Merge pull request #2787 from euank/docker-ebusy

app-emulation/docker: apply ebusy overlayfs patch
2025-08-22 06:51:26 +02:00 · 2017-09-22 18:04:59 -07:00 · 2017-09-22 18:04:59 -07:00 · eab9ac0cd8
commit eab9ac0cd8
parent 6f322807fb 1ccbcc4073
7 changed files with 161 additions and 4 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc3_p53-r1.ebuild
@ -44,6 +44,7 @@ src_unpack() {

 PATCHES=(
 	"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
+	"${FILESDIR}/0002-libcontainer-default-mount-propagation-correctly.patch"
 )

 src_compile() {
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-libcontainer-default-mount-propagation-correctly.patch
@ -0,0 +1,41 @@
+From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euan.kemp@coreos.com>
+Date: Fri, 22 Sep 2017 02:31:17 -0700
+Subject: [PATCH] libcontainer: default mount propagation correctly
+
+The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
+attempts to default the rootfs mount to `rslave`. However, since the spec
+conversion has already defaulted it to `rprivate`, that code doesn't
+actually ever do anything.
+
+This changes the spec conversion code to accept "" and treat it as 0.
+
+Implicitly, this makes rootfs propagation default to `rslave`, which is
+a part of fixing the moby bug https://github.com/moby/moby/issues/34672
+
+Alternate implementatoins include changing this defaulting to be
+`rslave` and removing the defaulting code in prepareRoot, or skipping
+the mapping entirely for "", but I think this change is the cleanest of
+those options.
+
+Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
+---
+ libcontainer/specconv/spec_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
+index 1575ae03..8a2947f6 100644
+--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
+@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
+ 	"slave":    syscall.MS_SLAVE,
+ 	"rshared":  syscall.MS_SHARED | syscall.MS_REC,
+ 	"shared":   syscall.MS_SHARED,
+-	"":         syscall.MS_PRIVATE | syscall.MS_REC,
+	"":         0,
+ }
+ 
+ var allowedDevices = []*configs.Device{
+-- 
+2.13.5
+
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.2-r3.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@ -65,7 +65,7 @@ RDEPEND="
 	>=app-arch/xz-utils-4.9

 	=app-emulation/containerd-0.2.9_p7[seccomp?]
-	=app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?]
+	=app-emulation/docker-runc-1.0.0_rc3_p53-r1[apparmor?,seccomp?]
 	app-emulation/docker-proxy
 	container-init? ( >=sys-process/tini-0.13.1 )
 "
@ -75,7 +75,10 @@ RESTRICT="installsources strip"
 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"

 PATCHES=(
-	"${FILESDIR}/allow-override-build-date.patch"
+	"${FILESDIR}/patches/allow-override-build-date.patch"
+)
+ENGINE_PATCHES=(
+	"${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch"
 )

 # see "contrib/check-config.sh" from upstream's sources
@ -212,6 +215,7 @@ src_unpack() {
 		DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
 		DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 	fi
+	eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
 }

