From 964117a9a27f8c048d646f423ffaf09b57bfad00 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Mar 2023 15:41:01 +0100 Subject: [PATCH] overlay app-emulation/docker: "Sync" with Gentoo This is a kinda-sorta sync, because Gentoo has already dropped docker 20.x.y at 20.10.22, whereas we have 20.10.24. I updated our ebuild based on the older version of Gentoo's and adapted the dependency versions to the ones mentioned on the moby GitHub page. The reason behind this "syncing" is to pull in the kernel config changes, as there are changes relevant to kernel 6.1. --- .../docker/docker-20.10.24.ebuild | 90 ++++++++----------- ...nrc-Depend-on-containerd-init-script.patch | 28 ++++++ .../docker/files/50-docker.network | 6 -- .../docker/files/90-docker-veth.network | 5 -- .../app-emulation/docker/files/docker.service | 37 -------- .../app-emulation/docker/files/docker.socket | 13 --- .../app-emulation/docker/files/dockerd | 41 --------- .../docker/files/ppc64-buildmode.patch | 14 +-- .../app-emulation/docker/metadata.xml | 7 +- 9 files changed, 74 insertions(+), 167 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/50-docker.network delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/90-docker-veth.network delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild
index 28035af927..cbc0f16d21 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild
@@ -1,25 +1,21 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
 GIT_COMMIT=d6cbf44b8c
-COREOS_GO_VERSION="go1.18"
-COREOS_GO_GO111MODULE="off"
-
-inherit bash-completion-r1 linux-info systemd udev golang-vcs-snapshot
-inherit coreos-go-depend
+inherit linux-info systemd udev golang-vcs-snapshot
 DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
 HOMEPAGE="https://www.docker.com/"
-MY_PV=${PV/_/-}
 SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 LICENSE="Apache-2.0"
 SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ppc64 ~x86"
-# Flatcar: default enable required USE flags
-IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened +overlay +seccomp +journald"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened +overlay seccomp selinux"
 DEPEND="
 acct-group/docker
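Review bot: The new `IUSE` line changes the defaults Flatcar relied on: `btrfs`, `device-mapper`, `hardened` and `seccomp` lose their `+` prefix and `journald` disappears entirely, while the commit message only talks about kernel config changes. Unless the Flatcar profile enables them in package.use, dockerd is now built without the `seccomp` build tag (compiling out its seccomp support) and without the journald log driver, since the `for tag in apparmor seccomp; do` loop in the src_compile hunk further down no longer adds `journald`. If the profile is meant to own these defaults, say so in the commit message; otherwise keep `IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened +overlay +seccomp selinux"` and the `journald` tag.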
@@ -30,20 +26,11 @@ DEPEND="
 seccomp? ( >=sys-libs/libseccomp-2.2.1 )
 "
-# Flatcar:
-# For CoreOS builds coreos-kernel must be installed because this ebuild
-# checks the kernel config. The kernel config is left by the kernel compile
-# or an explicit copy when installing binary packages. See coreos-kernel.eclass
-DEPEND+="sys-kernel/coreos-kernel"
-
 # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
 # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
 # https://github.com/moby/moby/tree/master//hack/dockerfile/install
 # make sure docker-proxy is pinned to exact version from ^,
 # for appropriate branchch/version of course
-# Flatcar:
-# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags
-# tini ebuild doesn't support static use flag
 RDEPEND="
 ${DEPEND}
 >=net-firewall/iptables-1.4
@@ -51,16 +38,17 @@ RDEPEND="
 >=dev-vcs/git-1.7
 >=app-arch/xz-utils-4.9
 dev-libs/libltdl
- >=app-emulation/containerd-1.4.6[btrfs?]
- ~app-emulation/docker-proxy-0.8.0_p20210525
- cli? ( app-emulation/docker-cli )
- container-init? ( >=sys-process/tini-0.19.0 )
+ >=app-containers/containerd-1.6.16[apparmor?,btrfs?,device-mapper?,seccomp?]
+ ~app-containers/docker-proxy-0.8.0_p20230118
+ cli? ( ~app-containers/docker-cli-${PV} )
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
 "
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
-# Flatcar: drop go-md2man
 BDEPEND="
- >=dev-lang/go-1.13.12
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
 virtual/pkgconfig
 "
 # tests require running dockerd as root and downloading containers
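Review bot: Dropping `DEPEND+="sys-kernel/coreos-kernel"` removes what the deleted comment describes as the guarantee that a kernel config is present when pkg_setup runs its CONFIG_CHECK, and nothing in this diff replaces it. If linux-info finds no config in the Flatcar build, the `~SECCOMP`, `~USER_NS` and the new `kernel_is lt 6 1` / `~MEMCG_SWAP` checks cannot be evaluated at all, which works against the kernel-6.1 motivation in the commit message. If the kernel dependency is now expressed elsewhere, a one-line comment naming where the kernel config comes from would keep the next sync from dropping it again; otherwise keep the line.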
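Review bot: The new RDEPEND reintroduces exactly the constraints the deleted Flatcar comment warned about: `>=app-containers/containerd-1.6.16[apparmor?,btrfs?,device-mapper?,seccomp?]` and `>=sys-process/tini-0.19.0[static]`, while the removed comment stated that this overlay's containerd and tini ebuilds do not support those USE flags. Unless those ebuilds have gained the flags since, these atoms are unsatisfiable; the same question applies to the move to the `app-containers/` category and the `~app-containers/docker-cli-${PV}` pin, given that this package itself still lives under app-emulation in this overlay. If they do resolve now, a short comment stating that the overlay's containerd and tini ebuilds provide these flags would keep the next sync from restoring the workaround.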
@@ -68,8 +56,10 @@ RESTRICT="installsources strip test"
 S="${WORKDIR}/${P}/src/${EGO_PN}"
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
 PATCHES=(
 "${FILESDIR}/ppc64-buildmode.patch"
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
 )
 # see "contrib/check-config.sh" from upstream's sources
@@ -87,7 +77,6 @@ CONFIG_CHECK="
 ~USER_NS
 ~SECCOMP
 ~CGROUP_PIDS
- ~MEMCG_SWAP
 ~BLK_CGROUP
 ~BLK_DEV_THROTTLING
 ~CGROUP_PERF
@@ -152,6 +141,12 @@ pkg_setup() {
 "
 fi
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
 if use aufs; then
 CONFIG_CHECK+="
 ~AUFS_FS
@@ -177,17 +172,14 @@ pkg_setup() {
 }
 src_compile() {
- # Flatcar: for cross-compilation
- go_export
 export DOCKER_GITCOMMIT="${GIT_COMMIT}"
 export GOPATH="${WORKDIR}/${P}"
 export VERSION=${PV}
 # setup CFLAGS and LDFLAGS for separate build target
 # see https://github.com/tianon/docker-overlay/pull/10
- # Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath
- export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include"
- export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ESYSROOT}/usr/$(get_libdir)"
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
 # let's set up some optional features :)
 export DOCKER_BUILDTAGS=''
@@ -197,18 +189,16 @@ src_compile() {
 fi
 done
- for tag in apparmor seccomp journald; do
+ for tag in apparmor seccomp; do
 if use $tag; then
 DOCKER_BUILDTAGS+=" $tag"
 fi
 done
- # Flatcar:
- # inject LDFLAGS for torcx
 if use hardened; then
- sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
+ sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
 grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
- sed "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
+ sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
 -i hack/make/dynbinary-daemon || die
 grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
 fi
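Review bot: In the src_compile hunk the `go_export` call and the `${CGO_CFLAGS}`/`${CGO_LDFLAGS}` pass-through are removed, and with `inherit coreos-go-depend` and `COREOS_GO_VERSION` gone from the first hunk nothing left in the ebuild sets up the cross-compilation environment the deleted comment says Flatcar needs; the build now relies on whatever `go` satisfies the `>=dev-lang/go-1.16.12` BDEPEND. I cannot tell from the diff whether the SDK still builds arm64 on an amd64 host, so either confirm that GOARCH and the C cross toolchain are provided elsewhere or keep `go_export` together with its comment. The hardened branch still verifies its `sed` edits with `grep -q -- '-fno-PIC'`, which is worth keeping.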
@@ -227,26 +217,16 @@ src_install() {
 newinitd contrib/init/openrc/docker.initd docker
 newconfd contrib/init/openrc/docker.confd docker
- # Flatcar:
- # install our systemd units/network config and our wrapper into
- # /usr/lib/flatcar/docker for backwards compatibility
- exeinto /usr/lib/flatcar
- doexe "${FILESDIR}/dockerd"
-
- systemd_dounit "${FILESDIR}/docker.service"
- systemd_dounit "${FILESDIR}/docker.socket"
-
- insinto /usr/lib/systemd/network
- doins "${FILESDIR}/50-docker.network"
- doins "${FILESDIR}/90-docker-veth.network"
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
 udev_dorules contrib/udev/*.rules
 dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
 dodoc -r docs/*
- # Flatcar:
- # don't install contrib bits
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
 }
 pkg_postinst() {
@@ -287,15 +267,15 @@ pkg_postinst() {
 ewarn "Starting with docker 20.10.2, docker has been split into"
 ewarn "two packages upstream, so Gentoo has followed suit."
 ewarn
- ewarn "app-emulation/docker contains the daemon and"
- ewarn "app-emulation/docker-cli contains the docker command."
+ ewarn "app-containers/docker contains the daemon and"
+ ewarn "app-containers/docker-cli contains the docker command."
 ewarn
 ewarn "docker currently installs docker-cli using the cli use flag."
 ewarn
 ewarn "This use flag is temporary, so you need to take the"
 ewarn "following actions:"
 ewarn
- ewarn "First, disable the cli use flag for app-emulation/docker"
+ ewarn "First, disable the cli use flag for app-containers/docker"
 ewarn
 ewarn "Then, if you need docker-cli and docker on the same machine,"
 ewarn "run the following command:"
@@ -304,3 +284,7 @@ pkg_postinst() {
 ewarn
 fi
 }
+
+pkg_postrm() {
+ udev_reload
+}
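Review bot: Switching to `systemd_dounit contrib/init/systemd/docker.{service,socket}` also stops installing the two networkd fragments `50-docker.network` and `90-docker-veth.network` (deleted below), which marked `docker*`/`br-*` bridges and every veth interface `Unmanaged=yes`; nothing in this diff installs a replacement, so on a systemd-networkd host the container interfaces may now fall under networkd's default handling. The deleted `docker.service` also carried `Delegate=yes`, `KillMode=process`, `Requires=containerd.service` and the `DOCKER_SELINUX`/`DOCKER_OPTS` environment hooks, and the deleted socket unit pinned `SocketMode=0660`/`SocketGroup=docker`; the upstream contrib units are not visible here, so please confirm they provide equivalent settings or record the behaviour change in the commit message.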
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
new file mode 100644
index 0000000000..22aa145f33
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
@@ -0,0 +1,28 @@
+From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
+From: Jan Breig
+Date: Mon, 16 May 2022 14:58:36 +0200
+Subject: [PATCH] Openrc: Depend on containerd init script
+
+Signed-off-by: Jan Breig
+---
+ contrib/init/openrc/docker.initd | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
+index 3229223bad..57defb8f57 100644
+--- a/contrib/init/openrc/docker.initd
++++ b/contrib/init/openrc/docker.initd
+@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
+
+ retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+
++depend() {
++ need containerd
++}
++
+ start_pre() {
+ checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+ }
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/50-docker.network b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/50-docker.network
deleted file mode 100644
index a0d17b5368..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/50-docker.network
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-Type=bridge
-Name=docker* br-*
-
-[Link]
-Unmanaged=yes
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/90-docker-veth.network b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/90-docker-veth.network
deleted file mode 100644
index 3ca3816c23..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/90-docker-veth.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Driver=veth
-
-[Link]
-Unmanaged=yes
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
deleted file mode 100644
index a8f1bf4ef5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
+++ /dev/null
@@ -1,37 +0,0 @@
-[Unit]
-Description=Docker Application Container Engine
-Documentation=http://docs.docker.com
-After=containerd.service docker.socket network-online.target
-Wants=network-online.target
-Requires=containerd.service docker.socket
-
-[Service]
-Type=notify
-EnvironmentFile=-/run/flannel/flannel_docker_opts.env
-Environment=DOCKER_SELINUX=--selinux-enabled=true
-
-# the default is not to use systemd for cgroups because the delegate issues still
-# exists and systemd currently does not support the cgroup feature set required
-# for containers run by docker
-ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
-ExecReload=/bin/kill -s HUP $MAINPID
-LimitNOFILE=1048576
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNPROC=infinity
-LimitCORE=infinity
-# Uncomment TasksMax if your systemd version supports it.
-# Only systemd 226 and above support this version.
-TasksMax=infinity
-TimeoutStartSec=0
-# set delegate yes so that systemd does not reset the cgroups of docker containers
-Delegate=yes
-# kill only the docker process, not all processes in the cgroup
-KillMode=process
-# restart the docker process if it exits prematurely
-Restart=on-failure
-StartLimitBurst=3
-StartLimitInterval=60s
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket
deleted file mode 100644
index 53133c4f8f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Docker Socket for the API
-PartOf=docker.service
-
-[Socket]
-ListenStream=/var/run/docker.sock
-SocketMode=0660
-SocketUser=root
-SocketGroup=docker
-
-[Install]
-WantedBy=sockets.target
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
deleted file mode 100644
index 19c440bdda..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-# Wrapper for launching docker daemons with selinux default on
-# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
-# for backwards compatibility.
-
-set -e
-
-parse_docker_args() {
- local flag
- while [[ $# -gt 0 ]]; do
- flag="$1"
- shift
-
- # treat --flag=foo and --flag foo identically
- if [[ "${flag}" == *=* ]]; then
- set -- "${flag#*=}" "$@"
- flag="${flag%=*}"
- fi
-
- case "${flag}" in
- --selinux-enabled)
- ARG_SELINUX="$1"
- shift
- ;;
- *)
- # ignore everything else
- ;;
- esac
- done
-}
-
-parse_docker_args "$@"
-
-USE_SELINUX=""
-# Do not override selinux if it is already explicitly configured.
-if [[ -z "${ARG_SELINUX}" ]]; then
- # If unspecified, default off
- USE_SELINUX="--selinux-enabled=false"
-fi
-
-exec dockerd "$@" ${USE_SELINUX}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/ppc64-buildmode.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/ppc64-buildmode.patch
index 2d677a71ab..f16756e850 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/ppc64-buildmode.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/ppc64-buildmode.patch
@@ -17,14 +17,14 @@ index 5ea3e373f2..7a911de15a 100644
 --- a/hack/make/.binary
 +++ b/hack/make/.binary
 @@ -70,7 +70,7 @@ hash_files() {
- if [[ " $BUILDFLAGS " != *" -race "* ]]; then
- # -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
- case "$(go env GOOS)/$(go env GOARCH)" in
-- windows/* | linux/mips* | linux/riscv*) ;;
-+ windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
- *)
- BUILDFLAGS+=("-buildmode=pie")
+ # -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
+ case "$(go env GOOS)/$(go env GOARCH)" in
+- windows/* | linux/mips* | linux/riscv*) ;;
++ windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
+
+ *)
+ BUILDFLAGS+=("-buildmode=pie")
 --
 2.32.0
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml
index 1ec7d35307..5f16394188 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml
@@ -1,5 +1,5 @@
-
+
 Docker is an open-source project to easily create lightweight,
@@ -21,16 +21,13 @@
 Enables dependencies for the "aufs" graph driver, including necessary kernel flags.
-
- Enable AppArmor support.
-
 Enables dependencies for the "btrfs" graph driver, including necessary kernel flags.
 This is a temporary use flag which pulls in
- app-emulation/docker-cli, the docker command line client.
+ app-containers/docker-cli, the docker command line client.
 This flag is here to assist in the transition to split packages and will be removed in a future release.