24.0.2

2025-02-23 03:42:48 +00:00 · 2024-04-10 20:04:25 +00:00 · 2024-04-10 20:04:25 +00:00 · 349ded351e
commit 349ded351e
parent e558fc0396
5 changed files with 273 additions and 164 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,5 +1,6 @@
 sources:
-  docker-20.10.1.tar.gz: 475dfcec26cb528894c91c43fba95ec4eb4b3bb6
-  docker-ce-19.03.13.tar.gz: 4e04a6b17d8f2baba981cb52d2a5d0bc4f63601d
-  libnetwork-master.zip: b2d123edfb2e93ca74980991f6e8a26d18ed831e
+  buildx-0.10.5.tar.gz: ebfb3eb86e2e7776d90930fa2eef0b22193cddf3
+  cli-24.0.2.tar.gz: a935389283acba305d94897dc64a55d1889f294d
+  libnetwork-master.tar.gz: 3d5fff39d764e56b927223527e3355c07a82939f
+  moby-24.0.2.tar.gz: af6b3c2af980f1643f48de8442560d444799df16
  tini-0.19.0.tar.gz: 2245210bdd29faea02e566a192df4c7df702b264
--- a/docker-zone.xml
+++ b/docker-zone.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>docker</short>
+  <description>All network connections are accepted.</description>
+  <interface name="docker0"/>
+</zone>
--- a/docker.spec
+++ b/docker.spec
@ -1,59 +1,82 @@
-%global __requires_exclude '.*/bin/make'
-
 # modifying the dockerinit binary breaks the SHA1 sum check by docker
-%global __os_install_post %{_usrlibrpm}/brp-compress

-%define debug_package %{nil}
+%global tini_version 0.19.0
+%global buildx_version 0.10.5

-%global commit 89658bed64c2a8fe05a978e5b87dbec409d57a0f
+%global project docker
+%global repo %{project}
+%global import_path github.com/%{project}/%{repo}
+
+#debuginfo not supported with Go
+%global gopath  %{_libdir}/golang
+%define gosrc %{gopath}/src/pkg/%{import_path}
+
+%global commit      659604f9ee60f147020bdd444b26e4b5c636dc28
 %global shortcommit %(c=%{commit}; echo ${c:0:7})