 src_compile() {
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/allow-override-build-date.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/allow-override-build-date.patch
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch
@ -0,0 +1,111 @@
+From 699fab4877c3ff5d7f935bd3977e413c31269c7c Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euan.kemp@coreos.com>
+Date: Fri, 22 Sep 2017 12:01:04 -0700
+Subject: [PATCH] Revert "Make overlay home dir Private mount"
+
+This reverts commit e076bccb458aeadab9380ce0636456ad6317a85f.
+It also reverts it for the overlay2 package, which didn't exist at the
+time the commit was made but is a direct successor with copy-pasted
+code.
+
+The original commit was meant to fix a bug whereby `docker cp`
+(implemented via chrootarchive) could inadvertantly lead to shared
+mounts getting unmounted on the host too.
+
+The fix, however, had side effects. It results in overlay mounts being
+private, and thus being quite easy to leak copies that are hard to
+umount into other mount namespaces on the box.
+
+This hasn't been noticed until now because on kernels prior to v4.13,
+temporarily leaking overlayfs mounts to other namespaces didn't have any
+ill effects.
+
+Starting with v4.13, setting the mount to private and thus leaking
+mounts results in errors. See https://github.com/moby/moby/issues/34672
+
+The correct fix for the original issue was implemented later in
+https://github.com/moby/moby/pull/27609, and since that code is now
+merged we can safely throw away this less ideal fix.
+
+Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
+---
+ daemon/graphdriver/overlay/overlay.go  | 12 +++---------
+ daemon/graphdriver/overlay2/overlay.go | 12 +++---------
+ 2 files changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
+index 9012722c20d..8ed51e6c384 100644
+--- a/daemon/graphdriver/overlay/overlay.go
+++ b/daemon/graphdriver/overlay/overlay.go
+@@ -19,7 +19,6 @@ import (
+ 	"github.com/docker/docker/pkg/fsutils"
+ 	"github.com/docker/docker/pkg/idtools"
+ 	"github.com/docker/docker/pkg/locker"
+-	"github.com/docker/docker/pkg/mount"
+ 	"github.com/docker/docker/pkg/system"
+ 	"github.com/opencontainers/selinux/go-selinux/label"
+ 	"github.com/sirupsen/logrus"
+@@ -139,10 +138,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 		return nil, err
+ 	}
+ 
+-	if err := mount.MakePrivate(home); err != nil {
+-		return nil, err
+-	}
+-
+ 	supportsDType, err := fsutils.SupportsDType(home)
+ 	if err != nil {
+ 		return nil, err
+@@ -227,11 +222,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+ 	return metadata, nil
+ }
+ 
+-// Cleanup any state created by overlay which should be cleaned when daemon
+-// is being shutdown. For now, we just have to unmount the bind mounted
+-// we had created.
+// Cleanup simply returns nil and do not change the existing filesystem.
+// This is required to satisfy the graphdriver.Driver interface.
+ func (d *Driver) Cleanup() error {
+-	return mount.Unmount(d.home)
+	return nil
+ }
+ 
+ // CreateReadWrite creates a layer that is writable for use as a container
+diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
+index f350ca9c0b8..5aaf8c0cefe 100644
+--- a/daemon/graphdriver/overlay2/overlay.go
+++ b/daemon/graphdriver/overlay2/overlay.go
+@@ -28,7 +28,6 @@ import (
+ 	"github.com/docker/docker/pkg/fsutils"
+ 	"github.com/docker/docker/pkg/idtools"
+ 	"github.com/docker/docker/pkg/locker"
+-	"github.com/docker/docker/pkg/mount"
+ 	"github.com/docker/docker/pkg/parsers"
+ 	"github.com/docker/docker/pkg/parsers/kernel"
+ 	"github.com/docker/docker/pkg/system"
+@@ -175,10 +174,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 		return nil, err
+ 	}
+ 
+-	if err := mount.MakePrivate(home); err != nil {
+-		return nil, err
+-	}
+-
+ 	supportsDType, err := fsutils.SupportsDType(home)
+ 	if err != nil {
+ 		return nil, err
+@@ -314,11 +309,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+ 	return metadata, nil
+ }
+ 
+-// Cleanup any state created by overlay which should be cleaned when daemon
+-// is being shutdown. For now, we just have to unmount the bind mounted
+-// we had created.
+// Cleanup simply returns nil and do not change the existing filesystem.
+// This is required to satisfy the graphdriver.Driver interface.
+ func (d *Driver) Cleanup() error {
+-	return mount.Unmount(d.home)
+	return nil
+ }
+ 
+ // CreateReadWrite creates a layer that is writable for use as a container
--- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
@ -11,10 +11,10 @@ KEYWORDS="amd64 arm64"

 # Explicitly list all packages that will be built into the image.
 RDEPEND="
-	=app-emulation/docker-17.06.2-r2
+	=app-emulation/docker-17.06.2-r3
 	=app-emulation/containerd-0.2.9_p7
 	=app-emulation/docker-proxy-0.8.0_p20170410-r1
-	=app-emulation/docker-runc-1.0.0_rc3_p53
+	=app-emulation/docker-runc-1.0.0_rc3_p53-r1
 	=dev-libs/libltdl-2.4.6
 	=sys-process/tini-0.13.2
 "