Merge pull request #2128 from mischief/docker-1.12

WIP: Docker 1.12
2025-08-23 15:31:05 +02:00 · 2016-08-19 17:03:35 -07:00 · 2016-08-19 17:03:35 -07:00 · 0b5f049741
commit 0b5f049741
parent 75652d00a6 8fc569eafa
9 changed files with 94 additions and 37 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest
@ -1 +1 @@
-DIST containerd-0.2.2.tar.gz 635882 SHA256 a21efc7ea4bb97306ae9807caadca6782358679f38d3afd606cb599b6853bc52 SHA512 db6111984ccce01e928d46f0a22aaeed8d0eb50c2578df4e0cd5f56f43f8bdea43aad3203c2afb743ccf82908bd5961792681eafe07818a4057ca5f5f31c5396 WHIRLPOOL ce80bf79970faeacc3329cb4e365973a88539508904003da3d0f32afce9966e89bdf13a8894657e1fd983392cf2ab88b053393cbbc2018f509d9cbc57ab835cc
+DIST containerd-0.2.3.tar.gz 997239 SHA256 247c459179b451cb235354d3f23876ad1a326a6bda430608f9306beeb0364287 SHA512 f850ea7558a3c772930d42352d7913ec00ec24536676720f8872153ec87b92785259645648d885bb5b27514ca01de7f207a931665c3074e787d8b74b48c51952 WHIRLPOOL ac5f5f38ce874146571017bb5ac0229af43782ccf7eb378c6c39ecfb4725cf6941a12a1b05b9a6840a75c85599a881d429eaea030148356a36d2b401874e01e4
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.2-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.2-r1.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.1-r2.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@ -12,7 +12,7 @@ if [[ ${PV} == *9999 ]]; then
 	DOCKER_GITCOMMIT="unknown"
 	KEYWORDS="~amd64 ~arm64"
 else
-	CROS_WORKON_COMMIT="4a6e2b1e56ecd816ca066f71e7632f8a0171cada" # coreos-1.11.2
+	CROS_WORKON_COMMIT="f1e1b832d52e004c1c55406a965265a90e2504f8" # coreos-1.12.1
 	DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
 	KEYWORDS="amd64 arm64"
 fi
@ -66,12 +66,8 @@ RDEPEND="
 	>=dev-vcs/git-1.7
 	>=app-arch/xz-utils-4.9

-	>=app-emulation/containerd-0.2.0
-	>=app-emulation/runc-0.1.0
-
-	apparmor? (
-		sys-libs/libapparmor[static-libs]
-	)
+	>=app-emulation/containerd-0.2.3[seccomp?]
+	>=app-emulation/runc-1.0.0_rc1_p20160615[apparmor?,seccomp?]
 "

 RESTRICT="installsources strip"
@ -79,26 +75,28 @@ RESTRICT="installsources strip"
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
 	~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
-	~DEVPTS_MULTIPLE_INSTANCES
 	~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
 	~KEYS ~MACVLAN ~VETH ~BRIDGE ~BRIDGE_NETFILTER
-	~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+	~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_MANGLE ~IP_NF_TARGET_MASQUERADE
+	~IP_VS ~IP_VS_RR
 	~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK
+	~NETFILTER_XT_MATCH_IPVS
+	~NETFILTER_XT_MARK ~NETFILTER_XT_TARGET_REDIRECT
 	~NF_NAT ~NF_NAT_NEEDED

 	~POSIX_MQUEUE

-	~MEMCG_KMEM ~MEMCG_SWAP ~MEMCG_SWAP_ENABLED
+	~MEMCG_SWAP ~MEMCG_SWAP_ENABLED

 	~BLK_CGROUP ~IOSCHED_CFQ
 	~CGROUP_PERF
 	~CGROUP_HUGETLB
 	~NET_CLS_CGROUP
 	~CFS_BANDWIDTH ~FAIR_GROUP_SCHED ~RT_GROUP_SCHED
+	~XFRM_ALGO ~XFRM_USER
 "

-ERROR_KEYS="CONFIG_KEYS: is mandatory, see bug 581348"
-ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
+ERROR_KEYS="CONFIG_KEYS: is mandatory"
 ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
 ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"

@ -106,6 +104,8 @@ ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gather
 ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
 ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
 ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
+ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
+ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"

 pkg_setup() {
 	if kernel_is lt 3 10; then
@ -145,6 +145,19 @@ pkg_setup() {
 		"
 	fi

+	if kernel_is lt 4 5; then
+		CONFIG_CHECK+="
+			~MEMCG_KMEM
+		"
+		ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
+	fi
+
+	if kernel_is lt 4 7; then
+		CONFIG_CHECK+="
+			~DEVPTS_MULTIPLE_INSTANCES
+		"
+	fi
+
 	if use aufs; then
 		CONFIG_CHECK+="
 			~AUFS_FS
@ -214,8 +227,11 @@ src_compile() {
 		grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'

 		sed  "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
-			-i hack/make/dynbinary || die
-		grep -q -- '-fno-PIC' hack/make/dynbinary || die 'hardened sed failed'
+			-i hack/make/dynbinary-client || die
+		sed  "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
+			-i hack/make/dynbinary-daemon || die
+		grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
+		grep -q -- '-fno-PIC' hack/make/dynbinary-client || die 'hardened sed failed'
 	fi

