app-emulation/docker-runc: Add new runc package for Docker 17.06

This takes the old app-emulation/runc ebuild and syncs it with
Gentoo.  The only differences from Gentoo's rc3_p20170607 are now:

 1. Use of the CoreOS Go eclasses
 2. Addition of src_unpack to set up a Go workspace from the above
 3. Dropping src_prepare to prevent hiding the commit ID
 4. Carrying over a patch from the previous package
 5. Adding the "selinux" USE flag
 6. Dropping "-i" from "go build" to fix arm64 builds

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest

@@ -0,0 +1 @@
+DIST docker-runc-1.0.0_rc3_p53.tar.gz 1042839 SHA256 d09b31b9a5adf0a3295d10b20e5f65ec8e1c52a371d463218694c37e075829e9 SHA512 8e937e8ccaa114913d61a450b030496668c1e2d80eecccf5e4914c5685d7dde9a0d50bc2aef9be844dc69eab81621aa1c043abbc72ba28ab6bdb9db5e86daeaf WHIRLPOOL bec7b506a6b2522d401733b32a9f500aec69920dc6d8072ab434c7bfbb1c88a6fb00afa1d2728f78fbaac1d58f890a2b5932fdbe2b0e87b749293f2b48ed2e8a

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild

@@ -0,0 +1,72 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+GITHUB_URI="github.com/opencontainers/runc"
+COREOS_GO_PACKAGE="${GITHUB_URI}"
+COREOS_GO_VERSION="go1.8"
+# the commit of runc that docker uses.
+# see https://github.com/docker/docker-ce/blob/v17.06.1-ce/components/engine/hack/dockerfile/binaries-commits#L6
+# Note: this commit is only really present in `docker/runc` in the 'docker/17.06' branch
+# Update the patch number when this commit is changed (i.e. the _p in the ebuild).
+# The patch version is arbitrarily the number of commits since the tag version
+# spcified in the ebuild name. For example:
+# $ git log --oneline v1.0.0-rc3..${COMMIT_ID} | wc -l
+COMMIT_ID="810190ceaa507aa2727d7ae6f4790c76ec150bd2"
+
+inherit eutils flag-o-matic coreos-go vcs-snapshot
+
+SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 arm64"
+
+DESCRIPTION="runc container cli tools (docker fork)"
+HOMEPAGE="http://runc.io"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor ambient hardened +seccomp selinux"
+
+RDEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )
+	!app-emulation/runc
+"
+
+S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
+
+RESTRICT="test"
+
+src_unpack() {
+	mkdir -p "${S}"
+	tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
+}
+
+PATCHES=(
+	"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
+)
+
+src_compile() {
+	# Taken from app-emulation/docker-1.7.0-r1
+	export CGO_CFLAGS="-I${ROOT}/usr/include"
+	export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+		-L${ROOT}/usr/$(get_libdir)"
+
+	# build up optional flags
+	local options=(
+		$(usex apparmor 'apparmor' '')
+		$(usex ambient 'ambient' '')
+		$(usex seccomp 'seccomp' '')
+		$(usex selinux 'selinux' '')
+	)
+
+	# CoreOS: Don't try to install dependencies.
+	sed -i 's/go build -i /go build /' Makefile
+
+	GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
+		COMMIT="${COMMIT_ID}"
+}
+
+src_install() {
+	dobin runc
+}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch

@@ -0,0 +1,45 @@
+From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
+From: Mrunal Patel <mrunalp@gmail.com>
+Date: Thu, 2 Feb 2017 11:23:26 -0800
+Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
+
+We ensure that mqueue is owned by user namespace root
+by unsharing CLONE_NEWIPC after we become user namespace
+root. This allows us to apply the container SELinux label
+to mqueue.
+
+Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
+---
+ libcontainer/nsenter/nsexec.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 0ad68834..5100698a 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -719,7 +719,12 @@ void nsexec(void)
+ 			 * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
+ 			 * was broken, so we'll just do it the long way anyway.
+ 			 */
+-			if (unshare(config.cloneflags) < 0)
++			uint32_t apply_cloneflags = config.cloneflags;
++			if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
++				apply_cloneflags &= ~CLONE_NEWIPC;
++			}
++
++			if (unshare(apply_cloneflags) < 0)
+ 				bail("failed to unshare namespaces");
+ 
+ 			/*
+@@ -841,6 +846,11 @@ void nsexec(void)
+ 					bail("setgroups failed");
+ 			}
+ 
++			if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
++				if (unshare(CLONE_NEWIPC) < 0)
++					bail("unshare ipc failed");
++			}
++
+ 			s = SYNC_CHILD_READY;
+ 			if (write(syncfd, &s, sizeof(s)) != sizeof(s))
+ 				bail("failed to sync with patent: write(SYNC_CHILD_READY)");

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/metadata.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<longdescription lang="en">
+		runc is a CLI tool for spawning and running containers according
+		to the OCF (Open Container Format) specification.
+	</longdescription>
+	<maintainer type="person">
+		<email>mrueg@gentoo.org</email>
+		<name>Manuel Rüger</name>
+	</maintainer>
+	<use>
+		<flag name="ambient">Enable support for ambient capability</flag>
+		<flag name="apparmor">Enable AppArmor support</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">docker/runc</remote-id>
+	</upstream>
+</pkgmetadata>