app-containers: use upstream docker, containerd, runc

This change removes Flatcar specific builds of docker[-cli], containerd,
runc, and cri-tools and instead switches to upstream Gentoo ebuilds
added to portage-stable.

The change updates docker to 24.0.6.

NOTE that there currently is no upstream ebuild for containerd-1.7.7, so
this change adds that ebuild based on the upstream containerd-1.7.6
ebuild.

Flatcar customisations like systemd units etc. are now applied in the
manglefs script of the respective sysexts, based on file system trees in
coreos-overlay/coreos/sysext/(containerd|docker).

The build_sysext script has been extended by an option to strip all
binaries in a sysext; the option is active by default. This takes care
of removing debug symbols from docker and containerd - which are not
removed by the default Gentoo build. The overall size of both containerd
and docker sysext is reduced by ~50%.

Lastly, the sysext command line syntax of build_image has been extended
to allow specifying multiple packages for a sysext. This was necessary
because docker-cli and docker do not have any runtime relationships and
therefore must both be specified for installation to correctly mirror
Flatcar's own docker packaging.

Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
This commit is contained in:
Thilo Fromm 2023-10-24 18:57:10 +02:00
parent bc0afaad1d
commit 9f45ea05e9
68 changed files with 1548 additions and 1407 deletions


@ -33,8 +33,8 @@ DEFINE_string base_pkg "coreos-base/coreos" \
"The base portage package to base the build off of (only applies to prod images)" "The base portage package to base the build off of (only applies to prod images)"
DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \ DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
"The base portage package to base the build off of (only applies to dev containers)" "The base portage package to base the build off of (only applies to dev containers)"
DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker" \ DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli" \
"Comma-separated list of name:package - build 'package' into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first." "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \ DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
"Directory in which to place image result directories (named by version)" "Directory in which to place image result directories (named by version)"
DEFINE_string disk_layout "" \ DEFINE_string disk_layout "" \


@ -3,5 +3,16 @@
set -euo pipefail set -euo pipefail
rootfs="${1}" rootfs="${1}"
# No manpages on Flatcar, no need to ship "stress" tool
echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"
script_root="$(cd "$(dirname "$0")/../"; pwd)"
files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
cp -va "${files_dir}/"* "${rootfs}"
mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d" mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
{ echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf" { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
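Review bot: `rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"` runs against `${rootfs}` with no check that the argument is non-empty or a directory; `set -u` rejects a missing `$1` but not an empty one, and the sibling docker manglefs script has the same gap, where its `rm -rf "${rootfs}/usr/lib/debug/"` would then act on the host's `/usr/lib/debug/`. Changing the second line to `rootfs="${1:?usage: $0 <rootfs>}"` in both scripts closes it. Separately, `script_root="$(cd "$(dirname "$0")/../"; pwd)"` should join the two commands with `&&` instead of `;`, because bash clears `-e` inside `$(...)` by default and a failed `cd` would silently leave the caller's working directory as `script_root`.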


@ -3,5 +3,15 @@
set -euo pipefail set -euo pipefail
rootfs="${1}" rootfs="${1}"
# Remove debug and contrib
echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
script_root="$(cd "$(dirname "$0")/../"; pwd)"
files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
cp -va "${files_dir}/"* "${rootfs}"
mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d" mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
{ echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf" { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
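Review bot: `cp -va "${files_dir}/"* "${rootfs}"` preserves ownership and timestamps from the checked-out overlay tree; if this script runs with root privileges (the surrounding build tooling uses sudo, but the manglefs invocation itself is not in this section), the unit and config files land in the sysext owned by whatever uid owns the checkout rather than root. `cp -rv --no-preserve=ownership` or a `chown -R root:root` over the copied paths keeps the installed files root-owned; the containerd manglefs script copies its tree the same way. The new notice also reads `>>> NOTICE $0:` while the line above it uses `>>> NOTICE: $0:`; matching the existing form keeps the log output consistent.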


@ -30,12 +30,14 @@ create_prod_sysext() {
local base_sysext="$4" local base_sysext="$4"
local install_root="$5" local install_root="$5"
local name="$6" local name="$6"
local grp_pkg="$7" local grp_pkgs="$7"
local pkginfo="${8:-}" local pkginfo="${8:-}"
local -a build_sysext_opts=() local -a build_sysext_opts=()
local msg="Installing ${grp_pkg}' in sysext ${name}.raw" local grp_pkg="${grp_pkgs//&/ }"
local msg="Installing ${grp_pkg} in sysext ${name}.raw"
# Include previous sysexts' pkginfo if supplied # Include previous sysexts' pkginfo if supplied
if [[ -n "${pkginfo}" ]] ; then if [[ -n "${pkginfo}" ]] ; then
@ -60,7 +62,7 @@ create_prod_sysext() {
--squashfs_base="${base_sysext}" \ --squashfs_base="${base_sysext}" \
--generate_pkginfo \ --generate_pkginfo \
"${build_sysext_opts[@]}" \ "${build_sysext_opts[@]}" \
"${name}" "${grp_pkg}" "${name}" ${grp_pkg}
sudo mv "${workdir}/sysext-build/${name}.raw" "${workdir}/sysext-build/${name}_pkginfo.raw" \ sudo mv "${workdir}/sysext-build/${name}.raw" "${workdir}/sysext-build/${name}_pkginfo.raw" \
"${workdir}/sysext-build/${name}"_*.txt "${output_dir}" "${workdir}/sysext-build/${name}"_*.txt "${output_dir}"


@ -25,6 +25,8 @@ DEFINE_string squashfs_base '' \
"The path to the squashfs base image. Defaults to the most current image built in '${default_imagedir}/${FLATCAR_PRODUCTION_IMAGE_SYSEXT_BASE}'." "The path to the squashfs base image. Defaults to the most current image built in '${default_imagedir}/${FLATCAR_PRODUCTION_IMAGE_SYSEXT_BASE}'."
DEFINE_string image_builddir '' \ DEFINE_string image_builddir '' \
"Custom directory to build the sysext in. Defaults to a 'sysext' sub-directory of the directory the squashfs base image resides in; '${default_imagedir}/sysext' by default." "Custom directory to build the sysext in. Defaults to a 'sysext' sub-directory of the directory the squashfs base image resides in; '${default_imagedir}/sysext' by default."
DEFINE_boolean strip_binaries "${FLAGS_TRUE}" \
"After installation, scan sysext root for unstripped binaries and strip these."
DEFINE_string manglefs_script '' \ DEFINE_string manglefs_script '' \
"A path to executable that will customize the rootfs of the sysext image." "A path to executable that will customize the rootfs of the sysext image."
DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \ DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
@ -231,6 +233,22 @@ info "Writing ${SYSEXTNAME}_packages.txt"
ROOT="${BUILD_DIR}/install-root" PORTAGE_CONFIGROOT="${BUILD_DIR}/install-root" \ ROOT="${BUILD_DIR}/install-root" PORTAGE_CONFIGROOT="${BUILD_DIR}/install-root" \
equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt" equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
if [[ "${FLAGS_strip_binaries}" = "${FLAGS_TRUE}" ]]; then
chost="$("portageq-${BOARD}" envvar CHOST)"
strip="${chost}-strip"
info "Stripping all non-stripped binaries in sysext using '${strip}'"
# Find all non-stripped binaries, remove ':' from filepath, and strip 'em
find "${BUILD_DIR}/install-root" -exec file \{\} \; \
| awk '/not stripped/ {print substr($1, 1, length($1)-1)}' \
| while read bin; do
info " ${strip} ${bin}"
"${strip}" "${bin}"
done
fi
if [[ -n "${FLAGS_manglefs_script}" ]]; then if [[ -n "${FLAGS_manglefs_script}" ]]; then
if [[ ! -x "${FLAGS_manglefs_script}" ]]; then if [[ ! -x "${FLAGS_manglefs_script}" ]]; then
die "${FLAGS_manglefs_script} is not executable" die "${FLAGS_manglefs_script} is not executable"
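Review bot: The strip loop in the second hunk truncates any path containing whitespace: `awk '{print substr($1, ...)}'` keeps only the first whitespace-delimited field of file(1)'s `path: description` output, and `while read bin` without `-r` and `IFS=` also mangles backslashes and surrounding blanks, so such a binary is either skipped or a wrong path is handed to `${strip}`. file(1)'s `--print0` terminates the path with a NUL before the `: description` part, which lets the loop read the path and the description separately regardless of the characters in the path; `-type f` and `-exec ... +` additionally avoid one `file` process per directory entry. Whether a failing `${strip}` aborts the build depends on the `set -e`/`pipefail` settings earlier in build_sysext, which are outside this hunk.
```shell
  # Find all non-stripped binaries and strip them. file(1) with --print0
  # emits "<path>\0: <description>\n", so the path is read NUL-delimited and
  # survives spaces, colons and backslashes.
  find "${BUILD_DIR}/install-root" -type f -exec file --print0 -- {} + \
    | while IFS= read -r -d '' bin && IFS= read -r desc; do
        [[ "${desc}" == *"not stripped"* ]] || continue
        info "  ${strip} ${bin}"
        "${strip}" "${bin}"
      done
```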


@ -1 +0,0 @@
DIST containerd-1.7.7.tar.gz 9910424 BLAKE2B 623315962233fe3ce965c17c37c950dc1ded8b381012ed50d2bee8b1cea134bc9ef5a1cf5599b6bcd121cabe204fe61015526226131954364a976ebb08d8c353 SHA512 a44e901b017522639963bb415f666599af04335d8ccbd28899712606a4692c1601e95eaa2f1db32a3c077ad2c3f332f37393154ad6c2660646b7e8365a6ab720


@ -1,69 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
GITHUB_URI="github.com/containerd/containerd"
COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.19"
if [[ ${PV} == *9999 ]]; then
EGIT_REPO_URI="https://${GITHUB_URI}.git"
inherit git-r3
else
MY_PV="${PV/_rc/-rc.}"
EGIT_COMMIT="v${MY_PV}"
CONTAINERD_COMMIT="c676287c3e99d785927d9775eb4bcf9facdd4159"
SRC_URI="https://${GITHUB_URI}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
KEYWORDS="amd64 arm64"
inherit vcs-snapshot
fi
inherit coreos-go systemd
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.tools"
LICENSE="Apache-2.0"
SLOT="0"
IUSE="+btrfs hardened"
DEPEND="btrfs? ( sys-fs/btrfs-progs )"
RDEPEND="~app-containers/runc-1.1.9
sys-libs/libseccomp"
S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
RESTRICT="test"
src_unpack() {
mkdir -p "${S}"
tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
}
src_prepare() {
coreos-go_src_prepare
if [[ ${PV} != *9999* ]]; then
sed -i -e "s/git describe --match.*$/echo ${PV})/"\
-e "s/git rev-parse HEAD.*$/echo $CONTAINERD_COMMIT)/"\
-e "s/-s -w//" \
Makefile || die
fi
}
src_compile() {
local options=( $(usex btrfs "" "no_btrfs") )
export GOPATH="${WORKDIR}/${P}" # ${PWD}/vendor
export GO111MODULE=on
export GOFLAGS="-v -x -mod=vendor"
LDFLAGS=$(usex hardened '-extldflags -fno-PIC' '') emake BUILDTAGS="${options[*]}"
}
src_install() {
dobin bin/containerd{-shim,-shim-runc-v*,} bin/ctr
systemd_newunit "${FILESDIR}/${PN}-1.0.0.service" "${PN}.service"
systemd_enable_service multi-user.target "${PN}.service"
insinto /usr/share/containerd
doins "${FILESDIR}/config.toml"
doins "${FILESDIR}/config-cgroupfs.toml"
}


@ -1,24 +0,0 @@
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd --listen unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim /usr/bin/containerd-shim --state-dir /var/run/docker/libcontainerd/containerd --start-timeout 2m
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target early-docker.target


@ -1 +0,0 @@
DIST cri-tools-1.24.2.tar.gz 5968560 BLAKE2B 8dce8d16d5218aa73705b4a49b31391eaa25b21deb97f3dfe553f43d7371adf58206d9198f3e22e1c9cbcb7f41b832b0600b324d7c0f943ef313dc89900da46d SHA512 9b5907b37bb5f00295eff4fa4207ae55d930feae7e0f48fa130c7ecc936bcd259a11d59ed240684a3e12c8bcee40f2c67d7f4af52c2a76df3d7bf82e5e388a75


@ -1,46 +0,0 @@
# Copyright 2021-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
# Flatcar: remove bash-completion, inherit coreos-go
inherit go-module coreos-go
COREOS_GO_VERSION="go1.19"
COREOS_GO_PACKAGE="github.com/kubernetes-sigs/cri-tools"
COREOS_GO_MOD="vendor"
MY_PV="v${PV/_beta/-beta.}"
EGO_PN="${COREOS_GO_PACKAGE}"
DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
SLOT="0"
# Flatcar: keyword arm64
KEYWORDS="amd64 arm64"
S=${WORKDIR}/cri-tools-${PV}
RESTRICT+=" test"
src_compile() {
# Flatcar: make use of the existing helpers provided by `coreos-go.eclass`.
# To optimize the binary size of crictl, add "-X" to GO_LDFLAGS,
# like "-X $(PROJECT)/pkg/version.Version=$(VERSION)" in the original
# Makefile of cri-tools. We cannot follow way of Gentoo ebuilds like `emake`,
# because Makefile of cri-tools does not allow users to pass in ${GOARCH}.
# Remove shell completions.
GO_LDFLAGS="-s -w -extldflags=-Wl,-z,now,-z,relro,-z,defs "
GO_LDFLAGS+="-X ${COREOS_GO_PACKAGE}/pkg/version.Version=${PV} "
go_build "${COREOS_GO_PACKAGE}/cmd/crictl"
}
src_install() {
# Flatcar: install only crictl binary, remove shell completions.
dobin "${GOBIN}/crictl"
dodoc -r docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md
}


@ -1 +0,0 @@
DIST docker-cli-20.10.24.tar.gz 7589761 BLAKE2B 353298fba483dc9ce2797397398bb99f9194302e09f943614b5101f24d7a6b404c5e8a1890acf76450e85d295e623f18fb21ab55a3faabfd04596ca520f740c5 SHA512 5996c24070986e18c0530d0db1a9b4a2c0188c1d22b4c0d99161b2f69bb9cecd4221b628afc0db3078d17918a6e312c6b6ca63f889e634006d4e04c677257a27


@ -1,104 +0,0 @@
From 5d4e44df90bb913f30a1f0215f9715cb60e17d75 Mon Sep 17 00:00:00 2001
Message-Id: <5d4e44df90bb913f30a1f0215f9715cb60e17d75.1689769748.git.dpark@linux.microsoft.com>
From: Sebastiaan van Stijn <github@gone.nl>
Date: Mon, 17 Jul 2023 16:48:27 +0200
Subject: [PATCH] [20.10] vendor: docker v20.10.25-45-g0d4b9ed98b
(v20.10.26-dev)
full diff: https://github.com/docker/docker/compare/v20.10.25...0d4b9ed98be2aecf27e8dd014bef7bad0be15457
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
.../github.com/docker/docker/client/client.go | 30 +++++++++++++++++++
.../github.com/docker/docker/client/hijack.go | 6 +++-
.../docker/docker/client/request.go | 14 ++++-----
vendor/github.com/docker/docker/vendor.conf | 2 +-
5 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
index 0d3614d5..d0ce09ae 100644
--- a/vendor/github.com/docker/docker/client/client.go
+++ b/vendor/github.com/docker/docker/client/client.go
@@ -56,6 +56,36 @@ import (
"github.com/pkg/errors"
)
+// DummyHost is a hostname used for local communication.
+//
+// It acts as a valid formatted hostname for local connections (such as "unix://"
+// or "npipe://") which do not require a hostname. It should never be resolved,
+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
+// and [RFC 6761, Section 6.3]).
+//
+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
+// cases:
+//
+// If the authority component is missing or undefined for the target URI,
+// then a client MUST send a Host header field with an empty field-value.
+//
+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
+// allow an empty header to be used, and requires req.URL.Scheme to be either
+// "http" or "https".
+//
+// For further details, refer to:
+//
+// - https://github.com/docker/engine-api/issues/189
+// - https://github.com/golang/go/issues/13624
+// - https://github.com/golang/go/issues/61076
+// - https://github.com/moby/moby/issues/45935
+//
+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
+const DummyHost = "api.moby.localhost"
+
// ErrRedirect is the error returned by checkRedirect when the request is non-GET.
var ErrRedirect = errors.New("unexpected redirect in response")
diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
index e1dc49ef..b8fac0be 100644
--- a/vendor/github.com/docker/docker/client/hijack.go
+++ b/vendor/github.com/docker/docker/client/hijack.go
@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
}
func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
- req.Host = cli.addr
+ req.URL.Host = cli.addr
+ if cli.proto == "unix" || cli.proto == "npipe" {
+ // Override host header for non-tcp connections.
+ req.Host = DummyHost
+ }
req.Header.Set("Connection", "Upgrade")
req.Header.Set("Upgrade", proto)
diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
index d3d9a3fe..66530d4b 100644
--- a/vendor/github.com/docker/docker/client/request.go
+++ b/vendor/github.com/docker/docker/client/request.go
@@ -88,15 +88,13 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
return nil, err
}
req = cli.addHeaders(req, headers)
-
- if cli.proto == "unix" || cli.proto == "npipe" {
- // For local communications, it doesn't matter what the host is. We just
- // need a valid and meaningful host name. (See #189)
- req.Host = "docker"
- }
-
- req.URL.Host = cli.addr
req.URL.Scheme = cli.scheme
+ req.URL.Host = cli.addr
+
+ if cli.proto == "unix" || cli.proto == "npipe" {
+ // Override host header for non-tcp connections.
+ req.Host = DummyHost
+ }
if expectedPayload && req.Header.Get("Content-Type") == "" {
req.Header.Set("Content-Type", "text/plain")
--
2.34.1


@ -1 +0,0 @@
DIST docker-20.10.24.tar.gz 11235129 BLAKE2B abeae0ff9e2d03bd7c901a9e3c1f5a3ccf84afefb034ce032f4e559349ea01ab69ebe120d6c0992885aafa153a784a8c253ed3f7345b921860b758da8e0474ef SHA512 2e82d8048fbf53e3d8ac87eb155d2e321378ca9c9ee038d13bb1b510db31df0f9951db51df81bad28a64c25285e21f8e541b4ce58a68af81fa66d5c07dd3f4d3


@ -1,332 +0,0 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EGO_PN=github.com/docker/docker
MY_PV=${PV/_/-}
GIT_COMMIT=d6cbf44b8c
inherit linux-info systemd udev golang-vcs-snapshot
COREOS_GO_VERSION="go1.19"
COREOS_GO_GO111MODULE="off"
inherit coreos-go-depend
DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/"
SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
# Flatcar: default enable required USE flags
IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened
+overlay +seccomp selinux"
DEPEND="
acct-group/docker
>=dev-db/sqlite-3.7.9:3
apparmor? ( sys-libs/libapparmor )
btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
seccomp? ( >=sys-libs/libseccomp-2.2.1 )
"
# Flatcar:
# For CoreOS builds coreos-kernel must be installed because this ebuild
# checks the kernel config. The kernel config is left by the kernel compile
# or an explicit copy when installing binary packages. See coreos-kernel.eclass
DEPEND+="
sys-kernel/coreos-kernel
"
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
# https://github.com/moby/moby/tree/master//hack/dockerfile/install
# make sure docker-proxy is pinned to exact version from ^,
# for appropriate branchch/version of course
# Flatcar:
# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags
RDEPEND="
${DEPEND}
>=net-firewall/iptables-1.4
sys-process/procps
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
dev-libs/libltdl
>=app-containers/containerd-1.6.16[btrfs?]
~app-containers/docker-proxy-0.8.0_p20230118
cli? ( ~app-containers/docker-cli-${PV} )
container-init? ( >=sys-process/tini-0.19.0[static] )
selinux? ( sec-policy/selinux-docker )
"
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
# Flatcar: drop go-md2man
BDEPEND="
>=dev-lang/go-1.16.12
virtual/pkgconfig
"
# tests require running dockerd as root and downloading containers
RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}"
# Flatcar: Dropped outdated bug links, dropped openrc init script patch,
# backport upstream patches for fixing invalid headers issue when building
# with Go 1.19.11+.
PATCHES=(
"${FILESDIR}/ppc64-buildmode.patch"
"${FILESDIR}/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch"
"${FILESDIR}/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch"
)
# see "contrib/check-config.sh" from upstream's sources
CONFIG_CHECK="
~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
~CGROUP_NET_PRIO
~KEYS
~VETH ~BRIDGE ~BRIDGE_NETFILTER
~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MARK
~NETFILTER_NETLINK ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK ~NETFILTER_XT_MATCH_IPVS
~IP_NF_NAT ~NF_NAT
~POSIX_MQUEUE
~USER_NS
~SECCOMP
~CGROUP_PIDS
~BLK_CGROUP ~BLK_DEV_THROTTLING
~CGROUP_PERF
~CGROUP_HUGETLB
~NET_CLS_CGROUP
~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
~VXLAN
~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH ~XFRM_ALGO ~XFRM_USER
~IPVLAN
~MACVLAN ~DUMMY
~OVERLAY_FS ~!OVERLAY_FS_REDIRECT_DIR
~EXT4_FS_SECURITY
~EXT4_FS_POSIX_ACL
"
ERROR_KEYS="CONFIG_KEYS: is mandatory"
ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
pkg_setup() {
if kernel_is lt 4 5; then
CONFIG_CHECK+="
~MEMCG_KMEM
"
ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
fi
if kernel_is lt 4 7; then
CONFIG_CHECK+="
~DEVPTS_MULTIPLE_INSTANCES
"
fi
if kernel_is lt 5 1; then
CONFIG_CHECK+="
~NF_NAT_IPV4
~IOSCHED_CFQ
~CFQ_GROUP_IOSCHED
"
fi
if kernel_is lt 5 2; then
CONFIG_CHECK+="
~NF_NAT_NEEDED
"
fi
if kernel_is lt 5 8; then
CONFIG_CHECK+="
~MEMCG_SWAP_ENABLED
"
fi
if kernel_is lt 6 1; then
CONFIG_CHECK+="
~MEMCG_SWAP
"
fi
if use aufs; then
CONFIG_CHECK+="
~AUFS_FS
~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
"
ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs is patched to kernel instead of using standalone"
fi
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
~BTRFS_FS_POSIX_ACL
"
fi
if use device-mapper; then
CONFIG_CHECK+="
~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
"
fi
linux-info_pkg_setup
}
src_compile() {
# Flatcar: for cross-compilation
go_export
export DOCKER_GITCOMMIT="${GIT_COMMIT}"
export GOPATH="${WORKDIR}/${P}"
export VERSION=${PV}
# setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10
# Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath
export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ESYSROOT}/usr/$(get_libdir)"
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
for gd in aufs btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
done
for tag in apparmor seccomp; do
if use $tag; then
DOCKER_BUILDTAGS+=" $tag"
fi
done
# Flatcar: Add journald to build tags.
DOCKER_BUILDTAGS+=' journald'
# Flatcar:
# inject LDFLAGS for torcx
if use hardened; then
sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
sed "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
-i hack/make/dynbinary-daemon || die
grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
fi
# build daemon
./hack/make.sh dynbinary || die 'dynbinary failed'
}
src_install() {
dosym containerd /usr/bin/docker-containerd
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
use container-init && dosym tini /usr/bin/docker-init
newbin bundles/dynbinary-daemon/dockerd dockerd
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
# Flatcar:
# install our systemd units/network config and our wrapper into
# /usr/lib/flatcar/docker for backwards compatibility instead of
# the units from contrib/init/systemd directory.
#
# systemd_dounit contrib/init/systemd/docker.{service,socket}
exeinto /usr/lib/flatcar
doexe "${FILESDIR}/dockerd"
systemd_dounit "${FILESDIR}/docker.service"
systemd_dounit "${FILESDIR}/docker.socket"
insinto /usr/lib/systemd/network
doins "${FILESDIR}/50-docker.network"
doins "${FILESDIR}/90-docker-veth.network"
udev_dorules contrib/udev/*.rules
dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
dodoc -r docs/*
# Flatcar:
# don't install contrib bits
# # note: intentionally not using "doins" so that we preserve +x bits
# dodir /usr/share/${PN}/contrib
# cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
}
pkg_postinst() {
udev_reload
elog
elog "To use Docker, the Docker daemon must be running as root. To automatically"
elog "start the Docker daemon at boot:"
if systemd_is_booted || has_version sys-apps/systemd; then
elog " systemctl enable docker.service"
else
elog " rc-update add docker default"
fi
elog
elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
elog ' usermod -aG docker <youruser>'
elog
if use device-mapper; then
elog " Devicemapper storage driver has been deprecated"
elog " It will be removed in a future release"
elog
fi
if use overlay; then
elog " Overlay storage driver/USEflag has been deprecated"
elog " in favor of overlay2 (enabled unconditionally)"
elog
fi
if has_version sys-fs/zfs; then
elog " ZFS storage driver is available"
elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
elog
fi
if use cli; then
ewarn "Starting with docker 20.10.2, docker has been split into"
ewarn "two packages upstream, so Gentoo has followed suit."
ewarn
ewarn "app-containers/docker contains the daemon and"
ewarn "app-containers/docker-cli contains the docker command."
ewarn
ewarn "docker currently installs docker-cli using the cli use flag."
ewarn
ewarn "This use flag is temporary, so you need to take the"
ewarn "following actions:"
ewarn
ewarn "First, disable the cli use flag for app-containers/docker"
ewarn
ewarn "Then, if you need docker-cli and docker on the same machine,"
ewarn "run the following command:"
ewarn
ewarn "# emerge --noreplace docker-cli"
ewarn
fi
}
pkg_postrm() {
udev_reload
}


@ -1,161 +0,0 @@
From 74b4974cb7e7e81e57661f93b03c94a95a15472e Mon Sep 17 00:00:00 2001
Message-Id: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
From: Sebastiaan van Stijn <github@gone.nl>
Date: Wed, 12 Jul 2023 14:15:38 +0200
Subject: [PATCH 1/2] client: define a "dummy" hostname to use for local
connections
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.
The current code used the client's `addr` as hostname in some cases, which
could contain the path for the unix-socket (`/var/run/docker.sock`), which
gets rejected by go1.20.6 and go1.19.11 because of a security fix for
[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.
This patch introduces a `DummyHost` const, and uses this dummy host for
cases where we don't need an actual hostname.
Before this patch (using go1.20.6):
make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
=== RUN TestAttachWithTTY
attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithTTY (0.11s)
=== RUN TestAttachWithoutTTy
attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithoutTTy (0.02s)
FAIL
With this patch applied:
make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
INFO: Testing against a local daemon
=== RUN TestAttachWithTTY
--- PASS: TestAttachWithTTY (0.12s)
=== RUN TestAttachWithoutTTy
--- PASS: TestAttachWithoutTTy (0.02s)
PASS
[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
client/client.go | 30 ++++++++++++++++++++++++++++++
client/hijack.go | 6 +++++-
client/request.go | 14 ++++++--------
client/request_test.go | 4 ++--
4 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/client/client.go b/client/client.go
index 0d3614d5..d0ce09ae 100644
--- a/client/client.go
+++ b/client/client.go
@@ -56,6 +56,36 @@ import (
"github.com/pkg/errors"
)
+// DummyHost is a hostname used for local communication.
+//
+// It acts as a valid formatted hostname for local connections (such as "unix://"
+// or "npipe://") which do not require a hostname. It should never be resolved,
+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
+// and [RFC 6761, Section 6.3]).
+//
+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
+// cases:
+//
+// If the authority component is missing or undefined for the target URI,
+// then a client MUST send a Host header field with an empty field-value.
+//
+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
+// allow an empty header to be used, and requires req.URL.Scheme to be either
+// "http" or "https".
+//
+// For further details, refer to:
+//
+// - https://github.com/docker/engine-api/issues/189
+// - https://github.com/golang/go/issues/13624
+// - https://github.com/golang/go/issues/61076
+// - https://github.com/moby/moby/issues/45935
+//
+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
+const DummyHost = "api.moby.localhost"
+
// ErrRedirect is the error returned by checkRedirect when the request is non-GET.
var ErrRedirect = errors.New("unexpected redirect in response")
diff --git a/client/hijack.go b/client/hijack.go
index e1dc49ef..b8fac0be 100644
--- a/client/hijack.go
+++ b/client/hijack.go
@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
}
func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
- req.Host = cli.addr
+ req.URL.Host = cli.addr
+ if cli.proto == "unix" || cli.proto == "npipe" {
+ // Override host header for non-tcp connections.
+ req.Host = DummyHost
+ }
req.Header.Set("Connection", "Upgrade")
req.Header.Set("Upgrade", proto)
diff --git a/client/request.go b/client/request.go
index d3d9a3fe..66530d4b 100644
--- a/client/request.go
+++ b/client/request.go
@@ -88,15 +88,13 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
return nil, err
}
req = cli.addHeaders(req, headers)
-
- if cli.proto == "unix" || cli.proto == "npipe" {
- // For local communications, it doesn't matter what the host is. We just
- // need a valid and meaningful host name. (See #189)
- req.Host = "docker"
- }
-
- req.URL.Host = cli.addr
req.URL.Scheme = cli.scheme
+ req.URL.Host = cli.addr
+
+ if cli.proto == "unix" || cli.proto == "npipe" {
+ // Override host header for non-tcp connections.
+ req.Host = DummyHost
+ }
if expectedPayload && req.Header.Get("Content-Type") == "" {
req.Header.Set("Content-Type", "text/plain")
diff --git a/client/request_test.go b/client/request_test.go
index a3be507b..c1a10923 100644
--- a/client/request_test.go
+++ b/client/request_test.go
@@ -27,12 +27,12 @@ func TestSetHostHeader(t *testing.T) {
}{
{
"unix:///var/run/docker.sock",
- "docker",
+ DummyHost,
"/var/run/docker.sock",
},
{
"npipe:////./pipe/docker_engine",
- "docker",
+ DummyHost,
"//./pipe/docker_engine",
},
{
--
2.34.1


@ -1,72 +0,0 @@
From 1603196c5bc3e3b826c841e599bc45fc33562633 Mon Sep 17 00:00:00 2001
Message-Id: <1603196c5bc3e3b826c841e599bc45fc33562633.1689689028.git.dpark@linux.microsoft.com>
In-Reply-To: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
References: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
From: Sebastiaan van Stijn <github@gone.nl>
Date: Wed, 12 Jul 2023 15:07:59 +0200
Subject: [PATCH 2/2] pkg/plugins: use a dummy hostname for local connections
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.
The current code used the socket path as hostname, which gets rejected by
go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
which was implemented in https://go.dev/issue/60374.
Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.
Before this patch, tests would fail on go1.20.6:
=== FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
pkg/plugins/client.go | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
index 752fecd0..e683eb77 100644
--- a/pkg/plugins/client.go
+++ b/pkg/plugins/client.go
@@ -18,6 +18,12 @@ import (
const (
defaultTimeOut = 30
+
+ // dummyHost is a hostname used for local communication.
+ //
+ // For local communications (npipe://, unix://), the hostname is not used,
+ // but we need valid and meaningful hostname.
+ dummyHost = "plugin.moby.localhost"
)
func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
return nil, err
}
scheme := httpScheme(u)
-
- return transport.NewHTTPTransport(tr, scheme, socket), nil
+ hostName := u.Host
+ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
+ // Override host header for non-tcp connections.
+ hostName = dummyHost
+ }
+ return transport.NewHTTPTransport(tr, scheme, hostName), nil
}
// NewClient creates a new plugin client (http).
--
2.34.1


@ -1,30 +0,0 @@
From c4135e37e54a6480abfe18746f227f05cb9269ab Mon Sep 17 00:00:00 2001
From: Georgy Yakovlev <gyakovlev@gentoo.org>
Date: Thu, 10 Jun 2021 16:19:22 -0700
Subject: [PATCH] don't use buildmode=pie on ppc64
It's already omitted for ppc64 in
hack/dockerfile/install/install.sh
not using wildcard, because GOARCH=ppc64le supports pie
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
---
hack/make/.binary | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/make/.binary b/hack/make/.binary
index 5ea3e373f2..7a911de15a 100644
--- a/hack/make/.binary
+++ b/hack/make/.binary
@@ -70,7 +70,7 @@ hash_files() {
if [[ " $BUILDFLAGS " != *" -race "* ]]; then
# -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
case "$(go env GOOS)/$(go env GOARCH)" in
- windows/* | linux/mips* | linux/riscv*) ;;
+ windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
*)
BUILDFLAGS+=("-buildmode=pie")
--
2.32.0


@ -1 +0,0 @@
DIST runc-1.1.9.tar.gz 2514790 BLAKE2B dec0766c96fb2d264ee8d693adafd2b1f94a2f30329b41f966441f1632ceda83835f4aa8ad46966a04d890cb4c5107f6880ad911ed2b879d2c72565ba5d513e6 SHA512 722ed7d58eccfb37357d85e69b2a8f7fa23ed3553e3b6541e9f26946896dc0c2955e5e4708ee77765ad2d3e4dd9c9722fbcefce1f2a96111240edd445cf902ba


@ -1,46 +0,0 @@
From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
From: Mrunal Patel <mrunalp@gmail.com>
Date: Thu, 2 Feb 2017 11:23:26 -0800
Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
We ensure that mqueue is owned by user namespace root
by unsharing CLONE_NEWIPC after we become user namespace
root. This allows us to apply the container SELinux label
to mqueue.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
(dpark: Adjust the logic according to the new code of v1.1.5)
Signed-off-by: Dongsu Park <dpark@linux.microsoft.com>
---
libcontainer/nsenter/nsexec.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 2d224bab..4865261f 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -1241,7 +1241,12 @@ void nsexec(void)
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway.
*/
- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
+ uint32_t apply_cloneflags = config.cloneflags;
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ apply_cloneflags &= ~CLONE_NEWIPC;
+ }
+
+ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
/* Ask our parent to send the mount sources fds. */
if (config.mountsources) {
@@ -1362,6 +1367,10 @@ void nsexec(void)
try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
}
+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
+ try_unshare(CLONE_NEWIPC, "ipc namespace");
+ }
+
write_log(DEBUG, "signal completion to stage-0");
s = SYNC_CHILD_FINISH;
if (write(syncfd, &s, sizeof(s)) != sizeof(s))


@ -1,334 +0,0 @@
From 2d069bb79260e594870ce3e7466477e54a0c5307 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 9 Jan 2019 13:40:01 +1100
Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
to container
There are quite a few circumstances where /proc/self/exe pointing to a
pretty important container binary is a _bad_ thing, so to avoid this we
have to make a copy (preferably doing self-clean-up and not being
writeable).
We require memfd_create(2) -- though there is an O_TMPFILE fallback --
but we can always extend this to use a scratch MNT_DETACH overlayfs or
tmpfs. The main downside to this approach is no page-cache sharing for
the runc binary (which overlayfs would give us) but this is far less
complicated.
This is only done during nsenter so that it happens transparently to the
Go code, and any libcontainer users benefit from it. This also makes
ExtraFiles and --preserve-fds handling trivial (because we don't need to
worry about it).
Fixes: CVE-2019-5736
Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++
libcontainer/nsenter/nsexec.c | 11 ++
2 files changed, 279 insertions(+)
create mode 100644 libcontainer/nsenter/cloned_binary.c
diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
new file mode 100644
index 000000000000..c8a42c23f73f
--- /dev/null
+++ b/libcontainer/nsenter/cloned_binary.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/vfs.h>
+#include <sys/mman.h>
+#include <sys/sendfile.h>
+#include <sys/syscall.h>
+
+/* Use our own wrapper for memfd_create. */
+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
+# define SYS_memfd_create __NR_memfd_create
+#endif
+#ifdef SYS_memfd_create
+# define HAVE_MEMFD_CREATE
+/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
+# ifndef MFD_CLOEXEC
+# define MFD_CLOEXEC 0x0001U
+# define MFD_ALLOW_SEALING 0x0002U
+# endif
+int memfd_create(const char *name, unsigned int flags)
+{
+ return syscall(SYS_memfd_create, name, flags);
+}
+#endif
+
+/* This comes directly from <linux/fcntl.h>. */
+#ifndef F_LINUX_SPECIFIC_BASE
+# define F_LINUX_SPECIFIC_BASE 1024
+#endif
+#ifndef F_ADD_SEALS
+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
+#endif
+#ifndef F_SEAL_SEAL
+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
+# define F_SEAL_GROW 0x0004 /* prevent file from growing */
+# define F_SEAL_WRITE 0x0008 /* prevent writes */
+#endif
+
+#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
+#ifdef HAVE_MEMFD_CREATE
+# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
+# define RUNC_MEMFD_SEALS \
+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
+#endif
+
+static void *must_realloc(void *ptr, size_t size)
+{
+ void *old = ptr;
+ do {
+ ptr = realloc(old, size);
+ } while(!ptr);
+ return ptr;
+}
+
+/*
+ * Verify whether we are currently in a self-cloned program (namely, is
+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
+ * for shmem files), and we want to be sure it's actually sealed.
+ */
+static int is_self_cloned(void)
+{
+ int fd, ret, is_cloned = 0;
+
+ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
+ if (fd < 0)
+ return -ENOTRECOVERABLE;
+
+#ifdef HAVE_MEMFD_CREATE
+ ret = fcntl(fd, F_GET_SEALS);
+ is_cloned = (ret == RUNC_MEMFD_SEALS);
+#else
+ struct stat statbuf = {0};
+ ret = fstat(fd, &statbuf);
+ if (ret >= 0)
+ is_cloned = (statbuf.st_nlink == 0);
+#endif
+ close(fd);
+ return is_cloned;
+}
+
+/*
+ * Basic wrapper around mmap(2) that gives you the file length so you can
+ * safely treat it as an ordinary buffer. Only gives you read access.
+ */
+static char *read_file(char *path, size_t *length)
+{
+ int fd;
+ char buf[4096], *copy = NULL;
+
+ if (!length)
+ return NULL;
+
+ fd = open(path, O_RDONLY | O_CLOEXEC);
+ if (fd < 0)
+ return NULL;
+
+ *length = 0;
+ for (;;) {
+ int n;
+
+ n = read(fd, buf, sizeof(buf));
+ if (n < 0)
+ goto error;
+ if (!n)
+ break;
+
+ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
+ memcpy(copy + *length, buf, n);
+ *length += n;
+ }
+ close(fd);
+ return copy;
+
+error:
+ close(fd);
+ free(copy);
+ return NULL;
+}
+
+/*
+ * A poor-man's version of "xargs -0". Basically parses a given block of
+ * NUL-delimited data, within the given length and adds a pointer to each entry
+ * to the array of pointers.
+ */
+static int parse_xargs(char *data, int data_length, char ***output)
+{
+ int num = 0;
+ char *cur = data;
+
+ if (!data || *output != NULL)
+ return -1;
+
+ while (cur < data + data_length) {
+ num++;
+ *output = must_realloc(*output, (num + 1) * sizeof(**output));
+ (*output)[num - 1] = cur;
+ cur += strlen(cur) + 1;
+ }
+ (*output)[num] = NULL;
+ return num;
+}
+
+/*
+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
+ * This is necessary because we are running in a context where we don't have a
+ * main() that we can just get the arguments from.
+ */
+static int fetchve(char ***argv, char ***envp)
+{
+ char *cmdline = NULL, *environ = NULL;
+ size_t cmdline_size, environ_size;
+
+ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
+ if (!cmdline)
+ goto error;
+ environ = read_file("/proc/self/environ", &environ_size);
+ if (!environ)
+ goto error;
+
+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
+ goto error;
+ if (parse_xargs(environ, environ_size, envp) <= 0)
+ goto error;
+
+ return 0;
+
+error:
+ free(environ);
+ free(cmdline);
+ return -EINVAL;
+}
+
+static int clone_binary(void)
+{
+ int binfd, memfd;
+ ssize_t sent = 0;
+
+#ifdef HAVE_MEMFD_CREATE
+ memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
+#else
+ memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
+#endif
+ if (memfd < 0)
+ return -ENOTRECOVERABLE;
+
+ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
+ if (binfd < 0)
+ goto error;
+
+ sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
+ close(binfd);
+ if (sent < 0)
+ goto error;
+
+#ifdef HAVE_MEMFD_CREATE
+ int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
+ if (err < 0)
+ goto error;
+#else
+ /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
+ int newfd;
+ char *fdpath = NULL;
+
+ if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
+ goto error;
+ newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
+ free(fdpath);
+ if (newfd < 0)
+ goto error;
+
+ close(memfd);
+ memfd = newfd;
+#endif
+ return memfd;
+
+error:
+ close(memfd);
+ return -EIO;
+}
+
+int ensure_cloned_binary(void)
+{
+ int execfd;
+ char **argv = NULL, **envp = NULL;
+
+ /* Check that we're not self-cloned, and if we are then bail. */
+ int cloned = is_self_cloned();
+ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
+ return cloned;
+
+ if (fetchve(&argv, &envp) < 0)
+ return -EINVAL;
+
+ execfd = clone_binary();
+ if (execfd < 0)
+ return -EIO;
+
+ fexecve(execfd, argv, envp);
+ return -ENOEXEC;
+}
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index 28269dfc027f..7750af35ea92 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
free(namespaces);
}
+/* Defined in cloned_binary.c. */
+extern int ensure_cloned_binary(void);
+
void nsexec(void)
{
int pipenum;
@@ -549,6 +552,14 @@ void nsexec(void)
if (pipenum == -1)
return;
+ /*
+ * We need to re-exec if we are not in a cloned binary. This is necessary
+ * to ensure that containers won't be able to access the host binary
+ * through /proc/self/exe. See CVE-2019-5736.
+ */
+ if (ensure_cloned_binary() < 0)
+ bail("could not ensure we are a cloned binary");
+
/* Parse all of the netlink configuration. */
nl_parse(pipenum, &config);


@ -1,41 +0,0 @@
From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
From: Euan Kemp <euan.kemp@coreos.com>
Date: Fri, 22 Sep 2017 02:31:17 -0700
Subject: [PATCH] libcontainer: default mount propagation correctly
The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
attempts to default the rootfs mount to `rslave`. However, since the spec
conversion has already defaulted it to `rprivate`, that code doesn't
actually ever do anything.
This changes the spec conversion code to accept "" and treat it as 0.
Implicitly, this makes rootfs propagation default to `rslave`, which is
a part of fixing the moby bug https://github.com/moby/moby/issues/34672
Alternate implementatoins include changing this defaulting to be
`rslave` and removing the defaulting code in prepareRoot, or skipping
the mapping entirely for "", but I think this change is the cleanest of
those options.
Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
---
libcontainer/specconv/spec_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 1575ae03..8a2947f6 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
"slave": syscall.MS_SLAVE,
"rshared": syscall.MS_SHARED | syscall.MS_REC,
"shared": syscall.MS_SHARED,
- "": syscall.MS_PRIVATE | syscall.MS_REC,
+ "": 0,
}
var allowedDevices = []*configs.Device{
--
2.13.5


@ -1,19 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<longdescription lang="en">
runc is a CLI tool for spawning and running containers according
to the OCF (Open Container Format) specification.
</longdescription>
<maintainer type="person">
<email>mrueg@gentoo.org</email>
<name>Manuel Rüger</name>
</maintainer>
<use>
<flag name="ambient">Enable support for ambient capability</flag>
<flag name="apparmor">Enable AppArmor support</flag>
</use>
<upstream>
<remote-id type="github">docker/runc</remote-id>
</upstream>
</pkgmetadata>


@ -1,64 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
GITHUB_URI="github.com/opencontainers/runc"
COREOS_GO_PACKAGE="${GITHUB_URI}"
COREOS_GO_VERSION="go1.19"
# the commit of runc that docker uses.
# see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
COMMIT_ID="f1136b082cc1c2840cdb3e0debf45e7ef832c918"
inherit eutils flag-o-matic coreos-go vcs-snapshot
SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
KEYWORDS="amd64 arm64"
DESCRIPTION="runc container cli tools (docker fork)"
HOMEPAGE="http://runc.io"
LICENSE="Apache-2.0"
SLOT="0"
IUSE="ambient apparmor hardened +seccomp selinux"
RDEPEND="
apparmor? ( sys-libs/libapparmor )
seccomp? ( sys-libs/libseccomp )
"
S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
RESTRICT="test"
src_unpack() {
mkdir -p "${S}"
tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
}
PATCHES=(
"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
)
src_compile() {
# Taken from app-containers/docker-1.7.0-r1
export CGO_CFLAGS="-I${SYSROOT}/usr/include"
export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
-L${SYSROOT}/usr/$(get_libdir)"
# build up optional flags
local options=(
$(usex ambient 'ambient' '')
$(usex apparmor 'apparmor' '')
$(usex seccomp 'seccomp' '')
$(usex selinux 'selinux' '')
)
GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
VERSION=1.1.9+dev.docker-20.10 \
COMMIT="${COMMIT_ID}"
}
src_install() {
dobin runc
}


@ -31,6 +31,7 @@ RDEPEND="
) )
app-containers/containerd app-containers/containerd
app-containers/docker app-containers/docker
app-containers/docker-cli
app-emulation/amazon-ssm-agent app-emulation/amazon-ssm-agent
app-emulation/wa-linux-agent app-emulation/wa-linux-agent
coreos-base/coreos coreos-base/coreos


@ -96,3 +96,13 @@
# Accept unstable host Rust compilers. # Accept unstable host Rust compilers.
=virtual/rust-1.73.0 ~amd64 ~arm64 =virtual/rust-1.73.0 ~amd64 ~arm64
# Gentoo upstream package stabilisation
# (the following packages are "unstable" upstream; we're stabilising these)
=app-containers/containerd-1.7.7 ~amd64 ~arm64 # NOTE this doesn't even exist upstream; Gentoo is on 1.7.6.
=app-containers/cri-tools-1.27.0 ~amd64 ~arm64
=app-containers/docker-24.0.6 ~amd64 ~arm64
=app-containers/docker-cli-24.0.6 ~amd64 ~arm64
=app-containers/runc-1.1.9 ~amd64 ~arm64
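Review bot: Stabilising upstream `=app-containers/runc-1.1.9` here quietly drops the one patch the removed Flatcar runc ebuild applied (`0001-Delay-unshare-of-clone-newipc-for-selinux.patch`, which defers the `CLONE_NEWIPC` unshare until after the user namespace is entered so the container SELinux label can be applied to mqueue); whether the upstream runc ebuild carries an equivalent is not visible in this commit, and the commit message does not mention the drop. The other two removed runc patch files (the CVE-2019-5736 cloned-binary one and the mount-propagation one) were not listed in that ebuild's `PATCHES` array, so their removal is a no-op, but the SELinux one was live and deserves either a confirmation that runc 1.1.9 handles labelled mqueue without it or a carry-over into the portage-stable ebuild, with the outcome recorded in a one-line comment next to the runc entry. The `=app-containers/containerd-1.7.7` note already says the ebuild is Flatcar-authored; adding which upstream bump should replace it would help whoever next syncs portage-stable.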


@ -148,3 +148,8 @@ net-analyzer/tcpdump -ssl -smi -samba
# selinux: to find files with a particular SElinux label # selinux: to find files with a particular SElinux label
sys-apps/findutils selinux sys-apps/findutils selinux
# Flatcar defaults formerly defined in coreos-overlay ebuilds
app-containers/containerd btrfs device-mapper
app-containers/docker btrfs device-mapper overlay seccomp
app-containers/docker-cli hardened


@ -0,0 +1,4 @@
DIST containerd-1.7.1.tar.gz 9682254 BLAKE2B f168070caf2b76f0be350a98f41bfdbfe6d78344d68821fb92a29f839a6e847d795e5b79436e36f985aa88028ff1c3f44f134cf6bd502ddac22453a457bd952b SHA512 e9b00ba8f4dd1b5b1088060d3822f684611d43b367ddfeb1bee1660140af85f31e9c9bfc600a67e8fc8645a625dc4e1919d9af7291bdeaa607bff7065a4fc945
DIST containerd-1.7.2.tar.gz 9688701 BLAKE2B d31cd0e96bb2675390cc63d06114e37d532b7c666b3ffc5b0087dfcef8de23559471f08bf8a52b164c5f645faf1b8102ab2ccdd8ec417a1c74336097f0c3a899 SHA512 c0d4c02991b7e9fc341c4ef3df2d93097f5854a51b99596ed95436a79f7a586820bb8bb7c17fc43b5f38d97ea942e59490fbbf6c9710391ef9caae3d34627bc5
DIST containerd-1.7.6.tar.gz 9714550 BLAKE2B 863df1a8ab0f0fe6ec62893ed64824763c1b5230fe830fa268820ce0d6254c79e1ac62ab1261a74785b86b01dff83ea9109a899857fa47a48f2cf2eaf298fea8 SHA512 8b7e13c6ea544754ba7d53092d143f3fd2224b9bc874a33d8a00b781e719927f1b22ad5cd1e35b7b95e4890e630f4b92308549a970587ccdf9dbb8eb470e2703
DIST containerd-1.7.7.tar.gz 9910424 BLAKE2B 623315962233fe3ce965c17c37c950dc1ded8b381012ed50d2bee8b1cea134bc9ef5a1cf5599b6bcd121cabe204fe61015526226131954364a976ebb08d8c353 SHA512 a44e901b017522639963bb415f666599af04335d8ccbd28899712606a4692c1601e95eaa2f1db32a3c077ad2c3f332f37393154ad6c2660646b7e8365a6ab720


@ -0,0 +1,86 @@
# Copyright 2022-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module systemd
GIT_REVISION=2806fc1057397dbaeefbea0e4e17bddfbd388f38
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
~app-containers/runc-1.1.7[apparmor?,seccomp?]
"
BDEPEND="
dev-go/go-md2man
virtual/pkgconfig
"
# tests require root or docker
RESTRICT+="test"
src_prepare() {
default
sed -i \
-e "s/-s -w//" \
-e "s/-mod=readonly//" \
Makefile || die
sed -i \
-e "s:/usr/local:/usr:" \
containerd.service || die
}
src_compile() {
local options=(
$(usev apparmor)
$(usex btrfs "" "no_btrfs")
$(usex cri "" "no_cri")
$(usex device-mapper "" "no_devmapper")
$(usev seccomp)
$(usev selinux)
)
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)
# race condition in man target https://bugs.gentoo.org/765100
# we need to explicitly specify GOFLAGS for "go run" to use vendor source
emake "${myemakeargs[@]}" man -j1 #nowarn
emake "${myemakeargs[@]}" all
}
src_install() {
rm "${D}"/bin/gen-manpages
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
newinitd "${FILESDIR}"/${PN}.initd "${PN}"
systemd_dounit containerd.service
keepdir /var/lib/containerd
# we already installed manpages, remove markdown source
# before installing docs directory
rm -r docs/man || die
local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
einstalldocs
}


@ -0,0 +1,86 @@
# Copyright 2022-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module systemd
GIT_REVISION=0cae528dd6cb557f7201036e9f43420650207b58
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
~app-containers/runc-1.1.7[apparmor?,seccomp?]
"
BDEPEND="
dev-go/go-md2man
virtual/pkgconfig
"
# tests require root or docker
RESTRICT+="test"
src_prepare() {
default
sed -i \
-e "s/-s -w//" \
-e "s/-mod=readonly//" \
Makefile || die
sed -i \
-e "s:/usr/local:/usr:" \
containerd.service || die
}
src_compile() {
local options=(
$(usev apparmor)
$(usex btrfs "" "no_btrfs")
$(usex cri "" "no_cri")
$(usex device-mapper "" "no_devmapper")
$(usev seccomp)
$(usev selinux)
)
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)
# race condition in man target https://bugs.gentoo.org/765100
# we need to explicitly specify GOFLAGS for "go run" to use vendor source
emake "${myemakeargs[@]}" man -j1 #nowarn
emake "${myemakeargs[@]}" all
}
src_install() {
rm "${D}"/bin/gen-manpages
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
newinitd "${FILESDIR}"/${PN}.initd "${PN}"
systemd_dounit containerd.service
keepdir /var/lib/containerd
# we already installed manpages, remove markdown source
# before installing docs directory
rm -r docs/man || die
local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
einstalldocs
}


@ -0,0 +1,86 @@
# Copyright 2022-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module systemd
GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
~app-containers/runc-1.1.9[apparmor?,seccomp?]
"
BDEPEND="
dev-go/go-md2man
virtual/pkgconfig
"
# tests require root or docker
RESTRICT+="test"
src_prepare() {
default
sed -i \
-e "s/-s -w//" \
-e "s/-mod=readonly//" \
Makefile || die
sed -i \
-e "s:/usr/local:/usr:" \
containerd.service || die
}
src_compile() {
local options=(
$(usev apparmor)
$(usex btrfs "" "no_btrfs")
$(usex cri "" "no_cri")
$(usex device-mapper "" "no_devmapper")
$(usev seccomp)
$(usev selinux)
)
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)
# race condition in man target https://bugs.gentoo.org/765100
# we need to explicitly specify GOFLAGS for "go run" to use vendor source
emake "${myemakeargs[@]}" man -j1 #nowarn
emake "${myemakeargs[@]}" all
}
src_install() {
rm "${D}"/bin/gen-manpages
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
newinitd "${FILESDIR}"/${PN}.initd "${PN}"
systemd_dounit containerd.service
keepdir /var/lib/containerd
# we already installed manpages, remove markdown source
# before installing docs directory
rm -r docs/man || die
local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
einstalldocs
}


@ -0,0 +1,86 @@
# Copyright 2022-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module systemd
GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
DESCRIPTION="A daemon to control runC"
HOMEPAGE="https://containerd.io/"
SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
DEPEND="
btrfs? ( sys-fs/btrfs-progs )
seccomp? ( sys-libs/libseccomp )
"
# recommended version of runc is found in script/setup/runc-version
RDEPEND="
${DEPEND}
~app-containers/runc-1.1.9[apparmor?,seccomp?]
"
BDEPEND="
dev-go/go-md2man
virtual/pkgconfig
"
# tests require root or docker
RESTRICT+="test"
src_prepare() {
default
sed -i \
-e "s/-s -w//" \
-e "s/-mod=readonly//" \
Makefile || die
sed -i \
-e "s:/usr/local:/usr:" \
containerd.service || die
}
src_compile() {
local options=(
$(usev apparmor)
$(usex btrfs "" "no_btrfs")
$(usex cri "" "no_cri")
$(usex device-mapper "" "no_devmapper")
$(usev seccomp)
$(usev selinux)
)
myemakeargs=(
BUILDTAGS="${options[*]}"
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
REVISION="${GIT_REVISION}"
VERSION=v${PV}
)
# race condition in man target https://bugs.gentoo.org/765100
# we need to explicitly specify GOFLAGS for "go run" to use vendor source
emake "${myemakeargs[@]}" man -j1 #nowarn
emake "${myemakeargs[@]}" all
}
src_install() {
rm "${D}"/bin/gen-manpages
dobin bin/*
doman man/*
newconfd "${FILESDIR}"/${PN}.confd "${PN}"
newinitd "${FILESDIR}"/${PN}.initd "${PN}"
systemd_dounit containerd.service
keepdir /var/lib/containerd
# we already installed manpages, remove markdown source
# before installing docs directory
rm -r docs/man || die
local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
einstalldocs
}
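Review bot: `GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb` in this new containerd-1.7.7 ebuild is byte-identical to the value in the 1.7.6 ebuild it was copied from, so the `REVISION=` passed through `myemakeargs` and baked into the binary (what `containerd --version` reports) will claim the 1.7.6 source commit for a 1.7.7 build; that field is what operators and scanners use to match a running daemon against advisories, so it should be set to the commit the upstream v1.7.7 tag points to. Two smaller points: `rm "${D}"/bin/gen-manpages` runs before anything has been installed into `${D}` and has no `|| die`, so it is presumably a silent no-op — either drop the line or, if the intent is to keep that helper out of the image, run `rm -f bin/gen-manpages || die` against the build tree before `dobin bin/*`. The `sed` that strips `-s -w` from the Makefile deliberately keeps debug symbols, which per the commit message the sysext build now removes; a one-line comment above that `sed` saying so would stop the next reader from "re-fixing" it.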


@ -0,0 +1,3 @@
# This is the delay to be used in the start_post function to wait for
# the socket to be active.
#containerd_socket_delay=5


@ -0,0 +1,26 @@
#!/sbin/openrc-run
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="Containerd container runtime"
command="/usr/bin/containerd"
command_args="${command_args:-}"
command_background="true"
pidfile="${pidfile:-/run/${RC_SVCNAME}.pid}"
start_stop_daemon_args="--stderr /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log --stdout /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log"
start_pre() {
checkpath -m 0750 -d "/var/log/${RC_SVCNAME}"
ulimit -n 1048576
# Having non-zero limits causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
ulimit -u unlimited
return 0
}
start_post() {
ewaitfile ${containerd_socket_delay:-5} /run/containerd/containerd.sock
}


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata> <pkgmetadata>
<longdescription> <longdescription>
Containerd is a daemon with an API and a command line client, to manage Containerd is a daemon with an API and a command line client, to manage
@ -8,22 +8,21 @@
and user namespace support as well as checkpoint and restore for cloning and user namespace support as well as checkpoint and restore for cloning
and live migration of containers. and live migration of containers.
</longdescription> </longdescription>
<maintainer type="person">
<email>admwiggin@gmail.com</email>
<name>Tianon</name>
</maintainer>
<maintainer type="person">
<email>mrueg@gentoo.org</email>
<name>Manuel Rüger</name>
</maintainer>
<maintainer type="person"> <maintainer type="person">
<email>williamh@gentoo.org</email> <email>williamh@gentoo.org</email>
<name>William Hubbs</name> <name>William Hubbs</name>
</maintainer> </maintainer>
<maintainer type="person">
<email>gyakovlev@gentoo.org</email>
<name>Georgy Yakovlev</name>
</maintainer>
<use> <use>
<flag name="btrfs">Support for BTRFS snapshot driver</flag> <flag name="btrfs">Support for BTRFS snapshot driver</flag>
<flag name="cri">Support for Kubernetes CRI</flag>
<flag name="device-mapper">Support for device mapper snapshot driver</flag>
</use> </use>
<upstream> <upstream>
<remote-id type="github">docker/containerd</remote-id> <remote-id type="github">containerd/containerd</remote-id>
<remote-id type="cpe">cpe:/a:linuxfoundation:containerd</remote-id>
</upstream> </upstream>
</pkgmetadata> </pkgmetadata>


@ -0,0 +1,2 @@
DIST cri-tools-1.25.0.tar.gz 7905707 BLAKE2B 79595f31fc22aff608406bad4319a60dddcabda5f4dab8706305f11500b3db43f1d7021a340a096227d4580212953f32a95b05bbf81c1236f8fa8cf635017abb SHA512 dc04359320d59d6b3789e4e81fb613f3795b7e82dbad681393eaeff2c876e5b0393dd9384d7857d24ada5de34d03e151f7cf121367cc20e71d0b78607372b3a1
DIST cri-tools-1.27.0.tar.gz 8465050 BLAKE2B d6c0429271ebc4085e75b54d7f3b9f75ab796e63bc9ae7562105296b13bbad8b512293a7d25abf1ab946f4bf54e672016fdb72696c12c730d21ac74724da465c SHA512 b94122e6401eb0c33b9c3d112274b7ab20cbbad05e76a54933e79d2e42ded2d684771cb9ed703a6c1afa381844142b6f1b4dc77d17e915f9a42c236fd8426b9b


@ -0,0 +1,34 @@
# Copyright 2021-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit bash-completion-r1 go-module
DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm64"
DEPEND="dev-lang/go"
RESTRICT+=" test"
src_compile() {
emake VERSION="${PV}"
./build/bin/crictl completion bash > "crictl.bash" || die
./build/bin/crictl completion zsh > "crictl.zsh" || die
}
src_install() {
dobin ./build/bin/crictl
newbashcomp crictl.bash crictl
insinto /usr/share/zsh/site-functions
newins crictl.zsh _crictl
dodoc -r docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md
}


@ -0,0 +1,33 @@
# Copyright 2021-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit bash-completion-r1 go-module
DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm64"
RESTRICT="test"
DOCS=( docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md )
src_compile() {
emake VERSION="${PV}"
find build/ -name crictl -exec cp {} build/bin/ \; || die
./build/bin/crictl completion bash > "crictl.bash" || die
./build/bin/crictl completion zsh > "crictl.zsh" || die
}
src_install() {
einstalldocs
dobin ./build/bin/crictl
newbashcomp crictl.bash crictl
insinto /usr/share/zsh/site-functions
newins crictl.zsh _crictl
}
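Review bot: In src_compile, `find build/ -name crictl -exec cp {} build/bin/ \; || die` only dies when find itself fails; with the `\;` form a non-zero exit from cp does not propagate into find's status, so a missing or unreadable binary is first reported by the completion commands on the following line with a less obvious error. Either the `+` form of -exec, which does propagate a failing command, or an explicit check after the copy such as `[[ -x build/bin/crictl ]] || die "crictl binary not found"` makes the failure mode clear. If the find ever matches more than one crictl (several GOARCH build dirs), the last copy silently wins, which a comment naming the expected source path would at least document.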


@ -0,0 +1,4 @@
DIST docker-cli-24.0.5-man.tar.xz 82496 BLAKE2B f3295b684dbf8d251ba13a19b9bad9b828fce7d2f76b6643b1cf579cd297b770e8f7304bd3fce823badfbe97e9b760a108b819ca3c760a55e352cf3c5235d815 SHA512 683b0f131902e0a57512207daa49534d73aac6db99dc8621ac6b48eeef26b873e2ba03fe4afe6f1e84c5922e4c60bf0e80e24cc95cdbf2a4953d1c11b80d56ad
DIST docker-cli-24.0.5.tar.gz 6243993 BLAKE2B a7ce84ecf329bc74e48f3a6e1b12a9e310a8f27ac68918ffeb40ab9c4eab8b79e753265b48220fcd3ab40b4136de5ebd44607831f642664eaf732111bd8f41b1 SHA512 765c67634d91d248b156d3e407398b98b7a0a89507bbac0310d4a68b95aa1a05e3af43c8b90bc10166748749d8cc36670619fc9efca110beefbdcd4385dc96be
DIST docker-cli-24.0.6-man.tar.xz 82600 BLAKE2B 9e39bf200d252a0d91b0b6f17680a4c1b34e55cc9f357a59f124138cef39c5ff10fb104c51efe3010bca9a4f72447764ced1c02e3bb3924051fa6f1f01a8f6fa SHA512 5e972647961899e438b765f53afff570b9f0c1742c7c72a3a424887719c3a6afbd467d15884d44ac64b752c984261967f304afa5c168466fe6f611967d18a578
DIST docker-cli-24.0.6.tar.gz 6244014 BLAKE2B c5f2082e44a568d3f6ee2ff5df9e9b727808f0b70d7d0c6c18b9769c1c4d0f49d371cbd08c95e748d441dc0ef011b66446527b0eeb33368ee59b85496185ba12 SHA512 55c56ae08eb314cce5f4c93544c6748586eadb3abe502d39d4d297e14d274af37346b38695a20a91dcfe51d3d35a77ddd7aa69d170b525e5e6ba345161869cd8


@ -1,35 +1,36 @@
# Copyright 1999-2021 Gentoo Authors # Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI=7 EAPI=7
GIT_COMMIT=e78084afe5 GIT_COMMIT=ced0996600
EGO_PN="github.com/docker/cli" EGO_PN="github.com/docker/cli"
MY_PV=${PV/_/-}
COREOS_GO_PACKAGE="${EGO_PN}" inherit bash-completion-r1 golang-vcs-snapshot
COREOS_GO_VERSION="go1.19"
inherit bash-completion-r1 golang-vcs-snapshot coreos-go-depend
DESCRIPTION="the command line binary for docker" DESCRIPTION="the command line binary for docker"
HOMEPAGE="https://www.docker.com/" HOMEPAGE="https://www.docker.com/"
MY_PV=${PV/_/-}
SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
LICENSE="Apache-2.0" LICENSE="Apache-2.0"
SLOT="0" SLOT="0"
KEYWORDS="amd64 arm64" KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
IUSE="hardened" IUSE="hardened selinux"
RDEPEND="!<app-containers/docker-20.10.1" RDEPEND="!<app-containers/docker-20.10.1
selinux? ( sec-policy/selinux-docker )"
BDEPEND="
>=dev-lang/go-1.16.6"
RESTRICT="installsources strip" RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}" S="${WORKDIR}/${P}/src/${EGO_PN}"
# Flatcar: fix invalid headers issue when building with Go 1.19.11+. src_unpack() {
PATCHES=( golang-vcs-snapshot_src_unpack
"${FILESDIR}/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch" set -- ${A}
) unpack ${2}
}
src_prepare() { src_prepare() {
default default
@ -37,16 +38,12 @@ src_prepare() {
} }
src_compile() { src_compile() {
# Flatcar: override go version
go_export
export DISABLE_WARN_OUTSIDE_CONTAINER=1 export DISABLE_WARN_OUTSIDE_CONTAINER=1
export GOPATH="${WORKDIR}/${P}" export GOPATH="${WORKDIR}/${P}"
# setup CFLAGS and LDFLAGS for separate build target # setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10 # see https://github.com/tianon/docker-overlay/pull/10
# FLatcar: inject our own CFLAGS/LDFLAGS for torcx export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_CFLAGS="${CGO_CFLAGS} -I${SYSROOT}/usr/include" export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
export CGO_LDFLAGS="${CGO_LDFLAGS} -L${SYSROOT}/usr/$(get_libdir)"
emake \ emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \ VERSION="${PV}" \
@ -56,6 +53,7 @@ src_compile() {
src_install() { src_install() {
dobin build/docker dobin build/docker
doman "${WORKDIR}"/man/man?/*
dobashcomp contrib/completion/bash/* dobashcomp contrib/completion/bash/*
bashcomp_alias docker dockerd bashcomp_alias docker dockerd
insinto /usr/share/fish/vendor_completions.d/ insinto /usr/share/fish/vendor_completions.d/
@ -63,3 +61,10 @@ src_install() {
insinto /usr/share/zsh/site-functions insinto /usr/share/zsh/site-functions
doins contrib/completion/zsh/_* doins contrib/completion/zsh/_*
} }
pkg_postinst() {
has_version "app-containers/docker-buildx" && return
ewarn "the 'docker build' command is deprecated and will be removed in a"
ewarn "future release. If you need this functionality, install"
ewarn "app-containers/docker-buildx."
}
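Review bot: The new src_unpack in the first hunk selects the man-page tarball positionally with `set -- ${A}` followed by `unpack ${2}`, which relies on the order portage lists distfiles in A rather than on the file's name; if that order ever differs from the SRC_URI order the wrong archive is unpacked or the man tarball is silently skipped, and `doman "${WORKDIR}"/man/man?/*` later fails with an unrelated error. Selecting it by name, `unpack "${P}-man.tar.xz"`, does not depend on ordering. The docker-cli-24.0.6 ebuild below contains the same construct. src_prepare at the end of that hunk continues outside it.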


@ -0,0 +1,70 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
GIT_COMMIT=ed223bc820
EGO_PN="github.com/docker/cli"
MY_PV=${PV/_/-}
inherit bash-completion-r1 golang-vcs-snapshot
DESCRIPTION="the command line binary for docker"
HOMEPAGE="https://www.docker.com/"
SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
IUSE="hardened selinux"
RDEPEND="!<app-containers/docker-20.10.1
selinux? ( sec-policy/selinux-docker )"
BDEPEND="
>=dev-lang/go-1.16.6"
RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}"
src_unpack() {
golang-vcs-snapshot_src_unpack
set -- ${A}
unpack ${2}
}
src_prepare() {
default
sed -i 's@dockerd\?\.exe@@g' contrib/completion/bash/docker || die
}
src_compile() {
export DISABLE_WARN_OUTSIDE_CONTAINER=1
export GOPATH="${WORKDIR}/${P}"
# setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10
export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
GITCOMMIT="${GIT_COMMIT}" \
dynbinary
}
src_install() {
dobin build/docker
doman "${WORKDIR}"/man/man?/*
dobashcomp contrib/completion/bash/*
bashcomp_alias docker dockerd
insinto /usr/share/fish/vendor_completions.d/
doins contrib/completion/fish/docker.fish
insinto /usr/share/zsh/site-functions
doins contrib/completion/zsh/_*
}
pkg_postinst() {
has_version "app-containers/docker-buildx" && return
ewarn "the 'docker build' command is deprecated and will be removed in a"
ewarn "future release. If you need this functionality, install"
ewarn "app-containers/docker-buildx."
}


@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
<maintainer type="person">
<email>gyakovlev@gentoo.org</email>
<name>Georgy Yakovlev</name>
</maintainer>
<upstream>
<remote-id type="github">docker/cli</remote-id>
</upstream>
</pkgmetadata>


@ -6,13 +6,6 @@ EGO_PN=github.com/moby/libnetwork
GIT_COMMIT=05b93e0d3a95952f70c113b0bc5bdb538d7afdd7 GIT_COMMIT=05b93e0d3a95952f70c113b0bc5bdb538d7afdd7
inherit golang-vcs-snapshot inherit golang-vcs-snapshot
# Flatcar: Add coreos go goo.
COREOS_GO_PACKAGE="${EGO_PN}"
COREOS_GO_VERSION="go1.19"
COREOS_GO_GO111MODULE="off"
inherit coreos-go
DESCRIPTION="Docker container networking" DESCRIPTION="Docker container networking"
HOMEPAGE="https://github.com/docker/libnetwork" HOMEPAGE="https://github.com/docker/libnetwork"
SRC_URI="https://github.com/moby/libnetwork/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz" SRC_URI="https://github.com/moby/libnetwork/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz"
@ -26,13 +19,12 @@ S=${WORKDIR}/${P}/src/${EGO_PN}
# needs dockerd # needs dockerd
RESTRICT="strip test" RESTRICT="strip test"
# Flatcar: Rewrite src_compile
src_compile() { src_compile() {
go_build "${COREOS_GO_PACKAGE}/cmd/proxy" GO111MODULE=auto GOPATH="${WORKDIR}/${P}" \
go build -o "bin/docker-proxy" ./cmd/proxy || die
} }
# Flatcar: Rewrite src_install
src_install() { src_install() {
dobin bin/docker-proxy
dodoc README.md CHANGELOG.md dodoc README.md CHANGELOG.md
newbin "${GOBIN}"/proxy docker-proxy
} }
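Review bot: The rewritten src_compile and src_install keep app-containers/docker-proxy buildable, but the docker-24.0.5 and docker-24.0.6 ebuilds added in this same commit declare `!app-containers/docker-proxy` in RDEPEND and install their own `docker-proxy` from bundles/dynbinary-daemon, so this package can no longer be co-installed with the docker it used to serve. If nothing else pulls it in, the ebuild is now dead weight that still has to be kept building; if something does, the blocker makes that emerge fail. A comment at the top of the ebuild stating which consumer still needs it, or removing the package, would settle that. The go toolchain version is also no longer pinned here after the coreos-go removal, which is presumably intended but worth a comment since the build now follows whatever dev-lang/go the SDK provides.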


@ -0,0 +1,2 @@
DIST docker-24.0.5.tar.gz 14456089 BLAKE2B be13a4256787152cb35ddb96d80e97a5e5b587094f1c61d18158737a037c4e81b88c186098ba7416eb7778022ece07bc31ee55af13d3e3da8e0bbd5452ad027f SHA512 cde2e47e7658b153399ee29154ec21eebf54b292185e07d43b968895dcfdfead95e4507fefb713859a4540f21d8007116d3ebeaa1fb7ba305fb2a0449ba1bee6
DIST docker-24.0.6.tar.gz 14462378 BLAKE2B bced8e687abac59254a9969df46f323a835627a724889e5966bea08df8766b4291914442001d1b573280c45ac4d357a673e98e8fba2b8d116a1dbd65424ccf78 SHA512 d9bf0ba756b1ebe69a44819d7c6aa5d66dad8db5bcc41233e2bfce8131334a2fe1af3972de7f602b7911231288d29aaea797b7a05b335c2d7214a613b27c4b63


@ -0,0 +1,330 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EGO_PN=github.com/docker/docker
MY_PV=${PV/_/-}
inherit linux-info systemd udev golang-vcs-snapshot
GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/"
SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
DEPEND="
acct-group/docker
>=dev-db/sqlite-3.7.9:3
apparmor? ( sys-libs/libapparmor )
btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
seccomp? ( >=sys-libs/libseccomp-2.2.1 )
"
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
RDEPEND="
${DEPEND}
>=net-firewall/iptables-1.4
sys-process/procps
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
dev-libs/libltdl
>=app-containers/containerd-1.7.1[apparmor?,btrfs?,device-mapper?,seccomp?]
!app-containers/docker-proxy
container-init? ( >=sys-process/tini-0.19.0[static] )
selinux? ( sec-policy/selinux-docker )
"
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
BDEPEND="
>=dev-lang/go-1.16.12
dev-go/go-md2man
virtual/pkgconfig
"
# tests require running dockerd as root and downloading containers
RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}"
# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
PATCHES=(
"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
)
pkg_setup() {
# this is based on "contrib/check-config.sh" from upstream's sources
# required features.
CONFIG_CHECK="
~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
~KEYS
~VETH ~BRIDGE ~BRIDGE_NETFILTER
~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
~NETFILTER_XT_MATCH_ADDRTYPE
~NETFILTER_XT_MATCH_CONNTRACK
~NETFILTER_XT_MATCH_IPVS
~NETFILTER_XT_MARK
~IP_NF_NAT ~NF_NAT
~POSIX_MQUEUE
"
WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
if kernel_is lt 4 8; then
CONFIG_CHECK+="
~DEVPTS_MULTIPLE_INSTANCES
"
fi
if kernel_is le 5 1; then
CONFIG_CHECK+="
~NF_NAT_IPV4
"
fi
if kernel_is le 5 2; then
CONFIG_CHECK+="
~NF_NAT_NEEDED
"
fi
if kernel_is ge 4 15; then
CONFIG_CHECK+="
~CGROUP_BPF
"
fi
# optional features
CONFIG_CHECK+="
~USER_NS
"
if use seccomp; then
CONFIG_CHECK+="
~SECCOMP ~SECCOMP_FILTER
"
fi
CONFIG_CHECK+="
~CGROUP_PIDS
"
if kernel_is lt 6 1; then
CONFIG_CHECK+="
~MEMCG_SWAP
"
fi
if kernel_is le 5 8; then
CONFIG_CHECK+="
~MEMCG_SWAP_ENABLED
"
fi
CONFIG_CHECK+="
~!LEGACY_VSYSCALL_NATIVE
"
if kernel_is lt 5 19; then
CONFIG_CHECK+="
~LEGACY_VSYSCALL_EMULATE
"
fi
CONFIG_CHECK+="
~!LEGACY_VSYSCALL_NONE
"
WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
Containers with <=glibc-2.13 will not work"
if kernel_is le 4 5; then
CONFIG_CHECK+="
~MEMCG_KMEM
"
fi
if kernel_is lt 5; then
CONFIG_CHECK+="
~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
"
fi
CONFIG_CHECK+="
~BLK_CGROUP ~BLK_DEV_THROTTLING
~CGROUP_PERF
~CGROUP_HUGETLB
~NET_CLS_CGROUP ~CGROUP_NET_PRIO
~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
~IP_NF_TARGET_REDIRECT
~IP_VS
~IP_VS_NFCT
~IP_VS_PROTO_TCP
~IP_VS_PROTO_UDP
~IP_VS_RR
"
if use selinux; then
CONFIG_CHECK+="
~SECURITY_SELINUX
"
fi
if use apparmor; then
CONFIG_CHECK+="
~SECURITY_APPARMOR
"
fi
# if ! is_set EXT4_USE_FOR_EXT2; then
# check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
# if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
# echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
# fi
# fi
CONFIG_CHECK+="
~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
"
# if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
# if is_set EXT4_USE_FOR_EXT2; then
# echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
# else
# echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
# fi
# fi
# network drivers
CONFIG_CHECK+="
~VXLAN ~BRIDGE_VLAN_FILTERING
~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
"
if kernel_is le 5 3; then
CONFIG_CHECK+="
~INET_XFRM_MODE_TRANSPORT
"
fi
CONFIG_CHECK+="
~IPVLAN
"
CONFIG_CHECK+="
~MACVLAN ~DUMMY
"
CONFIG_CHECK+="
~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
"
# storage drivers
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
~BTRFS_FS_POSIX_ACL
"
fi
if use device-mapper; then
CONFIG_CHECK+="
~BLK_DEV_DM ~DM_THIN_PROVISIONING
"
fi
CONFIG_CHECK+="
~OVERLAY_FS
"
linux-info_pkg_setup
}
src_compile() {
export DOCKER_GITCOMMIT="${GIT_COMMIT}"
export GOPATH="${WORKDIR}/${P}"
export VERSION=${PV}
# setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10
export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
for gd in btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
done
for tag in apparmor seccomp; do
if use $tag; then
DOCKER_BUILDTAGS+=" $tag"
fi
done
# build binaries
./hack/make.sh dynbinary || die 'dynbinary failed'
}
src_install() {
dosym containerd /usr/bin/docker-containerd
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
use container-init && dosym tini /usr/bin/docker-init
dobin bundles/dynbinary-daemon/dockerd
dobin bundles/dynbinary-daemon/docker-proxy
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
systemd_dounit contrib/init/systemd/docker.{service,socket}
udev_dorules contrib/udev/*.rules
dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
dodoc -r docs/*
# note: intentionally not using "doins" so that we preserve +x bits
dodir /usr/share/${PN}/contrib
cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
}
pkg_postinst() {
udev_reload
elog
elog "To use Docker, the Docker daemon must be running as root. To automatically"
elog "start the Docker daemon at boot:"
if systemd_is_booted || has_version sys-apps/systemd; then
elog " systemctl enable docker.service"
else
elog " rc-update add docker default"
fi
elog
elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
elog ' usermod -aG docker <youruser>'
elog
if use device-mapper; then
elog " Devicemapper storage driver has been deprecated"
elog " It will be removed in a future release"
elog
fi
if use overlay; then
elog " Overlay storage driver/USEflag has been deprecated"
elog " in favor of overlay2 (enabled unconditionally)"
elog
fi
if has_version sys-fs/zfs; then
elog " ZFS storage driver is available"
elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
elog
fi
}
pkg_postrm() {
udev_reload
}
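Review bot: The GIT_COMMIT value in this ebuild, `4ffc61430bbe6d3d405bdf357b766bf303ff3cc5`, is byte-identical to RUNC_COMMIT in the runc-1.1.7 ebuild further down on this page, which is unlikely for two unrelated repositories and suggests one of them is stale. The hash is exported as DOCKER_GITCOMMIT in src_compile and ends up in the commit that `docker version` reports, so a wrong value silently misattributes the built engine to a tree it was not built from; it is worth checking it against the upstream moby v24.0.5 tag (and the runc value against the runc v1.1.7 tag) before this ebuild is relied on. If 24.0.5 is only carried alongside 24.0.6 for completeness, a comment saying so would make that explicit.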


@ -0,0 +1,331 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
EGO_PN=github.com/docker/docker
MY_PV=${PV/_/-}
inherit linux-info systemd udev golang-vcs-snapshot
GIT_COMMIT=1a7969545d73537545645f5cd2c79b7a77e7d39f
DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
HOMEPAGE="https://www.docker.com/"
SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
DEPEND="
acct-group/docker
>=dev-db/sqlite-3.7.9:3
apparmor? ( sys-libs/libapparmor )
btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
seccomp? ( >=sys-libs/libseccomp-2.2.1 )
"
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
RDEPEND="
${DEPEND}
>=net-firewall/iptables-1.4
sys-process/procps
>=dev-vcs/git-1.7
>=app-arch/xz-utils-4.9
dev-libs/libltdl
>=app-containers/containerd-1.7.3[apparmor?,btrfs?,device-mapper?,seccomp?]
>=app-containers/runc-1.1.9[apparmor?,seccomp?]
!app-containers/docker-proxy
container-init? ( >=sys-process/tini-0.19.0[static] )
selinux? ( sec-policy/selinux-docker )
"
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
BDEPEND="
>=dev-lang/go-1.16.12
dev-go/go-md2man
virtual/pkgconfig
"
# tests require running dockerd as root and downloading containers
RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}"
# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
PATCHES=(
"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
)
pkg_setup() {
# this is based on "contrib/check-config.sh" from upstream's sources
# required features.
CONFIG_CHECK="
~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
~KEYS
~VETH ~BRIDGE ~BRIDGE_NETFILTER
~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
~NETFILTER_XT_MATCH_ADDRTYPE
~NETFILTER_XT_MATCH_CONNTRACK
~NETFILTER_XT_MATCH_IPVS
~NETFILTER_XT_MARK
~IP_NF_NAT ~NF_NAT
~POSIX_MQUEUE
"
WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
if kernel_is lt 4 8; then
CONFIG_CHECK+="
~DEVPTS_MULTIPLE_INSTANCES
"
fi
if kernel_is le 5 1; then
CONFIG_CHECK+="
~NF_NAT_IPV4
"
fi
if kernel_is le 5 2; then
CONFIG_CHECK+="
~NF_NAT_NEEDED
"
fi
if kernel_is ge 4 15; then
CONFIG_CHECK+="
~CGROUP_BPF
"
fi
# optional features
CONFIG_CHECK+="
~USER_NS
"
if use seccomp; then
CONFIG_CHECK+="
~SECCOMP ~SECCOMP_FILTER
"
fi
CONFIG_CHECK+="
~CGROUP_PIDS
"
if kernel_is lt 6 1; then
CONFIG_CHECK+="
~MEMCG_SWAP
"
fi
if kernel_is le 5 8; then
CONFIG_CHECK+="
~MEMCG_SWAP_ENABLED
"
fi
CONFIG_CHECK+="
~!LEGACY_VSYSCALL_NATIVE
"
if kernel_is lt 5 19; then
CONFIG_CHECK+="
~LEGACY_VSYSCALL_EMULATE
"
fi
CONFIG_CHECK+="
~!LEGACY_VSYSCALL_NONE
"
WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
Containers with <=glibc-2.13 will not work"
if kernel_is le 4 5; then
CONFIG_CHECK+="
~MEMCG_KMEM
"
fi
if kernel_is lt 5; then
CONFIG_CHECK+="
~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
"
fi
CONFIG_CHECK+="
~BLK_CGROUP ~BLK_DEV_THROTTLING
~CGROUP_PERF
~CGROUP_HUGETLB
~NET_CLS_CGROUP ~CGROUP_NET_PRIO
~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
~IP_NF_TARGET_REDIRECT
~IP_VS
~IP_VS_NFCT
~IP_VS_PROTO_TCP
~IP_VS_PROTO_UDP
~IP_VS_RR
"
if use selinux; then
CONFIG_CHECK+="
~SECURITY_SELINUX
"
fi
if use apparmor; then
CONFIG_CHECK+="
~SECURITY_APPARMOR
"
fi
# if ! is_set EXT4_USE_FOR_EXT2; then
# check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
# if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
# echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
# fi
# fi
CONFIG_CHECK+="
~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
"
# if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
# if is_set EXT4_USE_FOR_EXT2; then
# echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
# else
# echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
# fi
# fi
# network drivers
CONFIG_CHECK+="
~VXLAN ~BRIDGE_VLAN_FILTERING
~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
"
if kernel_is le 5 3; then
CONFIG_CHECK+="
~INET_XFRM_MODE_TRANSPORT
"
fi
CONFIG_CHECK+="
~IPVLAN
"
CONFIG_CHECK+="
~MACVLAN ~DUMMY
"
CONFIG_CHECK+="
~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
"
# storage drivers
if use btrfs; then
CONFIG_CHECK+="
~BTRFS_FS
~BTRFS_FS_POSIX_ACL
"
fi
if use device-mapper; then
CONFIG_CHECK+="
~BLK_DEV_DM ~DM_THIN_PROVISIONING
"
fi
CONFIG_CHECK+="
~OVERLAY_FS
"
linux-info_pkg_setup
}
src_compile() {
export DOCKER_GITCOMMIT="${GIT_COMMIT}"
export GOPATH="${WORKDIR}/${P}"
export VERSION=${PV}
# setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10
export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
# let's set up some optional features :)
export DOCKER_BUILDTAGS=''
for gd in btrfs device-mapper overlay; do
if ! use $gd; then
DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
fi
done
for tag in apparmor seccomp; do
if use $tag; then
DOCKER_BUILDTAGS+=" $tag"
fi
done
# build binaries
./hack/make.sh dynbinary || die 'dynbinary failed'
}
src_install() {
dosym containerd /usr/bin/docker-containerd
dosym containerd-shim /usr/bin/docker-containerd-shim
dosym runc /usr/bin/docker-runc
use container-init && dosym tini /usr/bin/docker-init
dobin bundles/dynbinary-daemon/dockerd
dobin bundles/dynbinary-daemon/docker-proxy
newinitd contrib/init/openrc/docker.initd docker
newconfd contrib/init/openrc/docker.confd docker
systemd_dounit contrib/init/systemd/docker.{service,socket}
udev_dorules contrib/udev/*.rules
dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
dodoc -r docs/*
# note: intentionally not using "doins" so that we preserve +x bits
dodir /usr/share/${PN}/contrib
cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
}
pkg_postinst() {
udev_reload
elog
elog "To use Docker, the Docker daemon must be running as root. To automatically"
elog "start the Docker daemon at boot:"
if systemd_is_booted || has_version sys-apps/systemd; then
elog " systemctl enable docker.service"
else
elog " rc-update add docker default"
fi
elog
elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
elog ' usermod -aG docker <youruser>'
elog
if use device-mapper; then
elog " Devicemapper storage driver has been deprecated"
elog " It will be removed in a future release"
elog
fi
if use overlay; then
elog " Overlay storage driver/USEflag has been deprecated"
elog " in favor of overlay2 (enabled unconditionally)"
elog
fi
if has_version sys-fs/zfs; then
elog " ZFS storage driver is available"
elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
elog
fi
}
pkg_postrm() {
udev_reload
}
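Review bot: In src_install, `cp -R contrib/* "${ED}/usr/share/${PN}/contrib"` is the one installation step in the function that can fail without aborting the build, since every other step here dies through the helpers; `cp -R contrib/* "${ED}/usr/share/${PN}/contrib" || die` keeps it consistent. The copy also ships the entire upstream contrib/ tree, with +x bits deliberately preserved per the comment above it, into the sysext image, where those helper scripts add size and executable content that the runtime image most likely does not need; if Flatcar does not want them, the sysext's post-install mangling is the natural place to drop them, and a comment here would record that decision. The docker-24.0.5 ebuild above has the same line.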


@ -0,0 +1,28 @@
From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
From: Jan Breig <git@pygos.space>
Date: Mon, 16 May 2022 14:58:36 +0200
Subject: [PATCH] Openrc: Depend on containerd init script
Signed-off-by: Jan Breig <git@pygos.space>
---
contrib/init/openrc/docker.initd | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
index 3229223bad..57defb8f57 100644
--- a/contrib/init/openrc/docker.initd
+++ b/contrib/init/openrc/docker.initd
@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+depend() {
+ need containerd
+}
+
start_pre() {
checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
}
--
2.35.1


@ -17,19 +17,9 @@
<name>Georgy Yakovlev</name> <name>Georgy Yakovlev</name>
</maintainer> </maintainer>
<use> <use>
<flag name="aufs">
Enables dependencies for the "aufs" graph driver, including
necessary kernel flags.
</flag>
<flag name="btrfs"> <flag name="btrfs">
Enables dependencies for the "btrfs" graph driver, including Enables dependencies for the "btrfs" graph driver, including
necessary kernel flags. necessary kernel flags.
</flag>
<flag name="cli">
This is a temporary use flag which pulls in
<pkg>app-containers/docker-cli</pkg>, the docker command line client.
This flag is here to assist in the transition to split packages
and will be removed in a future release.
</flag> </flag>
<flag name="container-init"> <flag name="container-init">
Makes the a staticly-linked init system tini available inside a Makes the a staticly-linked init system tini available inside a


@ -0,0 +1,2 @@
DIST runc-1.1.7.tar.gz 2511464 BLAKE2B 63f09052659636b62185abbb178f7e104d22125190899e80e71ed2ba35567eb855abf786d3c7fff3dd9a1ab43ee282fcaecb6650cd8a1ce49c05acefd7c12cde SHA512 e3a18f04ac2c3553a815074ca64e04cfd71af54d78edbd4a13819f187476f96d7311c23bb63fb5c311b91865db4540985a6f9daa84819b0bac5f023b3b2a832c
DIST runc-1.1.9.tar.gz 2512231 BLAKE2B 4e8e2a454231492f83de34bf66ba25a02b8925b6ef0af2206cdf4ab3299173d3452cea4d51fcfeb02026df288dd8ca6c44ecd35fb075f25f56fd7bc07f873af7 SHA512 020986f2df49c45394d0acbfa4da62663353004550d9b4409f6cfe8369972a090fb8020e4a05342754bde5c1fbe9fcf3868faed2dceed5d54460c3373cdd2278


@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<longdescription lang="en">
runc is a CLI tool for spawning and running containers according
to the OCF (Open Container Format) specification.
</longdescription>
<maintainer type="person">
<email>williamh@gentoo.org</email>
<name>William Hubbs</name>
</maintainer>
<maintainer type="person">
<email>gyakovlev@gentoo.org</email>
<name>Georgy Yakovlev</name>
</maintainer>
<use>
<flag name="kmem">
Enable Kernel Memory Accounting.
</flag>
</use>
<upstream>
<remote-id type="github">opencontainers/runc</remote-id>
<remote-id type="cpe">cpe:/a:linuxfoundation:runc</remote-id>
</upstream>
</pkgmetadata>


@ -0,0 +1,78 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module linux-info
# update on bump, look for https://github.com/docker\
# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
RUNC_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
CONFIG_CHECK="~USER_NS"
DESCRIPTION="runc container cli tools"
HOMEPAGE="http://github.com/opencontainers/runc/"
MY_PV="${PV/_/-}"
SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0 BSD-2 BSD MIT"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
IUSE="apparmor hardened +kmem +seccomp selinux test"
DEPEND="seccomp? ( sys-libs/libseccomp )"
RDEPEND="
${DEPEND}
!app-emulation/docker-runc
apparmor? ( sys-libs/libapparmor )
selinux? ( sec-policy/selinux-container )
"
BDEPEND="
dev-go/go-md2man
test? ( "${RDEPEND}" )
"
# tests need busybox binary, and portage namespace
# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
# majority of tests pass
RESTRICT+=" test"
S="${WORKDIR}/${PN}-${MY_PV}"
src_compile() {
# Taken from app-containers/docker-1.7.0-r1
export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
-L${ESYSROOT}/usr/$(get_libdir)"
# build up optional flags
local options=(
$(usev apparmor)
$(usev seccomp)
$(usex kmem '' 'nokmem')
)
myemakeargs=(
BUILDTAGS="${options[*]}"
COMMIT="${RUNC_COMMIT}"
)
emake "${myemakeargs[@]}" runc man
}
src_install() {
myemakeargs+=(
PREFIX="${ED}/usr"
BINDIR="${ED}/usr/bin"
MANDIR="${ED}/usr/share/man"
)
emake "${myemakeargs[@]}" install install-man install-bash
local DOCS=( README.md PRINCIPLES.md docs/. )
einstalldocs
}
src_test() {
emake "${myemakeargs[@]}" localunittest
}


@ -0,0 +1,78 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module linux-info
# update on bump, look for https://github.com/docker\
# docker-ce/blob/<docker ver OR branch>/components/engine/hack/dockerfile/install/runc.installer
RUNC_COMMIT=ccaecfcbc907d70a7aa870a6650887b901b25b82
CONFIG_CHECK="~USER_NS"
DESCRIPTION="runc container cli tools"
HOMEPAGE="http://github.com/opencontainers/runc/"
MY_PV="${PV/_/-}"
SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
LICENSE="Apache-2.0 BSD-2 BSD MIT"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
IUSE="apparmor hardened +kmem +seccomp selinux test"
DEPEND="seccomp? ( sys-libs/libseccomp )"
RDEPEND="
${DEPEND}
!app-emulation/docker-runc
apparmor? ( sys-libs/libapparmor )
selinux? ( sec-policy/selinux-container )
"
BDEPEND="
dev-go/go-md2man
test? ( "${RDEPEND}" )
"
# tests need busybox binary, and portage namespace
# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
# majority of tests pass
RESTRICT+=" test"
S="${WORKDIR}/${PN}-${MY_PV}"
src_compile() {
# Taken from app-containers/docker-1.7.0-r1
export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
-L${ESYSROOT}/usr/$(get_libdir)"
# build up optional flags
local options=(
$(usev apparmor)
$(usev seccomp)
$(usex kmem '' 'nokmem')
)
myemakeargs=(
BUILDTAGS="${options[*]}"
COMMIT="${RUNC_COMMIT}"
)
emake "${myemakeargs[@]}" runc man
}
src_install() {
myemakeargs+=(
PREFIX="${ED}/usr"
BINDIR="${ED}/usr/bin"
MANDIR="${ED}/usr/share/man"
)
emake "${myemakeargs[@]}" install install-man install-bash
local DOCS=( README.md PRINCIPLES.md docs/. )
einstalldocs
}
src_test() {
emake "${myemakeargs[@]}" localunittest
}


@ -0,0 +1 @@
DIST go-md2man-2.0.2.tar.gz 64353 BLAKE2B cc9ce9d14b61e600cf5179b72e08bc7e6ae5fcf31d3e00d6e5f7e5e77a26dd2b2b8a938e168e0053b2a9f9aab734d9beb02f7d95549fbf073125ad42b03cf478 SHA512 c81edfdc0b6647ef699cc908a1a7038d98da34df6d48b223b83a0699de91a7e322e70d67645acf1fc848918f4c1ea310160c7ccb75e6f97b53af7103c7aa18b3


@ -0,0 +1,32 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit go-module
DESCRIPTION="A utility to convert markdown to man pages"
SRC_URI="https://github.com/cpuguy83/go-md2man/archive/v${PV}.tar.gz -> ${P}.tar.gz"
HOMEPAGE="https://github.com/cpuguy83/go-md2man"
LICENSE="BSD-2 MIT"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
# restrict tests because they need network-sandbox disabled
# bug https://bugs.gentoo.org/715028
RESTRICT+=" test"
src_compile() {
emake BUILD_FLAGS="-mod=vendor" build
}
src_install() {
"${S}"/bin/go-md2man -in go-md2man.1.md -out go-md2man.1 ||
die "Unable to create man page"
dobin bin/go-md2man
doman go-md2man.1
}
src_test() {
emake test
}


@ -1,8 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata> <pkgmetadata>
<maintainer type="person"> <maintainer type="person">
<email>williamh@gentoo.org</email> <email>williamh@gentoo.org</email>
<name>William Hubbs</name> <name>William Hubbs</name>
</maintainer> </maintainer>
<upstream>
<remote-id type="github">cpuguy83/go-md2man</remote-id>
</upstream>
</pkgmetadata> </pkgmetadata>