kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/hack/make/ubuntu
Eric Windisch 80d99236c1 Move AppArmor policy to contrib & deb packaging 
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.

- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-21 11:05:53 -04:00

198 lines
6.3 KiB
Bash
Raw Blame History

#!/bin/bash
PKGVERSION="${VERSION//-/'~'}"
# if we have a "-dev" suffix or have change in Git, let's make this package version more complex so it works better
if [[ "$VERSION" == *-dev ]] || [ -n "$(git status --porcelain)" ]; then
GIT_UNIX="$(git log -1 --pretty='%at')"
GIT_DATE="$(date --date "@$GIT_UNIX" +'%Y%m%d.%H%M%S')"
GIT_COMMIT="$(git log -1 --pretty='%h')"
GIT_VERSION="git${GIT_DATE}.0.${GIT_COMMIT}"
# GIT_VERSION is now something like 'git20150128.112847.0.17e840a'
PKGVERSION="$PKGVERSION~$GIT_VERSION"
fi
# $ dpkg --compare-versions 1.5.0 gt 1.5.0~rc1 && echo true || echo false
# true
# $ dpkg --compare-versions 1.5.0~rc1 gt 1.5.0~git20150128.112847.17e840a && echo true || echo false
# true
# $ dpkg --compare-versions 1.5.0~git20150128.112847.17e840a gt 1.5.0~dev~git20150128.112847.17e840a && echo true || echo false
# true
# ie, 1.5.0 > 1.5.0~rc1 > 1.5.0~git20150128.112847.17e840a > 1.5.0~dev~git20150128.112847.17e840a
PACKAGE_ARCHITECTURE="$(dpkg-architecture -qDEB_HOST_ARCH)"
PACKAGE_URL="https://www.docker.com/"
PACKAGE_MAINTAINER="support@docker.com"
PACKAGE_DESCRIPTION="Linux container runtime
Docker complements LXC with a high-level API which operates at the process
level. It runs unix processes with strong guarantees of isolation and
repeatability across servers.
Docker is a great building block for automating distributed systems:
large-scale web deployments, database clusters, continuous deployment systems,
private PaaS, service-oriented architectures, etc."
PACKAGE_LICENSE="Apache-2.0"
# Build docker as an ubuntu package using FPM and REPREPRO (sue me).
# bundle_binary must be called first.
bundle_ubuntu() {
DIR="$ABS_DEST/build"
# Include our udev rules
mkdir -p "$DIR/etc/udev/rules.d"
cp contrib/udev/80-docker.rules "$DIR/etc/udev/rules.d/"
# Include our init scripts
mkdir -p "$DIR/etc/init"
cp contrib/init/upstart/docker.conf "$DIR/etc/init/"
mkdir -p "$DIR/etc/init.d"
cp contrib/init/sysvinit-debian/docker "$DIR/etc/init.d/"
mkdir -p "$DIR/etc/default"
cp contrib/init/sysvinit-debian/docker.default "$DIR/etc/default/docker"
mkdir -p "$DIR/lib/systemd/system"
cp contrib/init/systemd/docker.{service,socket} "$DIR/lib/systemd/system/"
# Include contributed completions
mkdir -p "$DIR/etc/bash_completion.d"
cp contrib/completion/bash/docker "$DIR/etc/bash_completion.d/"
mkdir -p "$DIR/usr/share/zsh/vendor-completions"
cp contrib/completion/zsh/_docker "$DIR/usr/share/zsh/vendor-completions/"
mkdir -p "$DIR/etc/fish/completions"
cp contrib/completion/fish/docker.fish "$DIR/etc/fish/completions/"
# Include contributed man pages
man/md2man-all.sh -q
manRoot="$DIR/usr/share/man"
mkdir -p "$manRoot"
for manDir in man/man?; do
manBase="$(basename "$manDir")" # "man1"
for manFile in "$manDir"/*; do
manName="$(basename "$manFile")" # "docker-build.1"
mkdir -p "$manRoot/$manBase"
gzip -c "$manFile" > "$manRoot/$manBase/$manName.gz"
done
done
# Include contributed apparmor policy
mkdir -p "$DIR/etc/apparmor.d/"
