Merge pull request #2797 from dm0-/docker

Update Docker

sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-no.json

@@ -4,7 +4,7 @@
         "images": [
             {
                 "name": "docker",
-                "reference": "17.06"
+                "reference": "17.09"
             }
         ]
     }

sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest

@@ -1,2 +1,3 @@
 DIST containerd-0.2.5.tar.gz 1003500 SHA256 88e099af66b50abe7f2159f13bdab793fa5199d8d5b9a9ef7a68171abb4359be SHA512 ba1e074bb7556a7c4be4d68dc62aa2fa4b823682c209d1609c1f11518a7b7167139ea159d31e0b21ba190d83115a67e5e45b54b6a4770742d49e9e561309551f WHIRLPOOL eb3622ba99c4d4806bda9a45853422a5b0b884869ed3be4c3caec4c20f49027e8db78b9885eca7bc83a0f3b08e9a66eca950390f0eda1ef2535fd3ab41623bf4
-DIST containerd-0.2.9_p7.tar.gz 1229549 SHA256 c506121c49e3bfea27018aa77e09e4734067f84ae85b6ef75ec31b488a91ae54 SHA512 900cf9c251c4de0f9848fb5bf26537226c1361d1a64a0fba853bda3805cb141fc2a849442fe885f0ee228b3e3a7018440af18898b484a54a7b75b4a86538aaa9 WHIRLPOOL 880f19a994f623b7cd8c3f771b5c56468681de349ae4196e60ffcb5a34d42ef423d8eefc82c07134c9e50c33bc0ecbfc1a9e47c3df987050d8dcb82da0178d80
+DIST containerd-0.2.6.tar.gz 1020572 SHA256 a67c4153ac5ae26b9d11daac133b90cba059ba16de7579e39c3e82bcda856493 SHA512 41018bda556a3ddfb1bd3a16e642548ba06f413b13fd1488e731896e277ba6c84a393ebd5de067ecaeccc695297a2b74edf22e5a3fe8f2e3eadf78d080bdeff6 WHIRLPOOL 98f64c888ea580074e51b91311ab186291cb2d3ecc9f178d828687dbb60b35104237041699b6125cf026edd245459a052fda1801ac3cd7e1efe34606c3d9a4eb
+DIST containerd-0.2.9_p27.tar.gz 1140788 SHA256 4d2b6e30bcc6c4bb901d6b9f19b5ac1d4a2d9b17075a9b1f110102920d01f64a SHA512 c749bda691197ec8a7603db9ad92f2800a3f065143430a660333b7862518deb4c158a1c1fd01671dff438b40988d4a64d8f06bab05496b8728c6e2f57cd7da0a WHIRLPOOL 75cb3467a94af50bef52377f309d7c85386475789fab3d2758679f022b516735728a1ac2c54307954a14100c4f84059d8fd5e8376270fdd69e572cff43453fa0

sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.6.ebuild

@@ -0,0 +1,45 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+GITHUB_URI="github.com/docker/containerd"
+COREOS_GO_PACKAGE="${GITHUB_URI}"
+COREOS_GO_VERSION="go1.7"
+
+EGIT_COMMIT="4ab9917febca54791c5f071a9d1f404867857fcc" # v0.2.6
+SRC_URI="https://${GITHUB_URI}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 arm64"
+
+inherit coreos-go systemd
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.tools"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="hardened +seccomp"
+
+DEPEND=""
+RDEPEND=">=app-emulation/docker-runc-1.0.0_rc2
+	seccomp? ( sys-libs/libseccomp )"
+
+S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
+
+RESTRICT="test"
+
+src_unpack() {
+	mkdir -p "${S}"
+	tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
+}
+
+src_compile() {
+	local options=( $(usex seccomp "seccomp" '') )
+	export GOPATH="${WORKDIR}/${P}" # ${PWD}/vendor
+	LDFLAGS=$(usex hardened '-extldflags -fno-PIC' '') emake GIT_COMMIT="$EGIT_COMMIT" BUILDTAGS="${options[@]}"
+}
+
+src_install() {
+	dobin bin/containerd* bin/ctr
+	systemd_dounit "${FILESDIR}/containerd.service"
+}

sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-9999.ebuild

@@ -15,7 +15,7 @@ else
 	# The patch number is arbitrarily chosen as the number of commits since the
 	# tagged version.
 	# e.g. git log --oneline v0.2.9..${EGIT_COMMIT} | wc -l
-	EGIT_COMMIT="6e23458c129b551d5c9871e5174f6b1b7f6d1170"
+	EGIT_COMMIT="06b9cb35161009dcb7123345749fef02f7cea8e0"
 	SRC_URI="https://${GITHUB_URI}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
 	KEYWORDS="amd64 arm64"
 	inherit vcs-snapshot
@@ -31,7 +31,7 @@ SLOT="0"
 IUSE="hardened +seccomp"
 
