From 6edec6a89c6c55f75366165a7b0648c39da65985 Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Fri, 22 Sep 2017 14:41:36 -0700
Subject: [PATCH 1/4] app-emulation/runc: apply mount propagation patch

Upstream as https://github.com/opencontainers/runc/pull/1598
See discussion there and in linked issues for the full details.
---
 ...ld => docker-runc-1.0.0_rc3_p53-r1.ebuild} | 1 +
 ...-default-mount-propagation-correctly.patch | 41 +++++++++++++++++++
 .../app-emulation/docker/docker-9999.ebuild | 2 +-
 3 files changed, 43 insertions(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/{docker-runc-1.0.0_rc3_p53.ebuild => docker-runc-1.0.0_rc3_p53-r1.ebuild} (96%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
index 8daf9c2d3c..0a7f6c700e 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
@@ -44,6 +44,7 @@ src_unpack() {
 PATCHES=(
 "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
+ "${FILESDIR}/0002-libcontainer-default-mount-propagation-correctly.patch"
 )
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
new file mode 100644
index 0000000000..c284e9972d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
@@ -0,0 +1,41 @@
+From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
+From: Euan Kemp
+Date: Fri, 22 Sep 2017 02:31:17 -0700
+Subject: [PATCH] libcontainer: default mount propagation correctly
+
+The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
+attempts to default the rootfs mount to `rslave`. However, since the spec
+conversion has already defaulted it to `rprivate`, that code doesn't
+actually ever do anything.
+
+This changes the spec conversion code to accept "" and treat it as 0.
+
+Implicitly, this makes rootfs propagation default to `rslave`, which is
+a part of fixing the moby bug https://github.com/moby/moby/issues/34672
+
+Alternate implementatoins include changing this defaulting to be
+`rslave` and removing the defaulting code in prepareRoot, or skipping
+the mapping entirely for "", but I think this change is the cleanest of
+those options.
+
+Signed-off-by: Euan Kemp
+---
+ libcontainer/specconv/spec_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 1575ae03..8a2947f6 100644
+--- a/libcontainer/specconv/spec_linux.go
++++ b/libcontainer/specconv/spec_linux.go
+@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
+ "slave": syscall.MS_SLAVE,
+ "rshared": syscall.MS_SHARED | syscall.MS_REC,
+ "shared": syscall.MS_SHARED,
+- "": syscall.MS_PRIVATE | syscall.MS_REC,
++ "": 0,
+ }
+
+ var allowedDevices = []*configs.Device{
+--
+2.13.5
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index 1e6c7b4f8e..bc05b480d6 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
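Review bot: The `"": 0` entry in mountPropagationMapping silently changes the effective rootfs propagation for every caller that leaves `rootfsPropagation` unset, from `rprivate` to whatever prepareRoot substitutes for 0 (`rslave`, per the patch description), and nothing at the table itself says so. In the kernel's propagation model rslave lets mounts made on the host after the container starts become visible inside the container's mount namespace, which rprivate did not, so this is a security-relevant default and the reasoning should live next to the entry rather than only in a commit message that disappears once the ebuild patch is dropped, e.g. `"": 0, // unset: keep 0 so prepareRoot applies its own (rslave) default; mapping this to rprivate made that default dead code`. Since the ebuild carries this from a then-open upstream PR (#1598), it should also note the upstream merge commit once known so the local copy can be compared against what actually landed.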
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -65,7 +65,7 @@ RDEPEND="
 >=app-arch/xz-utils-4.9
 =app-emulation/containerd-0.2.9_p7[seccomp?]
- =app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?]
+ =app-emulation/docker-runc-1.0.0_rc3_p53-r1[apparmor?,seccomp?]
 app-emulation/docker-proxy
 container-init? ( >=sys-process/tini-0.13.1 )
 "

From e312b48b011cf6e38d34fea5d826d16a18cb8702 Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Fri, 22 Sep 2017 14:20:49 -0700
Subject: [PATCH 2/4] app-emulation/docker: apply ebusy overlayfs patch

See https://github.com/coreos/bugs/issues/2127 and https://github.com/moby/moby/issues/34672 for discussion.
Patch files have been split into more folders, plus some manual eapply calls, to allow moby/moby patches to be used unmodified against docker-ce
---
 ...6.2-r2.ebuild => docker-17.06.2-r3.ebuild} | 0
 .../app-emulation/docker/docker-9999.ebuild | 9 +-
 .../allow-override-build-date.patch | 0
 ...revert-make-overlay-home-dir-private.patch | 111 ++++++++++++++++++
 4 files changed, 119 insertions(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-17.06.2-r2.ebuild => docker-17.06.2-r3.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/{ => patches}/allow-override-build-date.patch (100%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r3.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r3.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index bc05b480d6..176cc81773 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -75,8 +75,11 @@ RESTRICT="installsources strip"
 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
 PATCHES=(
- "${FILESDIR}/allow-override-build-date.patch"
+ "${FILESDIR}/patches/allow-override-build-date.patch"
 )
+# Note: patches in the 'engine' subfolder are automatically applied to the
+# engine component; because docker-ce has subfolders for each component,
+# backporting specific component's patches has this extra complexity
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
@@ -212,6 +215,10 @@ src_unpack() {
 DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
 DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 fi
+ pushd "${S}"/components/engine || die
+ EPATCH_SOURCE="${FILESDIR}/patches/engine" EPATCH_SUFFIX="patch" \
+ EPATCH_FORCE="yes" epatch
+ popd || die
 }
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/allow-override-build-date.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/allow-override-build-date.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch
new file mode 100644
index 0000000000..7a21b2c3ff
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch
@@ -0,0 +1,111 @@
+From 699fab4877c3ff5d7f935bd3977e413c31269c7c Mon Sep 17 00:00:00 2001
+From: Euan Kemp
+Date: Fri, 22 Sep 2017 12:01:04 -0700
+Subject: [PATCH] Revert "Make overlay home dir Private mount"
+
+This reverts commit e076bccb458aeadab9380ce0636456ad6317a85f.
+It also reverts it for the overlay2 package, which didn't exist at the
+time the commit was made but is a direct successor with copy-pasted
+code.
+
+The original commit was meant to fix a bug whereby `docker cp`
+(implemented via chrootarchive) could inadvertantly lead to shared
+mounts getting unmounted on the host too.
+
+The fix, however, had side effects. It results in overlay mounts being
+private, and thus being quite easy to leak copies that are hard to
+umount into other mount namespaces on the box.
+
+This hasn't been noticed until now because on kernels prior to v4.13,
+temporarily leaking overlayfs mounts to other namespaces didn't have any
+ill effects.
+
+Starting with v4.13, setting the mount to private and thus leaking
+mounts results in errors. See https://github.com/moby/moby/issues/34672
+
+The correct fix for the original issue was implemented later in
+https://github.com/moby/moby/pull/27609, and since that code is now
+merged we can safely throw away this less ideal fix.
+
+Signed-off-by: Euan Kemp
+---
+ daemon/graphdriver/overlay/overlay.go | 12 +++--------
+ daemon/graphdriver/overlay2/overlay.go | 12 +++--------
+ 2 files changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
+index 9012722c20d..8ed51e6c384 100644
+--- a/daemon/graphdriver/overlay/overlay.go
++++ b/daemon/graphdriver/overlay/overlay.go
+@@ -19,7 +19,6 @@ import (
+ "github.com/docker/docker/pkg/fsutils"
+ "github.com/docker/docker/pkg/idtools"
+ "github.com/docker/docker/pkg/locker"
+- "github.com/docker/docker/pkg/mount"
+ "github.com/docker/docker/pkg/system"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/sirupsen/logrus"
+@@ -139,10 +138,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ return nil, err
+ }
+
+- if err := mount.MakePrivate(home); err != nil {
+- return nil, err
+- }
+-
+ supportsDType, err := fsutils.SupportsDType(home)
+ if err != nil {
+ return nil, err
+@@ -227,11 +222,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+ return metadata, nil
+ }
+
+-// Cleanup any state created by overlay which should be cleaned when daemon
+-// is being shutdown. For now, we just have to unmount the bind mounted
+-// we had created.
++// Cleanup simply returns nil and do not change the existing filesystem.
++// This is required to satisfy the graphdriver.Driver interface.
+ func (d *Driver) Cleanup() error {
+- return mount.Unmount(d.home)
++ return nil
+ }
+
+ // CreateReadWrite creates a layer that is writable for use as a container
+diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
+index f350ca9c0b8..5aaf8c0cefe 100644
+--- a/daemon/graphdriver/overlay2/overlay.go
++++ b/daemon/graphdriver/overlay2/overlay.go
+@@ -28,7 +28,6 @@ import (
+ "github.com/docker/docker/pkg/fsutils"
+ "github.com/docker/docker/pkg/idtools"
+ "github.com/docker/docker/pkg/locker"
+- "github.com/docker/docker/pkg/mount"
+ "github.com/docker/docker/pkg/parsers"
+ "github.com/docker/docker/pkg/parsers/kernel"
+ "github.com/docker/docker/pkg/system"
+@@ -175,10 +174,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ return nil, err
+ }
+
+- if err := mount.MakePrivate(home); err != nil {
+- return nil, err
+- }
+-
+ supportsDType, err := fsutils.SupportsDType(home)
+ if err != nil {
+ return nil, err
+@@ -314,11 +309,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+ return metadata, nil
+ }
+
+-// Cleanup any state created by overlay which should be cleaned when daemon
+-// is being shutdown. For now, we just have to unmount the bind mounted
+-// we had created.
++// Cleanup simply returns nil and do not change the existing filesystem.
++// This is required to satisfy the graphdriver.Driver interface.
+ func (d *Driver) Cleanup() error {
+- return mount.Unmount(d.home)
++ return nil
+ }
+
+ // CreateReadWrite creates a layer that is writable for use as a container
From e3d0b5edb2de54d5275c7eb38d292af4b82f5765 Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Fri, 22 Sep 2017 14:43:15 -0700
Subject: [PATCH 3/4] app-torcx/docker: update to include patches

---
 .../coreos-overlay/app-torcx/docker/docker-17.06.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
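Review bot: Removing `mount.MakePrivate(home)` from both `Init` bodies is only safe if the engine tree this is applied to already contains moby/moby#27609, which the patch description relies on to cover the `docker cp` host-unmount leak the reverted commit was guarding against; nothing in this hunk, and nothing visible in the ebuild that applies it, checks that the docker-ce 17.06 checkout actually carries that change. I would record the dependency where it will be seen on the next rebase, e.g. next to the patch's entry in the ebuild: `# depends on moby/moby#27609 being present in components/engine; without it this revert reintroduces host unmounts via docker cp`. The rewritten `Cleanup` comment also reads awkwardly ("do not change"); since the bind mount the old comment referred to is no longer created, say that plainly: `// Cleanup is a no-op: Init no longer mounts anything under home, so there is nothing to unmount. It exists only to satisfy graphdriver.Driver.`. Both `Init` bodies start outside this hunk.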
diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
index 14131fa562..b518b943f3 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
@@ -11,10 +11,10 @@ KEYWORDS="amd64 arm64"
 # Explicitly list all packages that will be built into the image.
 RDEPEND="
- =app-emulation/docker-17.06.2-r2
+ =app-emulation/docker-17.06.2-r3
 =app-emulation/containerd-0.2.9_p7
 =app-emulation/docker-proxy-0.8.0_p20170410-r1
- =app-emulation/docker-runc-1.0.0_rc3_p53
+ =app-emulation/docker-runc-1.0.0_rc3_p53-r1
 =dev-libs/libltdl-2.4.6
 =sys-process/tini-0.13.2
 "

From 1ccbcc4073ae24da32ce237384e030d483cb8cec Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Fri, 22 Sep 2017 17:19:49 -0700
Subject: [PATCH 4/4] app-emulation/docker: eapply engine patches

Also split them into an array so we can decouple the files in patches/engine from those applied, e.g. to allow carrying patches for only specific ebuilds.
---
 .../app-emulation/docker/docker-9999.ebuild | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index 176cc81773..a2f654e7b4 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -77,9 +77,9 @@ S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
 PATCHES=(
 "${FILESDIR}/patches/allow-override-build-date.patch"
 )
-# Note: patches in the 'engine' subfolder are automatically applied to the
-# engine component; because docker-ce has subfolders for each component,
-# backporting specific component's patches has this extra complexity
+ENGINE_PATCHES=(
+ "${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch"
+)
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
@@ -215,10 +215,7 @@ src_unpack() {
 DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
 DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 fi
- pushd "${S}"/components/engine || die
- EPATCH_SOURCE="${FILESDIR}/patches/engine" EPATCH_SUFFIX="patch" \
- EPATCH_FORCE="yes" epatch
- popd || die
+ eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
 }
 src_compile() {
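Review bot: The comment explaining why engine patches are handled separately is removed in the first hunk and nothing replaces it, so `ENGINE_PATCHES` and the `eapply -d"${S}"/components/engine` call in src_unpack now give no hint of why these are not simply listed in `PATCHES`. I would put a short comment above the array: `# Applied only inside components/engine (docker-ce keeps each component in its own subtree) so moby/moby patches can be carried unmodified; see src_unpack.`. The `-d` option must also stay attached to its value as written, because eapply forwards only the leading dash-prefixed words to patch(1) and would treat a separate `"${S}/components/engine"` as a patch file, which deserves a why-comment on that line: `# -dDIR stays attached: eapply only passes dash-prefixed words through to patch`. Note these are applied from src_unpack rather than src_prepare, i.e. before any user patches, and src_unpack's body starts outside this hunk.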