From 1d499f2ce4e2ff5ecf1978f86ce6da528b4ebcee Mon Sep 17 00:00:00 2001 
From: Euan Kemp Date: Tue, 9 May 2017 10:45:26 -0700 Subject: [PATCH] app-emulation/docker: deprecate dockerd script This script had two main functions: 1. Select the graphdriver This functionality is now handled in the docker daemon. It defaults to overlay2 on recent docker versions, and does its own fs detection for btrfs etc. We carry a patch for 1.12.6 now to prefer overlay to devicemapper 2. Avoid enabling selinux on btrfs This no longer matters since as of v1.10, selinux on btrfs is supported. See moby/moby#16452 This PR replaces that original functionality with a simpler systemd environment variable, which is also more in-line with what we do for other similar choices. The environment variable is also more discoverable and easier for users to edit. Note: for backwards compatibility with DOCKER_OPTS=--selinux-enabled=false (to make that take precedent), we intentionally put the environment variable as the first option. However, for backwards compatibility with older units, we also retain the script. We are able to remove the graphdriver detection/selection since that behavior now happens appropriately in docker, but we need to keep the selinux defaulting so that people who are executing the script and expecting selinux to work (e.g. if they copied an old docker.service) will continue to get selinux as expected. --- ...12.6-r4.ebuild => docker-1.12.6-r5.ebuild} | 3 +- ...4.0-r2.ebuild => docker-17.04.0-r3.ebuild} | 0 .../app-emulation/docker/docker-9999.ebuild | 1 + .../app-emulation/docker/files/docker.service | 3 +- .../app-emulation/docker/files/dockerd | 59 ++----------------- 5 files changed, 10 insertions(+), 56 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-1.12.6-r4.ebuild => docker-1.12.6-r5.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-17.04.0-r2.ebuild => docker-17.04.0-r3.ebuild} (100%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild index 1aaa094235..4fd32b6442 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild @@ -9,7 +9,7 @@ CROS_WORKON_LOCALNAME="docker" CROS_WORKON_REPO="git://github.com" COREOS_GO_VERSION="go1.7" -CROS_WORKON_COMMIT="d5236f0452873048a28c1ecd63d40513efa66542" # coreos-1.12.6 +CROS_WORKON_COMMIT="a82d35e3daba1a2cd48c66e57a4f9975c39c45c6" # coreos-1.12.6 DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}" KEYWORDS="amd64 arm64" @@ -270,6 +270,7 @@ src_install() { newconfd contrib/init/openrc/docker.confd docker exeinto /usr/lib/coreos + # Create /usr/lib/coreos/dockerd script for backwards compatibility doexe "${FILESDIR}/dockerd" systemd_dounit "${FILESDIR}/docker.service" diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r3.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r3.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild index c655b638bb..1c690e9451 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild @@ -258,6 +258,7 @@ src_install() { newconfd contrib/init/openrc/docker.confd docker exeinto /usr/lib/coreos + # Create /usr/lib/coreos/dockerd for backwards compatibility doexe "${FILESDIR}/dockerd" systemd_dounit "${FILESDIR}/docker.service" diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service index 2b6470ecdd..a8f1bf4ef5 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service @@ -8,11 +8,12 @@ Requires=containerd.service docker.socket [Service] Type=notify EnvironmentFile=-/run/flannel/flannel_docker_opts.env +Environment=DOCKER_SELINUX=--selinux-enabled=true # the default is not to use systemd for cgroups because the delegate issues still # exists and systemd currently does not support the cgroup feature set required # for containers run by docker -ExecStart=/usr/lib/coreos/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ +ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ ExecReload=/bin/kill -s HUP $MAINPID LimitNOFILE=1048576 # Having non-zero Limit*s causes performance problems due to accounting overhead diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd index 9260e127d8..2a94d06561 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd 
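Review bot: The new `Environment=DOCKER_SELINUX=--selinux-enabled=true` line carries an ordering contract with the rewritten ExecStart line that the unit itself never states: it only stays overridable by `DOCKER_OPTS=--selinux-enabled=false` while `$DOCKER_SELINUX` is expanded before `$DOCKER_OPTS`, and that reasoning lives only in the commit message. A comment above the Environment= line would keep a later reordering from silently making the SELinux default un-overridable, e.g. `# Keep $DOCKER_SELINUX first on ExecStart so a later --selinux-enabled=false in DOCKER_OPTS wins; to disable, override DOCKER_SELINUX in a drop-in.` That dockerd honours the last occurrence of a repeated flag is taken from the commit description rather than anything visible in this hunk, so it is worth confirming against the dockerd version shipped here.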
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd @@ -1,5 +1,7 @@ #!/bin/bash -# Wrapper for launching docker daemons with an appropriate backend. +# Wrapper for launching docker daemons with selinux default on +# This wrapper script has been deprecated (euank: 2017-05-09) and is retained +# for backwards compatibility. set -e @@ -16,14 +18,6 @@ parse_docker_args() { fi case "${flag}" in - -g|--graph) - ARG_ROOT="$1" - shift - ;; - -s|--storage-driver) - ARG_DRIVER="$1" - shift - ;; --selinux-enabled) ARG_SELINUX="$1" shift @@ -35,56 +29,13 @@ parse_docker_args() { done } -select_docker_driver() { - local fstype - - # mimic docker's behavior to ensure we stat the right filesystem. - if [[ -L "${ARG_ROOT}" ]]; then - ARG_ROOT="$(readlink -f "${ARG_ROOT}")" - fi - - mkdir --parents --mode=0700 "${ARG_ROOT}" - fstype=$(findmnt --noheadings --output FSTYPE --target "${ARG_ROOT}") - - case "${fstype}" in - btrfs) - export DOCKER_DRIVER=btrfs - ;; - ext4|tmpfs|xfs) # As of 4.1 - export DOCKER_DRIVER=overlay - ;; - *) - # Fall back to whatever docker's default behavior is. - ;; - esac -} - -# Enable selinux except when known to be unsupported (btrfs). -maybe_enable_selinux() { - case "${DOCKER_DRIVER}" in - btrfs) - USE_SELINUX="" - ;; - *) - # Enable for everything else. - USE_SELINUX="--selinux-enabled" - ;; - esac -} - -ARG_ROOT="/var/lib/docker" -ARG_DRIVER="" parse_docker_args "$@" -# Do not override the driver if it is already explicitly configured. -if [[ -z "${ARG_DRIVER}" && -z "${DOCKER_DRIVER}" ]]; then - select_docker_driver -fi - USE_SELINUX="" # Do not override selinux if it is already explicitly configured. if [[ -z "${ARG_SELINUX}" ]]; then - maybe_enable_selinux + # If unspecified, default on + USE_SELINUX="--selinux-enabled" fi exec dockerd "$@" ${USE_SELINUX}
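Review bot: The rewritten header on the new side says the script is deprecated but not what replaced it or why it is still shipped, so a reader of the installed /usr/lib/coreos/dockerd has to find this commit to learn that. Suggest extending the comment to `# Deprecated (euank: 2017-05-09): docker.service now passes $DOCKER_SELINUX itself; kept only so older units that still exec this path keep getting --selinux-enabled by default.` The first line could also gain its missing full stop while it is being touched.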
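Review bot: `ARG_SELINUX` is read at the new `if [[ -z "${ARG_SELINUX}" ]]` check but is never initialized in this hunk, so a value inherited from the caller's environment would count as an explicit setting and silently drop the `--selinux-enabled` default; the removed `ARG_ROOT`/`ARG_DRIVER=""` lines show the old code did initialize its other inputs this way. Add `ARG_SELINUX=""` immediately before `parse_docker_args "$@"`, unless parse_docker_args itself resets it (its body starts in the previous hunk and is not fully visible). Separately, the final `exec dockerd "$@" ${USE_SELINUX}` resolves dockerd through PATH while the docker.service hunk in this same commit now uses `/usr/bin/dockerd`; using the same absolute path here, `exec /usr/bin/dockerd "$@" ${USE_SELINUX}`, keeps the wrapper from depending on the caller's PATH and from re-invoking itself if /usr/lib/coreos ever precedes /usr/bin.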