mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-23 14:41:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

overlay app-containers/docker: Apply Flatcar modifications

Browse Source 
Apply Flatcar patches, based on commit
9d6af12f1cc48359e0f84654302155b46ad780c7.
This commit is contained in:
Dongsu Park 2023-07-20 09:59:41 +02:00
parent c7209aaf50
commit 3d001c577d
7 changed files with 154 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r2.ebuild vendored
View File

@ -7,6 +7,11 @@ MY_PV=${PV/_/-}
GIT_COMMIT=d6cbf44b8c GIT_COMMIT=d6cbf44b8c
inherit linux-info systemd udev golang-vcs-snapshot inherit linux-info systemd udev golang-vcs-snapshot
COREOS_GO_VERSION="go1.19"
COREOS_GO_GO111MODULE="off"
inherit coreos-go-depend
DESCRIPTION="The core functions you need to create Docker images and run Docker containers" DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/" HOMEPAGE="https://www.docker.com/"
SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
@ -14,8 +19,9 @@ SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0" LICENSE="Apache-2.0"
SLOT="0" SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86" KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened # Flatcar: default enable required USE flags
overlay seccomp selinux" IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened
+overlay +seccomp selinux"
DEPEND=" DEPEND="
acct-group/docker acct-group/docker
@ -26,11 +32,21 @@ DEPEND="
seccomp? ( >=sys-libs/libseccomp-2.2.1 ) seccomp? ( >=sys-libs/libseccomp-2.2.1 )
" "
# Flatcar:
# For CoreOS builds coreos-kernel must be installed because this ebuild
# checks the kernel config. The kernel config is left by the kernel compile
# or an explicit copy when installing binary packages. See coreos-kernel.eclass
DEPEND+="
sys-kernel/coreos-kernel
"
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
# https://github.com/moby/moby/tree/master//hack/dockerfile/install # https://github.com/moby/moby/tree/master//hack/dockerfile/install
# make sure docker-proxy is pinned to exact version from ^, # make sure docker-proxy is pinned to exact version from ^,
# for appropriate branchch/version of course # for appropriate branchch/version of course
# Flatcar:
# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags
RDEPEND=" RDEPEND="
${DEPEND} ${DEPEND}
>=net-firewall/iptables-1.4 >=net-firewall/iptables-1.4
@ -38,7 +54,7 @@ RDEPEND="
>=dev-vcs/git-1.7 >=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9 >=app-arch/xz-utils-4.9
dev-libs/libltdl dev-libs/libltdl
>=app-containers/containerd-1.6.16[apparmor?,btrfs?,device-mapper?,seccomp?] >=app-containers/containerd-1.6.16[btrfs?]
~app-containers/docker-proxy-0.8.0_p20230118 ~app-containers/docker-proxy-0.8.0_p20230118
cli? ( ~app-containers/docker-cli-${PV} ) cli? ( ~app-containers/docker-cli-${PV} )
container-init? ( >=sys-process/tini-0.19.0[static] ) container-init? ( >=sys-process/tini-0.19.0[static] )
@ -46,9 +62,9 @@ RDEPEND="
" "
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
# Flatcar: drop go-md2man
BDEPEND=" BDEPEND="
>=dev-lang/go-1.16.12 >=dev-lang/go-1.16.12
dev-go/go-md2man
virtual/pkgconfig virtual/pkgconfig
" "
# tests require running dockerd as root and downloading containers # tests require running dockerd as root and downloading containers
@ -56,10 +72,9 @@ RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}" S="${WORKDIR}/${P}/src/${EGO_PN}"
# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552 # Flatcar: Dropped outdated bug links, dropped openrc init script patch
PATCHES=( PATCHES=(
"${FILESDIR}/ppc64-buildmode.patch" "${FILESDIR}/ppc64-buildmode.patch"
"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
) )
# see "contrib/check-config.sh" from upstream's sources # see "contrib/check-config.sh" from upstream's sources
@ -172,14 +187,17 @@ pkg_setup() {
} }
src_compile() { src_compile() {
# Flatcar: for cross-compilation
go_export
export DOCKER_GITCOMMIT="${GIT_COMMIT}" export DOCKER_GITCOMMIT="${GIT_COMMIT}"
export GOPATH="${WORKDIR}/${P}" export GOPATH="${WORKDIR}/${P}"
export VERSION=${PV} export VERSION=${PV}
# setup CFLAGS and LDFLAGS for separate build target # setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10 # see https://github.com/tianon/docker-overlay/pull/10
export CGO_CFLAGS="-I${ESYSROOT}/usr/include" # Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath
export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)" export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ESYSROOT}/usr/$(get_libdir)"
# let's set up some optional features :) # let's set up some optional features :)
export DOCKER_BUILDTAGS='' export DOCKER_BUILDTAGS=''
@ -194,11 +212,15 @@ src_compile() {
DOCKER_BUILDTAGS+=" $tag" DOCKER_BUILDTAGS+=" $tag"
fi fi
done done
# Flatcar: Add journald to build tags.
DOCKER_BUILDTAGS+=' journald'
# Flatcar:
# inject LDFLAGS for torcx
if use hardened; then if use hardened; then
sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed' grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \ sed "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
-i hack/make/dynbinary-daemon || die -i hack/make/dynbinary-daemon || die
grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed' grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
fi fi
@ -217,16 +239,32 @@ src_install() {
newinitd contrib/init/openrc/docker.initd docker newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker newconfd contrib/init/openrc/docker.confd docker
systemd_dounit contrib/init/systemd/docker.{service,socket} # Flatcar:
# install our systemd units/network config and our wrapper into
# /usr/lib/flatcar/docker for backwards compatibility instead of
# the units from contrib/init/systemd directory.
#
# systemd_dounit contrib/init/systemd/docker.{service,socket}
exeinto /usr/lib/flatcar
doexe "${FILESDIR}/dockerd"
systemd_dounit "${FILESDIR}/docker.service"
systemd_dounit "${FILESDIR}/docker.socket"
insinto /usr/lib/systemd/network
doins "${FILESDIR}/50-docker.network"
doins "${FILESDIR}/90-docker-veth.network"
udev_dorules contrib/udev/*.rules udev_dorules contrib/udev/*.rules
dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
dodoc -r docs/* dodoc -r docs/*
# note: intentionally not using "doins" so that we preserve +x bits # Flatcar:
dodir /usr/share/${PN}/contrib # don't install contrib bits
cp -R contrib/* "${ED}/usr/share/${PN}/contrib" # # note: intentionally not using "doins" so that we preserve +x bits
# dodir /usr/share/${PN}/contrib
# cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
} }
pkg_postinst() { pkg_postinst() {