-%define tini_ver 0.19.0
-
 Summary:	Automates deployment of containerized applications
 Name:		docker
-Version:	20.10.1
-Release:	1
+Version:	24.0.2
+%global moby_version %{version}
+Release:	2
 License:	ASL 2.0
-Group:		System/Kernel and hardware
-URL:		http://www.docker.com
-# only x86_64 for now: https://github.com/docker/docker/issues/136
-#ExclusiveArch:	x86_64
-Source0:	https://github.com/docker/cli/archive/v%{version}/%{name}-%{version}.tar.gz
-Source1:	%{name}.service
-Source2:	%{name}.sysconfig
-Source3:	%{name}-storage.sysconfig
-Source6:	%{name}-network.sysconfig
-Source7:	%{name}.socket
-Source8:	%{name}-network-cleanup.sh
+Epoch:		1
+Group:		System/Configuration/Other
+URL:		https://www.docker.com
+Source0:	https://github.com/moby/moby/archive/v%{version}/moby-%{version}.tar.gz
+Source1:	%{repo}.service
+Source2:	%{repo}.sysconfig
+Source3:	%{repo}-storage.sysconfig
+Source4:	docker.sysusers
+Source6:	%{repo}-network.sysconfig
+Source7:	%{repo}.socket
+Source8:	%{repo}-network-cleanup.sh
 Source9:	overlay.conf
-#Source10:	https://github.com/docker/libnetwork/archive/master.zip?/libnetwork-master.zip
-Source11:	https://github.com/krallin/tini/archive/v%{tini_ver}.tar.gz?/tini-%{tini_ver}.tar.gz
-Source100:	%{name}.rpmlintrc
-BuildRequires:	cmake
-BuildRequires:	go-md2man
-BuildRequires:	golang
-BuildRequires:	systemd
-BuildRequires:	btrfs-devel
+# docker-proxy
+Source10:	https://github.com/%{project}/libnetwork/archive/master/libnetwork-master.tar.gz
+# tini
+Source11:	https://github.com/krallin/tini/archive/v%{tini_version}/tini-%{tini_version}.tar.gz
+# cli
+Source12:	https://github.com/docker/cli/archive/v%{version}/cli-%{version}.tar.gz
+# buildx
+Source13:	https://github.com/docker/buildx/archive/v%{buildx_version}/buildx-%{buildx_version}.tar.gz
+# (tpg) taken from https://gist.github.com/goll/bdd6b43c2023f82d15729e9b0067de60
+Source14:	nftables-docker.nft
+BuildRequires:	gcc
 BuildRequires:	glibc-devel
 BuildRequires:	glibc-static-devel
-BuildRequires:	libtool-devel
-BuildRequires:	pkgconfig(devmapper)
-BuildRequires:	pkgconfig(libseccomp)
+BuildRequires:	libltdl-devel
+# ensure build uses golang 1.4 or above
+BuildRequires:	golang >= 1.7
 BuildRequires:	pkgconfig(sqlite3)
+BuildRequires:	go-md2man
+BuildRequires:	pkgconfig(devmapper)
+BuildRequires:	btrfs-devel
 BuildRequires:	pkgconfig(systemd)
-Requires:	bridge-utils
-Requires:	%{name}-containerd
-Requires:	runc
+BuildRequires:	systemd
+BuildRequires:	libtool-devel
+BuildRequires:	pkgconfig(libseccomp)
+BuildRequires:	cmake
+Requires(pre):	systemd
+%systemd_requires
+# With docker >= 1.11 you now need containerd (and runC or crun as a dep)
+Requires:	containerd
+Requires:	crun
 # need xz to work with ubuntu images
 # https://bugzilla.redhat.com/show_bug.cgi?id=1045220
 Requires:	xz
-Requires(pre):	rpm-helper
-Requires(post,preun,postun):	systemd
+Requires:	bridge-utils
+Requires(post):	nftables
+Requires(postun):	sed
 # https://bugzilla.redhat.com/show_bug.cgi?id=1034919
 # No longer needed in Fedora because of libcontainer
-Provides:	lxc-%{name} = %{EVRD}
-Provides:	%{name}-swarm = %{EVRD}
+Provides:	lxc-docker = %{version}
+Provides:	docker-swarm = %{EVRD}
+# compat with Docker repos for RH
+Provides:	docker-ce = %{EVRD}
+#Recommends:	(%{name}-fish-completion if fish)
+#Recommends:	(%{name}-zsh-completion if zsh)
+#Recommends:	(%{name}-vim if vim)

 %description
 Docker is an open-source engine that automates the deployment of any
@ -65,188 +88,206 @@ and between virtually any server. The same container that a developer builds
 and tests on a laptop will run at scale, in production*, on VMs, bare-metal
 servers, OpenStack clusters, public instances, or combinations of the above.

-%files
-%doc CHANGELOG.md CONTRIBUTING.md README.md
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-network
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-storage
-%{_bindir}/%{name}
-%{_bindir}/%{name}-proxy
-%{_bindir}/%{name}-init
-%{_sbindir}/%{name}-network-cleanup
-%{_sbindir}/%{name}d
-%{_presetdir}/86-%{name}.preset
-%{_unitdir}/%{name}.service
-%{_unitdir}/%{name}.socket
-%{_sysconfdir}/bash_completion.d/%{name}.bash
-%dir %{_localstatedir}/lib/%{name}
-%{_udevrulesdir}/80-%{name}.rules
-%{_sysconfdir}/modules-load.d/overlay.conf
-
-%pre
-getent group %{name} > /dev/null || %{_sbindir}/groupadd -r %{name}
-exit 0
-
-%post
-%systemd_post %{name}
-
-%preun
-%systemd_preun %{name}
-
-%postun
-%systemd_postun_with_restart %{name}
-
-#------------------------------------------------------------------
-
 %package fish-completion
-Summary:	Fish completion files for Docker
-Group:		System/Kernel and hardware
-Requires:	%{name} = %{EVRD}
-Recommends:	fish
-Provides:	%{name}-io-fish-completion = %{EVRD}
+Summary:	fish completion files for Docker
+Requires:	%{repo} = %{EVRD}
+Provides:	%{repo}-io-fish-completion = %{EVRD}

 %description fish-completion
 This package installs %{summary}.

-%files fish-completion
-%doc README.md
-%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%package unit-test
+Summary:	%{summary} - for running unit tests

-#------------------------------------------------------------------
+%description unit-test
+%{summary} - for running unit tests.

