Merge pull request #2317 from flatcar/containerd-1.7.22-main

upgrade Go, Runc, Docker and Containerd
2025-08-16 01:16:59 +02:00 · 2024-10-02 16:50:39 +02:00 · 2024-10-02 16:50:39 +02:00 · e7c66ef410
commit e7c66ef410
parent 0f9c68d263 04fc05be43
17 changed files with 499 additions and 8 deletions
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
@ -6,6 +6,9 @@ rootfs="${1}"
 # Remove debug and contrib
 echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
 rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
+# For Docker 27.2.1, two files are symlinked to /usr/share/docker/contrib
+# There were previously shipped directly in /usr/share/docker/contrib folder
+rm -f "${rootfs}/usr/bin/dockerd-rootless-setuptool.sh" "${rootfs}/usr/bin/dockerd-rootless.sh"

 script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
--- a/changelog/security/2024-09-27-docker-go.md
+++ b/changelog/security/2024-09-27-docker-go.md
@ -0,0 +1,3 @@
+- docker ([CVE-2024-41110](https://nvd.nist.gov/vuln/detail/CVE-2024-41110))
+- Go ([CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155), [CVE-2024-34156](https://nvd.nist.gov/vuln/detail/CVE-2024-34156), [CVE-2024-34158](https://nvd.nist.gov/vuln/detail/CVE-2024-34158))
+- runc ([CVE-2024-45310](https://nvd.nist.gov/vuln/detail/CVE-2024-45310))
--- a/changelog/updates/2024-09-27-containerd-docker-go-runc.md
+++ b/changelog/updates/2024-09-27-containerd-docker-go-runc.md
@ -0,0 +1,4 @@
+- containerd ([1.7.22](https://github.com/containerd/containerd/releases/tag/v1.7.22))
+- docker ([27.2.1](https://docs.docker.com/engine/release-notes/27/#2721), includes changes from [26.1.0](https://docs.docker.com/engine/release-notes/26.1/#2610)))
+- Go ([1.22.7](https://go.dev/doc/devel/release#go1.22.7))
+- runc ([1.1.14](https://github.com/opencontainers/runc/releases/tag/v1.1.14))
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
@ -1,4 +1,4 @@
 DIST containerd-1.7.1.tar.gz 9682254 BLAKE2B f168070caf2b76f0be350a98f41bfdbfe6d78344d68821fb92a29f839a6e847d795e5b79436e36f985aa88028ff1c3f44f134cf6bd502ddac22453a457bd952b SHA512 e9b00ba8f4dd1b5b1088060d3822f684611d43b367ddfeb1bee1660140af85f31e9c9bfc600a67e8fc8645a625dc4e1919d9af7291bdeaa607bff7065a4fc945
 DIST containerd-1.7.2.tar.gz 9688701 BLAKE2B d31cd0e96bb2675390cc63d06114e37d532b7c666b3ffc5b0087dfcef8de23559471f08bf8a52b164c5f645faf1b8102ab2ccdd8ec417a1c74336097f0c3a899 SHA512 c0d4c02991b7e9fc341c4ef3df2d93097f5854a51b99596ed95436a79f7a586820bb8bb7c17fc43b5f38d97ea942e59490fbbf6c9710391ef9caae3d34627bc5
-DIST containerd-1.7.21.tar.gz 10188737 BLAKE2B 0a3eef5bd97b4249963d6e6b80652e2abef0ac7ece726d15efc3b1d364b3525ac7602afecfde3d376bdbec7d5ca39636e09dd8d2a96c420012ef4232afc2a6dd SHA512 fba998c8d7f2907b3e5fb09c3947c3272661ec33379c611c5110ca0151812adcd70ff6b837e97a5d4228d685902276eeb98cd82bb4c46149686e169e81943c75
+DIST containerd-1.7.22.tar.gz 10189969 BLAKE2B b1fac9764a8bac0b883849786bd20c9a8e64d764186c6362978faec5ba360636caccc6c1a7c51c6781aa51f96a4e713968d1e86b54b6fe2fa9e3dfcc07727e64 SHA512 9572f2b0f49365cc3888999a0c0b7d29694922f0cbefb33e1fbbfc71781cde402537da3a23e36fd3a600a1d819bcef9acbeee423df2699fa9e3f07cfde7f9128
 DIST containerd-1.7.6.tar.gz 9714550 BLAKE2B 863df1a8ab0f0fe6ec62893ed64824763c1b5230fe830fa268820ce0d6254c79e1ac62ab1261a74785b86b01dff83ea9109a899857fa47a48f2cf2eaf298fea8 SHA512 8b7e13c6ea544754ba7d53092d143f3fd2224b9bc874a33d8a00b781e719927f1b22ad5cd1e35b7b95e4890e630f4b92308549a970587ccdf9dbb8eb470e2703
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.22.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.22.ebuild
@ -3,7 +3,7 @@

 EAPI=8
 inherit go-module systemd
-GIT_REVISION=174e0d1785eeda18dc2beba45e1d5a188771636b
+GIT_REVISION=b2ce781edcbd6cb758f172ecab61c79d607cc41d

 DESCRIPTION="A daemon to control runC"
 HOMEPAGE="https://containerd.io/"
@ -22,7 +22,7 @@ DEPEND="
 # recommended version of runc is found in script/setup/runc-version
 RDEPEND="
 	${DEPEND}
-	~app-containers/runc-1.1.13[apparmor?,seccomp?]
