Merge pull request #2368 from euank/update-docker

Update docker

sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest

@@ -1 +1 @@
-DIST containerd-0.2.3.tar.gz 997239 SHA256 247c459179b451cb235354d3f23876ad1a326a6bda430608f9306beeb0364287 SHA512 f850ea7558a3c772930d42352d7913ec00ec24536676720f8872153ec87b92785259645648d885bb5b27514ca01de7f207a931665c3074e787d8b74b48c51952 WHIRLPOOL ac5f5f38ce874146571017bb5ac0229af43782ccf7eb378c6c39ecfb4725cf6941a12a1b05b9a6840a75c85599a881d429eaea030148356a36d2b401874e01e4
+DIST containerd-0.2.5.tar.gz 1003500 SHA256 88e099af66b50abe7f2159f13bdab793fa5199d8d5b9a9ef7a68171abb4359be SHA512 ba1e074bb7556a7c4be4d68dc62aa2fa4b823682c209d1609c1f11518a7b7167139ea159d31e0b21ba190d83115a67e5e45b54b6a4770742d49e9e561309551f WHIRLPOOL eb3622ba99c4d4806bda9a45853422a5b0b884869ed3be4c3caec4c20f49027e8db78b9885eca7bc83a0f3b08e9a66eca950390f0eda1ef2535fd3ab41623bf4

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild

@@ -13,7 +13,7 @@ if [[ ${PV} == *9999 ]]; then
 	DOCKER_GITCOMMIT="unknown"
 	KEYWORDS="~amd64 ~arm64"
 else
-	CROS_WORKON_COMMIT="58b471c7e83faa71c6737ad9de8fe8d4df6269a6" # coreos-1.12.5
+	CROS_WORKON_COMMIT="d5236f0452873048a28c1ecd63d40513efa66542" #coreos-1.12.6
 	DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
 	KEYWORDS="amd64 arm64"
 fi
@@ -66,8 +66,8 @@ RDEPEND="
 	>=app-arch/xz-utils-4.9
 	>=sys-apps/shadow-4.4
 
-	>=app-emulation/containerd-0.2.3[seccomp?]
-	>=app-emulation/runc-1.0.0_rc1_p20160615[apparmor?,seccomp?]
+	>=app-emulation/containerd-0.2.5[seccomp?]
+	>=app-emulation/runc-1.0.0_rc2-r2[apparmor?,seccomp?]
 "
 
 RESTRICT="installsources strip"

sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest

@@ -1 +1 @@
-DIST runc-1.0.0_rc1_p20160615.tar.gz 535401 SHA256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776 SHA512 0bf8ce3bb15caaf09214f23a411003fd5b660d291662ad513c3d944647a0fa9b270d18902706b7e6aa3c30eb0f676e73af46b8249d1e2484e1dc40d6ffd5a80d WHIRLPOOL 9d15d069e00fe38e2bbda84b477dc0cf9f3431d3587919a80164d550a6d882d8742a5c2a8cdb7645509dec8d55b545912c0287785d0ca7e79acc0a08eace6f47
+DIST runc-1.0.0_rc2.tar.gz 550449 SHA256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 SHA512 83a3d45efbb86d3d583b96062202b9e60121d250af2c0dd37d07fda574b642aa6f05e29cac6644ad3d624647400db694082e280383e41ca9f31dc0a33b87ed76 WHIRLPOOL 990a45739689db80bbeed43b0fd3a4ce4d0563ea833361b9112e750782313f19e638c4bfbd455f5dd1882d64c724dcf0213701322029c2c9f98f624863c744f3

sdk_container/src/third_party/coreos-overlay/app-emulation/runc/files/0002-Add-security-patches-for-runc.patch