 DEPEND=""
-RDEPEND=">=app-emulation/docker-runc-1.0.0_rc3
+RDEPEND=">=app-emulation/docker-runc-1.0.0_rc4
 	seccomp? ( sys-libs/libseccomp )"
 
 S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-proxy/Manifest

@@ -1 +1,2 @@
-DIST docker-proxy-0.8.0_p20170410.tar.gz 2176893 SHA256 49d31e8b386b88d45d9c417d8d775fa647ecdc66f8e2a93a35f401c7bc8c9c1c SHA512 6bd82d64d2847a01feb6004ad180f77e767d4a27ca742a66c411f2824f50ca4439974010e32a18a6b03bc1f6186ee7a7c5f86f6c9cbbd8c275fb7fdd345b7bc1 WHIRLPOOL 575e0c9476fdfbbafc35ef29c43725f51dc00e00517293d3fc4218e5cbc6fe1056a1b1e5498c981856af17e2add7df9841485b4f20b49f8cbefe1f20f1e4c68c
+DIST docker-proxy-0.8.0_p20161019.tar.gz 2112423 SHA256 170d355ad613cc28245a6d9501bcaba930cb594a632fdd9bd52a4fa90b406932 SHA512 a7b040cdeaf15054d436b184370af0f9b23a5b6d0b2c01530b7ad539040186888bb030309e18a1a02ad252753cf4f08aa5e5ec504480a8ffb7050db76764db5b WHIRLPOOL 83fed4162e1fbe2a640dfb720ca85583f923166d0f7da3e397ec20a333dddc42d7def2231de8877569cb63bb37435d23f772413ffd6d82f8a4a8c453d75f669c
+DIST docker-proxy-0.8.0_p20170917.tar.gz 2177045 SHA256 2eee331b6ded567a36e7db708405b34032b93938682cf049025f48b96d755bf6 SHA512 673ea638fa5c560d8238d7c1d88f114430f9d8efe701804bfe30044d0c059a688cbf6b62922be50834e16ee055ef6cf015f6232f76f0d942768f9e84e95496cd WHIRLPOOL 27b33b36bbdeaff3d25977b50aa11fc5a4708482f44efe583223c1aab40091e28824eda6eb5ac8a7f20be24ef4ddcf9b6e4a043c52c9e6953ec2c95f266fb296

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-proxy/docker-proxy-0.8.0_p20161019.ebuild

@@ -0,0 +1,42 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+EGO_PN="github.com/docker/libnetwork"
+
+COREOS_GO_PACKAGE="${EGO_PN}"
+COREOS_GO_VERSION="go1.7"
+
+if [[ ${PV} == *9999 ]]; then
+	KEYWORDS="~amd64 ~arm64"
+	inherit golang-vcs
+else
+	EGIT_COMMIT="0f534354b813003a754606689722fe253101bc4e"
+	SRC_URI="https://${EGO_PN}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="amd64 arm64"
+	inherit golang-vcs-snapshot
+fi
+
+inherit coreos-go
+
+DESCRIPTION="Docker container networking"
+HOMEPAGE="https://github.com/docker/libnetwork"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE=""
+
+S=${WORKDIR}/${P}/src/${EGO_PN}
+
+RDEPEND="!<app-emulation/docker-1.13.0_rc1"
+
+RESTRICT="test" # needs dockerd
+
+src_compile() {
+	go_build "${COREOS_GO_PACKAGE}/cmd/proxy"
+}
+
+src_install() {
+	dodoc ROADMAP.md README.md CHANGELOG.md
+	newbin "${GOBIN}"/proxy docker-proxy
+}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-proxy/docker-proxy-9999.ebuild

@@ -1,6 +1,5 @@
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
 
 EAPI=6
 EGO_PN="github.com/docker/libnetwork"
@@ -21,7 +20,7 @@ fi
 inherit coreos-go
 