+	~app-containers/runc-1.1.14[apparmor?,seccomp?]
 "

 BDEPEND="
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r212.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r212.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@ -36,7 +36,7 @@ RDEPEND="${RDEPEND}
 	app-text/xmlto
 	dev-build/gtk-doc-am
 	dev-lang/go-bootstrap
-	dev-lang/go:1.21
+	dev-lang/go:1.22
 	dev-lang/nasm
 	=dev-lang/python-3*
 	dev-lang/swig
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/Manifest
@ -1 +1 @@
-DIST go1.21.13.src.tar.gz 26997630 BLAKE2B 41098fcd889b0501b2580933b144b317e28f86aee30352f32fafdc66f7607677a62927104b10702f01464fe3eff3ed2999c9913756ed8526df49f523c8a6f945 SHA512 f316984154ead8256d9ec0613e3cfef5699553387d87c24bb2a96265f986bf4450838e6451841def3713d65ebaa9bf55e36ff39c5690d79522e1c1ba7655be2f
+DIST go1.22.7.src.tar.gz 27562038 BLAKE2B c4dd868ac6966029fd72e61d9c82ac26162f4eb26f77a3a6a7e8bc609223069c004786066ca66f24f4d595de1da4f4ee18b368f80ac94e832c8bd9edde407094 SHA512 60b37916e31c3482e8395580a29757971df5e1783dc13a9914261007e07aa8b1b9c1a0b874883e297903e16c7831117b8f814aeff0a0d4398948c97c9d73b73a
--- a/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.21.13.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-lang/go/go-1.21.13.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-go-depend.eclass
@ -13,7 +13,7 @@
 # @CODE
 # COREOS_GO_VERSION=go1.20
 # @CODE
-export COREOS_GO_VERSION="${COREOS_GO_VERSION:-go1.21}"
+export COREOS_GO_VERSION="${COREOS_GO_VERSION:-go1.22}"

 case "${EAPI:-0}" in
 	5|6) DEPEND="dev-lang/go:${COREOS_GO_VERSION#go}=" ;;
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@ -8,7 +8,7 @@
 # (the following packages are "unstable" upstream; we're stabilising these)

 # Handled by automation
-=app-containers/containerd-1.7.21 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-08-30 08:19:45
+=app-containers/containerd-1.7.22 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-09-13 08:19:35

 # Keep versions on both arches in sync.
 =app-containers/cri-tools-1.27.0 ~arm64
@ -20,7 +20,7 @@
 # modifications made to the ebuilds were clobbered, so these are here
 # to keep using the same version. Can be dropped when these or newer
 # get stabilized in Gentoo.
-=app-containers/runc-1.1.13 ~amd64 ~arm64
+=app-containers/runc-1.1.14 ~amd64 ~arm64

 # Seems to be the only available ebuild in portage-stable right now.
 =app-crypt/adcli-0.9.2 ~arm64
@ -109,3 +109,7 @@ dev-util/catalyst ~amd64 ~arm64
 =virtual/perl-Exporter-5.780.0 ~arm64
 =virtual/perl-File-Spec-3.900.0 ~arm64
 =virtual/perl-IO-1.550.0 ~arm64
+
+# Accept unstable for Docker and its CLI.