 %package vim
-Summary:	Vim syntax highlighting files for Docker
-Group:		System/Kernel and hardware
-Requires:	%{name} = %{EVRD}
+Summary:	vim syntax highlighting files for Docker
+Requires:	%{repo} = %{EVRD}
 Requires:	vim
-Provides:	%{name}-io-vim = %{EVRD}
+Provides:	%{repo}-io-vim = %{EVRD}

 %description vim
 This package installs %{summary}.

-%files vim
-%doc README.md
-%{_datadir}/vim/vimfiles/ftdetect/%{name}file.vim
-%{_datadir}/vim/vimfiles/syntax/%{name}file.vim
-
-#------------------------------------------------------------------
-
 %package zsh-completion
-Summary:	Zsh completion files for Docker
-Group:		System/Kernel and hardware
-Requires:	%{name} = %{EVRD}
+Summary:	zsh completion files for Docker
+Requires:	%{repo} = %{EVRD}
 Requires:	zsh
-Provides:	%{name}-io-zsh-completion = %{EVRD}
+Provides:	%{repo}-io-zsh-completion = %{EVRD}

 %description zsh-completion
 This package installs %{summary}.

-%files zsh-completion
-%doc README.md
-%{_datadir}/zsh/site-functions/_%{name}
-
-#------------------------------------------------------------------
-
 %prep
-%setup -q -n %{name}-ce-%{version} -a10 -a11
-mv libnetwork-master libnetwork
-mv tini-* tini
+%setup -qn moby-%{version}
+tar xf %{SOURCE10}
+tar xf %{SOURCE11}
+mv tini-%{tini_version} tini
+tar xf %{SOURCE12}
+tar xf %{SOURCE13}
+mv buildx-%{buildx_version} buildx
+find . -name "*~" |xargs rm || :
+# Needs to be done after unpacking extra bits, given we may want
+# to patch tini -- so no %%autosetup
+#autopatch -p1
+%apply_patches

 %build
-# magic again
-fake_gopath_pushd() {
-	mkdir -p "$(pwd)/src/${2%/*}"
-	rm -f "$(pwd)/src/$2"
-	ln -rsT "$1" "$(pwd)/src/$2"
-	pushd "$(pwd)/src/$2" >/dev/null
-}
-
-fake_gopath_popd() {
-	popd >/dev/null
-}
-
+mkdir -p GO/src/github.com/{docker,krallin}
+ln -s $(pwd)/cli-%{version} GO/src/github.com/docker/cli
+ln -s $(pwd)/libnetwork-master GO/src/github.com/docker/libnetwork
+ln -s $(pwd)/tini GO/src/github.com/krallin/tini
+ln -s $(pwd) GO/src/github.com/docker/docker
 export DOCKER_GITCOMMIT="%{shortcommit}"
-mkdir -p src/github.com/%{name}
-export GOPATH=%{_libdir}/golang:$(pwd)
-# MAGIC HERE
-ln -s ../../../components/cli src/github.com/%{name}
-ln -s ../../../components/engine src/github.com/%{name}/%{name}
+export DOCKER_CLI_EXPERIMENTAL=enabled
+export TMP_GOPATH="$(pwd)/GO"
+export GOPATH=%{gopath}:"$(pwd)/GO"
+export GO111MODULE=off
+
+# docker-init
+cd tini
+    %cmake
+    %make_build tini-static
+cd ../..

 # dockerd
-pushd components/engine
-	DOCKER_BUILDTAGS='seccomp journald' VERSION=%{version} hack/make.sh dynbinary
-popd
+DOCKER_BUILDTAGS='selinux seccomp journald' VERSION=%{moby_version} hack/make.sh dynbinary

-# docker cli
-pushd components/cli
-	DISABLE_WARN_OUTSIDE_CONTAINER=1 make VERSION=%{version} dynbinary
-popd
+# docker-proxy
+cd libnetwork
+    go build -ldflags='-linkmode=external' github.com/docker/libnetwork/cmd/proxy
+cd ..

-### docker proxy
-fake_gopath_pushd libnetwork github.com/%{name}/libnetwork
-	go build -ldflags='-linkmode=external' github.com/%{name}/libnetwork/cmd/proxy
-fake_gopath_popd
+# cli
+cd cli-%{version}
+    DISABLE_WARN_OUTSIDE_CONTAINER=1 make VERSION=%{moby_version} LDFLAGS="-linkmode=external" dynbinary
+cd ..

