Merge pull request #2562 from euank/fixup-docker

deprecate dockerd script, misc fixups

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.6-r5.ebuild

@@ -7,9 +7,9 @@ EAPI=5
 CROS_WORKON_PROJECT="coreos/docker"
 CROS_WORKON_LOCALNAME="docker"
 CROS_WORKON_REPO="git://github.com"
-COREOS_GO_VERSION="go1.6"
+COREOS_GO_VERSION="go1.7"
 
-CROS_WORKON_COMMIT="d5236f0452873048a28c1ecd63d40513efa66542" # coreos-1.12.6
+CROS_WORKON_COMMIT="a82d35e3daba1a2cd48c66e57a4f9975c39c45c6" # coreos-1.12.6
 DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
 KEYWORDS="amd64 arm64"
 
@@ -248,9 +248,6 @@ src_compile() {
 		unset DOCKER_EXPERIMENTAL
 	fi
 
-	# disable optimizations due to https://github.com/golang/go/issues/14669
-	CFLAGS+=" -O0"
-
 	go_export
 
 	# verbose building
@@ -273,6 +270,7 @@ src_install() {
 	newconfd contrib/init/openrc/docker.confd docker
 
 	exeinto /usr/lib/coreos
+	# Create /usr/lib/coreos/dockerd script for backwards compatibility
 	doexe "${FILESDIR}/dockerd"
 
 	systemd_dounit "${FILESDIR}/docker.service"

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild

@@ -1,6 +1,5 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
 
 EAPI=5
 
@@ -24,8 +23,7 @@ DESCRIPTION="Docker complements kernel namespacing with a high-level API which o
 HOMEPAGE="https://dockerproject.org"
 LICENSE="Apache-2.0"
 SLOT="0"
-IUSE="apparmor aufs +btrfs contrib +device-mapper experimental +overlay seccomp
-	+selinux vim-syntax zsh-completion +journald"
+IUSE="apparmor aufs +btrfs +container-init +device-mapper +overlay pkcs11 +journald seccomp +selinux vim-syntax zsh-completion"
 
 # https://github.com/docker/docker/blob/v17.04.0-ce/project/PACKAGERS.md#build-dependencies
 CDEPEND="
@@ -36,9 +34,6 @@ CDEPEND="
 	seccomp? (
 		>=sys-libs/libseccomp-2.2.1[static-libs]
 	)
-	journald? (
-		>=sys-apps/systemd-225
-	)
 "
 
 DEPEND="
@@ -69,6 +64,7 @@ RDEPEND="
 	=app-emulation/containerd-0.2.3_p109[seccomp?]
 	=app-emulation/runc-1.0.0_rc2_p137[apparmor?,seccomp?]
 	app-emulation/docker-proxy
+	container-init? ( >=sys-process/tini-0.13.1 )
 "
 
 RESTRICT="installsources strip"
@@ -77,24 +73,29 @@ RESTRICT="installsources strip"
 CONFIG_CHECK="
 	~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
 	~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
-	~KEYS ~MACVLAN ~VETH ~BRIDGE ~BRIDGE_NETFILTER
-	~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_MANGLE ~IP_NF_TARGET_MASQUERADE
-	~IP_VS ~IP_VS_RR
+	~KEYS
+	~VETH ~BRIDGE ~BRIDGE_NETFILTER
+	~NF_NAT_IPV4 ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
 	~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK
-	~NETFILTER_XT_MATCH_IPVS
-	~NETFILTER_XT_MARK ~NETFILTER_XT_TARGET_REDIRECT
 	~NF_NAT ~NF_NAT_NEEDED
-
 	~POSIX_MQUEUE
 
+	~USER_NS
+	~SECCOMP
+	~CGROUP_PIDS
 	~MEMCG_SWAP ~MEMCG_SWAP_ENABLED
 
-	~BLK_CGROUP ~IOSCHED_CFQ
+	~BLK_CGROUP ~BLK_DEV_THROTTLING ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
 	~CGROUP_PERF
 	~CGROUP_HUGETLB
 	~NET_CLS_CGROUP
 	~CFS_BANDWIDTH ~FAIR_GROUP_SCHED ~RT_GROUP_SCHED
+	~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
+
+	~VXLAN
 	~XFRM_ALGO ~XFRM_USER
+	~IPVLAN
+	~MACVLAN ~DUMMY
 "
 
 ERROR_KEYS="CONFIG_KEYS: is mandatory"
@@ -112,7 +113,7 @@ pkg_setup() {
 	if kernel_is lt 3 10; then
 		ewarn ""
 		ewarn "Using Docker with kernels older than 3.10 is unstable and unsupported."
-		ewarn " - http://docs.docker.com/installation/binaries/#check-kernel-dependencies"
+		ewarn " - http://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies"
 	fi
 
 	# for where these kernel versions come from, see:
@@ -170,6 +171,7 @@ pkg_setup() {
 	if use btrfs; then
 		CONFIG_CHECK+="
 			~BTRFS_FS
+			~BTRFS_FS_POSIX_ACL
 		"
 	fi
 
@@ -185,12 +187,6 @@ pkg_setup() {
 		"
 	fi
 
-	if use seccomp; then
-		CONFIG_CHECK+="
-			~SECCOMP
-		"
-	fi
-
 	linux-info_pkg_setup
 
 	# create docker group for the code checking for it in /etc/group
@@ -234,29 +230,12 @@ src_compile() {
 		fi
 	done
 
-	for tag in apparmor seccomp selinux journald; do
+	for tag in apparmor pkcs11 seccomp selinux journald; do
 		if use $tag; then
 			DOCKER_BUILDTAGS+=" $tag"
 		fi
 	done
 