+=app-containers/docker-27.2.1 ~amd64 ~arm64
+=app-containers/docker-cli-27.2.1 ~amd64 ~arm64
--- a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
@ -2,3 +2,4 @@ DIST docker-cli-26.1.0-man.tar.xz 79004 BLAKE2B 36dcf969c6567680990420d6d177101b
 DIST docker-cli-26.1.0.tar.gz 7213165 BLAKE2B 302236467f2b6f3f46b0f0c75e89c2cef0cd251d36e12f78a67c906cfb85b842b998fd3b07f4a2dfc0a04825a9b105d90f11d176055ded397f2d4e9145639d5d SHA512 1a1e9af1a836765ffa91f7f2e1b27911e2b6b373c308a7db332a7cd1825459ab1c04a93d03c9947b631bead0af21d9f03e06c3a60855cc56ca7039e50e38ba87
 DIST docker-cli-27.2.0-man.tar.xz 79052 BLAKE2B 019299b8cd0adbb1a3749f9aa37b1e38bf212b2c13eee81ae49f843bcc56ff3f41413e1021bebf5c88b4406d7928c2c40de026df861195aa2df79d9c724f8b87 SHA512 d61d6f9f9139f2d22268932d795a50e7b9b1ff993699ba87ca9353cb9908ac18c103a34ee9a486f3537988d6ba7317b05588cd84ff8327b86826ab7ed5023947
 DIST docker-cli-27.2.0.tar.gz 7236608 BLAKE2B 828f002d83de47efad370e28df2f5e50f75da7952bf4fcbe30d3d66c9bc281ee99fab820f7bca002c8eb13fa29b7518e951974b62008e213662c1d384a286c0d SHA512 5dce9e974a96b2518a73d50a9421d12feeb9cc792bb89000f26e04a91fdddade2648dea39aa721e48c9b07bfc18f7a6676fb7e286ae779556753886ec45e86c3
+DIST docker-cli-27.2.1.tar.gz 7235741 BLAKE2B 461d177ff05cf27cf271e355cb6ce65a908e6263e10042bb1ae3963e376461d18a93ed79119b3551350a513ce065af3dbbcc9c82d0c7a68b366b3f012a9563f8 SHA512 2e89062fc906eec6879787b21a76d291159fb5e22c6a30c78d915c7a1c76ae03fca0cb7e4fc7f78e1747120fb64b652dbc9ca925a77c41ec9df44136bb2a83fa
--- a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-27.2.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-27.2.1.ebuild
@ -0,0 +1,74 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+GIT_COMMIT=9e34c9bb39efd8bf96d4ec044de454ef1f24c668
+
+EGO_PN="github.com/docker/cli"
+MY_PV=${PV/_/-}
+inherit bash-completion-r1  golang-vcs-snapshot
+
+DESCRIPTION="the command line binary for docker"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+# SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
+IUSE="hardened selinux"
+
+RDEPEND="!<app-containers/docker-20.10.1
+	selinux? ( sec-policy/selinux-docker )"
+BDEPEND="
+	>=dev-lang/go-1.16.6"
+
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+src_unpack() {
+	golang-vcs-snapshot_src_unpack
+	set -- ${A}
+	# Flatcar: skip unpacking temporarily
+	# unpack ${2}
+}
+
+src_prepare() {
+	default
+	sed -i 's@dockerd\?\.exe@@g' contrib/completion/bash/docker || die
+}
+
+src_compile() {
+	export DISABLE_WARN_OUTSIDE_CONTAINER=1
+	export GOPATH="${WORKDIR}/${P}"
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
+	CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
+		emake \
+		LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
+		VERSION="${PV}" \
+		GITCOMMIT="${GIT_COMMIT}" \
+		dynbinary
+}
+
+src_install() {
+	dobin build/docker
+	# Flatcar: skip installing manpages temporarily
+	# doman "${WORKDIR}"/man/man?/*
+	dobashcomp contrib/completion/bash/*
+	bashcomp_alias docker dockerd
+	insinto /usr/share/fish/vendor_completions.d/
+	doins contrib/completion/fish/docker.fish
+	insinto /usr/share/zsh/site-functions
+	doins contrib/completion/zsh/_*
+}
+
+pkg_postinst() {
+	has_version "app-containers/docker-buildx" && return
+	ewarn "the 'docker build' command is deprecated and will be removed in a"
+	ewarn "future release. If you need this functionality, install"
+	ewarn "app-containers/docker-buildx."