 	# let's set up some optional features :)
@ -260,7 +276,12 @@ src_compile() {

 src_install() {
 	VERSION="$(cat VERSION)"
-	newbin "bundles/$VERSION/dynbinary/docker-$VERSION" docker
+	newbin "bundles/$VERSION/dynbinary-client/docker-$VERSION" docker
+	newbin "bundles/$VERSION/dynbinary-daemon/dockerd-$VERSION" dockerd
+	newbin "bundles/$VERSION/dynbinary-daemon/docker-proxy-$VERSION" docker-proxy
+	dosym containerd /usr/bin/docker-containerd
+	dosym containerd-shim /usr/bin/docker-containerd-shim
+	dosym runc /usr/bin/docker-runc

 	newinitd contrib/init/openrc/docker.initd docker
 	newconfd contrib/init/openrc/docker.confd docker
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
@ -5,11 +5,25 @@ After=docker.socket early-docker.target network.target
 Requires=docker.socket early-docker.target

 [Service]
+Type=notify
 EnvironmentFile=-/run/flannel_docker_opts.env
 MountFlags=slave
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/lib/coreos/dockerd --host=fd:// $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
-LimitNPROC=1048576
-ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes

 [Install]
 WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
@ -87,4 +87,4 @@ if [[ -z "${ARG_SELINUX}" ]]; then
        maybe_enable_selinux
 fi

-exec docker "$@" ${USE_SELINUX}
+exec dockerd "$@" ${USE_SELINUX}
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/early-docker.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/early-docker.service
@ -5,11 +5,25 @@ After=early-docker.socket
 Requires=early-docker.socket

 [Service]
+Type=notify
 Environment=TMPDIR=/var/tmp
 MountFlags=slave
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/lib/coreos/dockerd --host=fd:// --bridge=none --iptables=false --ip-masq=false --exec-root=/var/run/early-docker --graph=/var/lib/early-docker --pidfile=/var/run/early-docker.pid $DOCKER_OPTS $DOCKER_CGROUPS
+ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
-LimitNPROC=1048576
-ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// --bridge=none --iptables=false --ip-masq=false --exec-root=/var/run/early-docker --graph=/var/lib/early-docker --pidfile=/var/run/early-docker.pid $DOCKER_OPTS $DOCKER_CGROUPS
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes

 [Install]
 WantedBy=early-docker.target
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
@ -1 +1 @@
-DIST runc-0.1.0.tar.gz 496358 SHA256 681d6d89541ae2e06757f999a242a1f97bbcb1ad6e10f4cdee287ec4a9d2bff9 SHA512 8a9ff02b0161eda0a730194b0fbf7ad76e8f379992e74061ef49302da3492fd0c53f06db9153ded4d934d67bbf6f4291d6154254f1b924ef73c97c44cd14ffcf WHIRLPOOL 81f488a4f1e23e8704a9fa8404965b2f12f74a875ba8e67dc15de93f43b075dc538cd0d89c7a1187cb74ac6320317b5985855945fb8bf8f749d6736df47b844a
+DIST runc-1.0.0_rc1_p20160615.tar.gz 535401 SHA256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776 SHA512 0bf8ce3bb15caaf09214f23a411003fd5b660d291662ad513c3d944647a0fa9b270d18902706b7e6aa3c30eb0f676e73af46b8249d1e2484e1dc40d6ffd5a80d WHIRLPOOL 9d15d069e00fe38e2bbda84b477dc0cf9f3431d3587919a80164d550a6d882d8742a5c2a8cdb7645509dec8d55b545912c0287785d0ca7e79acc0a08eace6f47
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615.ebuild
@ -1,31 +1,36 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
+# $Header: $

 EAPI=5

 GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
+# the commit of runc that docker uses.
+# see https://github.com/docker/docker/blob/v1.12.0/Dockerfile#L236
+COMMIT_ID="cc29e3dded8e27ba8f65738f40d251c885030a28"

-inherit eutils multilib coreos-go
+inherit eutils multilib coreos-go vcs-snapshot

 DESCRIPTION="runc container cli tools"
 HOMEPAGE="http://runc.io"

-if [[ ${PV} == *9999* ]]; then
-	EGIT_REPO_URI="git://${GITHUB_URI}.git"
-	inherit git-r3
-else
-	SRC_URI="https://${GITHUB_URI}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-	KEYWORDS="amd64 arm64"
-fi
+SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 arm64"

 LICENSE="Apache-2.0"
 SLOT="0"
-IUSE="+seccomp"
+IUSE="apparmor +seccomp"

-DEPEND=">=dev-lang/go-1.4:="
-RDEPEND="seccomp? ( sys-libs/libseccomp )"
+DEPEND=""
+RDEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )
+"
+
+src_prepare() {
+	eapply_user
+}

 src_compile() {
 	# fix up cross-compiling variables
@ -45,9 +50,12 @@ src_compile() {
 	export GOPATH="${PWD}/.gopath:${PWD}/vendor"

 	# build up optional flags
-	local options=( $(usex seccomp "seccomp") )
+	local options=(
+		$(usex apparmor 'apparmor')
+		$(usex seccomp 'seccomp')
+	)

-	emake BUILDTAGS="${options[@]}"
+	emake BUILDTAGS="${options[*]}"
 }

 src_install() {