 DESCRIPTION="Docker container networking"
-HOMEPAGE="http://github.com/docker/libnetwork"
+HOMEPAGE="https://github.com/docker/libnetwork"
 
 LICENSE="Apache-2.0"
 SLOT="0"
@@ -29,12 +28,15 @@ IUSE=""
 
 S=${WORKDIR}/${P}/src/${EGO_PN}
 
-RDEPEND="!<app-emulation/docker-17.04.0"
+RDEPEND="!<app-emulation/docker-1.13.0_rc1"
+
+RESTRICT="test" # needs dockerd
 
 src_compile() {
 	go_build "${COREOS_GO_PACKAGE}/cmd/proxy"
 }
 
 src_install() {
+	dodoc ROADMAP.md README.md CHANGELOG.md
 	newbin "${GOBIN}"/proxy docker-proxy
 }

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/Manifest

@@ -1 +1,2 @@
-DIST docker-runc-1.0.0_rc3_p53.tar.gz 1042839 SHA256 d09b31b9a5adf0a3295d10b20e5f65ec8e1c52a371d463218694c37e075829e9 SHA512 8e937e8ccaa114913d61a450b030496668c1e2d80eecccf5e4914c5685d7dde9a0d50bc2aef9be844dc69eab81621aa1c043abbc72ba28ab6bdb9db5e86daeaf WHIRLPOOL bec7b506a6b2522d401733b32a9f500aec69920dc6d8072ab434c7bfbb1c88a6fb00afa1d2728f78fbaac1d58f890a2b5932fdbe2b0e87b749293f2b48ed2e8a
+DIST docker-runc-1.0.0_rc2_p136.tar.gz 561705 SHA256 2954cb6b468b3806a08c45656acc2019035bc9994c2a9b4249cfde4d9b3a7c93 SHA512 6052b95042082c3345caf25d3646f47b82c151ff3aca2ca4510dbf72ee80056d8c4077f2a1b48a9f4178c41185835ff51461e52ad47969534ea6febf7cac74f1 WHIRLPOOL ede821987006a54e7a87f88d9a5104d4a4ecc05a614e111fefa669f5ae436c11004debfe919bec0808194f2d96442775718a0208a1a374a9dd56a896f7dd8640
+DIST docker-runc-1.0.0_rc4_p25.tar.gz 1094599 SHA256 d5820f1c655061be79441bd57efea4e5b60b25b6a451214b64172395b9fda383 SHA512 0cb0748812296294a87dda257dbf0947897a1ada2aa861ff3e65309a6bbecebbe798929845fca6f23b66fd0dc019bca0a032737c7192fe20618d8e1849866f3d WHIRLPOOL ed34894a3878c0cae50888c936eba1dad8d58da8d7042d5e421f06e4e98c1d7701a5c877baaba14a46d588b2ee3354e19d72bb141d5d8e7f6c0bed2d3a6b71b6

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc2_p136.ebuild

@@ -0,0 +1,71 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+GITHUB_URI="github.com/docker/runc"
+COREOS_GO_PACKAGE="${GITHUB_URI}"
+COREOS_GO_VERSION="go1.7"
+# the commit of runc that docker uses.
+# see https://github.com/moby/moby/blob/v17.03.2-ce/hack/dockerfile/binaries-commits#L6
+# Note: this commit is only really present in the `docker/runc` repository.
+# Update the patch number when this commit is changed (i.e. the _p in the ebuild).
+# The patch version is arbitrarily the number of commits since the tag version
+# spcified in the ebuild name. For example:
+# $ git log --oneline v1.0.0-rc2..${COMMIT_ID} | wc -l
+COMMIT_ID="54296cf40ad8143b62dbcaa1d90e520a2136ddfe"
+
+inherit eutils flag-o-matic coreos-go vcs-snapshot
+
+SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 arm64"
+
+DESCRIPTION="runc container cli tools (docker fork)"
+HOMEPAGE="http://runc.io"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor hardened +seccomp selinux"
+
+RDEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )
+	!app-emulation/runc
+"
+
+S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
+
+RESTRICT="test"
+
+src_unpack() {
+	mkdir -p "${S}"
+	tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
+}
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.0.0_rc2-mount-propagation.patch"
+)
+
+src_compile() {
+	# Taken from app-emulation/docker-1.7.0-r1
+	export CGO_CFLAGS="-I${ROOT}/usr/include"
+	export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+		-L${ROOT}/usr/$(get_libdir)"
+
+	# build up optional flags
+	local options=(
+		$(usex apparmor 'apparmor')
+		$(usex seccomp 'seccomp')
+		$(usex selinux 'selinux')
+	)
+
+	# CoreOS: Don't try to install dependencies.
+	sed -i 's/go build -i /go build /' Makefile
+
+	emake BUILDTAGS="${options[*]}" \
+		COMMIT="${COMMIT_ID}"
+}
+
+src_install() {
+	dobin runc
+}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc4_p25.ebuild

