From 39247c794534cb151f1cb59428973a9df3c97072 Mon Sep 17 00:00:00 2001 From: Euan Kemp Date: Fri, 5 May 2017 16:45:22 -0700 Subject: [PATCH 1/3] app-emulation/docker: Fix docker-init & cleanup Notable changes: 1.12.6: * Bump to go 1.7 * Remove go1.6-specific cflags workaround 17.04: * Remove go1.6-specific cflags workaround * Fix docker-init in the docker-17.04 ebuild * Sync with upstream a bit --- ...12.6-r3.ebuild => docker-1.12.6-r4.ebuild} | 5 +- ...4.0-r1.ebuild => docker-17.04.0-r2.ebuild} | 0 .../app-emulation/docker/docker-9999.ebuild | 64 ++++++------------- 3 files changed, 20 insertions(+), 49 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-1.12.6-r3.ebuild => docker-1.12.6-r4.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-17.04.0-r1.ebuild => docker-17.04.0-r2.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild index 5c94c1532c..1aaa094235 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild @@ -7,7 +7,7 @@ EAPI=5 CROS_WORKON_PROJECT="coreos/docker" CROS_WORKON_LOCALNAME="docker" CROS_WORKON_REPO="git://github.com" -COREOS_GO_VERSION="go1.6" +COREOS_GO_VERSION="go1.7" CROS_WORKON_COMMIT="d5236f0452873048a28c1ecd63d40513efa66542" # coreos-1.12.6 DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}" 
@@ -248,9 +248,6 @@ src_compile() { unset DOCKER_EXPERIMENTAL fi - # disable optimizations due to https://github.com/golang/go/issues/14669 - CFLAGS+=" -O0" - go_export # verbose building diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r2.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r2.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild index c190508033..c655b638bb 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild @@ -1,6 +1,5 @@ -# Copyright 1999-2015 Gentoo Foundation +# Copyright 1999-2017 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Id$ EAPI=5 @@ -24,8 +23,7 @@ DESCRIPTION="Docker complements kernel namespacing with a high-level API which o HOMEPAGE="https://dockerproject.org" LICENSE="Apache-2.0" SLOT="0" -IUSE="apparmor aufs +btrfs contrib +device-mapper experimental +overlay seccomp - +selinux vim-syntax zsh-completion +journald" +IUSE="apparmor aufs +btrfs +container-init +device-mapper +overlay pkcs11 +journald seccomp +selinux vim-syntax zsh-completion" # https://github.com/docker/docker/blob/v17.04.0-ce/project/PACKAGERS.md#build-dependencies CDEPEND=" @@ -36,9 +34,6 @@ CDEPEND=" seccomp? ( >=sys-libs/libseccomp-2.2.1[static-libs] ) - journald? ( - >=sys-apps/systemd-225 - ) " DEPEND=" 
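Review bot: Removing `journald? ( >=sys-apps/systemd-225 )` from CDEPEND leaves the `journald` USE flag with no declared dependency, yet `journald` stays in IUSE (default-on) and is still appended to DOCKER_BUILDTAGS by the `for tag in apparmor pkcs11 seccomp selinux journald` loop in src_compile further down. The journald log driver is compiled with cgo against libsystemd, so unless the base image is guaranteed to provide it the build dependency has merely become implicit; if that is the intent, say so next to the remaining CDEPEND entries, e.g. `# journald: libsystemd is provided by the base system, so no CDEPEND here`, otherwise keep the entry. The new `pkcs11` flag in the IUSE hunk above has no dependency in this diff either, and as far as I know that build tag also needs a native library (libltdl), so confirm it is covered elsewhere.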
@@ -69,6 +64,7 @@ RDEPEND=" =app-emulation/containerd-0.2.3_p109[seccomp?] =app-emulation/runc-1.0.0_rc2_p137[apparmor?,seccomp?] app-emulation/docker-proxy + container-init? ( >=sys-process/tini-0.13.1 ) " RESTRICT="installsources strip" @@ -77,24 +73,29 @@ RESTRICT="installsources strip" CONFIG_CHECK=" ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG - ~KEYS ~MACVLAN ~VETH ~BRIDGE ~BRIDGE_NETFILTER - ~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_MANGLE ~IP_NF_TARGET_MASQUERADE - ~IP_VS ~IP_VS_RR + ~KEYS + ~VETH ~BRIDGE ~BRIDGE_NETFILTER + ~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK - ~NETFILTER_XT_MATCH_IPVS - ~NETFILTER_XT_MARK ~NETFILTER_XT_TARGET_REDIRECT ~NF_NAT ~NF_NAT_NEEDED - ~POSIX_MQUEUE + ~USER_NS + ~SECCOMP + ~CGROUP_PIDS ~MEMCG_SWAP ~MEMCG_SWAP_ENABLED - ~BLK_CGROUP ~IOSCHED_CFQ + ~BLK_CGROUP ~BLK_DEV_THROTTLING ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED ~CGROUP_PERF ~CGROUP_HUGETLB ~NET_CLS_CGROUP ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED ~RT_GROUP_SCHED + ~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR + + ~VXLAN ~XFRM_ALGO ~XFRM_USER + ~IPVLAN + ~MACVLAN ~DUMMY " ERROR_KEYS="CONFIG_KEYS: is mandatory" @@ -112,7 +113,7 @@ pkg_setup() { if kernel_is lt 3 10; then ewarn "" ewarn "Using Docker with kernels older than 3.10 is unstable and unsupported." - ewarn " - http://docs.docker.com/installation/binaries/#check-kernel-dependencies" + ewarn " - http://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies" fi # for where these kernel versions come from, see: @@ -170,6 +171,7 @@ pkg_setup() { if use btrfs; then CONFIG_CHECK+=" ~BTRFS_FS + ~BTRFS_FS_POSIX_ACL " fi @@ -185,12 +187,6 @@ pkg_setup() { " fi - if use seccomp; then - CONFIG_CHECK+=" - ~SECCOMP - " - fi - linux-info_pkg_setup # create docker group for the code checking for it in /etc/group 
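Review bot: The `container-init? ( >=sys-process/tini-0.13.1 )` line only expresses the runtime dependency; what dockerd actually looks for when `--init` is used is, as far as I know, an executable named `docker-init`, and nothing in the visible hunks provides that name or ties it to the `container-init` flag. If src_install (outside this hunk) already installs or symlinks `docker-init` to tini under `use container-init`, a short comment here pointing at it would help, since the commit subject advertises this as the docker-init fix. Otherwise the flag pulls in tini but the daemon would still not find its init binary.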
@@ -234,29 +230,12 @@ src_compile() { fi done - for tag in apparmor seccomp selinux journald; do + for tag in apparmor pkcs11 seccomp selinux journald; do if use $tag; then DOCKER_BUILDTAGS+=" $tag" fi done - if has_version ' Date: Fri, 5 May 2017 17:05:55 -0700 Subject: [PATCH 2/3] app-emulation/docker: restart on-failure This also syncs a few other small changes from upstream. See https://github.com/moby/moby/pull/30210 for the network-online change / bugs references. There doesn't appear to be a reason the socket's user differed from upstream, so there's no intended meaning to that change beyond syncing with upstream. --- .../app-emulation/docker/files/docker.service | 9 ++++++++- .../app-emulation/docker/files/docker.socket | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service index adc12da849..2b6470ecdd 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service @@ -1,7 +1,8 @@ [Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.com -After=containerd.service docker.socket network.target +After=containerd.service docker.socket network-online.target +Wants=network-online.target Requires=containerd.service docker.socket [Service] @@ -24,6 +25,12 @@ TasksMax=infinity TimeoutStartSec=0 # set delegate yes so that systemd does not reset the cgroups of docker containers Delegate=yes +# kill only the docker process, not all processes in the cgroup +KillMode=process +# restart the docker process if it exits prematurely +Restart=on-failure +StartLimitBurst=3 +StartLimitInterval=60s [Install] WantedBy=multi-user.target 
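Review bot: `KillMode=process` changes what `systemctl stop docker` does: only the main dockerd process receives the stop signal, and every other process in the unit's cgroup (with containerd in its own unit here, at least the docker-proxy helpers dockerd forks) keeps running afterwards. That is presumably deliberate so that workloads survive a daemon crash under the new `Restart=on-failure`, but the comment only states what the setting does; I'd extend it to `# kill only the docker process, not all processes in the cgroup, so they survive a daemon crash/restart and a manual stop`. Also, on systemd 230 and later `StartLimitBurst`/`StartLimitInterval` are [Unit] settings (`StartLimitIntervalSec` there); the [Service] spellings are still accepted for compatibility, so this works, but it is worth a note for whoever next moves them.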
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket
index 5a96c40f83..53133c4f8f 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket
@@ -5,7 +5,7 @@ PartOf=docker.service
 [Socket]
 ListenStream=/var/run/docker.sock
 SocketMode=0660
-SocketUser=docker
+SocketUser=root
 SocketGroup=docker
 
 [Install]
From 1d499f2ce4e2ff5ecf1978f86ce6da528b4ebcee Mon Sep 17 00:00:00 2001
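Review bot: Switching `SocketUser=docker` to `SocketUser=root` is access-neutral only because `SocketMode=0660` and `SocketGroup=docker` stay as they are, so membership in group `docker` remains the one non-root path to the API socket, and that access is root-equivalent. The commit message says the change has no intended meaning; recording that in the unit keeps a later edit to the mode or group from being treated as cosmetic, e.g. `# root:docker 0660 — group membership grants full (root-equivalent) daemon access`. If a `docker` system user existed only to own this socket it is now unused; the ebuild's pkg_setup appears to create only the group, so that is probably already the case.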
From: Euan Kemp Date: Tue, 9 May 2017 10:45:26 -0700 Subject: [PATCH 3/3] app-emulation/docker: deprecate dockerd script This script had two main functions: 1. Select the graphdriver This functionality is now handled in the docker daemon. It defaults to overlay2 on recent docker versions, and does its own fs detection for btrfs etc. We carry a patch for 1.12.6 now to prefer overlay to devicemapper 2. Avoid enabling selinux on btrfs This no longer matters since as of v1.10, selinux on btrfs is supported. See moby/moby#16452 This PR replaces that original functionality with a simpler systemd environment variable, which is also more in-line with what we do for other similar choices. The environment variable is also more discoverable and easier for users to edit. Note: for backwards compatibility with DOCKER_OPTS=--selinux-enabled=false (to make that take precedence), we intentionally put the environment variable as the first option. However, for backwards compatibility with older units, we also retain the script. We are able to remove the graphdriver detection/selection since that behavior now happens appropriately in docker, but we need to keep the selinux defaulting so that people who are executing the script and expecting selinux to work (e.g. if they copied an old docker.service) will continue to get selinux as expected. --- ...12.6-r4.ebuild => docker-1.12.6-r5.ebuild} | 3 +- ...4.0-r2.ebuild => docker-17.04.0-r3.ebuild} | 0 .../app-emulation/docker/docker-9999.ebuild | 1 + .../app-emulation/docker/files/docker.service | 3 +- .../app-emulation/docker/files/dockerd | 59 ++----------------- 5 files changed, 10 insertions(+), 56 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-1.12.6-r4.ebuild => docker-1.12.6-r5.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-17.04.0-r2.ebuild => docker-17.04.0-r3.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild index 1aaa094235..4fd32b6442 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild @@ -9,7 +9,7 @@ CROS_WORKON_LOCALNAME="docker" CROS_WORKON_REPO="git://github.com" COREOS_GO_VERSION="go1.7" -CROS_WORKON_COMMIT="d5236f0452873048a28c1ecd63d40513efa66542" # coreos-1.12.6 +CROS_WORKON_COMMIT="a82d35e3daba1a2cd48c66e57a4f9975c39c45c6" # coreos-1.12.6 DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}" KEYWORDS="amd64 arm64" @@ -270,6 +270,7 @@ src_install() { newconfd contrib/init/openrc/docker.confd docker exeinto /usr/lib/coreos + # Create /usr/lib/coreos/dockerd script for backwards compatibility doexe "${FILESDIR}/dockerd" systemd_dounit "${FILESDIR}/docker.service" diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r3.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.04.0-r3.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild index c655b638bb..1c690e9451 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild @@ -258,6 +258,7 @@ src_install() { newconfd contrib/init/openrc/docker.confd docker exeinto /usr/lib/coreos + # Create /usr/lib/coreos/dockerd for backwards compatibility doexe "${FILESDIR}/dockerd" systemd_dounit "${FILESDIR}/docker.service" diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service index 2b6470ecdd..a8f1bf4ef5 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service @@ -8,11 +8,12 @@ Requires=containerd.service docker.socket [Service] Type=notify EnvironmentFile=-/run/flannel/flannel_docker_opts.env +Environment=DOCKER_SELINUX=--selinux-enabled=true # the default is not to use systemd for cgroups because the delegate issues still # exists and systemd currently does not support the cgroup feature set required # for containers run by docker -ExecStart=/usr/lib/coreos/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ +ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ ExecReload=/bin/kill -s HUP $MAINPID LimitNOFILE=1048576 # Having non-zero Limit*s causes performance problems due to accounting overhead diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd index 9260e127d8..2a94d06561 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd 
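Review bot: The reason `$DOCKER_SELINUX` sits before `$DOCKER_OPTS` on the new ExecStart line, so that a `--selinux-enabled=false` in DOCKER_OPTS still wins, lives only in the commit message; anyone tidying the unit can reorder the variables without noticing. Put it in the unit itself: `# DOCKER_SELINUX comes first so that DOCKER_OPTS=--selinux-enabled=false still overrides the default`. That override depends on dockerd applying repeated flags in order with the last one winning, which its flag parser does as far as I know, so the comment is worth one sentence. The [Service] section continues outside the hunk.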
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd @@ -1,5 +1,7 @@ #!/bin/bash -# Wrapper for launching docker daemons with an appropriate backend. +# Wrapper for launching docker daemons with selinux default on +# This wrapper script has been deprecated (euank: 2017-05-09) and is retained +# for backwards compatibility. set -e @@ -16,14 +18,6 @@ parse_docker_args() { fi case "${flag}" in - -g|--graph) - ARG_ROOT="$1" - shift - ;; - -s|--storage-driver) - ARG_DRIVER="$1" - shift - ;; --selinux-enabled) ARG_SELINUX="$1" shift @@ -35,56 +29,13 @@ parse_docker_args() { done } -select_docker_driver() { - local fstype - - # mimic docker's behavior to ensure we stat the right filesystem. - if [[ -L "${ARG_ROOT}" ]]; then - ARG_ROOT="$(readlink -f "${ARG_ROOT}")" - fi - - mkdir --parents --mode=0700 "${ARG_ROOT}" - fstype=$(findmnt --noheadings --output FSTYPE --target "${ARG_ROOT}") - - case "${fstype}" in - btrfs) - export DOCKER_DRIVER=btrfs - ;; - ext4|tmpfs|xfs) # As of 4.1 - export DOCKER_DRIVER=overlay - ;; - *) - # Fall back to whatever docker's default behavior is. - ;; - esac -} - -# Enable selinux except when known to be unsupported (btrfs). -maybe_enable_selinux() { - case "${DOCKER_DRIVER}" in - btrfs) - USE_SELINUX="" - ;; - *) - # Enable for everything else. - USE_SELINUX="--selinux-enabled" - ;; - esac -} - -ARG_ROOT="/var/lib/docker" -ARG_DRIVER="" parse_docker_args "$@" -# Do not override the driver if it is already explicitly configured. -if [[ -z "${ARG_DRIVER}" && -z "${DOCKER_DRIVER}" ]]; then - select_docker_driver -fi - USE_SELINUX="" # Do not override selinux if it is already explicitly configured. if [[ -z "${ARG_SELINUX}" ]]; then - maybe_enable_selinux + # If unspecified, default on + USE_SELINUX="--selinux-enabled" fi exec dockerd "$@" ${USE_SELINUX}
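Review bot: The new default block keys on `-z "${ARG_SELINUX}"`, but the retained `--selinux-enabled)` arm stores the following word (`ARG_SELINUX="$1"`) rather than a marker, so `--selinux-enabled` given as the last argument leaves ARG_SELINUX empty and the script appends a second `--selinux-enabled`; harmless for a boolean flag, but a sentinel like `ARG_SELINUX=1` in that arm would make the test mean what it says (whether `--selinux-enabled=false` is split into flag and value happens above the hunk, so I cannot tell if that spelling is honoured). Separately, docker.service now runs `/usr/bin/dockerd` while this compatibility script still does `exec dockerd "$@" ${USE_SELINUX}` via PATH lookup; using the same absolute path keeps both entry points launching the same binary. The unquoted `${USE_SELINUX}` is deliberate — quoting it would pass an empty argument when no default is applied — and deserves a one-line comment saying so. parse_docker_args begins outside this hunk.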