[docker-io/f19] RHBZ#1109533 solution and install Dockerfile.5
Lokesh Mandvekar
lsm5 at fedoraproject.org
Mon Jun 16 14:46:36 UTC 2014
commit 5a6cdeab970fc25df30b7414a7836a3f0ae1b3f8
Author: Lokesh Mandvekar <lsm5 at fedoraproject.org>
Date: Sat Jun 14 19:03:16 2014 -0400
RHBZ#1109533 solution and install Dockerfile.5
docker-io.spec | 15 +++++++++-
finalize-namespace.patch | 64 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 77 insertions(+), 2 deletions(-)
---
diff --git a/docker-io.spec b/docker-io.spec
index e2df187..f2e41f9 100644
--- a/docker-io.spec
+++ b/docker-io.spec
@@ -10,10 +10,11 @@
Name: docker-io
Version: 1.0.0
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Automates deployment of containerized applications
License: ASL 2.0
Patch1: upstream-patched-archive-tar.patch
+Patch2: finalize-namespace.patch
URL: http://www.docker.io
# only x86_64 for now: https://github.com/dotcloud/docker/issues/136
ExclusiveArch: x86_64
@@ -35,7 +36,8 @@ BuildRequires: golang(github.com/godbus/dbus)
BuildRequires: golang(github.com/coreos/go-systemd) >= 2-1
BuildRequires: golang(code.google.com/p/go.net/websocket)
BuildRequires: golang(code.google.com/p/gosqlite/sqlite3)
-BuildRequires: golang(github.com/syndtr/gocapability/capability)
+# RHBZ#1109039 use syndtr/gocapability >= 0-0.7
+BuildRequires: golang(github.com/syndtr/gocapability/capability) >= 0-0.7
BuildRequires: device-mapper-devel
BuildRequires: btrfs-progs-devel
BuildRequires: pkgconfig(systemd)
@@ -64,6 +66,7 @@ servers, OpenStack clusters, public instances, or combinations of the above.
%setup -q -n docker-%{version}
rm -rf vendor
%patch1 -p1 -b upstream-patched-archive-tar
+%patch2 -p1 -b finalize-namespace
%build
mkdir _build
@@ -92,6 +95,8 @@ install -p -m 755 bundles/%{version}/dynbinary/dockerinit-%{version} %{buildroot
# install manpage
install -d %{buildroot}%{_mandir}/man1
install -p -m 644 contrib/man/man1/docker*.1 %{buildroot}%{_mandir}/man1
+install -d %{buildroot}%{_mandir}/man5
+install -p -m 644 contrib/man/man5/Dockerfile.5 %{buildroot}%{_mandir}/man5
# install bash completion
install -d %{buildroot}%{_sysconfdir}/bash_completion.d
install -p -m 644 contrib/completion/bash/docker %{buildroot}%{_sysconfdir}/bash_completion.d/docker.bash
@@ -135,6 +140,7 @@ exit 0
%doc AUTHORS CHANGELOG.md CONTRIBUTING.md FIXME LICENSE MAINTAINERS NOTICE README.md
%doc LICENSE-vim-syntax README-vim-syntax.md
%{_mandir}/man1/docker*.1.gz
+%{_mandir}/man5/Dockerfile.5.gz
%{_bindir}/docker
%dir %{_libexecdir}/docker
%{_libexecdir}/docker/dockerinit
@@ -155,6 +161,11 @@ exit 0
%{_datadir}/vim/vimfiles/syntax/dockerfile.vim
%changelog
+* Mon Jun 14 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.0.0-2
+- RHBZ#1109533 patch libcontainer for finalize namespace error
+- RHBZ#1109039 build with updated golang-github-syndtr-gocapability
+- install Dockerfile.5 manpage
+
* Mon Jun 09 2014 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.0.0-1
- upstream version bump to v1.0.0
diff --git a/finalize-namespace.patch b/finalize-namespace.patch
new file mode 100644
index 0000000..5721c6b
--- /dev/null
+++ b/finalize-namespace.patch
@@ -0,0 +1,64 @@
+From 11d1fa3018f6c53e709870b0fce185dfddbe8c6f Mon Sep 17 00:00:00 2001
+From: Lokesh Mandvekar <lsm5 at redhat.com>
+Date: Sat, 14 Jun 2014 18:33:10 -0400
+Subject: [PATCH] RHBZ#1109039 finalize namespace error
+
+Link to original PR: https://github.com/docker/libcontainer/pull/17
+
+Sometimes I was getting:
+
+2014/06/13 13:47:24 finalize namespace drop bounding set read /proc/1/status: bad file descriptor
+
+This happens when applying the capabilities, and the code that
+reads the current caps opens /proc/1/status and then reads some data from it.
+But during this it gets a EBADFD error.
+
+The problem is that FinalizeNamespace() closes all FDs before applying
+the caps, and if a GC then happens after /proc/1/status is opened but
+before reading from the fd, then an old os.File finalizer may close the
+already closed-and-reused fd, wreaking havoc.
+
+We fix this by running the GC before closing all the FDs to avoid
+the risk of this happening to later os.File users, as well as
+moving the fd closing to the after setting the capabilities.
+
+Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl at redhat.com> (github: alexlarsson)
+---
+ pkg/libcontainer/namespaces/init.go | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/libcontainer/namespaces/init.go b/pkg/libcontainer/namespaces/init.go
+index b53c566..554daf7 100644
+--- a/pkg/libcontainer/namespaces/init.go
++++ b/pkg/libcontainer/namespaces/init.go
+@@ -185,10 +185,6 @@ func setupRoute(container *libcontainer.Container) error {
+ // and working dir, and closes any leaky file descriptors
+ // before execing the command inside the namespace
+ func FinalizeNamespace(container *libcontainer.Container) error {
+- if err := system.CloseFdsFrom(3); err != nil {
+- return fmt.Errorf("close open file descriptors %s", err)
+- }
+-
+ // drop capabilities in bounding set before changing user
+ if err := capabilities.DropBoundingSet(container); err != nil {
+ return fmt.Errorf("drop bounding set %s", err)
+@@ -217,6 +213,16 @@ func FinalizeNamespace(container *libcontainer.Container) error {
+ return fmt.Errorf("chdir to %s %s", container.WorkingDir, err)
+ }
+ }
++
++ // Run the GC to ensure all outstanding os.File are finalized
++ // otherwise the below close could cause problems due to the
++ // GC causing an re-used fd to be closed.
++ runtime.GC()
++
++ if err := system.CloseFdsFrom(3); err != nil {
++ return fmt.Errorf("close open file descriptors %s", err)
++ }
++
+ return nil
+ }
+
+--
+1.9.3
+
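Review bot: In the second hunk of the embedded init.go patch, `runtime.GC()` is relied on to flush outstanding os.File finalizers before `system.CloseFdsFrom(3)`, but a collection only queues finalizers. They run later on a separate goroutine, so one can still fire after the close and hit a descriptor number that has since been reused. That is harmless only while nothing opens a file between this point and the exec, which lies outside the hunk, so the comment should state the invariant, e.g. `// must stay the last step before exec: a finalizer still pending after runtime.GC() may close any fd opened later`. A firmer fix would be for the earlier setup code to close its os.File handles explicitly instead of leaving them to finalizers; that code is not visible here. Separately, the patch Subject cites RHBZ#1109039 while the commit title and the spec changelog attribute this fix to RHBZ#1109533.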