mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-22 06:51:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2787 from euank/docker-ebusy

Browse Source 
app-emulation/docker: apply ebusy overlayfs patch
This commit is contained in:
Euan Kemp 2017-09-22 18:04:59 -07:00 committed by GitHub
commit eab9ac0cd8
7 changed files with 161 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53.ebuild → sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild vendored
View File

@ -44,6 +44,7 @@ src_unpack() {
PATCHES=( PATCHES=(
"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch" "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
"${FILESDIR}/0002-libcontainer-default-mount-propagation-correctly.patch"
) )
src_compile() { src_compile() {

41
sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch vendored Normal file
View File

@ -0,0 +1,41 @@
From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
From: Euan Kemp <euan.kemp@coreos.com>
Date: Fri, 22 Sep 2017 02:31:17 -0700
Subject: [PATCH] libcontainer: default mount propagation correctly
The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
attempts to default the rootfs mount to `rslave`. However, since the spec
conversion has already defaulted it to `rprivate`, that code doesn't
actually ever do anything.
This changes the spec conversion code to accept "" and treat it as 0.
Implicitly, this makes rootfs propagation default to `rslave`, which is
a part of fixing the moby bug https://github.com/moby/moby/issues/34672
Alternate implementatoins include changing this defaulting to be
`rslave` and removing the defaulting code in prepareRoot, or skipping
the mapping entirely for "", but I think this change is the cleanest of
those options.
Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
---
libcontainer/specconv/spec_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 1575ae03..8a2947f6 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
"slave": syscall.MS_SLAVE,
"rshared": syscall.MS_SHARED | syscall.MS_REC,
"shared": syscall.MS_SHARED,
- "": syscall.MS_PRIVATE | syscall.MS_REC,
+ "": 0,
}
var allowedDevices = []*configs.Device{
--
2.13.5

0
sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r2.ebuild → sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r3.ebuild vendored
View File

8
sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild vendored
View File

@ -65,7 +65,7 @@ RDEPEND="
>=app-arch/xz-utils-4.9 >=app-arch/xz-utils-4.9
=app-emulation/containerd-0.2.9_p7[seccomp?] =app-emulation/containerd-0.2.9_p7[seccomp?]
=app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?] =app-emulation/docker-runc-1.0.0_rc3_p53-r1[apparmor?,seccomp?]
app-emulation/docker-proxy app-emulation/docker-proxy
container-init? ( >=sys-process/tini-0.13.1 ) container-init? ( >=sys-process/tini-0.13.1 )
" "
@ -75,7 +75,10 @@ RESTRICT="installsources strip"
S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}" S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
PATCHES=( PATCHES=(
"${FILESDIR}/allow-override-build-date.patch" "${FILESDIR}/patches/allow-override-build-date.patch"
)
ENGINE_PATCHES=(
"${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch"
) )
# see "contrib/check-config.sh" from upstream's sources # see "contrib/check-config.sh" from upstream's sources
@ -212,6 +215,7 @@ src_unpack() {
DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7) DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct") DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
fi fi
eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
} }
src_compile() { src_compile() {

0
sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch → sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/allow-override-build-date.patch vendored
View File

111
sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch vendored Normal file
View File