@@ -7,13 +7,13 @@ GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.8"
 # the commit of runc that docker uses.
-# see https://github.com/docker/docker-ce/blob/v17.06.2-ce/components/engine/hack/dockerfile/binaries-commits#L6
-# Note: this commit is only really present in `docker/runc` in the 'docker/17.06' branch
+# see https://github.com/docker/docker-ce/blob/v17.09.0-ce/components/engine/hack/dockerfile/binaries-commits#L6
+# Note: this commit is only really present in the `docker/runc` repository.
 # Update the patch number when this commit is changed (i.e. the _p in the ebuild).
 # The patch version is arbitrarily the number of commits since the tag version
 # spcified in the ebuild name. For example:
-# $ git log --oneline v1.0.0-rc3..${COMMIT_ID} | wc -l
-COMMIT_ID="810190ceaa507aa2727d7ae6f4790c76ec150bd2"
+# $ git log --oneline v1.0.0-rc4..${COMMIT_ID} | wc -l
+COMMIT_ID="3f2f8b84a77f73d38244dd690525642a72156c64"
 
 inherit eutils flag-o-matic coreos-go vcs-snapshot
 
@@ -25,7 +25,7 @@ HOMEPAGE="http://runc.io"
 
 LICENSE="Apache-2.0"
 SLOT="0"
-IUSE="apparmor ambient hardened +seccomp selinux"
+IUSE="ambient apparmor hardened +seccomp selinux"
 
 RDEPEND="
 	apparmor? ( sys-libs/libapparmor )
@@ -55,8 +55,8 @@ src_compile() {
 
 	# build up optional flags
 	local options=(
-		$(usex apparmor 'apparmor' '')
 		$(usex ambient 'ambient' '')
+		$(usex apparmor 'apparmor' '')
 		$(usex seccomp 'seccomp' '')
 		$(usex selinux 'selinux' '')
 	)

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch

@@ -27,11 +27,11 @@ diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_li
 index 1575ae03..8a2947f6 100644
 --- a/libcontainer/specconv/spec_linux.go
 +++ b/libcontainer/specconv/spec_linux.go
-@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
- 	"slave":    syscall.MS_SLAVE,
- 	"rshared":  syscall.MS_SHARED | syscall.MS_REC,
- 	"shared":   syscall.MS_SHARED,
--	"":         syscall.MS_PRIVATE | syscall.MS_REC,
+@@ -37,7 +37,7 @@ var mountPropagationMapping = map[string]int{
+ 	"slave":    unix.MS_SLAVE,
+ 	"rshared":  unix.MS_SHARED | unix.MS_REC,
+ 	"shared":   unix.MS_SHARED,
+-	"":         unix.MS_PRIVATE | unix.MS_REC,
 +	"":         0,
  }
  

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch

@@ -0,0 +1,41 @@
+From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euan.kemp@coreos.com>
+Date: Fri, 22 Sep 2017 02:31:17 -0700
+Subject: [PATCH] libcontainer: default mount propagation correctly
+
+The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
+attempts to default the rootfs mount to `rslave`. However, since the spec
+conversion has already defaulted it to `rprivate`, that code doesn't
+actually ever do anything.
+
+This changes the spec conversion code to accept "" and treat it as 0.
+
+Implicitly, this makes rootfs propagation default to `rslave`, which is
+a part of fixing the moby bug https://github.com/moby/moby/issues/34672
+
+Alternate implementatoins include changing this defaulting to be
+`rslave` and removing the defaulting code in prepareRoot, or skipping
+the mapping entirely for "", but I think this change is the cleanest of
+those options.
+
+Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
+---
+ libcontainer/specconv/spec_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 1575ae03..8a2947f6 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
+ 	"slave":    syscall.MS_SLAVE,
+ 	"rshared":  syscall.MS_SHARED | syscall.MS_REC,
+ 	"shared":   syscall.MS_SHARED,
+-	"":         syscall.MS_PRIVATE | syscall.MS_REC,
++	"":         0,
+ }
+ 
+ var allowedDevices = []*configs.Device{
+-- 
+2.13.5
+

