overlay app-emulation/docker: "Sync" with Gentoo

This is a kinda-sorta sync, because Gentoo has already dropped docker
20.x.y at 20.10.22, whereas we have 20.10.24. I updated our ebuild
based on the older version of Gentoo's and adapted the dependency
versions to ones mentioned on moby github page. The reason behind this
"syncing" is to pull in changes in the kernel config changes as there
are changes relevant to kernel 6.1.

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild

@@ -1,25 +1,21 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
 GIT_COMMIT=d6cbf44b8c
-COREOS_GO_VERSION="go1.18"
-COREOS_GO_GO111MODULE="off"
-
-inherit bash-completion-r1 linux-info systemd udev golang-vcs-snapshot
-inherit coreos-go-depend
+inherit linux-info systemd udev golang-vcs-snapshot
 
 DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
 HOMEPAGE="https://www.docker.com/"
-MY_PV=${PV/_/-}
 SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 
 LICENSE="Apache-2.0"
 SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ppc64 ~x86"
-# Flatcar: default enable required USE flags
-IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened +overlay +seccomp +journald"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened
+overlay seccomp selinux"
 
 DEPEND="
 	acct-group/docker
@@ -30,20 +26,11 @@ DEPEND="
 	seccomp? ( >=sys-libs/libseccomp-2.2.1 )
 "
 
-# Flatcar:
-# For CoreOS builds coreos-kernel must be installed because this ebuild
-# checks the kernel config. The kernel config is left by the kernel compile
-# or an explicit copy when installing binary packages. See coreos-kernel.eclass
-DEPEND+="sys-kernel/coreos-kernel"
-
 # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
 # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
 # https://github.com/moby/moby/tree/master//hack/dockerfile/install
 # make sure docker-proxy is pinned to exact version from ^,
 # for appropriate branchch/version of course
-# Flatcar:
-# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags
-# tini ebuild doesn't support static use flag
 RDEPEND="
 	${DEPEND}
 	>=net-firewall/iptables-1.4
@@ -51,16 +38,17 @@ RDEPEND="
 	>=dev-vcs/git-1.7
 	>=app-arch/xz-utils-4.9
 	dev-libs/libltdl
-	>=app-emulation/containerd-1.4.6[btrfs?]
-	~app-emulation/docker-proxy-0.8.0_p20210525
-	cli? ( app-emulation/docker-cli )
-	container-init? ( >=sys-process/tini-0.19.0 )
+	>=app-containers/containerd-1.6.16[apparmor?,btrfs?,device-mapper?,seccomp?]
+	~app-containers/docker-proxy-0.8.0_p20230118
+	cli? ( ~app-containers/docker-cli-${PV} )
+	container-init? ( >=sys-process/tini-0.19.0[static] )
+	selinux? ( sec-policy/selinux-docker )
 "
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
-# Flatcar: drop go-md2man
 BDEPEND="
-	>=dev-lang/go-1.13.12
+	>=dev-lang/go-1.16.12
+	dev-go/go-md2man
 	virtual/pkgconfig
 "
 # tests require running dockerd as root and downloading containers
@@ -68,8 +56,10 @@ RESTRICT="installsources strip test"
 
 S="${WORKDIR}/${P}/src/${EGO_PN}"
 
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
 PATCHES=(
 	"${FILESDIR}/ppc64-buildmode.patch"
+	"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
 )
 
 # see "contrib/check-config.sh" from upstream's sources
@@ -87,7 +77,6 @@ CONFIG_CHECK="
 	~USER_NS
 	~SECCOMP
 	~CGROUP_PIDS
-	~MEMCG_SWAP
 
 	~BLK_CGROUP ~BLK_DEV_THROTTLING
 	~CGROUP_PERF
@@ -152,6 +141,12 @@ pkg_setup() {
 		"
 	fi
 
+	if kernel_is lt 6 1; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP
+		"
+	fi
+
 	if use aufs; then
 		CONFIG_CHECK+="
 			~AUFS_FS
@@ -177,17 +172,14 @@ pkg_setup() {
 }
 
 src_compile() {
-	# Flatcar: for cross-compilation
-	go_export
 	export DOCKER_GITCOMMIT="${GIT_COMMIT}"
 	export GOPATH="${WORKDIR}/${P}"
 	export VERSION=${PV}
 