28
sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch vendored
View File

@ -1,28 +0,0 @@
From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
From: Jan Breig <git@pygos.space>
Date: Mon, 16 May 2022 14:58:36 +0200
Subject: [PATCH] Openrc: Depend on containerd init script
Signed-off-by: Jan Breig <git@pygos.space>
---
contrib/init/openrc/docker.initd | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
index 3229223bad..57defb8f57 100644
--- a/contrib/init/openrc/docker.initd
+++ b/contrib/init/openrc/docker.initd
@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+depend() {
+ need containerd
+}
+
start_pre() {
checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
}
--
2.35.1

6
sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/50-docker.network vendored Normal file
View File

@ -0,0 +1,6 @@
[Match]
Type=bridge
Name=docker* br-*
[Link]
Unmanaged=yes

5
sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/90-docker-veth.network vendored Normal file
View File

@ -0,0 +1,5 @@
[Match]
Driver=veth
[Link]
Unmanaged=yes

37
sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.service vendored Normal file
View File

@ -0,0 +1,37 @@
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=containerd.service docker.socket network-online.target
Wants=network-online.target
Requires=containerd.service docker.socket
[Service]
Type=notify
EnvironmentFile=-/run/flannel/flannel_docker_opts.env
Environment=DOCKER_SELINUX=--selinux-enabled=true
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target

13
sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.socket vendored Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Docker Socket for the API
PartOf=docker.service
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target

41
sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/dockerd vendored Normal file
View File

@ -0,0 +1,41 @@
#!/bin/bash
# Wrapper for launching docker daemons with selinux default on
# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
# for backwards compatibility.
set -e
parse_docker_args() {
local flag
while [[ $# -gt 0 ]]; do
flag="$1"
shift
# treat --flag=foo and --flag foo identically
if [[ "${flag}" == *=* ]]; then
set -- "${flag#*=}" "$@"
flag="${flag%=*}"
fi
case "${flag}" in
--selinux-enabled)
ARG_SELINUX="$1"
shift
;;
*)
# ignore everything else
;;
esac
done
}
parse_docker_args "$@"
USE_SELINUX=""
# Do not override selinux if it is already explicitly configured.
if [[ -z "${ARG_SELINUX}" ]]; then
# If unspecified, default off
USE_SELINUX="--selinux-enabled=false"
fi
exec dockerd "$@" ${USE_SELINUX}