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/Manifest

@@ -1 +1 @@
-DIST docker-17.06.2.tar.gz 9684548 SHA256 cfcb5646db32f52c4c394bc688fff405e585beab4ded64251958804a102a5269 SHA512 0a9b7b122aadef911141ec1f606759e892c0673821ddf5f3247a5b2d4476a20018add84a22c5aca32f0f91c1046e5be6d8d3f9ce65c3e4244896bf061b1eac6b WHIRLPOOL d0cc166319dbf735d67796df3836f79b24b9108327276ca0ba272398cdc70d6fae4649d9097b6dd29e62633ee636a216343e0d3ffd781cf63ef4c7a7c8cea259
+DIST docker-17.09.0.tar.gz 10132253 SHA256 ef1d7f2c48824495e4109426ba85b75c09cc9463b9ba92703e25ffcbe14536ae SHA512 d96570825fb3dc24516b3b9666e935d5277674221452d8a23e6bcd1116f0bb3a2b8b315f47b98f52e681ab79309c099bb3b5c437af942539708ff3126c993638 WHIRLPOOL ca96166ff3573138713d3d45fcfc42cfed99a70e9db17a1763a9e157e6ce3f301fd01ab3c579aacfcbcab7639986e97bbbbc680fbc65edd76047aee079239b6b