 	# setup CFLAGS and LDFLAGS for separate build target
 	# see https://github.com/tianon/docker-overlay/pull/10
-	# Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath
-	export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include"
-	export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ESYSROOT}/usr/$(get_libdir)"
+	export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+	export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
 
 	# let's set up some optional features :)
 	export DOCKER_BUILDTAGS=''
@@ -197,18 +189,16 @@ src_compile() {
 		fi
 	done
 
-	for tag in apparmor seccomp journald; do
+	for tag in apparmor seccomp; do
 		if use $tag; then
 			DOCKER_BUILDTAGS+=" $tag"
 		fi
 	done
 
-	# Flatcar:
-	# inject LDFLAGS for torcx
 	if use hardened; then
-		sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
+		sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
 		grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
-		sed  "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
+		sed  "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
 			-i hack/make/dynbinary-daemon || die
 		grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
 	fi
@@ -227,26 +217,16 @@ src_install() {
 	newinitd contrib/init/openrc/docker.initd docker
 	newconfd contrib/init/openrc/docker.confd docker
 
-	# Flatcar:
-	# install our systemd units/network config and our wrapper into
-	# /usr/lib/flatcar/docker for backwards compatibility
-	exeinto /usr/lib/flatcar
-	doexe "${FILESDIR}/dockerd"
-
-	systemd_dounit "${FILESDIR}/docker.service"
-	systemd_dounit "${FILESDIR}/docker.socket"
-
-	insinto /usr/lib/systemd/network
-	doins "${FILESDIR}/50-docker.network"
-	doins "${FILESDIR}/90-docker-veth.network"
+	systemd_dounit contrib/init/systemd/docker.{service,socket}
 
 	udev_dorules contrib/udev/*.rules
 
 	dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
 	dodoc -r docs/*
 
-	# Flatcar:
-	# don't install contrib bits
+	# note: intentionally not using "doins" so that we preserve +x bits
+	dodir /usr/share/${PN}/contrib
+	cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
 }
 
 pkg_postinst() {
@@ -287,15 +267,15 @@ pkg_postinst() {
 		ewarn "Starting with docker 20.10.2, docker has been split into"
 		ewarn "two packages upstream, so Gentoo has followed suit."
 		ewarn
-		ewarn "app-emulation/docker contains the daemon and"
-		ewarn "app-emulation/docker-cli contains the docker command."
+		ewarn "app-containers/docker contains the daemon and"
+		ewarn "app-containers/docker-cli contains the docker command."
 		ewarn
 		ewarn "docker currently installs docker-cli using the cli use flag."
 		ewarn
 		ewarn "This use flag is temporary, so you need to take the"
 		ewarn "following actions:"
 		ewarn
-		ewarn "First, disable the cli use flag for app-emulation/docker"
+		ewarn "First, disable the cli use flag for app-containers/docker"
 		ewarn
 		ewarn "Then, if you need docker-cli and docker on the same machine,"
 		ewarn "run the following command:"
@@ -304,3 +284,7 @@ pkg_postinst() {
 		ewarn
 	fi
 }
+
+pkg_postrm() {
+	udev_reload
+}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch

@@ -0,0 +1,28 @@
+From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
+From: Jan Breig <git@pygos.space>
+Date: Mon, 16 May 2022 14:58:36 +0200
+Subject: [PATCH] Openrc: Depend on containerd init script
+
+Signed-off-by: Jan Breig <git@pygos.space>
+---
+ contrib/init/openrc/docker.initd | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
+index 3229223bad..57defb8f57 100644
+--- a/contrib/init/openrc/docker.initd
++++ b/contrib/init/openrc/docker.initd
+@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
+ 
+ retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+ 
++depend() {
++	need containerd
++}
++
+ start_pre() {
+ 	checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+ }
+-- 
+2.35.1
+

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/50-docker.network

@@ -1,6 +0,0 @@
-[Match]
-Type=bridge
-Name=docker* br-*
-
-[Link]
-Unmanaged=yes

