diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
new file mode 100644
index 0000000000..415ffda7c8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest
@@ -0,0 +1 @@
+DIST docker-runc-1.0.0_rc3_p53.tar.gz 1042839 SHA256 d09b31b9a5adf0a3295d10b20e5f65ec8e1c52a371d463218694c37e075829e9 SHA512 8e937e8ccaa114913d61a450b030496668c1e2d80eecccf5e4914c5685d7dde9a0d50bc2aef9be844dc69eab81621aa1c043abbc72ba28ab6bdb9db5e86daeaf WHIRLPOOL bec7b506a6b2522d401733b32a9f500aec69920dc6d8072ab434c7bfbb1c88a6fb00afa1d2728f78fbaac1d58f890a2b5932fdbe2b0e87b749293f2b48ed2e8a
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild
new file mode 100644
index 0000000000..a389a414a1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+GITHUB_URI="github.com/opencontainers/runc"
+COREOS_GO_PACKAGE="${GITHUB_URI}"
+COREOS_GO_VERSION="go1.8"
+# the commit of runc that docker uses.
+# see https://github.com/docker/docker-ce/blob/v17.06.1-ce/components/engine/hack/dockerfile/binaries-commits#L6
+# Note: this commit is only really present in `docker/runc` in the 'docker/17.06' branch
+# Update the patch number when this commit is changed (i.e. the _p in the ebuild).
+# The patch version is arbitrarily the number of commits since the tag version
+# spcified in the ebuild name. For example:
+# $ git log --oneline v1.0.0-rc3..${COMMIT_ID} | wc -l
+COMMIT_ID="810190ceaa507aa2727d7ae6f4790c76ec150bd2"
+
+inherit eutils flag-o-matic coreos-go vcs-snapshot
+
+SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 arm64"
+
+DESCRIPTION="runc container cli tools (docker fork)"
+HOMEPAGE="http://runc.io"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor ambient hardened +seccomp selinux"
+
+RDEPEND="
+ apparmor? ( sys-libs/libapparmor )
+ seccomp? ( sys-libs/libseccomp )
+ !app-emulation/runc
+"
+
+S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
+
+RESTRICT="test"
+
+src_unpack() {
+ mkdir -p "${S}"
+ tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
+}
+
+PATCHES=(
+ "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
+)
+
+src_compile() {
+ # Taken from app-emulation/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usex apparmor 'apparmor' '')
+ $(usex ambient 'ambient' '')
+ $(usex seccomp 'seccomp' '')
+ $(usex selinux 'selinux' '')
+ )
+
+ # CoreOS: Don't try to install dependencies.
+ sed -i 's/go build -i /go build /' Makefile
+
+ GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
+ COMMIT="${COMMIT_ID}"
+}
+
+src_install() {
+ dobin runc
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
new file mode 100644
index 0000000000..5bd34b2210
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
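Review bot: The plain shell commands in src_unpack and src_compile have no `|| die`, so under EAPI 6 a failing `tar` leaves a half-populated `${S}` and the build goes on to a confusing emake failure instead of stopping at the real cause. The lines I would change are `tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}" || die` and `sed -i 's/go build -i /go build /' Makefile || die`, with `mkdir -p "${S}" || die` for symmetry. Note that `sed -i` exits 0 even when its pattern no longer matches the upstream Makefile, so the CoreOS "don't install dependencies" intent can silently stop holding after a COMMIT_ID bump; a `grep -q 'go build -i ' Makefile || die` before it would catch that. The `inherit` line also pulls in `vcs-snapshot`, whose src_unpack this ebuild overrides, and `flag-o-matic`, which nothing in the hunk appears to use — if they are indeed unused, a comment saying why they stay (or dropping them) would help the next maintainer.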
@@ -0,0 +1,45 @@
+From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
+From: Mrunal Patel
+Date: Thu, 2 Feb 2017 11:23:26 -0800
+Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
+
+We ensure that mqueue is owned by user namespace root
+by unsharing CLONE_NEWIPC after we become user namespace
+root. This allows us to apply the container SELinux label
+to mqueue.
+
+Signed-off-by: Mrunal Patel
+---
+ libcontainer/nsenter/nsexec.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 0ad68834..5100698a 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -719,7 +719,12 @@ void nsexec(void)
+ * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
+ * was broken, so we'll just do it the long way anyway.
+ */
+- if (unshare(config.cloneflags) < 0)
++ uint32_t apply_cloneflags = config.cloneflags;
++ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
++ apply_cloneflags &= ~CLONE_NEWIPC;
++ }
++
++ if (unshare(apply_cloneflags) < 0)
+ bail("failed to unshare namespaces");
+
+ /*
+@@ -841,6 +846,11 @@ void nsexec(void)
+ bail("setgroups failed");
+ }
+
++ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
++ if (unshare(CLONE_NEWIPC) < 0)
++ bail("unshare ipc failed");
++ }
++
+ s = SYNC_CHILD_READY;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with patent: write(SYNC_CHILD_READY)");
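Review bot: The deferred `unshare(CLONE_NEWIPC)` in the second embedded hunk carries no comment tying it to the CLONE_NEWIPC mask-out in the first, so a future rebase onto a newer runc could fold it back into the single unshare() and silently lose the mqueue-ownership property the commit message relies on. I would put a comment above the new block along the lines of `/* Deferred from the first unshare(): with CLONE_NEWUSER the IPC namespace is created only after the uid/gid mapping so mqueue is owned by the userns root and the container SELinux label can be applied. */`. The new error string `unshare ipc failed` also breaks the form of the neighbouring `failed to unshare namespaces`; `bail("failed to unshare CLONE_NEWIPC")` would keep the bail messages uniform. The body of nsexec() extends beyond both embedded hunks, and since the ebuild sets `RESTRICT="test"`, nothing in this commit exercises the reordered path — worth stating in the ebuild comment that this patch has been carried from upstream so reviewers know where to look for its tests.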
@@ -0,0 +1,19 @@
+
+
+
+
+ runc is a CLI tool for spawning and running containers according
+ to the OCF (Open Container Format) specification.
+
+
+ mrueg@gentoo.org
+ Manuel RĂ¼ger
+
+
+ Enable support for ambient capability
+ Enable AppArmor support
+
+
+ docker/runc
+
+