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest
@ -1,2 +1,3 @@
 DIST docker-26.1.0.tar.gz 16390376 BLAKE2B 6703e9b153c430bc28aed2e7de7bada0203353d61f0a2ce3d49ddbd017eab196a685dd1ab1e719a6b287813eb5fa4f2c612e2cf1ab95789d6e79ebe5dac7ace3 SHA512 47b6b9af9947016884614b6bc25977e1db281da95c9b8b34c753c21c664a737a893f9fa65d92cbb897735aae3893567e106e6bababb5507e069b1e0981e48d50
 DIST docker-27.2.0.tar.gz 16689537 BLAKE2B faf0bae9f7da127d5b65b9989acd82dc726bc3f09ace502df151b9f03a84b6f1ec2a946d905263aaa7d2e7d7a3cd4ad1a09291dcfc6691e73cc9a8738f150d55 SHA512 97abaf56d2249c1514beacf17fc9096848b960846e064f1a9bd800a59762a1f1888b32e83b3e8289e23656496ca0293fea65931210d68faaa8a713aab6e48b65
+DIST docker-27.2.1.tar.gz 16769375 BLAKE2B a2a33d76702f5a208b22cbb12202f4fd69dfce79a6a8ed3c3fe0df161696c922ab764a1796cd265a0cba0737894daf759baf21ecff364f3caea5fd440831dcb9 SHA512 2ca29e53074c1ff7b527f709ae542daa2754cfc35c70ae92bd71b4c7d5d54cd6d373ab078c811900dc694347cb149387681f6cf26634c81651a8e91e31790de7
--- a/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-27.2.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-27.2.1.ebuild
@ -0,0 +1,323 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit golang-vcs-snapshot linux-info optfeature systemd udev
+GIT_COMMIT=8b539b8df24032dabeaaa099cf1d0535ef0286a3
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init +overlay2 seccomp selinux systemd"
+
+DEPEND="
+	acct-group/docker
+	>=dev-db/sqlite-3.7.9:3
+	apparmor? ( sys-libs/libapparmor )
+	btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+	seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+	systemd? ( sys-apps/systemd )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+	${DEPEND}
+	>=net-firewall/iptables-1.4
+	sys-process/procps
+	>=dev-vcs/git-1.7
+	>=app-arch/xz-utils-4.9
+	>=app-containers/containerd-1.7.21[apparmor?,btrfs?,seccomp?]
+	>=app-containers/runc-1.1.13[apparmor?,seccomp?]
+	!app-containers/docker-proxy
+	container-init? ( >=sys-process/tini-0.19.0[static] )
+	selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+	>=dev-lang/go-1.16.12
+	dev-go/go-md2man
+	virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+	"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+	# this is based on "contrib/check-config.sh" from upstream's sources
+	# required features.