-	if has_version '<sys-fs/lvm2-2.02.110' ; then
-		# Docker uses the host files when testing features, so force
-		# docker to not use dm_task_deferred_remove to cover cross
-		# builds.
-		DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
-	fi
-
-	# https://github.com/docker/docker/pull/13338
-	if use experimental; then
-		export DOCKER_EXPERIMENTAL=1
-	else
-		unset DOCKER_EXPERIMENTAL
-	fi
-
-	# disable optimizations due to https://github.com/golang/go/issues/14669
-	CFLAGS+=" -O0"
-
 	go_export
 
 	# verbose building
@@ -273,11 +252,13 @@ src_install() {
 	dosym containerd /usr/bin/docker-containerd
 	dosym containerd-shim /usr/bin/docker-containerd-shim
 	dosym runc /usr/bin/docker-runc
+	use container-init && dosym tini /usr/bin/docker-init
 
 	newinitd contrib/init/openrc/docker.initd docker
 	newconfd contrib/init/openrc/docker.confd docker
 
 	exeinto /usr/lib/coreos
+	# Create /usr/lib/coreos/dockerd for backwards compatibility
 	doexe "${FILESDIR}/dockerd"
 
 	systemd_dounit "${FILESDIR}/docker.service"
@@ -304,12 +285,6 @@ src_install() {
 		doins -r contrib/syntax/vim/ftdetect
 		doins -r contrib/syntax/vim/syntax
 	fi
-
-	if use contrib; then
-		# note: intentionally not using "doins" so that we preserve +x bits
-		mkdir -p "${D}/usr/share/${PN}/contrib"
-		cp -R contrib/* "${D}/usr/share/${PN}/contrib"
-	fi
 }
 
 pkg_postinst() {

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service

@@ -1,17 +1,19 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
-After=containerd.service docker.socket network.target
+After=containerd.service docker.socket network-online.target
+Wants=network-online.target
 Requires=containerd.service docker.socket
 
 [Service]
 Type=notify
 EnvironmentFile=-/run/flannel/flannel_docker_opts.env
+Environment=DOCKER_SELINUX=--selinux-enabled=true
 
 # the default is not to use systemd for cgroups because the delegate issues still
 # exists and systemd currently does not support the cgroup feature set required
 # for containers run by docker
-ExecStart=/usr/lib/coreos/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
 ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
 # Having non-zero Limit*s causes performance problems due to accounting overhead
@@ -24,6 +26,12 @@ TasksMax=infinity
 TimeoutStartSec=0
 # set delegate yes so that systemd does not reset the cgroups of docker containers
 Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
 
 [Install]
 WantedBy=multi-user.target

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket

@@ -5,7 +5,7 @@ PartOf=docker.service
 [Socket]
 ListenStream=/var/run/docker.sock
 SocketMode=0660
-SocketUser=docker
+SocketUser=root
 SocketGroup=docker
 
 [Install]

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd

@@ -1,5 +1,7 @@
 #!/bin/bash
-# Wrapper for launching docker daemons with an appropriate backend.
+# Wrapper for launching docker daemons with selinux default on
+# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
+# for backwards compatibility.
 
 set -e
 
@@ -16,14 +18,6 @@ parse_docker_args() {
         fi
 
         case "${flag}" in
-            -g|--graph)
-                ARG_ROOT="$1"
-                shift
-                ;;
-            -s|--storage-driver)
-                ARG_DRIVER="$1"
-                shift
-                ;;
             --selinux-enabled)
                 ARG_SELINUX="$1"
                 shift
@@ -35,56 +29,13 @@ parse_docker_args() {
     done
 }
 
-select_docker_driver() {
-    local fstype
-
-    # mimic docker's behavior to ensure we stat the right filesystem.
-    if [[ -L "${ARG_ROOT}" ]]; then
-        ARG_ROOT="$(readlink -f "${ARG_ROOT}")"
-    fi
-
-    mkdir --parents --mode=0700 "${ARG_ROOT}"
-    fstype=$(findmnt --noheadings --output FSTYPE --target "${ARG_ROOT}")
-
-    case "${fstype}" in
-        btrfs)
-            export DOCKER_DRIVER=btrfs
-            ;;
-        ext4|tmpfs|xfs) # As of 4.1
-            export DOCKER_DRIVER=overlay
-            ;;
-        *)
-            # Fall back to whatever docker's default behavior is.
-            ;;
-    esac
-}
-
-# Enable selinux except when known to be unsupported (btrfs).
-maybe_enable_selinux() {
-    case "${DOCKER_DRIVER}" in
-        btrfs)
-            USE_SELINUX=""
-            ;;
-        *)
-            # Enable for everything else.
-            USE_SELINUX="--selinux-enabled"
-            ;;
-    esac
-}
-
-ARG_ROOT="/var/lib/docker"
-ARG_DRIVER=""
 parse_docker_args "$@"
 
-# Do not override the driver if it is already explicitly configured.
-if [[ -z "${ARG_DRIVER}" && -z "${DOCKER_DRIVER}" ]]; then
-    select_docker_driver
-fi
-
 USE_SELINUX=""
 # Do not override selinux if it is already explicitly configured.
 if [[ -z "${ARG_SELINUX}" ]]; then
-        maybe_enable_selinux
+        # If unspecified, default on
+        USE_SELINUX="--selinux-enabled"
 fi
 
 exec dockerd "$@" ${USE_SELINUX}