/init.go
+@@ -185,10 +185,6 @@ func setupRoute(container *libcontainer.Container) error {
+ // and working dir, and closes any leaky file descriptors
+ // before execing the command inside the namespace
+ func FinalizeNamespace(container *libcontainer.Container) error {
+-	if err := system.CloseFdsFrom(3); err != nil {
+-		return fmt.Errorf("close open file descriptors %s", err)
+-	}
+-
+ 	// drop capabilities in bounding set before changing user
+ 	if err := capabilities.DropBoundingSet(container); err != nil {
+ 		return fmt.Errorf("drop bounding set %s", err)
+@@ -217,6 +213,16 @@ func FinalizeNamespace(container *libcontainer.Container) error {
+ 			return fmt.Errorf("chdir to %s %s", container.WorkingDir, err)
+ 		}
+ 	}
++
++	// Run the GC to ensure all outstanding os.File are finalized
++	// otherwise the below close could cause problems due to the
++	// GC causing an re-used fd to be closed.
++	runtime.GC()
++
++	if err := system.CloseFdsFrom(3); err != nil {
++		return fmt.Errorf("close open file descriptors %s", err)
++	}
++
+ 	return nil
+ }
+
+-- 
+1.9.3
+
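Review bot: The `runtime.GC()` call added ahead of `system.CloseFdsFrom(3)` in the embedded init.go patch narrows the finalizer race but does not close it. Go runs finalizers on a separate goroutine after a collection, so `runtime.GC()` can return while an `os.File` finalizer is still pending, and that finalizer can later close a descriptor number that has since been reused. Because this sits on the path that drops capabilities and removes leaked descriptors before exec, I would state the limit in the comment, for example `// Best effort: runtime.GC() does not wait for finalizers, so os.File values opened earlier should be closed explicitly.`, and treat explicit closes (or marking descriptors close-on-exec instead of closing them) as the durable fix. The cleanup now also runs after the user switch described in the function comment; `CloseFdsFrom` and the middle of `FinalizeNamespace` are not visible here, so it is worth confirming the helper needs neither privileges nor the original working directory. Separately, the patch Subject cites RHBZ#1109039 while the spec changelog files this fix under RHBZ#1109533.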

