Merge ~lucaskanashiro/ubuntu/+source/docker.io:sru-docker-bionic into ubuntu/+source/docker.io:ubuntu/bionic-devel

Proposed by Lucas Kanashiro
Status: Merged
Approved by: Lucas Kanashiro
Approved revision: 82c92cb2f8696ee4b9f2fe4e4e064e46c6c5cd82
Merged at revision: 82c92cb2f8696ee4b9f2fe4e4e064e46c6c5cd82
Proposed branch: ~lucaskanashiro/ubuntu/+source/docker.io:sru-docker-bionic
Merge into: ubuntu/+source/docker.io:ubuntu/bionic-devel
Diff against target: 132 lines (+90/-1)
5 files modified
debian/changelog (+16/-0)
debian/control (+1/-1)
debian/patches/do-not-bind-docker-to-containerd.patch (+64/-0)
debian/patches/series (+1/-0)
debian/rules (+8/-0)
Reviewer Review Type Date Requested Status
Sergio Durigan Junior (community) Approve
Canonical Server Pending
Review via email: mp+395169@code.launchpad.net

Description of the change

Backport the fix for the upgrade issue that makes the docker daemon stop, which also stops all running containers.

PPA with the proposed package:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/containerd-upgrade-issue/+packages

DEP-8 tests are passing:

autopkgtest [17:34:03]: @@@@@@@@@@@@@@@@@@@@ summary
basic-smoke PASS
docker-in-lxd PASS

Sergio Durigan Junior (sergiodj) wrote :

LGTM.

I tried searching to see if there's a bug opened about the libbtrfs-dev, but couldn't find anything.

review: Approve
Lucas Kanashiro (lucaskanashiro) wrote :

Uploaded:

$ git push pkg upload/19.03.6-0ubuntu1_18.04.3
Enumerating objects: 26, done.
Counting objects: 100% (26/26), done.
Delta compression using up to 32 threads
Compressing objects: 100% (19/19), done.
Writing objects: 100% (19/19), 4.01 KiB | 1.34 MiB/s, done.
Total 19 (delta 11), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/docker.io
 * [new tag] upload/19.03.6-0ubuntu1_18.04.3 -> upload/19.03.6-0ubuntu1_18.04.3
$ dput ubuntu ../docker.io_19.03.6-0ubuntu1~18.04.3_source.changes
Checking signature on .changes
gpg: ../docker.io_19.03.6-0ubuntu1~18.04.3_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../docker.io_19.03.6-0ubuntu1~18.04.3.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading docker.io_19.03.6-0ubuntu1~18.04.3.dsc: done.
  Uploading docker.io_19.03.6-0ubuntu1~18.04.3.debian.tar.xz: done.
  Uploading docker.io_19.03.6-0ubuntu1~18.04.3_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 3207706..e3d2a97 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,19 @@
6+docker.io (19.03.6-0ubuntu1~18.04.3) bionic; urgency=medium
7+
8+ [ Bryce Harrington ]
9+ * d/p/do_not_bind_docker_to_containerd.patch: Update docker.io to not
10+ stop when containerd is upgraded, by using Wants= rather than BindTo=.
11+ (LP: #1870514)
12+ * d/rules: Fix docker.io to not restart its service during package
13+ upgrades, to prevent service downtime from automatic updates via
14+ unattended-upgrade.
15+ (LP: #1906364)
16+
17+ [ Lucas Kanashiro ]
18+ * Do not build depend on libbtrfs-dev, it is not available in Bionic.
19+
20+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 10 Dec 2020 10:23:49 -0300
21+
22 docker.io (19.03.6-0ubuntu1~18.04.2) bionic-security; urgency=medium
23
24 * SECURITY UPDATE: Sensitive information disclosure
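Review bot: the changelog entry names the patch d/p/do_not_bind_docker_to_containerd.patch, but the file added by this diff is debian/patches/do-not-bind-docker-to-containerd.patch (hyphens, matching the series entry), and it says "BindTo=" where the directive the patch actually removes is "BindsTo=". Both are worth correcting so that someone tracing LP: #1870514 back from the package can find the patch by name and grep the unit file for the right directive.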
25diff --git a/debian/control b/debian/control
26index 14c81fb..d744b3c 100644
27--- a/debian/control
28+++ b/debian/control
29@@ -16,7 +16,7 @@ Build-Depends: bash-completion,
30 git,
31 golang-any,
32 libapparmor-dev,
33- libbtrfs-dev | btrfs-progs (<< 4.16.1~),
34+ btrfs-progs (<< 4.16.1~),
35 libdevmapper-dev (>= 2:1.02.68~),
36 libltdl-dev,
37 libseccomp-dev,
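Review bot: dropping the libbtrfs-dev alternative leaves only btrfs-progs (<< 4.16.1~), which is what ships the btrfs headers before the libbtrfs-dev split, so the build dependency is satisfiable on Bionic; the versioned cap is also what makes this a bionic-only delta, so the alternative must be restored whenever this packaging is merged forward. A short note in the changelog entry saying this line is Bionic-specific would save the next uploader a build failure on a newer series.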
38diff --git a/debian/patches/do-not-bind-docker-to-containerd.patch b/debian/patches/do-not-bind-docker-to-containerd.patch
39new file mode 100644
40index 0000000..d2202cc
41--- /dev/null
42+++ b/debian/patches/do-not-bind-docker-to-containerd.patch
43@@ -0,0 +1,64 @@
44+From 22f15d4137cb5d090f13fc5d9093dc3085dce67b Mon Sep 17 00:00:00 2001
45+From: =?UTF-8?q?Micha=C5=82=20Kosek?= <mihao@users.noreply.github.com>
46+Date: Tue, 9 Jul 2019 15:34:13 +0200
47+Subject: [PATCH] Do not "Bind" docker "To" containerd.
48+
49+relates to https://github.com/docker/for-linux/issues/678
50+
51+When using the BindTo directive, Docker is permanently stopped by systemd
52+when containerd is temporarily killed and restarted;
53+
54+Using `Requires` achieves mostly the same, but defines a weaker dependency;
55+
56+https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=
57+
58+> Requires=
59+>
60+> .. If this unit gets activated, the units listed will be activated as well.
61+> If one of the other units fails to activate, and an ordering dependency
62+> After= on the failing unit is set, this unit will not be started. Besides,
63+> with or without specifying After=, this unit will be stopped if one of the
64+> other units is explicitly stopped.
65+
66+We may want to look into using `Wants=` instead of `Requires=`, because
67+that allows docker to continue running if containerd is restarted, quoting
68+the systemd documentation:
69+
70+> Often, it is a better choice to use Wants= instead of Requires= in order
71+> to achieve a system that is more robust when dealing with failing services.
72+
73+Given that docker will likely still fail if the containerd socket is not
74+present, startup will fail if containerd is not running, but if containerd
75+is restarted, the docker daemon may be able to try reconnecting.
76+
77+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
78+---
79+ systemd/docker.service | 3 +--
80+ 1 file changed, 1 insertion(+), 2 deletions(-)
81+
82+Origin: upstream, https://github.com/docker/docker-ce-packaging/pull/508
83+Bug: https://github.com/docker/for-linux/issues/678
84+Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1870514
85+Reviewed-By: Bryce Harrington <bryce@canonical.com>
86+Description: This is a backport of upstream's patch, with the path to
87+ the docker.service modified and using Wants= rather than Requires=, for
88+ reasons outlined above (Requires= did not work). The After= target
89+ also differs from upstream (we don't carry commit 36bb01538.)
90+Last-Updated: 2020-12-02
91+
92+diff --git a/systemd/docker.service b/systemd/docker.service
93+index 9c1d9e6d37..0a6a3064a4 100644
94+--- a/components/packaging/systemd/docker.service
95++++ b/components/packaging/systemd/docker.service
96+@@ -1,10 +1,10 @@
97+ [Unit]
98+ Description=Docker Application Container Engine
99+ Documentation=https://docs.docker.com
100+-BindsTo=containerd.service
101+ After=network-online.target firewalld.service containerd.service
102+ Wants=network-online.target
103+ Requires=docker.socket
104++Wants=containerd.service
105+
106+ [Service]
107+ Type=notify
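Review bot: the embedded diff header reads `diff --git a/systemd/docker.service b/systemd/docker.service` while the `---`/`+++` lines point at components/packaging/systemd/docker.service; quilt applies by the `---`/`+++` paths so the patch works, but the stale header line and the upstream `index` blob ids should be updated to match the backported path to avoid confusing future refreshes. On the substance, replacing BindsTo= with Wants= stops systemd from tearing down docker.service when containerd.service is restarted, which addresses the availability problem in the bug, but it also means dockerd can be started while containerd is not running; as the upstream message notes, startup then fails on the missing socket and recovery after a containerd restart depends on dockerd's own reconnection logic. The SRU test plan should therefore include restarting containerd (`systemctl restart containerd`) with a container running on the PPA build and confirming that both dockerd and the container survive, since the autopkgtest names listed above give no indication that this scenario is exercised.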
108diff --git a/debian/patches/series b/debian/patches/series
109index 48cc425..faa7d40 100644
110--- a/debian/patches/series
111+++ b/debian/patches/series
112@@ -1 +1,2 @@
113 CVE-2020-15157.patch
114+do-not-bind-docker-to-containerd.patch
115diff --git a/debian/rules b/debian/rules
116index c260943..21043bd 100755
117--- a/debian/rules
118+++ b/debian/rules
119@@ -115,5 +115,13 @@ override_dh_shlibdeps:
120 override_dh_auto_clean:
121 @# stop debhelper from doing "make clean"
122
123+override_dh_systemd_start:
124+ # We take care of determining whether the docker.io service should be
125+ # restarted during upgrades or not ourselves, based on the debconf
126+ # choice made by the user during installation. For this reason, we
127+ # invoke dh_systemd_start with "-r" in order to avoid indiscriminately
128+ # stopping the service during upgrades.
129+ dh_systemd_start --package=docker.io -r
130+
131 %:
132 dh $@ --with=bash-completion,systemd
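Review bot: the comment states that the upgrade-time restart decision is made from a debconf choice, but nothing in this diff adds or shows that logic, so please confirm the existing maintainer scripts really do restart docker.io when the user opted in; otherwise `dh_systemd_start -r` (do not stop the service on upgrade) means a newly installed dockerd, including one shipped as a security update, keeps the old binary running until an administrator restarts the service or reboots. That trade-off against the unattended-upgrade downtime in LP: #1906364 is defensible, but it should be spelled out in the changelog entry so administrators know a manual restart is needed to pick up fixes. Using dh_systemd_start rather than dh_installsystemd is correct here since the rules file runs dh with --with=systemd.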