@@ -1,112 +0,0 @@
-From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
-From: Michael Crosby <crosbymichael@gmail.com>
-Date: Wed, 7 Dec 2016 15:05:51 -0800
-Subject: [PATCH] Set init processes as non-dumpable
-
-This sets the init processes that join and setup the container's
-namespaces as non-dumpable before they setns to the container's pid (or
-any other ) namespace.
-
-This settings is automatically reset to the default after the Exec in
-the container so that it does not change functionality for the
-applications that are running inside, just our init processes.
-
-This prevents parent processes, the pid 1 of the container, to ptrace
-the init process before it drops caps and other sets LSMs.
-
-This patch also ensures that the stateDirFD being used is still closed
-prior to exec, even though it is set as O_CLOEXEC, because of the order
-in the kernel.
-
-https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-
-The order during the exec syscall is that the process is set back to
-dumpable before O_CLOEXEC are processed.
-
-Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
----
- libcontainer/init_linux.go          | 3 ++-
- libcontainer/nsenter/nsexec.c       | 5 +++++
- libcontainer/setns_init_linux.go    | 7 ++++++-
- libcontainer/standard_init_linux.go | 3 +++
- 4 files changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
-index b1e6762..4043d51 100644
---- a/libcontainer/init_linux.go
-+++ b/libcontainer/init_linux.go
-@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
- 	switch t {
- 	case initSetns:
- 		return &linuxSetnsInit{
--			config: config,
-+			config:     config,
-+			stateDirFD: stateDirFD,
- 		}, nil
- 	case initStandard:
- 		return &linuxStandardInit{
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index b93f827..4b5398b 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -362,6 +362,12 @@ void nsexec(void)
- 	if (pipenum == -1)
- 		return;
- 
-+	/* make the process non-dumpable */
-+	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
-+		pr_perror("failed to set process as non-dumpable");
-+		exit(1);
-+	}
-+
- 	// Retrieve the netlink header
- 	struct nlmsghdr nl_msg_hdr;
- 
-diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
-index 2a8f345..7f5f182 100644
---- a/libcontainer/setns_init_linux.go
-+++ b/libcontainer/setns_init_linux.go
-@@ -5,6 +5,7 @@ package libcontainer
- import (
- 	"fmt"
- 	"os"
-+	"syscall"
- 
- 	"github.com/opencontainers/runc/libcontainer/apparmor"
- 	"github.com/opencontainers/runc/libcontainer/keys"
-@@ -16,7 +17,8 @@ import (
- // linuxSetnsInit performs the container's initialization for running a new process
- // inside an existing container.
- type linuxSetnsInit struct {
--	config *initConfig
-+	config     *initConfig
-+	stateDirFD int
- }
- 
- func (l *linuxSetnsInit) getSessionRingName() string {
-@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
- 	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- 		return err
- 	}
-+	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+	syscall.Close(l.stateDirFD)
- 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
- }
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 2104f1a..6a65154 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
- 			return newSystemErrorWithCause(err, "init seccomp")
- 		}
- 	}
-+	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
-+	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
-+	syscall.Close(l.stateDirFD)
- 	if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
- 		return newSystemErrorWithCause(err, "exec user process")
- 	}
--- 
-2.11.0
-

sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc2-r2.ebuild

@@ -8,8 +8,8 @@ GITHUB_URI="github.com/opencontainers/runc"
 COREOS_GO_PACKAGE="${GITHUB_URI}"
 COREOS_GO_VERSION="go1.6"
 # the commit of runc that docker uses.
-# see https://github.com/docker/docker/blob/v1.12.0/Dockerfile#L236
-COMMIT_ID="cc29e3dded8e27ba8f65738f40d251c885030a28"
+# see https://github.com/docker/docker/blob/v1.12.6/Dockerfile#L245
+COMMIT_ID="50a19c6ff828c58e5dab13830bd3dacde268afe5"
 
 inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
 
@@ -31,7 +31,6 @@ RDEPEND="
 
 src_prepare() {
 	epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
-	epatch "${FILESDIR}/0002-Add-security-patches-for-runc.patch"
 
 	# Work around https://github.com/golang/go/issues/14669
 	# Remove after updating to go1.7