-### docker-init
-fake_gopath_pushd tini github.com/krallin/tini
-	%cmake
-	%make tini-static
-fake_gopath_popd

 %install
 # install binaries
 install -d %{buildroot}%{_bindir}
-install -p -m 755 components/cli/build/%{name}-linux-* %{buildroot}%{_bindir}/%{name}
+install -p -m 755 cli-%{version}/build/docker-linux-* %{buildroot}%{_bindir}/docker
 install -d %{buildroot}%{_sbindir}
-install -p -m 755 components/engine/bundles/dynbinary-daemon/%{name}d-%{version} %{buildroot}%{_sbindir}/%{name}d
-install -p -m 755 libnetwork/proxy %{buildroot}%{_bindir}/%{name}-proxy
-install -p -m 755 tini/build/tini-static %{buildroot}%{_bindir}/%{name}-init
+install -p -m 755 bundles/dynbinary-daemon/dockerd %{buildroot}%{_sbindir}/dockerd
+install -p -m 755 libnetwork/proxy %{buildroot}%{_bindir}/docker-proxy
+install -p -m 755 tini/build/tini-static %{buildroot}%{_bindir}/docker-init

 # Place to store images
-install -d %{buildroot}%{_localstatedir}/lib/%{name}
+install -d %{buildroot}%{_var}/lib/docker
+
+install -d %{buildroot}%{_sysconfdir}/docker
+# (tpg) we are using nftables
+# (bero) but for reasons yet to be determined, that prevents containers
+# from having net access -- allow them to keep using iptables for now
+cat > %{buildroot}%{_sysconfdir}/docker/daemon.json << 'EOF'
+{
+  "iptables": true
+}
+EOF
+install -D -p -m 755 %{SOURCE14} %{buildroot}%{_sysconfdir}/nftables/%{name}.nft

 # install bash completion
 install -d %{buildroot}%{_sysconfdir}/bash_completion.d
-install -p -m 644 components/cli/contrib/completion/bash/%{name} %{buildroot}%{_sysconfdir}/bash_completion.d/%{name}.bash
+install -p -m 644 cli-%{version}/contrib/completion/bash/docker %{buildroot}%{_sysconfdir}/bash_completion.d/docker.bash
+
+# install zsh completion
+install -d %{buildroot}%{_datadir}/zsh/site-functions
+install -p -m 644 cli-%{version}/contrib/completion/zsh/_docker %{buildroot}%{_datadir}/zsh/site-functions

 # install fish completion
 # create, install and own /usr/share/fish/vendor_completions.d until
 # upstream fish provides it
 install -dp %{buildroot}%{_datadir}/fish/vendor_completions.d
-install -p -m 644 components/cli/contrib/completion/fish/%{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d
-
-# install vim syntax highlighting
-install -d %{buildroot}%{_datadir}/vim/vimfiles/{doc,ftdetect,syntax}
-install -p -m 644 components/engine/contrib/syntax/vim/ftdetect/%{name}file.vim %{buildroot}%{_datadir}/vim/vimfiles/ftdetect
-install -p -m 644 components/engine/contrib/syntax/vim/syntax/%{name}file.vim %{buildroot}%{_datadir}/vim/vimfiles/syntax
-
-# install zsh completion
-install -d %{buildroot}%{_datadir}/zsh/site-functions
-install -p -m 644 components/cli/contrib/completion/zsh/_%{name} %{buildroot}%{_datadir}/zsh/site-functions
+install -p -m 644 cli-%{version}/contrib/completion/fish/%{repo}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d

 # install udev rules
 install -d %{buildroot}%{_udevrulesdir}
-install -p -m 644 components/engine/contrib/udev/80-%{name}.rules %{buildroot}%{_udevrulesdir}
+install -p -m 644 contrib/udev/80-docker.rules %{buildroot}%{_udevrulesdir}
 # install storage dir
-install -d -m 700 %{buildroot}%{_localstatedir}/lib/%{name}
+install -d -m 700 %{buildroot}%{_var}/lib/docker
 # install systemd/init scripts
 install -d %{buildroot}%{_unitdir}
 install -p -m 644 %{SOURCE1} %{SOURCE7} %{buildroot}%{_unitdir}

 # for additional args
 install -d %{buildroot}%{_sysconfdir}/sysconfig/
-install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
-install -p -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-network
-install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-storage
+install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/%{repo}
+install -p -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/%{repo}-network
+install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{repo}-storage