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2.ebuild

@@ -0,0 +1,292 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+CROS_WORKON_PROJECT="coreos/docker"
+CROS_WORKON_LOCALNAME="docker"
+CROS_WORKON_REPO="git://github.com"
+COREOS_GO_VERSION="go1.7"
+
+if [[ ${PV} == *9999 ]]; then
+	DOCKER_GITCOMMIT="unknown"
+	KEYWORDS="~amd64 ~arm64"
+else
+	CROS_WORKON_COMMIT="a662a4c026af44b573f6f7851ae467d8e86f2162" # coreos-17.03.2-ce
+	DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
+	KEYWORDS="amd64 arm64"
+fi
+
+inherit bash-completion-r1 eutils linux-info multilib systemd udev user cros-workon coreos-go-depend
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://dockerproject.org"
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor aufs +btrfs +container-init +device-mapper hardened +overlay pkcs11 seccomp +journald +selinux"
+
+# https://github.com/moby/moby/blob/v17.03.2-ce/project/PACKAGERS.md#build-dependencies
+CDEPEND="
+	>=dev-db/sqlite-3.7.9:3
+	device-mapper? (
+		>=sys-fs/lvm2-2.02.89[thin]
+	)
+	journald? ( >=sys-apps/systemd-225 )
+	seccomp? ( >=sys-libs/libseccomp-2.2.1[static-libs] )
+	apparmor? ( sys-libs/libapparmor )
+"
+
+DEPEND="
+	${CDEPEND}
+
+	btrfs? (
+		>=sys-fs/btrfs-progs-3.16.1
+	)
+"
+
+# For CoreOS builds coreos-kernel must be installed because this ebuild
+# checks the kernel config. The kernel config is left by the kernel compile
+# or an explicit copy when installing binary packages. See coreos-kernel.eclass
+DEPEND+="sys-kernel/coreos-kernel"
+
+# https://github.com/moby/moby/blob/v17.03.2-ce/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/v17.03.2-ce/project/PACKAGERS.md#optional-dependencies
+# Runc/Containerd: Unfortunately docker does not version the releases, in order to avoid 
+# 	incompatiblities we depend on snapshots
+RDEPEND="
+	${CDEPEND}
+
+	!app-emulation/docker-bin
+	>=net-firewall/iptables-1.4
+	sys-process/procps
+	>=dev-vcs/git-1.7
+	>=app-arch/xz-utils-4.9
+
+	=app-emulation/containerd-0.2.6[seccomp?]
+	=app-emulation/docker-runc-1.0.0_rc2_p136[apparmor?,seccomp?]
+	=app-emulation/docker-proxy-0.8.0_p20161019
+	container-init? ( >=sys-process/tini-0.13.0 )
+"
+
+RESTRICT="installsources strip"
+
+# see "contrib/check-config.sh" from upstream's sources
+CONFIG_CHECK="
+	~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+	~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+	~KEYS
+	~VETH ~BRIDGE ~BRIDGE_NETFILTER
+	~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+	~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK
+	~NF_NAT ~NF_NAT_NEEDED
+	~POSIX_MQUEUE
+
+	~USER_NS
+	~SECCOMP
+	~CGROUP_PIDS
+	~MEMCG_SWAP ~MEMCG_SWAP_ENABLED
+
+	~BLK_CGROUP ~BLK_DEV_THROTTLING ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+	~CGROUP_PERF
+	~CGROUP_HUGETLB
+	~NET_CLS_CGROUP
+	~CFS_BANDWIDTH ~FAIR_GROUP_SCHED ~RT_GROUP_SCHED
+	~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
+
+	~VXLAN
+	~XFRM_ALGO ~XFRM_USER
+	~IPVLAN
+	~MACVLAN ~DUMMY
+"
+
+ERROR_KEYS="CONFIG_KEYS: is mandatory"
+ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
+ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
+
+ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
+ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
+ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
+ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
+ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
+ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
+
+pkg_setup() {
+	if kernel_is lt 3 10; then
+		ewarn ""
+		ewarn "Using Docker with kernels older than 3.10 is unstable and unsupported."
+		ewarn " - http://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies"
+	fi
+
+	# for where these kernel versions come from, see:
+	# https://www.google.com/search?q=945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f+site%3Akernel.org%2Fpub%2Flinux%2Fkernel+file%3AChangeLog*
+	if ! {
+		kernel_is ge 3 16 \
+		|| { kernel_is 3 15 && kernel_is ge 3 15 5; } \
+		|| { kernel_is 3 14 && kernel_is ge 3 14 12; } \
+		|| { kernel_is 3 12 && kernel_is ge 3 12 25; }
+	}; then
+		ewarn ""
+		ewarn "There is a serious Docker-related kernel panic that has been fixed in 3.16+"
+		ewarn "  (and was backported to 3.15.5+, 3.14.12+, and 3.12.25+)"
+		ewarn ""
+		ewarn "See also https://github.com/docker/docker/issues/2960"
+	fi
+
+	if kernel_is le 3 18; then
+		CONFIG_CHECK+="
+			~RESOURCE_COUNTERS
+		"
+	fi
+
+	if kernel_is le 3 13; then
+		CONFIG_CHECK+="
+			~NETPRIO_CGROUP
+		"
+	else
+		CONFIG_CHECK+="
+			~CGROUP_NET_PRIO
+		"
+	fi
+
+	if kernel_is lt 4 5; then
+		CONFIG_CHECK+="
+			~MEMCG_KMEM
+		"
+		ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
+	fi
+
+	if kernel_is lt 4 7; then
+		CONFIG_CHECK+="
+			~DEVPTS_MULTIPLE_INSTANCES
+		"
+	fi
+
+	if use aufs; then
+		CONFIG_CHECK+="
+			~AUFS_FS
+			~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+		"
+		ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs-sources are used instead of aufs4/aufs3"
+	fi
+
+	if use btrfs; then
+		CONFIG_CHECK+="
+			~BTRFS_FS
+			~BTRFS_FS_POSIX_ACL
+		"
+	fi
+
+	if use device-mapper; then
+		CONFIG_CHECK+="
+			~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+		"
+	fi
+
+	if use overlay; then
+		CONFIG_CHECK+="
+			~OVERLAY_FS ~EXT4_FS_SECURITY ~EXT4_FS_POSIX_ACL
+		"
+	fi
+
+	linux-info_pkg_setup
+
+	# create docker group for the code checking for it in /etc/group
+	enewgroup docker
+}
+
+src_compile() {
+	go_export
+
+	# if we treat them right, Docker's build scripts will set up a
+	# reasonable GOPATH for us
+	export AUTO_GOPATH=1
+
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	export CGO_CFLAGS="${CGO_CFLAGS} -I${ROOT}/usr/include"
+	export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ROOT}/usr/$(get_libdir)"
+
+	# if we're building from a tarball, we need the GITCOMMIT value
+	[ "$DOCKER_GITCOMMIT" ] && export DOCKER_GITCOMMIT
+
+	if use hardened; then
+		sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
+		grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
+
+		sed  "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
+			-i hack/make/dynbinary-client || die
+		sed  "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
+			-i hack/make/dynbinary-daemon || die
+		grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
+		grep -q -- '-fno-PIC' hack/make/dynbinary-client || die 'hardened sed failed'
+	fi
+
+	# let's set up some optional features :)
+	export DOCKER_BUILDTAGS=''
+	for gd in aufs btrfs device-mapper overlay; do
+		if ! use $gd; then
+			DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+		fi
+	done
+
+	for tag in apparmor pkcs11 seccomp selinux journald; do
+		if use $tag; then
+			DOCKER_BUILDTAGS+=" $tag"
+		fi
+	done
+
+	# time to build!
+	./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+	VERSION="$(cat VERSION)"
+	newbin "bundles/$VERSION/dynbinary-client/docker-$VERSION" docker
+	newbin "bundles/$VERSION/dynbinary-daemon/dockerd-$VERSION" dockerd
+	dosym containerd /usr/bin/docker-containerd
+	dosym containerd-shim /usr/bin/docker-containerd-shim
+	dosym runc /usr/bin/docker-runc
+	use container-init && dosym tini /usr/bin/docker-init
+
+	newinitd contrib/init/openrc/docker.initd docker
+	newconfd contrib/init/openrc/docker.confd docker
+
+	exeinto /usr/lib/coreos
+	doexe "${FILESDIR}/dockerd"
+
+	systemd_dounit "${FILESDIR}/docker.service"
+	systemd_dounit "${FILESDIR}/docker.socket"
+
+	insinto /usr/lib/systemd/network
+	doins "${FILESDIR}"/50-docker.network
+	doins "${FILESDIR}"/90-docker-veth.network
+
+	udev_dorules contrib/udev/*.rules
+
+	dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
+	dodoc -r docs/*
+
+	dobashcomp contrib/completion/bash/*
+
+	insinto /usr/share/zsh/site-functions
+	doins contrib/completion/zsh/_*
+
+	insinto /usr/share/vim/vimfiles
+	doins -r contrib/syntax/vim/ftdetect
+	doins -r contrib/syntax/vim/syntax
+}
+
+pkg_postinst() {
+	udev_reload
+
+	elog
+	elog "To use Docker, the Docker daemon must be running as root. To automatically"
+	elog "start the Docker daemon at boot, add Docker to the default runlevel:"
+	elog "  rc-update add docker default"
+	elog "Similarly for systemd:"
+	elog "  systemctl enable docker.service"
+	elog
+	elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+	elog "  usermod -aG docker youruser"
+	elog
+}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild

@@ -19,7 +19,7 @@ else
 	else
 		MY_PV="$PV-ce"
 	fi
-	DOCKER_GITCOMMIT="cec0b72"
+	DOCKER_GITCOMMIT="afdb6d4"
 	SRC_URI="https://${COREOS_GO_PACKAGE}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 	KEYWORDS="amd64 arm64"
 	[ "$DOCKER_GITCOMMIT" ] || die "DOCKER_GITCOMMIT must be added manually for each bump!"
@@ -74,9 +74,6 @@ RESTRICT="installsources strip"
 
 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
 
-PATCHES=(
-	"${FILESDIR}/patches/allow-override-build-date.patch"
-)
 ENGINE_PATCHES=(
 	"${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch"
 )
@@ -259,14 +256,14 @@ src_compile() {
 	fi
 
 	# build daemon
-	SOURCE_DATE_EPOCH="${DOCKER_BUILD_DATE}" ./hack/make.sh dynbinary || die 'dynbinary failed'
+	SOURCE_DATE_EPOCH="${DOCKER_BUILD_DATE}" \
+	./hack/make.sh dynbinary || die 'dynbinary failed'
 
 	popd || die # components/engine
 
 	pushd components/cli || die
 
-
-	# Imitating https://github.com/docker/docker-ce/blob/v17.06.2-ce/components/cli/scripts/build/.variables#L7
+	# Imitating https://github.com/docker/docker-ce/blob/v17.09.0-ce/components/cli/scripts/build/.variables#L6
 	CLI_BUILDTIME="$(date -d "@${DOCKER_BUILD_DATE}" --utc --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')"
 	# build cli
 	emake \
@@ -274,6 +271,7 @@ src_compile() {
 		LDFLAGS="$(usex hardened "-extldflags \"-fno-PIC $LDFLAGS\"" '')" \
 		VERSION="$(cat ../../VERSION)" \
 		GITCOMMIT="${DOCKER_GITCOMMIT}" \
+		DISABLE_WARN_OUTSIDE_CONTAINER=1 \
 		dynbinary || die
 
 	popd || die # components/cli

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/allow-override-build-date.patch