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/90-docker-veth.network

@@ -1,5 +0,0 @@
-[Match]
-Driver=veth
-
-[Link]
-Unmanaged=yes

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service

@@ -1,37 +0,0 @@
-[Unit]
-Description=Docker Application Container Engine
-Documentation=http://docs.docker.com
-After=containerd.service docker.socket network-online.target
-Wants=network-online.target
-Requires=containerd.service docker.socket
-
-[Service]
-Type=notify
-EnvironmentFile=-/run/flannel/flannel_docker_opts.env
-Environment=DOCKER_SELINUX=--selinux-enabled=true
-
-# the default is not to use systemd for cgroups because the delegate issues still
-# exists and systemd currently does not support the cgroup feature set required
-# for containers run by docker
-ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
-ExecReload=/bin/kill -s HUP $MAINPID
-LimitNOFILE=1048576
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNPROC=infinity
-LimitCORE=infinity
-# Uncomment TasksMax if your systemd version supports it.
-# Only systemd 226 and above support this version.
-TasksMax=infinity
-TimeoutStartSec=0
-# set delegate yes so that systemd does not reset the cgroups of docker containers
-Delegate=yes
-# kill only the docker process, not all processes in the cgroup
-KillMode=process
-# restart the docker process if it exits prematurely
-Restart=on-failure
-StartLimitBurst=3
-StartLimitInterval=60s
-
-[Install]
-WantedBy=multi-user.target

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket

@@ -1,13 +0,0 @@
-[Unit]
-Description=Docker Socket for the API
-PartOf=docker.service
-
-[Socket]
-ListenStream=/var/run/docker.sock
-SocketMode=0660
-SocketUser=root
-SocketGroup=docker
-
-[Install]
-WantedBy=sockets.target
-

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd

@@ -1,41 +0,0 @@
-#!/bin/bash
-# Wrapper for launching docker daemons with selinux default on
-# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
-# for backwards compatibility.
-
-set -e
-
-parse_docker_args() {
-    local flag
-    while [[ $# -gt 0 ]]; do
-        flag="$1"
-        shift
-
-        # treat --flag=foo and --flag foo identically
-        if [[ "${flag}" == *=* ]]; then
-            set -- "${flag#*=}" "$@"
-            flag="${flag%=*}"
-        fi
-
-        case "${flag}" in
-            --selinux-enabled)
-                ARG_SELINUX="$1"
-                shift
-                ;;
-            *)
-                # ignore everything else
-                ;;
-        esac
-    done
-}
-
-parse_docker_args "$@"
-
-USE_SELINUX=""
-# Do not override selinux if it is already explicitly configured.
-if [[ -z "${ARG_SELINUX}" ]]; then
-        # If unspecified, default off
-        USE_SELINUX="--selinux-enabled=false"
-fi
-
-exec dockerd "$@" ${USE_SELINUX}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/ppc64-buildmode.patch

@@ -17,14 +17,14 @@ index 5ea3e373f2..7a911de15a 100644
 --- a/hack/make/.binary
 +++ b/hack/make/.binary
 @@ -70,7 +70,7 @@ hash_files() {
- 	if [[ " $BUILDFLAGS " != *" -race "* ]]; then
- 		# -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
- 		case "$(go env GOOS)/$(go env GOARCH)" in
--			windows/* | linux/mips* | linux/riscv*) ;;
-+			windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
  
- 			*)
- 				BUILDFLAGS+=("-buildmode=pie")
+ 	# -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
+ 	case "$(go env GOOS)/$(go env GOARCH)" in
+-		windows/* | linux/mips* | linux/riscv*) ;;
++		windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
+ 
+ 		*)
+ 			BUILDFLAGS+=("-buildmode=pie")
 -- 
 2.32.0
 

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<longdescription>
 		Docker is an open-source project to easily create lightweight,
@@ -21,16 +21,13 @@
 			Enables dependencies for the "aufs" graph driver, including
 			necessary kernel flags.
 		</flag>
-		<flag name="apparmor">
-			Enable AppArmor support.
-		</flag>
 		<flag name="btrfs">
 			Enables dependencies for the "btrfs" graph driver, including
 			necessary kernel flags.
 		</flag>
 			<flag name="cli">
 				This is a temporary use flag which pulls in
-				app-emulation/docker-cli, the docker command line client.
+				<pkg>app-containers/docker-cli</pkg>, the docker command line client.
 				This flag is here to assist in the transition to split packages
 				and will be removed in a future release.
 		</flag>