cp contrib/apparmor/docker "$DIR/etc/apparmor.d/"
# Copy the binary
# This will fail if the binary bundle hasn't been built
mkdir -p "$DIR/usr/bin"
cp "$DEST/../binary/docker-$VERSION" "$DIR/usr/bin/docker"
# Generate postinst/prerm/postrm scripts
cat > "$DEST/postinst" <<'EOF'
#!/bin/sh
set -e
set -u
if [ "$1" = 'configure' ] && [ -z "$2" ]; then
if ! getent group docker > /dev/null; then
groupadd --system docker
fi
fi
if ( aa-status --enabled ); then
/sbin/apparmor_parser -r -W -T /etc/apparmor.d/docker
fi
if ! { [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; }; then
# we only need to do this if upstart isn't in charge
update-rc.d docker defaults > /dev/null || true
fi
if [ -n "$2" ]; then
_dh_action=restart
else
_dh_action=start
fi
service docker $_dh_action 2>/dev/null || true
#DEBHELPER#
EOF
cat > "$DEST/prerm" <<'EOF'
#!/bin/sh
set -e
set -u
service docker stop 2>/dev/null || true
#DEBHELPER#
EOF
cat > "$DEST/postrm" <<'EOF'
#!/bin/sh
set -e
set -u
if [ "$1" = "purge" ] ; then
update-rc.d docker remove > /dev/null || true
fi
# In case this system is running systemd, we make systemd reload the unit files
# to pick up changes.
if [ -d /run/systemd/system ] ; then
systemctl --system daemon-reload > /dev/null || true
fi
#DEBHELPER#
EOF
# TODO swaths of these were borrowed from debhelper's auto-inserted stuff, because we're still using fpm - we need to use debhelper instead, and somehow reconcile Ubuntu that way
chmod +x "$DEST/postinst" "$DEST/prerm" "$DEST/postrm"
(
# switch directories so we create *.deb in the right folder
cd "$DEST"
# create lxc-docker-VERSION package
fpm -s dir -C "$DIR" \
--name "lxc-docker-$VERSION" --version "$PKGVERSION" \
--after-install "$ABS_DEST/postinst" \
--before-remove "$ABS_DEST/prerm" \
--after-remove "$ABS_DEST/postrm" \
--architecture "$PACKAGE_ARCHITECTURE" \
--prefix / \
--depends iptables \
--deb-recommends aufs-tools \
--deb-recommends ca-certificates \
--deb-recommends git \
--deb-recommends xz-utils \
--deb-recommends 'cgroupfs-mount | cgroup-lite' \
--deb-suggests apparmor \
--description "$PACKAGE_DESCRIPTION" \
--maintainer "$PACKAGE_MAINTAINER" \
--conflicts docker \
--conflicts docker.io \
--conflicts lxc-docker-virtual-package \
--provides lxc-docker \
--provides lxc-docker-virtual-package \
--replaces lxc-docker \
--replaces lxc-docker-virtual-package \
--url "$PACKAGE_URL" \
--license "$PACKAGE_LICENSE" \
--config-files /etc/udev/rules.d/80-docker.rules \
--config-files /etc/init/docker.conf \
--config-files /etc/init.d/docker \
--config-files /etc/default/docker \
--deb-compression gz \
-t deb .
# TODO replace "Suggests: cgroup-lite" with "Recommends: cgroupfs-mount | cgroup-lite" once cgroupfs-mount is available
# create empty lxc-docker wrapper package
fpm -s empty \
--name lxc-docker --version "$PKGVERSION" \
--architecture "$PACKAGE_ARCHITECTURE" \
--depends lxc-docker-$VERSION \
--description "$PACKAGE_DESCRIPTION" \
--maintainer "$PACKAGE_MAINTAINER" \
--url "$PACKAGE_URL" \
--license "$PACKAGE_LICENSE" \
--deb-compression gz \
-t deb
)
# clean up after ourselves so we have a clean output directory
rm "$DEST/postinst" "$DEST/prerm" "$DEST/postrm"
rm -r "$DIR"
}
bundle_ubuntu
View git blame Copy permalink