@@ -1,30 +0,0 @@
-From 336f19edea1f15d9a96ebee604f160df43653503 Mon Sep 17 00:00:00 2001
-From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
-Date: Wed, 19 Jul 2017 06:17:19 +0200
-Subject: [PATCH] Allow to override build date
-
-in order to make builds reproducible.
-See https://reproducible-builds.org/ for why this is good
-and https://reproducible-builds.org/specs/source-date-epoch/
-for the definition of this variable.
-
-Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
-Upstream-commit: 760763e9957840f1983a5006f4e66d6920ec496e
-Component: engine
----
- components/engine/hack/make.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
-index b7d59ba94a..7d18d649b5 100755
---- a/components/engine/hack/make.sh
-+++ b/components/engine/hack/make.sh
-@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=(
- )
- 
- VERSION=$(< ./VERSION)
--! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
-+! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
- if [ "$DOCKER_GITCOMMIT" ]; then
- 	GITCOMMIT="$DOCKER_GITCOMMIT"
- elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then

sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.03.ebuild

@@ -0,0 +1,28 @@
+# Copyright (c) 2017 CoreOS, Inc.. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=2
+
+DESCRIPTION="Packages to be installed in a torcx image for Docker"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+
+# Explicitly list all packages that will be built into the image.
+RDEPEND="
+	=app-emulation/docker-17.03.2
+	=app-emulation/containerd-0.2.6
+	=app-emulation/docker-proxy-0.8.0_p20161019
+	=app-emulation/docker-runc-1.0.0_rc2_p136
+	=sys-process/tini-0.13.2
+"
+
+src_install() {
+	insinto /.torcx
+	newins "${FILESDIR}/${PN}-${PV}-manifest.json" manifest.json
+
+	# Enable the Docker socket by default.
+	local unitdir=/usr/lib/systemd/system
+	dosym ../docker.socket "${unitdir}/sockets.target.wants/docker.socket"
+}

sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.09.ebuild

@@ -11,10 +11,10 @@ KEYWORDS="amd64 arm64"
 
 # Explicitly list all packages that will be built into the image.
 RDEPEND="
-	=app-emulation/docker-17.06.2-r3
-	=app-emulation/containerd-0.2.9_p7
-	=app-emulation/docker-proxy-0.8.0_p20170410-r1
-	=app-emulation/docker-runc-1.0.0_rc3_p53-r1
+	=app-emulation/docker-17.09.0
+	=app-emulation/containerd-0.2.9_p27
+	=app-emulation/docker-proxy-0.8.0_p20170917
+	=app-emulation/docker-runc-1.0.0_rc4_p25
 	=dev-libs/libltdl-2.4.6
 	=sys-process/tini-0.13.2
 "

sdk_container/src/third_party/coreos-overlay/app-torcx/docker/files/docker-17.09-manifest.json

@@ -0,0 +1,29 @@
+{
+    "kind": "image-manifest-v0",
+    "value": {
+        "bin": [
+            "/bin/containerd",
+            "/bin/containerd-shim",
+            "/bin/ctr",
+            "/bin/docker",
+            "/bin/docker-containerd",
+            "/bin/docker-containerd-shim",
+            "/bin/docker-init",
+            "/bin/docker-proxy",
+            "/bin/docker-runc",
+            "/bin/dockerd",
+            "/bin/runc",
+            "/bin/tini"
+        ],
+        "network": [
+            "/lib/systemd/network/50-docker.network",
+            "/lib/systemd/network/90-docker-veth.network"
+        ],
+        "units": [
+            "/lib/systemd/system/containerd.service",
+            "/lib/systemd/system/docker.service",
+            "/lib/systemd/system/docker.socket",
+            "/lib/systemd/system/sockets.target.wants"
+        ]
+    }
+}