 #network cleanup
 install -d %{buildroot}%{_sbindir}
-install -p -m 755 %{SOURCE8} %{buildroot}%{_sbindir}/%{name}-network-cleanup
+install -p -m 755 %{SOURCE8} %{buildroot}%{_sbindir}/docker-network-cleanup

 install -d %{buildroot}%{_presetdir}
-cat > %{buildroot}%{_presetdir}/86-%{name}.preset << EOF
-enable %{name}.socket
+cat > %{buildroot}%{_presetdir}/86-docker.preset << EOF
+enable docker.socket
 EOF

 install -d %{buildroot}%{_sysconfdir}/modules-load.d/
 install -p -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/modules-load.d/overlay.conf
+
+install -Dpm 644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+#%%check
+# This is completely unstable so I deactivate it for now.
+#[ ! -w /run/%{repo}.sock ] || {
+    #mkdir test_dir
+    #pushd test_dir
+    #git clone https://github.com/lsm5/docker.git -b fedora-1.10
+    #pushd %{repo}
+    #make test
+    #popd
+    #popd
+#}
+
+%pre
+%sysusers_create_package %{name} %{SOURCE4}
+
+%post
+%systemd_post docker
+if [ -e %{_sysconfdir}/sysconfig/nftables.conf ] && ! grep -q docker.nft %{_sysconfdir}/sysconfig/nftables.conf; then
+    printf '%s\n' 'include "/etc/nftables/docker.nft"' >> %{_sysconfdir}/sysconfig/nftables.conf
+fi
+
+%preun
+%systemd_preun docker
+
+%postun
+%systemd_postun_with_restart docker
+if [ $1 == 0 ] && [ -e %{_sysconfdir}/sysconfig/nftables.conf ]; then
+    sed -i -e '/docker\.nft/d' %{_sysconfdir}/sysconfig/nftables.conf
+fi
+
+%files
+%config(noreplace) %{_sysconfdir}/sysconfig/%{repo}
+%config(noreplace) %{_sysconfdir}/sysconfig/%{repo}-network
+%config(noreplace) %{_sysconfdir}/sysconfig/%{repo}-storage
+%{_sysusersdir}/%{name}.conf
+%dir %{_sysconfdir}/docker
+%config(noreplace) %{_sysconfdir}/docker/daemon.json
+%config(noreplace) %{_sysconfdir}/nftables/%{name}.nft
+%{_bindir}/docker
+%{_bindir}/docker-proxy
+%{_bindir}/docker-init
+%{_sbindir}/docker-network-cleanup
+%{_sbindir}/dockerd
+%{_presetdir}/86-docker.preset
+%{_unitdir}/docker.service
+%{_unitdir}/docker.socket
+%dir %{_sysconfdir}/bash_completion.d
+%{_sysconfdir}/bash_completion.d/docker.bash
+%dir %{_var}/lib/docker
+%dir %{_udevrulesdir}
+%{_udevrulesdir}/80-docker.rules
+%{_sysconfdir}/modules-load.d/overlay.conf
+
+%files fish-completion
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/%{repo}.fish
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_%{repo}
--- a/docker.sysusers
+++ b/docker.sysusers
@ -0,0 +1 @@
+g docker - -
--- a/nftables-docker.nft
+++ b/nftables-docker.nft
@ -0,0 +1,60 @@
+table ip filter {
+	chain INPUT {
+		type filter hook input priority 0; policy accept;
+	}
+
+	chain FORWARD {
+		type filter hook forward priority 0; policy accept;
+		counter jump DOCKER-USER
+		counter jump DOCKER-ISOLATION-STAGE-1
+		oifname "docker0" ct state established,related counter accept
+		oifname "docker0" counter jump DOCKER
+		iifname "docker0" oifname != "docker0" counter accept
+		iifname "docker0" oifname "docker0" counter accept
+	}
+
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+	}
+
+	chain DOCKER {
+	}
+
+	chain DOCKER-ISOLATION-STAGE-1 {
+		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
+		counter return
+	}
+
+	chain DOCKER-ISOLATION-STAGE-2 {
+		oifname "docker0" counter drop
+		counter return
+	}
+
+	chain DOCKER-USER {
+		counter return
+	}
+}
+table ip nat {
+	chain PREROUTING {
+		type nat hook prerouting priority -100; policy accept;
+		fib daddr type local counter jump DOCKER
+	}
+
+	chain INPUT {
+		type nat hook input priority 100; policy accept;
+	}
+
+	chain POSTROUTING {
+		type nat hook postrouting priority 100; policy accept;
+		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
+	}
+
+	chain OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+	}
+
+	chain DOCKER {
+		iifname "docker0" counter return
+	}
+}