+	CONFIG_CHECK="
+		~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+		~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+		~KEYS
+		~VETH ~BRIDGE ~BRIDGE_NETFILTER
+		~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+		~NETFILTER_XT_MATCH_ADDRTYPE
+		~NETFILTER_XT_MATCH_CONNTRACK
+		~NETFILTER_XT_MATCH_IPVS
+		~NETFILTER_XT_MARK
+		~IP_NF_NAT ~NF_NAT
+		~POSIX_MQUEUE
+	"
+	WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+	if kernel_is lt 4 8; then
+		CONFIG_CHECK+="
+			~DEVPTS_MULTIPLE_INSTANCES
+		"
+	fi
+
+	if kernel_is le 5 1; then
+		CONFIG_CHECK+="
+			~NF_NAT_IPV4
+		"
+	fi
+
+	if kernel_is le 5 2; then
+		CONFIG_CHECK+="
+			~NF_NAT_NEEDED
+		"
+	fi
+
+	if kernel_is ge 4 15; then
+		CONFIG_CHECK+="
+			~CGROUP_BPF
+		"
+	fi
+
+	# optional features
+	CONFIG_CHECK+="
+		~USER_NS
+	"
+
+	if use seccomp; then
+		CONFIG_CHECK+="
+			~SECCOMP ~SECCOMP_FILTER
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~CGROUP_PIDS
+	"
+
+	if kernel_is lt 6 1; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP
+			"
+	fi
+
+	if kernel_is le 5 8; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP_ENABLED
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~!LEGACY_VSYSCALL_NATIVE
+		"
+	if kernel_is lt 5 19; then
+		CONFIG_CHECK+="
+			~LEGACY_VSYSCALL_EMULATE
+			"
+	fi
+	CONFIG_CHECK+="
+		~!LEGACY_VSYSCALL_NONE
+		"
+	WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+		Containers with <=glibc-2.13 will not work"
+
+	if kernel_is le 4 5; then
+		CONFIG_CHECK+="
+			~MEMCG_KMEM
+		"
+	fi
+
+	if kernel_is lt 5; then
+		CONFIG_CHECK+="
+			~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~BLK_CGROUP ~BLK_DEV_THROTTLING
+		~CGROUP_PERF
+		~CGROUP_HUGETLB
+		~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+		~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+		~IP_NF_TARGET_REDIRECT
+		~IP_VS
+		~IP_VS_NFCT
+		~IP_VS_PROTO_TCP
+		~IP_VS_PROTO_UDP
+		~IP_VS_RR
+		"
+
+	if use selinux; then
+		CONFIG_CHECK+="
+			~SECURITY_SELINUX
+			"
+	fi
+
+	if use apparmor; then
+		CONFIG_CHECK+="
+			~SECURITY_APPARMOR
+			"
+	fi
+
+	# if ! is_set EXT4_USE_FOR_EXT2; then
+	#	check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+	#	if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+	#		echo "    $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+	#	fi
+	# fi
+
+	CONFIG_CHECK+="
+		~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+	"
+
+	# if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+	#	if is_set EXT4_USE_FOR_EXT2; then
+	#		echo "    $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+	#	else
+	#		echo "    $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+	#	fi
+	# fi
+
+	# network drivers
+	CONFIG_CHECK+="
+		~VXLAN ~BRIDGE_VLAN_FILTERING
+		~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+		~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+	"
+	if kernel_is le 5 3; then
+		CONFIG_CHECK+="
+			~INET_XFRM_MODE_TRANSPORT
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~IPVLAN
+		"
+	CONFIG_CHECK+="
+		~MACVLAN ~DUMMY
+		"
+	CONFIG_CHECK+="
+		~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+	"
+
+	# storage drivers
+	if use btrfs; then
+		CONFIG_CHECK+="
+			~BTRFS_FS
+			~BTRFS_FS_POSIX_ACL
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~OVERLAY_FS
+	"
+
+	linux-info_pkg_setup
+}
+
+src_compile() {
+	export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+	export GOPATH="${WORKDIR}/${P}"
+	export VERSION=${PV}
+	tc-export PKG_CONFIG
+
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
+	CGO_LDFLAGS+=" -L${ESYSROOT}/usr/$(get_libdir)"
+
+	# let's set up some optional features :)
+	export DOCKER_BUILDTAGS=''
+	for gd in btrfs overlay2; do
+		if ! use $gd; then
+			DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+		fi
+	done
+
+	for tag in apparmor seccomp; do
+		if use $tag; then
+			DOCKER_BUILDTAGS+=" $tag"
+		fi
+	done
+
+	export EXCLUDE_AUTO_BUILDTAG_JOURNALD=$(usex systemd '' 'y')
+
+	# build binaries
+	./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+	dosym containerd /usr/bin/docker-containerd