@ -0,0 +1,111 @@
From 699fab4877c3ff5d7f935bd3977e413c31269c7c Mon Sep 17 00:00:00 2001
From: Euan Kemp <euan.kemp@coreos.com>
Date: Fri, 22 Sep 2017 12:01:04 -0700
Subject: [PATCH] Revert "Make overlay home dir Private mount"
This reverts commit e076bccb458aeadab9380ce0636456ad6317a85f.
It also reverts it for the overlay2 package, which didn't exist at the
time the commit was made but is a direct successor with copy-pasted
code.
The original commit was meant to fix a bug whereby `docker cp`
(implemented via chrootarchive) could inadvertantly lead to shared
mounts getting unmounted on the host too.
The fix, however, had side effects. It results in overlay mounts being
private, and thus being quite easy to leak copies that are hard to
umount into other mount namespaces on the box.
This hasn't been noticed until now because on kernels prior to v4.13,
temporarily leaking overlayfs mounts to other namespaces didn't have any
ill effects.
Starting with v4.13, setting the mount to private and thus leaking
mounts results in errors. See https://github.com/moby/moby/issues/34672
The correct fix for the original issue was implemented later in
https://github.com/moby/moby/pull/27609, and since that code is now
merged we can safely throw away this less ideal fix.
Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
---
daemon/graphdriver/overlay/overlay.go | 12 +++---------
daemon/graphdriver/overlay2/overlay.go | 12 +++---------
2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
index 9012722c20d..8ed51e6c384 100644
--- a/daemon/graphdriver/overlay/overlay.go
+++ b/daemon/graphdriver/overlay/overlay.go
@@ -19,7 +19,6 @@ import (
"github.com/docker/docker/pkg/fsutils"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/locker"
- "github.com/docker/docker/pkg/mount"
"github.com/docker/docker/pkg/system"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus"
@@ -139,10 +138,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
return nil, err
}
- if err := mount.MakePrivate(home); err != nil {
- return nil, err
- }
-
supportsDType, err := fsutils.SupportsDType(home)
if err != nil {
return nil, err
@@ -227,11 +222,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
return metadata, nil
}
-// Cleanup any state created by overlay which should be cleaned when daemon
-// is being shutdown. For now, we just have to unmount the bind mounted
-// we had created.
+// Cleanup simply returns nil and do not change the existing filesystem.
+// This is required to satisfy the graphdriver.Driver interface.
func (d *Driver) Cleanup() error {
- return mount.Unmount(d.home)
+ return nil
}
// CreateReadWrite creates a layer that is writable for use as a container
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
index f350ca9c0b8..5aaf8c0cefe 100644
--- a/daemon/graphdriver/overlay2/overlay.go
+++ b/daemon/graphdriver/overlay2/overlay.go
@@ -28,7 +28,6 @@ import (
"github.com/docker/docker/pkg/fsutils"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/locker"
- "github.com/docker/docker/pkg/mount"
"github.com/docker/docker/pkg/parsers"
"github.com/docker/docker/pkg/parsers/kernel"
"github.com/docker/docker/pkg/system"
@@ -175,10 +174,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
return nil, err
}
- if err := mount.MakePrivate(home); err != nil {
- return nil, err
- }
-
supportsDType, err := fsutils.SupportsDType(home)
if err != nil {
return nil, err
@@ -314,11 +309,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
return metadata, nil
}
-// Cleanup any state created by overlay which should be cleaned when daemon
-// is being shutdown. For now, we just have to unmount the bind mounted
-// we had created.
+// Cleanup simply returns nil and do not change the existing filesystem.
+// This is required to satisfy the graphdriver.Driver interface.
func (d *Driver) Cleanup() error {
- return mount.Unmount(d.home)
+ return nil
}
// CreateReadWrite creates a layer that is writable for use as a container

4
sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild vendored
View File

@ -11,10 +11,10 @@ KEYWORDS="amd64 arm64"
# Explicitly list all packages that will be built into the image. # Explicitly list all packages that will be built into the image.
RDEPEND=" RDEPEND="
=app-emulation/docker-17.06.2-r2 =app-emulation/docker-17.06.2-r3
=app-emulation/containerd-0.2.9_p7 =app-emulation/containerd-0.2.9_p7
=app-emulation/docker-proxy-0.8.0_p20170410-r1 =app-emulation/docker-proxy-0.8.0_p20170410-r1
=app-emulation/docker-runc-1.0.0_rc3_p53 =app-emulation/docker-runc-1.0.0_rc3_p53-r1
=dev-libs/libltdl-2.4.6 =dev-libs/libltdl-2.4.6
=sys-process/tini-0.13.2 =sys-process/tini-0.13.2
" "