diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2-r1.ebuild similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2-r1.ebuild index 6ef3ede90f..ba66913717 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2-r1.ebuild @@ -12,7 +12,7 @@ if [[ ${PV} == *9999 ]]; then DOCKER_GITCOMMIT="unknown" KEYWORDS="~amd64 ~arm64" else - CROS_WORKON_COMMIT="a662a4c026af44b573f6f7851ae467d8e86f2162" # coreos-17.03.2-ce + CROS_WORKON_COMMIT="236043027bc7199ec691f98c49bb2f0ec6a316d5" # coreos-17.03.2-ce DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}" KEYWORDS="amd64 arm64" fi diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.09.0.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.09.0-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.09.0.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.09.0-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild index 5b7d221118..ce331a74c3 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild @@ -74,9 +74,7 @@ RESTRICT="installsources strip" S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}" -ENGINE_PATCHES=( - "${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch" -) +ENGINE_PATCHES=() # see "contrib/check-config.sh" from upstream's sources CONFIG_CHECK=" @@ -212,7 +210,7 @@ src_unpack() { DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7) DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct") fi - eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}" + [ "${#ENGINE_PATCHES[@]}" -gt 0 ] && eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}" } src_compile() { diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch deleted file mode 100644 index 7a21b2c3ff..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 699fab4877c3ff5d7f935bd3977e413c31269c7c Mon Sep 17 00:00:00 2001 -From: Euan Kemp -Date: Fri, 22 Sep 2017 12:01:04 -0700 -Subject: [PATCH] Revert "Make overlay home dir Private mount" - -This reverts commit e076bccb458aeadab9380ce0636456ad6317a85f. -It also reverts it for the overlay2 package, which didn't exist at the -time the commit was made but is a direct successor with copy-pasted -code. - -The original commit was meant to fix a bug whereby `docker cp` -(implemented via chrootarchive) could inadvertantly lead to shared -mounts getting unmounted on the host too. - -The fix, however, had side effects. It results in overlay mounts being -private, and thus being quite easy to leak copies that are hard to -umount into other mount namespaces on the box. - -This hasn't been noticed until now because on kernels prior to v4.13, -temporarily leaking overlayfs mounts to other namespaces didn't have any -ill effects. - -Starting with v4.13, setting the mount to private and thus leaking -mounts results in errors. See https://github.com/moby/moby/issues/34672 - -The correct fix for the original issue was implemented later in -https://github.com/moby/moby/pull/27609, and since that code is now -merged we can safely throw away this less ideal fix. - -Signed-off-by: Euan Kemp ---- - daemon/graphdriver/overlay/overlay.go | 12 +++--------- - daemon/graphdriver/overlay2/overlay.go | 12 +++--------- - 2 files changed, 6 insertions(+), 18 deletions(-) - -diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go -index 9012722c20d..8ed51e6c384 100644 ---- a/daemon/graphdriver/overlay/overlay.go -+++ b/daemon/graphdriver/overlay/overlay.go -@@ -19,7 +19,6 @@ import ( - "github.com/docker/docker/pkg/fsutils" - "github.com/docker/docker/pkg/idtools" - "github.com/docker/docker/pkg/locker" -- "github.com/docker/docker/pkg/mount" - "github.com/docker/docker/pkg/system" - "github.com/opencontainers/selinux/go-selinux/label" - "github.com/sirupsen/logrus" -@@ -139,10 +138,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - return nil, err - } - -- if err := mount.MakePrivate(home); err != nil { -- return nil, err -- } -- - supportsDType, err := fsutils.SupportsDType(home) - if err != nil { - return nil, err -@@ -227,11 +222,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) { - return metadata, nil - } - --// Cleanup any state created by overlay which should be cleaned when daemon --// is being shutdown. For now, we just have to unmount the bind mounted --// we had created. -+// Cleanup simply returns nil and do not change the existing filesystem. -+// This is required to satisfy the graphdriver.Driver interface. - func (d *Driver) Cleanup() error { -- return mount.Unmount(d.home) -+ return nil - } - - // CreateReadWrite creates a layer that is writable for use as a container -diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go -index f350ca9c0b8..5aaf8c0cefe 100644 ---- a/daemon/graphdriver/overlay2/overlay.go -+++ b/daemon/graphdriver/overlay2/overlay.go -@@ -28,7 +28,6 @@ import ( - "github.com/docker/docker/pkg/fsutils" - "github.com/docker/docker/pkg/idtools" - "github.com/docker/docker/pkg/locker" -- "github.com/docker/docker/pkg/mount" - "github.com/docker/docker/pkg/parsers" - "github.com/docker/docker/pkg/parsers/kernel" - "github.com/docker/docker/pkg/system" -@@ -175,10 +174,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - return nil, err - } - -- if err := mount.MakePrivate(home); err != nil { -- return nil, err -- } -- - supportsDType, err := fsutils.SupportsDType(home) - if err != nil { - return nil, err -@@ -314,11 +309,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) { - return metadata, nil - } - --// Cleanup any state created by overlay which should be cleaned when daemon --// is being shutdown. For now, we just have to unmount the bind mounted --// we had created. -+// Cleanup simply returns nil and do not change the existing filesystem. -+// This is required to satisfy the graphdriver.Driver interface. - func (d *Driver) Cleanup() error { -- return mount.Unmount(d.home) -+ return nil - } - - // CreateReadWrite creates a layer that is writable for use as a container diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.03.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.03.ebuild index 0cb31a14d9..f91bb94d2e 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.03.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.03.ebuild @@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64" # Explicitly list all packages that will be built into the image. RDEPEND=" - =app-emulation/docker-17.03.2 + =app-emulation/docker-17.03.2-r1 =app-emulation/containerd-0.2.6 =app-emulation/docker-proxy-0.8.0_p20161019 =app-emulation/docker-runc-1.0.0_rc2_p136 diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.09.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.09.ebuild index 5766885de9..2d71774bc1 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.09.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.09.ebuild @@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64" # Explicitly list all packages that will be built into the image. RDEPEND=" - =app-emulation/docker-17.09.0 + =app-emulation/docker-17.09.0-r1 =app-emulation/containerd-0.2.9_p27 =app-emulation/docker-proxy-0.8.0_p20170917 =app-emulation/docker-runc-1.0.0_rc4_p25