+	dosym containerd-shim /usr/bin/docker-containerd-shim
+	dosym runc /usr/bin/docker-runc
+	use container-init && dosym tini /usr/bin/docker-init
+	dobin bundles/dynbinary-daemon/dockerd
+	dobin bundles/dynbinary-daemon/docker-proxy
+	for f in dockerd-rootless-setuptool.sh dockerd-rootless.sh; do
+		dosym ../share/docker/contrib/${f} /usr/bin/${f}
+	done
+
+	newinitd contrib/init/openrc/docker.initd docker
+	newconfd contrib/init/openrc/docker.confd docker
+
+	systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+	udev_dorules contrib/udev/*.rules
+
+	dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+	dodoc -r docs/*
+
+	# note: intentionally not using "doins" so that we preserve +x bits
+	dodir /usr/share/${PN}/contrib
+	cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+	udev_reload
+
+	elog
+	elog "To use Docker, the Docker daemon must be running as root. To automatically"
+	elog "start the Docker daemon at boot:"
+	if systemd_is_booted || has_version sys-apps/systemd; then
+		elog "  systemctl enable docker.service"
+	else
+		elog "  rc-update add docker default"
+	fi
+	elog
+	elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+	elog '  usermod -aG docker <youruser>'
+	elog
+
+	if has_version sys-fs/zfs; then
+		elog " ZFS storage driver is available"
+		elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+		elog
+	fi
+
+	optfeature "rootless mode support" sys-apps/shadow
+	optfeature "rootless mode support" sys-apps/rootlesskit
+	optfeature_header "for rootless mode you also need a network stack"
+	optfeature "rootless mode network stack" app-containers/slirp4netns
+}
+
+pkg_postrm() {
+	udev_reload
+}
--- a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest
@ -1,2 +1,3 @@
 DIST runc-1.1.12.tar.gz 2522196 BLAKE2B 14fe8d5f82d5b4d7f6b4bb9111c5d258e74f6a44aeb51fc87c69104e95b9bf24a3d503f4cc5dedb40d542fbd4b6e27273f456bda4fcf3bc298eb93ae292d9663 SHA512 92e8ac54a77d7ebcc76b5a9cc08d9a064211f12e9d26f064070cc203a5afb11c3af28d8f556f297513f797a2933d50bf10a8f22e307724041d66aa8c5ca1d9d3
 DIST runc-1.1.13.tar.gz 2532849 BLAKE2B f3d3171ffce2bb833bfb5cc21d0dc034fd7e38c47ee098cc1fc75c06fd4dfae21dfe25c2e69a1ca93b29d36e8799727ea41725eee8aca3a059c14dab6c8a435f SHA512 644bf9e6359bf49bbdec667c0f7c69ded78c7eacfc2d1b730d52fdcf7348571c6406b8e5790811fe3662a458c878e4225c3559885f0d95f8905273e7e40e55ad
+DIST runc-1.1.14.tar.gz 2543890 BLAKE2B 3eede8cd7d04d2a3826cfc7caae032744551799e8262d28e989d3d5c66ca3969ce8dede064ebd37361a00eb276fa7c9961180dd9fc9b0d53535421ecc99acb39 SHA512 bdefbf34cf57485c6b961babc8294d0e6b2e003eb836b8e99c49ef4d00acf11f30a46ad0bcd399ee9346610419591daf1eecb3b6b127962357d629bf5f252e22
--- a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.14.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.14.ebuild
@ -0,0 +1,77 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module linux-info
+
+# update on bump, look for commit ID on release tag.
+# https://github.com/opencontainers/runc
+RUNC_COMMIT=2c9f5602f0ba3d9da1c2596322dfc4e156844890
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="https://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+	${DEPEND}
+	!app-emulation/docker-runc
+	apparmor? ( sys-libs/libapparmor )
+	selinux? ( sec-policy/selinux-container )
+"
+
+BDEPEND="
+	dev-go/go-md2man
+	test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+src_compile() {
+	# Taken from app-containers/docker-1.7.0-r1
+	CGO_CFLAGS+=" -I${ESYSROOT}/usr/include"
+	CGO_LDFLAGS+=" $(usex hardened '-fno-PIC ' '')
+		-L${ESYSROOT}/usr/$(get_libdir)"
+
+	# build up optional flags
+	local options=(
+		$(usev apparmor)
+		$(usev seccomp)
+		$(usex kmem '' 'nokmem')
+	)
+
+	myemakeargs=(
+		BUILDTAGS="${options[*]}"
+		COMMIT="${RUNC_COMMIT}"
+	)
+
+	emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+	myemakeargs+=(
+		PREFIX="${ED}/usr"
+		BINDIR="${ED}/usr/bin"
+		MANDIR="${ED}/usr/share/man"
+	)
+	emake "${myemakeargs[@]}" install install-man install-bash
+
+	local DOCS=( README.md PRINCIPLES.md docs/. )
+	einstalldocs
+}
+
+src_test() {
+	emake "${myemakeargs[@]}" localunittest
+}