[docker-io] add docker-selinux subpackage
Lokesh Mandvekar
lsm5 at fedoraproject.org
Fri Mar 20 14:09:22 UTC 2015
commit cb9bd360118860ede63cfffd80b1e52f1fbae747
Author: Lokesh Mandvekar <lsm5 at fedoraproject.org>
Date: Tue Mar 17 08:25:50 2015 -0500
add docker-selinux subpackage
- Add files to relabel when installing docker-selinux package
- Set minimal selinux-policy version
From: Lukas Vrabec <lvrabec at redhat.com>
- also, cosmetic changes
From: Lokesh Mandvekar <lsm5 at fedoraproject.org>
Signed-off-by: Lokesh Mandvekar <lsm5 at fedoraproject.org>
docker-io.spec | 193 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 141 insertions(+), 52 deletions(-)
---
diff --git a/docker-io.spec b/docker-io.spec
index 334e6a5..68931f2 100644
--- a/docker-io.spec
+++ b/docker-io.spec
@@ -3,54 +3,80 @@
# docker builds in a checksum of dockerinit into docker,
# so stripping the binaries breaks docker
-%global debug_package %{nil}
-%global provider github
-%global provider_tld com
-%global project docker
-%global repo %{project}
+%global debug_package %{nil}
+%global provider github
+%global provider_tld com
+%global project docker
+%global repo %{project}
-%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
-%global commit 5ebfacda4747fb0b2473841dff9b9b771b3bcb53
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
+# docker stuff (prefix with d_)
+%global d_commit 5ebfacda4747fb0b2473841dff9b9b771b3bcb53
+%global d_shortcommit %(c=%{d_commit}; echo ${c:0:7})
%global tar_import_path code.google.com/p/go/src/pkg/archive/tar
-Name: %{repo}-io
-Version: 1.5.0
-Release: 20.git%{shortcommit}%{?dist}
-Summary: Automates deployment of containerized applications
-License: ASL 2.0
-URL: http://www.docker.com
-ExclusiveArch: x86_64 %{arm}
-#Source0: https://%{import_path}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Source0: https://github.com/lsm5/docker/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-Source1: %{repo}.service
-Source2: %{repo}.sysconfig
-Source3: %{repo}-storage.sysconfig
-Source4: %{repo}-logrotate.sh
-Source5: README.%{repo}-logrotate
-Source6: %{repo}-network.sysconfig
-BuildRequires: glibc-static
-BuildRequires: golang >= 1.3.3
-BuildRequires: go-md2man
-BuildRequires: device-mapper-devel
-BuildRequires: btrfs-progs-devel
-BuildRequires: sqlite-devel
-BuildRequires: pkgconfig(systemd)
+# docker-selinux stuff (prefix with ds_ for version/release etc.)
+# Some bits borrowed from the openstack-selinux package
+%global ds_version 0
+%global ds_commit 4421e0d80866b4b03f6a16c5b6bfabdf4c8bfa7c
+%global ds_shortcommit %(c=%{ds_commit}; echo ${c:0:7})
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames %{repo}
+
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+# Relabel files
+%global relabel_files() \
+ /sbin/restorecon -R %{_bindir}/docker %{_localstatedir}/run/docker.sock %{_localstatedir}/run/docker.pid %{_sharedstatedir}/docker %{_sysconfdir}/docker %{_localstatedir}/log/docker %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_usr}/lib/systemd/system/docker.service /root/.docker &> /dev/null || : \
+
+
+# Version of SELinux we were using
+%global selinux_policyver 3.13.1-119
+
+Name: %{repo}-io
+Version: 1.5.0
+Release: 21.git%{d_shortcommit}%{?dist}
+Summary: Automates deployment of containerized applications
+License: ASL 2.0
+URL: http://www.docker.com
+ExclusiveArch: x86_64 %{arm}
+#Source0: https://%{import_path}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+Source0: https://github.com/lsm5/%{repo}/archive/%{d_commit}/%{repo}-%{d_shortcommit}.tar.gz
+Source1: %{repo}.service
+Source2: %{repo}.sysconfig
+Source3: %{repo}-storage.sysconfig
+Source4: %{repo}-logrotate.sh
+Source5: README.%{repo}-logrotate
+Source6: %{repo}-network.sysconfig
+Source7: https://github.com/wrabcak/%{repo}-selinux/archive/%{ds_commit}/%{repo}-selinux-%{ds_shortcommit}.tar.gz
+BuildRequires: glibc-static
+BuildRequires: golang >= 1.3.3
+BuildRequires: go-md2man
+BuildRequires: device-mapper-devel
+BuildRequires: btrfs-progs-devel
+BuildRequires: sqlite-devel
+BuildRequires: pkgconfig(systemd)
%if 0%{?fedora} >= 21
# Resolves: rhbz#1165615
-Requires: device-mapper-libs >= 1.02.90-1
+Requires: device-mapper-libs >= 1.02.90-1
%endif
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
%if 0%{?fedora} >= 23
-Requires: selinux-policy >= 3.13.1-114
+Requires: selinux-policy >= 3.13.1-114
%endif
# Resolves: rhbz#1045220
-Requires: xz
-Provides: lxc-docker = %{version}-%{release}
+Requires: xz
+Provides: lxc-%{repo} = %{version}-%{release}
+
+Requires: %{repo}-selinux >= %{ds_version}-%{release}
# permitted by https://fedorahosted.org/fpc/ticket/341#comment:7
# In F22, the whole package should be renamed to be just "docker" and
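Review bot: The new `Requires: %{repo}-selinux >= %{ds_version}-%{release}` is built from the main package's Release (`21.git%{d_shortcommit}%{?dist}`), while the selinux subpackage introduced by this commit carries `Release: 21.git%{ds_shortcommit}%{?dist}`, so the two strings embed different commit hashes and whether the requirement resolves depends on how rpmvercmp happens to order those hash strings rather than on the version the packager intends. Pinning the comparison to the subpackage's own NVR avoids that, e.g. `Requires: %{repo}-selinux >= %{ds_version}-21.git%{ds_shortcommit}%{?dist}`, or better, factor the release number into one macro both packages use. `%global selinux_policyver 3.13.1-119` is a hard-coded value that will silently lag the policy headers the module is actually compiled against in %build; a comment such as `# must match the selinux-policy the .pp was built against; bump on every ds_commit rebase` tells the next maintainer when to update it. The `relabel_files` macro discards all restorecon output with `&> /dev/null || :`, which hides relabel failures that would otherwise explain a mislabelled socket, pid file or unit at runtime; at minimum the `|| :` deserves a comment saying the swallow is deliberate.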
@@ -70,7 +96,7 @@ and tests on a laptop will run at scale, in production*, on VMs, bare-metal
servers, OpenStack clusters, public instances, or combinations of the above.
%package devel
-BuildRequires: golang >= 1.2.1-3
+BuildRequires: golang >= 1.2.1-3
Requires: golang >= 1.2.1-3
Provides: %{repo}-devel = %{version}-%{release}
Provides: %{name}-pkg-devel = %{version}-%{release}
@@ -173,51 +199,71 @@ Provides: golang(%{import_path}/graph) = %{version}-%{release}
This package provides the source libraries for docker.
%package fish-completion
-Summary: fish completion files for docker
-Requires: %{name} = %{version}-%{release}
-Requires: fish
-Provides: %{repo}-fish-completion = %{version}-%{release}
+Summary: fish completion files for docker
+Requires: %{name} = %{version}-%{release}
+Requires: fish
+Provides: %{repo}-fish-completion = %{version}-%{release}
%description fish-completion
This package installs %{summary}.
%package logrotate
-Summary: cron job to run logrotate on docker containers
-Requires: %{name} = %{version}-%{release}
-Provides: %{repo}-logrotate = %{version}-%{release}
+Summary: cron job to run logrotate on docker containers
+Requires: %{name} = %{version}-%{release}
+Provides: %{repo}-logrotate = %{version}-%{release}
%description logrotate
This package installs %{summary}. logrotate is assumed to be installed on
containers for this to work, failures are silently ignored.
+%package selinux
+Summary: SELinux policies for Docker
+Version: %{ds_version}
+Release: 21.git%{ds_shortcommit}%{?dist}
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires: %{repo} >= %{version}-%{release}
+Requires(post): selinux-policy-base >= %{selinux_policyver}
+Requires(post): selinux-policy-targeted >= %{selinux_policyver}
+Requires(post): policycoreutils
+Requires(post): policycoreutils-python
+Requires(post): libselinux-utils
+Provides: %{name}-selinux
+
+%description selinux
+SELinux policy modules for use with %{repo}.
+
%package vim
-Summary: vim syntax highlighting files for docker
-Requires: %{name} = %{version}-%{release}
-Requires: vim
-Provides: %{repo}-vim = %{version}-%{release}
+Summary: vim syntax highlighting files for docker
+Requires: %{name} = %{version}-%{release}
+Requires: vim
+Provides: %{repo}-vim = %{version}-%{release}
%description vim
This package installs %{summary}.
%package zsh-completion
-Summary: zsh completion files for docker
-Requires: %{name} = %{version}-%{release}
-Requires: zsh
-Provides: %{repo}-zsh-completion = %{version}-%{release}
+Summary: zsh completion files for docker
+Requires: %{name} = %{version}-%{release}
+Requires: zsh
+Provides: %{repo}-zsh-completion = %{version}-%{release}
%description zsh-completion
This package installs %{summary}.
%prep
-%setup -q -n %{repo}-%{commit}
+%setup -q -n %{repo}-%{d_commit}
cp %{SOURCE5} .
+# unpack docker-selinux
+tar zxf %{SOURCE7}
+
%build
# set up temporary build gopath, and put our directory there
mkdir -p ./_build/src/github.com/docker
ln -s $(pwd) ./_build/src/%{import_path}
-export DOCKER_GITCOMMIT="%{shortcommit}/%{version}"
+export DOCKER_GITCOMMIT="%{d_shortcommit}/%{version}"
export DOCKER_BUILDTAGS="selinux btrfs_noversion"
export GOPATH=$(pwd)/_build:$(pwd)/vendor:%{gopath}
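Review bot: `Requires: %{repo} >= %{version}-%{release}` in the new `%package selinux` block comes after the subpackage's own `Version: %{ds_version}` and `Release:` tags; if rpm redefines `%{version}`/`%{release}` when those tags are parsed (as it does for the main package), this expands to `docker >= 0-21.git…`, which any docker build satisfies, so the dependency would be meaningless — confirm with `rpm -qRp` on the built subpackage. It also names `docker` rather than `%{name}` (docker-io), which only resolves if the main package provides `docker`, and no such Provides is visible in this hunk. Since the main package already hard-requires the subpackage in the earlier hunk, the reverse dependency may be droppable, or it should be written against the main package's explicit NVR. `Provides: %{name}-selinux` is unversioned; `Provides: %{name}-selinux = %{ds_version}-%{release}` lets other packages pin it.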
@@ -226,6 +272,11 @@ docs/man/md2man-all.sh
cp contrib/syntax/vim/LICENSE LICENSE-vim-syntax
cp contrib/syntax/vim/README.md README-vim-syntax.md
+# build docker-selinux
+pushd %{repo}-selinux-%{ds_commit}
+make SHARE=%{_datadir} TARGETS=%{modulenames}
+popd
+
%install
# install binary
install -d %{buildroot}%{_bindir}
@@ -285,6 +336,16 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/docker
install -p -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/docker-network
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/docker-storage
+# install SELinux interfaces
+%_format INTERFACES $x.if
+install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{repo}-selinux-%{ds_commit}/$INTERFACES %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+
+# install policy modules
+%_format MODULES $x.pp.bz2
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 0644 %{repo}-selinux-%{ds_commit}/$MODULES %{buildroot}%{_datadir}/selinux/packages
+
# sources
install -d -p %{buildroot}%{gopath}/src/%{import_path}
rm -rf pkg/symlink/testdata
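Review bot: The two `install` calls added here differ for no visible reason: the interface install uses `-p -m 644` like the surrounding sysconfig lines, the module install uses `-m 0644` without `-p`. `install -p -m 644 %{repo}-selinux-%{ds_commit}/$MODULES %{buildroot}%{_datadir}/selinux/packages` keeps timestamps and the mode spelling consistent. `$INTERFACES` and `$MODULES` are deliberately unquoted so the `_format` expansion can yield several files; a comment stating that (`# unquoted on purpose: _format emits a space-separated list`) pre-empts a reader who would otherwise "fix" the quoting.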
@@ -296,6 +357,9 @@ cp -rpav vendor/src/%{tar_import_path}/* %{buildroot}%{gopath}/src/%{import_path
# remove dirs that won't be installed in devel
rm -rf vendor docs _build bundles contrib/init hack project
+# remove docker-selinux rpm spec file
+rm -rf %{repo}-selinux-%{ds_commit}/%{repo}-selinux.spec
+
# install sources to devel
for dir in */ ; do
cp -rpav $dir %{buildroot}/%{gopath}/src/%{import_path}/
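Review bot: Deleting only `%{repo}-selinux.spec` from the unpacked docker-selinux checkout leaves the rest of that tree in the build directory, and the `for dir in */` loop that follows copies every top-level directory into `%{buildroot}/%{gopath}/src/%{import_path}/`, so the policy sources and build outputs appear to land in the devel subpackage's Go source tree unless something outside this hunk excludes them. Removing the directory outright is not an option because `%files selinux` takes its `README.md` from it; skipping it in the loop is cleaner: `for dir in */ ; do` followed by `[ "$dir" = "%{repo}-selinux-%{ds_commit}/" ] && continue`. Separately, `rm -rf` on a single regular file would be `rm -f`. The %install section continues outside the hunk.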
@@ -322,12 +386,29 @@ exit 0
%post
%systemd_post docker
+%post selinux
+# Install all modules in a single transaction
+%_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -i $MODULES
+if %{_sbindir}/selinuxenabled ; then
+%{_sbindir}/load_policy
+%relabel_files
+
%preun
%systemd_preun docker
%postun
%systemd_postun_with_restart docker
+%postun selinux
+if [ $1 -eq 0 ]; then
+%{_sbindir}/semodule -n -r %{modulenames} &> /dev/null || :
+if %{_sbindir}/selinuxenabled ; then
+%{_sbindir}/load_policy
+%relabel_files
+fi
+fi
+
%files
%doc AUTHORS CHANGELOG.md CONTRIBUTING.md LICENSE MAINTAINERS NOTICE README.md
%doc LICENSE-vim-syntax README-vim-syntax.md
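Review bot: The `%post selinux` scriptlet opens `if %{_sbindir}/selinuxenabled ; then` but never closes it, so the body rpm hands to the shell ends inside an open `if`; the shell should reject it with a syntax error at install time, most likely after `semodule -n -i` has already loaded the module, leaving the policy loaded but never activated or relabelled. The `%postun selinux` block in the same hunk closes both of its `if`s, which is the shape this one needs: `%relabel_files` / `fi`. Once that is fixed, note that `semodule -n -s %{selinuxtype} -i $MODULES` fails the scriptlet loudly while the `%postun` counterpart is tolerated with `|| :`; the asymmetry is probably intended but deserves a one-line comment. `if [ $1 -eq 0 ]; then` in `%postun` would also benefit from the conventional `# $1 == 0: package erase, not upgrade` comment.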
@@ -357,6 +438,10 @@ exit 0
%doc README.%{repo}-logrotate
%{_sysconfdir}/cron.daily/%{repo}-logrotate
+%files selinux
+%doc %{repo}-selinux-%{ds_commit}/README.md
+%{_datadir}/selinux/*
+
%files vim
%{_datadir}/vim/vimfiles/doc/dockerfile.txt
%{_datadir}/vim/vimfiles/ftdetect/dockerfile.vim
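Review bot: `%{_datadir}/selinux/*` claims every entry under %{_datadir}/selinux, including the `packages` and `devel/include` directory trees that %install populates but that are normally owned by the selinux-policy packages this subpackage requires, so docker-selinux would co-own directories it does not control and the glob would also silently package anything a future change drops there. Listing what %install actually puts in place is tighter and matches the single module named by `%{modulenames}`: `%{_datadir}/selinux/packages/%{modulenames}.pp.bz2` and `%{_datadir}/selinux/devel/include/%{moduletype}/%{modulenames}.if`.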
@@ -366,6 +451,10 @@ exit 0
%{_datadir}/zsh/site-functions/_docker
%changelog
+* Fri Mar 20 2015 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.5.0-21.git5ebfacd
+- selinux specific rpm code from Lukas Vrabec <lvrabec at redhat.com>
+- use spaces instead of tabs
+
* Tue Mar 17 2015 Lokesh Mandvekar <lsm5 at fedoraproject.org> - 1.5.0-20.git5ebfacd
- built commit#5ebfacd