diff --git a/.github/workflows/docker-apply-patch.sh b/.github/workflows/docker-apply-patch.sh
deleted file mode 100755
index ac9606c45b..0000000000
--- a/.github/workflows/docker-apply-patch.sh
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
-
-prepare_git_repo
-
-if ! check_remote_branch "docker-${VERSION_NEW}-${TARGET_BRANCH}"; then
- echo "remote branch already exists, nothing to do"
- exit 0
-fi
-
-pushd "${SDK_OUTER_OVERLAY}"
-
-VERSION_OLD=$(sed -n "s/^DIST docker-\([0-9]*.[0-9]*.[0-9]*\).*/\1/p" app-containers/docker/Manifest | sort -ruV | head -n1)
-if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
- echo "already the latest Docker, nothing to do"
- exit 0
-fi
-
-# we need to update not only the main ebuild file, but also its DOCKER_GITCOMMIT,
-# which needs to point to COMMIT_HASH that matches with $VERSION_NEW from upstream docker-ce.
-dockerEbuildOld=$(get_ebuild_filename app-containers/docker "${VERSION_OLD}")
-dockerEbuildNew="app-containers/docker/docker-${VERSION_NEW}.ebuild"
-git mv "${dockerEbuildOld}" "${dockerEbuildNew}"
-sed -i "s/GIT_COMMIT=\(.*\)/GIT_COMMIT=${COMMIT_HASH_MOBY}/g" "${dockerEbuildNew}"
-sed -i "s/v${VERSION_OLD}/v${VERSION_NEW}/g" "${dockerEbuildNew}"
-
-cliEbuildOld=$(get_ebuild_filename app-containers/docker-cli "${VERSION_OLD}")
-cliEbuildNew="app-containers/docker-cli/docker-cli-${VERSION_NEW}.ebuild"
-git mv "${cliEbuildOld}" "${cliEbuildNew}"
-sed -i "s/GIT_COMMIT=\(.*\)/GIT_COMMIT=${COMMIT_HASH_CLI}/g" "${cliEbuildNew}"
-sed -i "s/v${VERSION_OLD}/v${VERSION_NEW}/g" "${cliEbuildNew}"
-
-# update also docker versions used by the current runc ebuild file.
-versionRunc=$(sed -n "s/^DIST runc-\([0-9]*.[0-9]*.*\)\.tar.*/\1/p" app-containers/runc/Manifest | sort -ruV | head -n1)
-runcEbuildFile=$(get_ebuild_filename app-containers/runc "${versionRunc}")
-sed -i "s/github.com\/docker\/docker-ce\/blob\/v${VERSION_OLD}/github.com\/docker\/docker-ce\/blob\/v${VERSION_NEW}/g" ${runcEbuildFile}
-
-popd
-
-# URL for Docker release notes has a specific format of
-# https://docs.docker.com/engine/release-notes/MAJOR.MINOR/#COMBINEDFULLVERSION
-# To get the subfolder part MAJOR.MINOR, drop the patchlevel of the semver.
-# e.g. 20.10.23 -> 20.10
-# To get the combined full version, drop all dots from the full version.
-# e.g. 20.10.23 -> 201023
-# So the result becomes like:
-# https://docs.docker.com/engine/release-notes/20.10/#201023
-URLSUBFOLDER=${VERSION_NEW%.*}
-URLVERSION="${VERSION_NEW//./}"
-URL="https://docs.docker.com/engine/release-notes/${URLSUBFOLDER}/#${URLVERSION}"
-
-generate_update_changelog 'Docker' "${VERSION_NEW}" "${URL}" 'docker'
-
-regenerate_manifest app-containers/docker-cli "${VERSION_NEW}"
-commit_changes app-containers/docker "${VERSION_OLD}" "${VERSION_NEW}" \
- app-containers/docker-cli \
- app-containers/runc
-
-cleanup_repo
-
-echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
-echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"
diff --git a/.github/workflows/docker-release-main.yaml b/.github/workflows/docker-release-main.yaml
deleted file mode 100644
index 84c0ef4fca..0000000000
--- a/.github/workflows/docker-release-main.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-name: Get the latest Docker release for main
-on:
- schedule:
- - cron: '35 7 * * 3'
- workflow_dispatch:
-
-jobs:
- get-docker-release:
- runs-on: ubuntu-latest
- steps:
- - name: Check out scripts
- uses: actions/checkout@v3
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- - name: Figure out latest Docker release version
- id: docker-latest-release
- run: |
- versionCommitPairMoby=( $(git ls-remote --tags https://github.com/moby/moby | grep 'refs/tags/v[0-9]*\.[0-9]*\.[0-9]*$' | sed -e 's#^\([0-9a-fA-F]*\)[[:space:]]*refs/tags/v\(.*\)$#\2 \1#g' | sort --reverse --unique --version-sort | head --lines 1) )
- commitHashCLI=$(git ls-remote --tags https://github.com/docker/cli | grep 'refs/tags/v'"${versionCommitPairMoby[0]}"'$' | cut -f1)
-
- echo "VERSION_NEW=${versionCommitPairMoby[0]}" >>"${GITHUB_OUTPUT}"
- echo "COMMIT_HASH_MOBY=${versionCommitPairMoby[1]}" >>"${GITHUB_OUTPUT}"
- echo "COMMIT_HASH_CLI=${commitHashCLI}" >>"${GITHUB_OUTPUT}"
- - name: Set up Flatcar SDK
- id: setup-flatcar-sdk
- env:
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- CHANNEL: main
- run: scripts/.github/workflows/setup-flatcar-sdk.sh
- - name: Apply patch for main
- id: apply-patch-main
- env:
- GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- VERSION_NEW: ${{ steps.docker-latest-release.outputs.VERSION_NEW }}
- COMMIT_HASH_MOBY: ${{ steps.docker-latest-release.outputs.COMMIT_HASH_MOBY }}
- COMMIT_HASH_CLI: ${{ steps.docker-latest-release.outputs.COMMIT_HASH_CLI }}
- PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
- SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
- TARGET_BRANCH: main
- run: scripts/.github/workflows/docker-apply-patch.sh
- - name: Create pull request for main
- uses: peter-evans/create-pull-request@v5
- if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- branch: docker-${{ steps.docker-latest-release.outputs.VERSION_NEW }}-main
- base: main
- title: Upgrade Docker in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.docker-latest-release.outputs.VERSION_NEW }}
- body: Subject says it all.
- labels: main
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index b825817ae6..689cffbccc 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -87,6 +87,12 @@ app-arch/zstd
app-cdr/cdrtools
+app-containers/cri-tools
+app-containers/docker
+app-containers/docker-cli
+app-containers/docker-proxy
+app-containers/runc
+
app-crypt/adcli
app-crypt/libb2
app-crypt/libmd
diff --git a/.github/workflows/runc-apply-patch.sh b/.github/workflows/runc-apply-patch.sh
deleted file mode 100755
index 8aa1b4a495..0000000000
--- a/.github/workflows/runc-apply-patch.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-source "${GHA_SCRIPTS_DIR}/.github/workflows/common.sh"
-
-prepare_git_repo
-
-if ! check_remote_branch "runc-${VERSION_NEW}-${TARGET_BRANCH}"; then
- echo "remote branch already exists, nothing to do"
- exit 0
-fi
-
-pushd "${SDK_OUTER_OVERLAY}"
-
-# Get the newest runc version, including official releases and rc
-# versions. We need some sed tweaks like replacing dots with
-# underscores, adding trailing underscore, sort, and trim the trailing
-# underscore and replace other underscores with dots again, so that
-# sort -V can properly sort "1.0.0" as newer than "1.0.0-rc95" and
-# "0.0.2.1" as newer than "0.0.2".
-VERSION_OLD=$(sed -n "s/^DIST runc-\([0-9]*\.[0-9]*.*\)\.tar.*/\1_/p" app-containers/runc/Manifest | tr '.' '_' | sort -ruV | sed -e 's/_$//' | tr '_' '.' | head -n1)
-if [[ "${VERSION_NEW}" = "${VERSION_OLD}" ]]; then
- echo "already the latest Runc, nothing to do"
- exit 0
-fi
-
-runcEbuildOld=$(get_ebuild_filename app-containers/runc "${VERSION_OLD}")
-runcEbuildNew="app-containers/runc/runc-${VERSION_NEW}.ebuild"
-git mv "${runcEbuildOld}" "${runcEbuildNew}"
-sed -i "s/${VERSION_OLD}/${VERSION_NEW}/g" "${runcEbuildNew}"
-sed -i "s/COMMIT_ID=\"\(.*\)\"/COMMIT_ID=\"${COMMIT_HASH}\"/g" "${runcEbuildNew}"
-
-# update also runc versions used by docker and containerd
-sed -i "s/runc-${VERSION_OLD}/runc-${VERSION_NEW}/g" app-containers/containerd/containerd-9999.ebuild
-
-dockerVersion=$(sed -n "s/^DIST docker-\([0-9]*.[0-9]*.[0-9]*\).*/\1/p" app-containers/docker/Manifest | sort -ruV | head -n1)
-
-popd
-
-URL="https://github.com/opencontainers/runc/releases/tag/v${VERSION_NEW}"
-
-generate_update_changelog 'runc' "${VERSION_NEW}" "${URL}" 'runc'
-
-commit_changes app-containers/runc "${VERSION_OLD}" "${VERSION_NEW}" \
- app-containers/containerd
-
-cleanup_repo
-
-echo "VERSION_OLD=${VERSION_OLD}" >>"${GITHUB_OUTPUT}"
-echo 'UPDATE_NEEDED=1' >>"${GITHUB_OUTPUT}"
diff --git a/.github/workflows/runc-release-main.yaml b/.github/workflows/runc-release-main.yaml
deleted file mode 100644
index f674810b38..0000000000
--- a/.github/workflows/runc-release-main.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-name: Get the latest Runc release for main
-on:
- schedule:
- - cron: '50 7 * * 4'
- workflow_dispatch:
-
-jobs:
- get-runc-release:
- runs-on: ubuntu-latest
- steps:
- - name: Check out scripts
- uses: actions/checkout@v3
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- - name: Figure out latest Runc release version
- id: runc-latest-release
- run: |
- REMOTE='https://github.com/opencontainers/runc'
- # Get the newest runc version, including official releases
- # and rc versions. We need some sed tweaks like replacing
- # dots with underscores, adding trailing underscore, sort,
- # and trim the trailing underscore and replace other
- # underscores with dots again, so that sort -V can properly
- # sort "1.0.0" as newer than "1.0.0-rc95" and "0.0.2.1" as
- # newer than "0.0.2".
- versionCommitPair=( $(git ls-remote --tags "${REMOTE}" | grep 'refs/tags/v[a-z0-9._-]*$' | sed -e 's#^\([0-9a-fA-F]*\)[[:space:]]*refs/tags/v\(.*\)$#\2_ \1#g' -e 's/\./_/g' | sort --reverse --unique --version-sort --key=1,1 | sed -e 's/_ / /' -e 's/_/./g' | head --lines=1) )
- versionNew="${versionCommitPair[0]}"
- # Gentoo expects an underline between version and rc, so
- # "1.1.0-rc.1" becomes "1.1.0_rc.1".
- versionNew="${versionNew//-/_}"
- # Gentoo expects no separators between rc and the number, so
- # "1.1.0_rc.1" becomes "1.1.0_rc1"
- versionNew="${versionNew//rc./rc}"
- commitHash="${versionCommitPair[1]}"
- echo "VERSION_NEW=${versionNew}" >>"${GITHUB_OUTPUT}"
- echo "COMMIT_HASH=${commitHash}" >>"${GITHUB_OUTPUT}"
- - name: Set up Flatcar SDK
- id: setup-flatcar-sdk
- env:
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- CHANNEL: main
- run: scripts/.github/workflows/setup-flatcar-sdk.sh
- - name: Apply patch for main
- id: apply-patch-main
- env:
- GHA_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- WORK_SCRIPTS_DIR: "${{ github.workspace }}/scripts"
- VERSION_NEW: ${{ steps.runc-latest-release.outputs.VERSION_NEW }}
- COMMIT_HASH: ${{ steps.runc-latest-release.outputs.COMMIT_HASH }}
- PACKAGES_CONTAINER: ${{ steps.setup-flatcar-sdk.outputs.PACKAGES_CONTAINER }}
- SDK_NAME: ${{ steps.setup-flatcar-sdk.outputs.SDK_NAME }}
- TARGET_BRANCH: main
- run: scripts/.github/workflows/runc-apply-patch.sh
- - name: Create pull request for main
- uses: peter-evans/create-pull-request@v5
- if: steps.apply-patch-main.outputs.UPDATE_NEEDED == 1
- with:
- token: ${{ secrets.BOT_PR_TOKEN }}
- path: scripts
- branch: runc-${{ steps.runc-latest-release.outputs.VERSION_NEW }}-main
- base: main
- title: Upgrade Runc in main from ${{ steps.apply-patch-main.outputs.VERSION_OLD }} to ${{ steps.runc-latest-release.outputs.VERSION_NEW }}
- body: Subject says it all.
- labels: main
diff --git a/build_image b/build_image
index 6cd84d91b6..697c109cee 100755
--- a/build_image
+++ b/build_image
@@ -33,8 +33,8 @@ DEFINE_string base_pkg "coreos-base/coreos" \
"The base portage package to base the build off of (only applies to prod images)"
DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
"The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker" \
- "Comma-separated list of name:package - build 'package' into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
+DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli" \
+ "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
"Directory in which to place image result directories (named by version)"
DEFINE_string disk_layout "" \
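Review bot: The new help text for `base_sysexts` documents the `&` separator but not that `&` is a shell control operator: a user overriding the default on the command line with `--base_sysexts=foo:a&b` sends `build_image` to the background and runs `b` as a separate command unless the value is quoted. One extra clause in the description line, `(quote the value on the command line, since '&' is special to the shell)`, would prevent that. The `DEFINE_string` list continues outside the hunk.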
diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar
index ff5c5d3695..1d3502d33a 100755
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@@ -3,5 +3,16 @@
set -euo pipefail
rootfs="${1}"
+
+# No manpages on Flatcar, no need to ship "stress" tool
+echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
+rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"
+
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
+
+echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
+cp -va "${files_dir}/"* "${rootfs}"
+
mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
{ echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
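Review bot: `script_root="$(cd "$(dirname "$0")/../"; pwd)"` joins `cd` and `pwd` with `;`, so a failing `cd` only stops the script because the substitution's subshell inherits the file's `set -euo pipefail`; `script_root="$(cd "$(dirname "$0")/.." && pwd)"` states the dependency explicitly and does not lean on the option. The two notice lines are also inconsistent (`>>> NOTICE: $0:` on the removal line versus `>>> NOTICE $0:` on the install line), which makes build logs harder to grep; the same `script_root` line and the same inconsistency appear in sysext_mangle_docker-flatcar in this commit. The script is a flat file and the hunk covers its middle.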
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
index 4cb6996103..b2c055324d 100755
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
@@ -3,5 +3,15 @@
set -euo pipefail
rootfs="${1}"
+# Remove debug and contrib
+echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
+rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
+
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
+
+echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
+cp -va "${files_dir}/"* "${rootfs}"
+
mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
{ echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
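Review bot: `rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"` is the first destructive use of `rootfs`, and `rootfs="${1}"` is protected only by `set -u`, which rejects a missing first argument but not an empty one; with `$1` set to the empty string the line becomes `rm -rf /usr/lib/debug/ /usr/share/docker/contrib/` on the build host. `rm -rf -- "${rootfs:?}/usr/lib/debug/" "${rootfs:?}/usr/share/docker/contrib/"` aborts with a message instead. The `rm -f` of the two binaries in sysext_mangle_containerd-flatcar (same commit) has the same shape, though there it can only remove two files.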
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
index 73afbb6cb4..53ba386425 100755
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
@@ -30,17 +30,19 @@ create_prod_sysext() {
local base_sysext="$4"
local install_root="$5"
local name="$6"
- local grp_pkg="$7"
+ local grp_pkgs="$7"
local pkginfo="${8:-}"
local -a build_sysext_opts=()
- local msg="Installing ${grp_pkg}' in sysext ${name}.raw"
+ local -a grp_pkg
+ mapfile -t grp_pkg <<<"${grp_pkgs//&/$'\n'}"
+ local msg="Installing ${grp_pkg[*]} in sysext ${name}.raw"
# Include previous sysexts' pkginfo if supplied
if [[ -n "${pkginfo}" ]] ; then
if [[ ! -f "${output_dir}/${pkginfo}" ]] ; then
- die "Sysext build '${grp_pkg}': unable to find package info at '${output_dir}/${pkginfo}'."
+ die "Sysext build '${name}': unable to find package info at '${output_dir}/${pkginfo}'."
fi
msg="${msg} w/ package info '${pkginfo}'"
build_sysext_opts+=( "--base_pkginfo=${output_dir}/${pkginfo}" )
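Review bot: `mapfile -t grp_pkg <<<"${grp_pkgs//&/$'\n'}"` keeps empty entries, so a value such as `pkg&` or `pkg&&other` (a typo in `--base_sysexts`) yields an empty array element that the second hunk of this file then hands to `build_sysext` as an empty positional argument (`"${name}" "${grp_pkg[@]}"`), with whatever that script makes of it. A one-line guard right after the mapfile catches it where the value is parsed: `for p in "${grp_pkg[@]}"; do [[ -n "${p}" ]] || die "Sysext build '${name}': empty package entry in '${grp_pkgs}'"; done`. create_prod_sysext starts before and continues past this hunk.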
@@ -60,7 +62,7 @@ create_prod_sysext() {
--squashfs_base="${base_sysext}" \
--generate_pkginfo \
"${build_sysext_opts[@]}" \
- "${name}" "${grp_pkg}"
+ "${name}" "${grp_pkg[@]}"
sudo mv "${workdir}/sysext-build/${name}.raw" "${workdir}/sysext-build/${name}_pkginfo.raw" \
"${workdir}/sysext-build/${name}"_*.txt "${output_dir}"
diff --git a/build_sysext b/build_sysext
index bd819e281c..95bc35c569 100755
--- a/build_sysext
+++ b/build_sysext
@@ -25,6 +25,8 @@ DEFINE_string squashfs_base '' \
"The path to the squashfs base image. Defaults to the most current image built in '${default_imagedir}/${FLATCAR_PRODUCTION_IMAGE_SYSEXT_BASE}'."
DEFINE_string image_builddir '' \
"Custom directory to build the sysext in. Defaults to a 'sysext' sub-directory of the directory the squashfs base image resides in; '${default_imagedir}/sysext' by default."
+DEFINE_boolean strip_binaries "${FLAGS_FALSE}" \
+ "After installation, scan sysext root for unstripped binaries and strip these. WARNING - this can subtly break some packages, e.g. Docker (see https://github.com/moby/moby/blob/master/project/PACKAGERS.md#stripping-binaries)."
DEFINE_string manglefs_script '' \
"A path to executable that will customize the rootfs of the sysext image."
DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
@@ -231,6 +233,22 @@ info "Writing ${SYSEXTNAME}_packages.txt"
ROOT="${BUILD_DIR}/install-root" PORTAGE_CONFIGROOT="${BUILD_DIR}/install-root" \
equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
+
+if [[ "${FLAGS_strip_binaries}" = "${FLAGS_TRUE}" ]]; then
+ chost="$("portageq-${BOARD}" envvar CHOST)"
+ strip="${chost}-strip"
+
+ info "Stripping all non-stripped binaries in sysext using '${strip}'"
+
+ # Find all non-stripped binaries, remove ':' from filepath, and strip 'em
+ find "${BUILD_DIR}/install-root" -exec file \{\} \; \
+ | awk '/not stripped/ {print substr($1, 1, length($1)-1)}' \
+ | while read bin; do
+ info " ${strip} ${bin}"
+ "${strip}" "${bin}"
+ done
+fi
+
if [[ -n "${FLAGS_manglefs_script}" ]]; then
if [[ ! -x "${FLAGS_manglefs_script}" ]]; then
die "${FLAGS_manglefs_script} is not executable"
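Review bot: The strip loop at the `find … -exec file` / `awk` lines breaks on any path containing whitespace: `file` prints `path: description`, `awk` takes `$1` (the first whitespace-delimited field) and drops one character, so a file `/x/a b` becomes `/x/` and `strip` is run on a truncated path. `while read bin` without `-r` and `IFS=` additionally interprets backslashes and trims leading blanks. Walking regular files NUL-delimited and classifying each one with `file -b` avoids both (the per-file fork is the same cost `-exec … \;` already pays), and a `[[ … == *"not stripped"* ]]` match avoids a `grep -q` pipeline whose early exit could fail the test under `pipefail`. The `if` block starts and ends inside the hunk.
```shell
  info "Stripping all non-stripped binaries in sysext using '${strip}'"

  # Walk regular files NUL-delimited so whitespace in a path cannot split
  # it; classify each with `file` and strip only objects reported unstripped.
  while IFS= read -r -d '' bin; do
    if [[ "$(file -b "${bin}")" == *"not stripped"* ]]; then
      info "  ${strip} ${bin}"
      "${strip}" "${bin}"
    fi
  done < <(find "${BUILD_DIR}/install-root" -type f -print0)
```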
diff --git a/changelog/changes/2023-10-25-docker-gentoo-upstream.md b/changelog/changes/2023-10-25-docker-gentoo-upstream.md
new file mode 100644
index 0000000000..0f80ccdfd0
--- /dev/null
+++ b/changelog/changes/2023-10-25-docker-gentoo-upstream.md
@@ -0,0 +1,6 @@
+- cri-tools, runc, containerd, docker, and docker-cli are now shipped without debugging symbols and built from Gentoo upstream ebuilds. Docker was updated to Docker 24 (see "updates").
+ - **NOTE** The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the `overlay2` driver
+ ([changelog](https://docs.docker.com/engine/release-notes/23.0/#bug-fixes-and-enhancements-6), [upstream pr](https://github.com/moby/moby/pull/42661)).
+ Using the btrfs driver can still be enforced by creating a respective [docker config](https://docs.docker.com/storage/storagedriver/btrfs-driver/#configure-docker-to-use-the-btrfs-storage-driver) at `/etc/docker/daemon.json`.
+ - **NOTE** that if you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the `btrfs` storage driver for backwards-compatibility with your deployment.
+ - **Docker will remove the `btrfs` driver entirely in a future version. Please consider migrating your deployments to the `overlay2` driver.**
diff --git a/changelog/updates/2023-10-25-docker-24-critools-1.27.md b/changelog/updates/2023-10-25-docker-24-critools-1.27.md
new file mode 100644
index 0000000000..9db5a411d6
--- /dev/null
+++ b/changelog/updates/2023-10-25-docker-24-critools-1.27.md
@@ -0,0 +1,2 @@
+- docker ([24.0.6](https://docs.docker.com/engine/release-notes/24.0/), includes changes from [23.0](https://docs.docker.com/engine/release-notes/23.0/))
+- cri-tools ([1.27.0](https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.27.0))
diff --git a/ci-automation/vendor-testing/qemu_update.sh b/ci-automation/vendor-testing/qemu_update.sh
index 986685c918..4795e27871 100755
--- a/ci-automation/vendor-testing/qemu_update.sh
+++ b/ci-automation/vendor-testing/qemu_update.sh
@@ -99,6 +99,8 @@ run_kola_tests() {
image="tmp/flatcar_production_image_previous.bin"
elif [ "${instance_type}" = "first_dual" ]; then
image="tmp/flatcar_production_image_first_dual.bin"
+ # Test docker 20 -> docker 24 migration btrfs storage driver backwards compatibility
+ tests+=("cl.update.docker-btrfs-compat")
# Only run this test if the Azure dev payload exists on bincache because the fallback download needs it
if curl --head -o /dev/null -fsSL --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 "https://bincache.flatcar-linux.net/images/${CIA_ARCH}/${CIA_VERNUM}/flatcar_test_update-oem-azure.gz"; then
tests+=("cl.update.oem")
diff --git a/run_local_tests.sh b/run_local_tests.sh
index e70676a377..85670e2810 100755
--- a/run_local_tests.sh
+++ b/run_local_tests.sh
@@ -71,19 +71,27 @@ function run_local_tests() (
rm -f results.*
local mantle_container="$(cat "sdk_container/.repo/manifests/mantle-container")"
- local custom_test_list=false
+ local tests=""
+ local update_tests=false
# Generate list of all tests for qemu w/o the devcontainer tests.
# This will generate globs for top-level test modules, e.g. "cl.update.oem" will become cl.*.
# Globs are necessary because tests ignore OS min/max version specification if a test was specified with its full name.
# Using globs will prevent tests to be run which aren't meant for the OS version we're testing.
+ # NOTE that update tests get special handling because qemu_update is a separate "platform".
if [[ $# -eq 0 ]] ; then
tests="$(docker run "${mantle_container}" \
kola list --platform qemu \
| awk '!/^(devcontainer|Test)/ {if ($1 != "") print gensub(/^([^.]+).*/,"\\1",1,$1) ".*"}' | uniq)"
- set -- ${tests}
+ update_tests=true
else
- custom_test_list=true
+ tests="${@}"
+ if [[ "$tests" = *"qemu_update"* ]] ; then
+ update_tests=true
+ fi
+ if [[ "$tests" = "qemu_update" ]] ; then
+ tests=""
+ fi
fi
source ci-automation/test.sh || exit 1
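Review bot: `tests="${@}"` flattens the argument list into one space-separated string, and the second hunk of this file then passes it as a single word, `test_run "${arch}" qemu_uefi "${tests}"`, where the removed `set -- ${tests}` / `"${@}"` delivered one word per test; whether test_run re-splits that word is not visible here. The `qemu_update` handling is also exact-match only: `qemu_update cl.locksmith` sets `update_tests` but leaves the literal `qemu_update` in the list handed to the qemu_uefi run. Keeping `tests` as an array and filtering `qemu_update` out while iterating `"$@"` fixes both; the call site in the second hunk then becomes `if (( ${#tests[@]} )); then … test_run "${arch}" qemu_uefi "${tests[@]}"; fi`. run_local_tests starts before and continues past this hunk.
```shell
  local -a tests=()
  local update_tests=false
  # … unchanged: comments on glob generation …
  if [[ $# -eq 0 ]] ; then
    mapfile -t tests < <(docker run "${mantle_container}" \
      kola list --platform qemu \
      | awk '!/^(devcontainer|Test)/ {if ($1 != "") print gensub(/^([^.]+).*/,"\\1",1,$1) ".*"}' | uniq)
    update_tests=true
  else
    local t
    for t in "$@"; do
      if [[ "${t}" = "qemu_update" ]] ; then
        update_tests=true
      else
        tests+=("${t}")
      fi
    done
  fi
```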
@@ -93,8 +101,15 @@ function run_local_tests() (
echo "Using Mantle docker image '${mantle_container}'"
rm -f results.sqlite
- test_run "${arch}" qemu_uefi "${@}"
- if [[ "${custom_test_list}" = "false" ]] ; then
+ if [[ -n "${tests}" ]] ; then
+ echo "================================="
+ echo "Running qemu_uefi tests"
+ test_run "${arch}" qemu_uefi "${tests}"
+ fi
+
+ if ${update_tests} ; then
+ echo "================================="
+ echo "Running qemu_update tests"
test_run "${arch}" qemu_update
fi
diff --git a/sdk_container/.repo/manifests/mantle-container b/sdk_container/.repo/manifests/mantle-container
index c4d2c67fb1..3e02248b40 100644
--- a/sdk_container/.repo/manifests/mantle-container
+++ b/sdk_container/.repo/manifests/mantle-container
@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-9eef5e9f00c307469b1cd7e6ad276075fc8b6695
+ghcr.io/flatcar/mantle:git-99dccdb94e34d02566d4bf155a89763c7dd74e4f
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
index ad19489093..96a5233078 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
@@ -1 +1,4 @@
+DIST containerd-1.7.1.tar.gz 9682254 BLAKE2B f168070caf2b76f0be350a98f41bfdbfe6d78344d68821fb92a29f839a6e847d795e5b79436e36f985aa88028ff1c3f44f134cf6bd502ddac22453a457bd952b SHA512 e9b00ba8f4dd1b5b1088060d3822f684611d43b367ddfeb1bee1660140af85f31e9c9bfc600a67e8fc8645a625dc4e1919d9af7291bdeaa607bff7065a4fc945
+DIST containerd-1.7.2.tar.gz 9688701 BLAKE2B d31cd0e96bb2675390cc63d06114e37d532b7c666b3ffc5b0087dfcef8de23559471f08bf8a52b164c5f645faf1b8102ab2ccdd8ec417a1c74336097f0c3a899 SHA512 c0d4c02991b7e9fc341c4ef3df2d93097f5854a51b99596ed95436a79f7a586820bb8bb7c17fc43b5f38d97ea942e59490fbbf6c9710391ef9caae3d34627bc5
+DIST containerd-1.7.6.tar.gz 9714550 BLAKE2B 863df1a8ab0f0fe6ec62893ed64824763c1b5230fe830fa268820ce0d6254c79e1ac62ab1261a74785b86b01dff83ea9109a899857fa47a48f2cf2eaf298fea8 SHA512 8b7e13c6ea544754ba7d53092d143f3fd2224b9bc874a33d8a00b781e719927f1b22ad5cd1e35b7b95e4890e630f4b92308549a970587ccdf9dbb8eb470e2703
DIST containerd-1.7.7.tar.gz 9910424 BLAKE2B 623315962233fe3ce965c17c37c950dc1ded8b381012ed50d2bee8b1cea134bc9ef5a1cf5599b6bcd121cabe204fe61015526226131954364a976ebb08d8c353 SHA512 a44e901b017522639963bb415f666599af04335d8ccbd28899712606a4692c1601e95eaa2f1db32a3c077ad2c3f332f37393154ad6c2660646b7e8365a6ab720
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.1-r1.ebuild
new file mode 100644
index 0000000000..cc7ea05162
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.1-r1.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=2806fc1057397dbaeefbea0e4e17bddfbd388f38
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.7[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.2.ebuild
new file mode 100644
index 0000000000..498fb8d90a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.2.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=0cae528dd6cb557f7201036e9f43420650207b58
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.7[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.6.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.6.ebuild
new file mode 100644
index 0000000000..8ce5ddd813
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.6.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.9[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild
deleted file mode 120000
index c5606b90ce..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-containerd-9999.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild
new file mode 100644
index 0000000000..8ce5ddd813
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.9[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
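Review bot: `rm "${D}"/bin/gen-manpages` on the first line of src_install points into the install image, which is empty when src_install begins, so as far as I can tell that rm can only fail; with no `|| die` the failure is silently ignored and, if the build left a `bin/gen-manpages` in the source tree, `dobin bin/*` on the next line installs it into /usr/bin anyway. If the intent is to keep that helper out of the image, `rm -f bin/gen-manpages || die` makes the outcome explicit (or drop the line if the 1.7 Makefile no longer produces the binary — please confirm); the preceding ebuild hunk in this diff carries the identical src_install and has the same issue. In src_compile, `myemakeargs=(` is assigned without `local`, unlike `options` a few lines above, so it leaks into the ebuild's global scope; `local myemakeargs=(` keeps the two consistent. The comment saying GOFLAGS must be specified explicitly for `go run` is not backed by anything in this hunk — nothing here sets GOFLAGS, presumably the inherited go-module eclass does — so it should name where GOFLAGS comes from or be removed.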
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild
deleted file mode 100644
index 0cd73e67f5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-GITHUB_URI="github.com/containerd/containerd"
-COREOS_GO_PACKAGE="${GITHUB_URI}"
-COREOS_GO_VERSION="go1.19"
-
-if [[ ${PV} == *9999 ]]; then
- EGIT_REPO_URI="https://${GITHUB_URI}.git"
- inherit git-r3
-else
- MY_PV="${PV/_rc/-rc.}"
- EGIT_COMMIT="v${MY_PV}"
- CONTAINERD_COMMIT="c676287c3e99d785927d9775eb4bcf9facdd4159"
- SRC_URI="https://${GITHUB_URI}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz"
- KEYWORDS="amd64 arm64"
- inherit vcs-snapshot
-fi
-
-inherit coreos-go systemd
-
-DESCRIPTION="A daemon to control runC"
-HOMEPAGE="https://containerd.tools"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-IUSE="+btrfs hardened"
-
-DEPEND="btrfs? ( sys-fs/btrfs-progs )"
-RDEPEND="~app-containers/runc-1.1.9
- sys-libs/libseccomp"
-
-S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
-
-RESTRICT="test"
-
-src_unpack() {
- mkdir -p "${S}"
- tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
-}
-
-src_prepare() {
- coreos-go_src_prepare
- if [[ ${PV} != *9999* ]]; then
- sed -i -e "s/git describe --match.*$/echo ${PV})/"\
- -e "s/git rev-parse HEAD.*$/echo $CONTAINERD_COMMIT)/"\
- -e "s/-s -w//" \
- Makefile || die
- fi
-}
-
-src_compile() {
- local options=( $(usex btrfs "" "no_btrfs") )
- export GOPATH="${WORKDIR}/${P}" # ${PWD}/vendor
- export GO111MODULE=on
- export GOFLAGS="-v -x -mod=vendor"
- LDFLAGS=$(usex hardened '-extldflags -fno-PIC' '') emake BUILDTAGS="${options[*]}"
-}
-
-src_install() {
- dobin bin/containerd{-shim,-shim-runc-v*,} bin/ctr
- systemd_newunit "${FILESDIR}/${PN}-1.0.0.service" "${PN}.service"
- systemd_enable_service multi-user.target "${PN}.service"
- insinto /usr/share/containerd
- doins "${FILESDIR}/config.toml"
- doins "${FILESDIR}/config-cgroupfs.toml"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.confd b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.confd
new file mode 100644
index 0000000000..22ef83205e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.confd
@@ -0,0 +1,3 @@
+# This is the delay to be used in the start_post function to wait for
+# the socket to be active.
+#containerd_socket_delay=5
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.initd b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.initd
new file mode 100644
index 0000000000..143305c033
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.initd
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Containerd container runtime"
+command="/usr/bin/containerd"
+command_args="${command_args:-}"
+command_background="true"
+pidfile="${pidfile:-/run/${RC_SVCNAME}.pid}"
+start_stop_daemon_args="--stderr /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log --stdout /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log"
+
+start_pre() {
+ checkpath -m 0750 -d "/var/log/${RC_SVCNAME}"
+
+ ulimit -n 1048576
+
+ # Having non-zero limits causes performance problems due to accounting overhead
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+ ulimit -u unlimited
+
+ return 0
+}
+
+start_post() {
+ ewaitfile ${containerd_socket_delay:-5} /run/containerd/containerd.sock
+}
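Review bot: start_pre ends with an unconditional `return 0`, so a failing `checkpath -m 0750 -d "/var/log/${RC_SVCNAME}"` (for example when that path already exists as something other than a directory) is ignored and the service goes on to start with `--stdout`/`--stderr` pointing at a log file that cannot be opened; `checkpath -m 0750 -d "/var/log/${RC_SVCNAME}" || return 1` fails the start with a clear reason instead. The `ulimit -n 1048576` and `ulimit -u unlimited` calls are likewise unchecked, and a rejected ulimit here just means the daemon silently inherits the caller's limits, which is probably worth an `ewarn`. In start_post, `${containerd_socket_delay:-5}` is expanded unquoted; it is read from the confd file, so a value containing whitespace would split into extra ewaitfile arguments — `ewaitfile "${containerd_socket_delay:-5}" /run/containerd/containerd.sock` costs nothing.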
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
deleted file mode 100644
index 4a71b0736b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=containerd container runtime
-Documentation=https://containerd.io
-After=network.target local-fs.target
-
-[Service]
-ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/bin/containerd --listen unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim /usr/bin/containerd-shim --state-dir /var/run/docker/libcontainerd/containerd --start-timeout 2m
-
-Type=notify
-Delegate=yes
-KillMode=process
-Restart=always
-RestartSec=5
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNPROC=infinity
-LimitCORE=infinity
-LimitNOFILE=infinity
-TasksMax=infinity
-OOMScoreAdjust=-999
-
-[Install]
-WantedBy=multi-user.target early-docker.target
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml
index 7cc4630534..5d63e8606e 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml
@@ -1,5 +1,5 @@
-
+
Containerd is a daemon with an API and a command line client, to manage
@@ -8,22 +8,21 @@
and user namespace support as well as checkpoint and restore for cloning
and live migration of containers.
-
- admwiggin@gmail.com
- Tianon
-
-
- mrueg@gentoo.org
- Manuel RĂ¼ger
-
williamh@gentoo.org
William Hubbs
+
+ gyakovlev@gentoo.org
+ Georgy Yakovlev
+
- docker/containerd
+ containerd/containerd
+ cpe:/a:linuxfoundation:containerd
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest
deleted file mode 100644
index 519a794127..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST cri-tools-1.24.2.tar.gz 5968560 BLAKE2B 8dce8d16d5218aa73705b4a49b31391eaa25b21deb97f3dfe553f43d7371adf58206d9198f3e22e1c9cbcb7f41b832b0600b324d7c0f943ef313dc89900da46d SHA512 9b5907b37bb5f00295eff4fa4207ae55d930feae7e0f48fa130c7ecc936bcd259a11d59ed240684a3e12c8bcee40f2c67d7f4af52c2a76df3d7bf82e5e388a75
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild
deleted file mode 100644
index ec5b2f855c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2021-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-# Flatcar: remove bash-completion, inherit coreos-go
-inherit go-module coreos-go
-
-COREOS_GO_VERSION="go1.19"
-COREOS_GO_PACKAGE="github.com/kubernetes-sigs/cri-tools"
-COREOS_GO_MOD="vendor"
-
-MY_PV="v${PV/_beta/-beta.}"
-
-EGO_PN="${COREOS_GO_PACKAGE}"
-DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
-HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
-SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
-SLOT="0"
-# Flatcar: keyword arm64
-KEYWORDS="amd64 arm64"
-
-S=${WORKDIR}/cri-tools-${PV}
-
-RESTRICT+=" test"
-
-src_compile() {
- # Flatcar: make use of the existing helpers provided by `coreos-go.eclass`.
- # To optimize the binary size of crictl, add "-X" to GO_LDFLAGS,
- # like "-X $(PROJECT)/pkg/version.Version=$(VERSION)" in the original
- # Makefile of cri-tools. We cannot follow way of Gentoo ebuilds like `emake`,
- # because Makefile of cri-tools does not allow users to pass in ${GOARCH}.
- # Remove shell completions.
- GO_LDFLAGS="-s -w -extldflags=-Wl,-z,now,-z,relro,-z,defs "
- GO_LDFLAGS+="-X ${COREOS_GO_PACKAGE}/pkg/version.Version=${PV} "
- go_build "${COREOS_GO_PACKAGE}/cmd/crictl"
-}
-
-src_install() {
- # Flatcar: install only crictl binary, remove shell completions.
- dobin "${GOBIN}/crictl"
-
- dodoc -r docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest
deleted file mode 100644
index 934f8dcbab..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST docker-cli-20.10.24.tar.gz 7589761 BLAKE2B 353298fba483dc9ce2797397398bb99f9194302e09f943614b5101f24d7a6b404c5e8a1890acf76450e85d295e623f18fb21ab55a3faabfd04596ca520f740c5 SHA512 5996c24070986e18c0530d0db1a9b4a2c0188c1d22b4c0d99161b2f69bb9cecd4221b628afc0db3078d17918a6e312c6b6ca63f889e634006d4e04c677257a27
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch
deleted file mode 100644
index d35abf1783..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 5d4e44df90bb913f30a1f0215f9715cb60e17d75 Mon Sep 17 00:00:00 2001
-Message-Id: <5d4e44df90bb913f30a1f0215f9715cb60e17d75.1689769748.git.dpark@linux.microsoft.com>
-From: Sebastiaan van Stijn
-Date: Mon, 17 Jul 2023 16:48:27 +0200
-Subject: [PATCH] [20.10] vendor: docker v20.10.25-45-g0d4b9ed98b
- (v20.10.26-dev)
-
-full diff: https://github.com/docker/docker/compare/v20.10.25...0d4b9ed98be2aecf27e8dd014bef7bad0be15457
-
-Signed-off-by: Sebastiaan van Stijn
----
- .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++++
- .../github.com/docker/docker/client/hijack.go | 6 +++-
- .../docker/docker/client/request.go | 14 ++++-----
- vendor/github.com/docker/docker/vendor.conf | 2 +-
- 5 files changed, 43 insertions(+), 11 deletions(-)
-
-diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
-index 0d3614d5..d0ce09ae 100644
---- a/vendor/github.com/docker/docker/client/client.go
-+++ b/vendor/github.com/docker/docker/client/client.go
-@@ -56,6 +56,36 @@ import (
- "github.com/pkg/errors"
- )
-
-+// DummyHost is a hostname used for local communication.
-+//
-+// It acts as a valid formatted hostname for local connections (such as "unix://"
-+// or "npipe://") which do not require a hostname. It should never be resolved,
-+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
-+// and [RFC 6761, Section 6.3]).
-+//
-+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
-+// cases:
-+//
-+// If the authority component is missing or undefined for the target URI,
-+// then a client MUST send a Host header field with an empty field-value.
-+//
-+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
-+// allow an empty header to be used, and requires req.URL.Scheme to be either
-+// "http" or "https".
-+//
-+// For further details, refer to:
-+//
-+// - https://github.com/docker/engine-api/issues/189
-+// - https://github.com/golang/go/issues/13624
-+// - https://github.com/golang/go/issues/61076
-+// - https://github.com/moby/moby/issues/45935
-+//
-+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
-+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
-+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
-+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
-+const DummyHost = "api.moby.localhost"
-+
- // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
- var ErrRedirect = errors.New("unexpected redirect in response")
-
-diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
-index e1dc49ef..b8fac0be 100644
---- a/vendor/github.com/docker/docker/client/hijack.go
-+++ b/vendor/github.com/docker/docker/client/hijack.go
-@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
- }
-
- func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
-- req.Host = cli.addr
-+ req.URL.Host = cli.addr
-+ if cli.proto == "unix" || cli.proto == "npipe" {
-+ // Override host header for non-tcp connections.
-+ req.Host = DummyHost
-+ }
- req.Header.Set("Connection", "Upgrade")
- req.Header.Set("Upgrade", proto)
-
-diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
-index d3d9a3fe..66530d4b 100644
---- a/vendor/github.com/docker/docker/client/request.go
-+++ b/vendor/github.com/docker/docker/client/request.go
-@@ -88,15 +88,13 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
- return nil, err
- }
- req = cli.addHeaders(req, headers)
--
-- if cli.proto == "unix" || cli.proto == "npipe" {
-- // For local communications, it doesn't matter what the host is. We just
-- // need a valid and meaningful host name. (See #189)
-- req.Host = "docker"
-- }
--
-- req.URL.Host = cli.addr
- req.URL.Scheme = cli.scheme
-+ req.URL.Host = cli.addr
-+
-+ if cli.proto == "unix" || cli.proto == "npipe" {
-+ // Override host header for non-tcp connections.
-+ req.Host = DummyHost
-+ }
-
- if expectedPayload && req.Header.Get("Content-Type") == "" {
- req.Header.Set("Content-Type", "text/plain")
---
-2.34.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest
deleted file mode 100644
index 9f7524a118..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST docker-20.10.24.tar.gz 11235129 BLAKE2B abeae0ff9e2d03bd7c901a9e3c1f5a3ccf84afefb034ce032f4e559349ea01ab69ebe120d6c0992885aafa153a784a8c253ed3f7345b921860b758da8e0474ef SHA512 2e82d8048fbf53e3d8ac87eb155d2e321378ca9c9ee038d13bb1b510db31df0f9951db51df81bad28a64c25285e21f8e541b4ce58a68af81fa66d5c07dd3f4d3
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild
deleted file mode 100644
index fd5dc6e762..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild
+++ /dev/null
@@ -1,332 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-EGO_PN=github.com/docker/docker
-MY_PV=${PV/_/-}
-GIT_COMMIT=d6cbf44b8c
-inherit linux-info systemd udev golang-vcs-snapshot
-
-COREOS_GO_VERSION="go1.19"
-COREOS_GO_GO111MODULE="off"
-
-inherit coreos-go-depend
-
-DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
-HOMEPAGE="https://www.docker.com/"
-SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
-# Flatcar: default enable required USE flags
-IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened
-+overlay +seccomp selinux"
-
-DEPEND="
- acct-group/docker
- >=dev-db/sqlite-3.7.9:3
- apparmor? ( sys-libs/libapparmor )
- btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
- device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
- seccomp? ( >=sys-libs/libseccomp-2.2.1 )
-"
-
-# Flatcar:
-# For CoreOS builds coreos-kernel must be installed because this ebuild
-# checks the kernel config. The kernel config is left by the kernel compile
-# or an explicit copy when installing binary packages. See coreos-kernel.eclass
-DEPEND+="
- sys-kernel/coreos-kernel
-"
-
-# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
-# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
-# https://github.com/moby/moby/tree/master//hack/dockerfile/install
-# make sure docker-proxy is pinned to exact version from ^,
-# for appropriate branchch/version of course
-# Flatcar:
-# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags
-RDEPEND="
- ${DEPEND}
- >=net-firewall/iptables-1.4
- sys-process/procps
- >=dev-vcs/git-1.7
- >=app-arch/xz-utils-4.9
- dev-libs/libltdl
- >=app-containers/containerd-1.6.16[btrfs?]
- ~app-containers/docker-proxy-0.8.0_p20230118
- cli? ( ~app-containers/docker-cli-${PV} )
- container-init? ( >=sys-process/tini-0.19.0[static] )
- selinux? ( sec-policy/selinux-docker )
-"
-
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
-# Flatcar: drop go-md2man
-BDEPEND="
- >=dev-lang/go-1.16.12
- virtual/pkgconfig
-"
-# tests require running dockerd as root and downloading containers
-RESTRICT="installsources strip test"
-
-S="${WORKDIR}/${P}/src/${EGO_PN}"
-
-# Flatcar: Dropped outdated bug links, dropped openrc init script patch,
-# backport upstream patches for fixing invalid headers issue when building
-# with Go 1.19.11+.
-PATCHES=(
- "${FILESDIR}/ppc64-buildmode.patch"
- "${FILESDIR}/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch"
- "${FILESDIR}/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch"
-)
-
-# see "contrib/check-config.sh" from upstream's sources
-CONFIG_CHECK="
- ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
- ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
- ~CGROUP_NET_PRIO
- ~KEYS
- ~VETH ~BRIDGE ~BRIDGE_NETFILTER
- ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MARK
- ~NETFILTER_NETLINK ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK ~NETFILTER_XT_MATCH_IPVS
- ~IP_NF_NAT ~NF_NAT
- ~POSIX_MQUEUE
-
- ~USER_NS
- ~SECCOMP
- ~CGROUP_PIDS
-
- ~BLK_CGROUP ~BLK_DEV_THROTTLING
- ~CGROUP_PERF
- ~CGROUP_HUGETLB
- ~NET_CLS_CGROUP
- ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
- ~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR
-
- ~VXLAN
- ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH ~XFRM_ALGO ~XFRM_USER
- ~IPVLAN
- ~MACVLAN ~DUMMY
-
- ~OVERLAY_FS ~!OVERLAY_FS_REDIRECT_DIR
- ~EXT4_FS_SECURITY
- ~EXT4_FS_POSIX_ACL
-"
-
-ERROR_KEYS="CONFIG_KEYS: is mandatory"
-ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers"
-ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering"
-
-ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering"
-ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering"
-ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering"
-ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering"
-ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks"
-ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks"
-
-pkg_setup() {
-
- if kernel_is lt 4 5; then
- CONFIG_CHECK+="
- ~MEMCG_KMEM
- "
- ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional"
- fi
-
- if kernel_is lt 4 7; then
- CONFIG_CHECK+="
- ~DEVPTS_MULTIPLE_INSTANCES
- "
- fi
-
- if kernel_is lt 5 1; then
- CONFIG_CHECK+="
- ~NF_NAT_IPV4
- ~IOSCHED_CFQ
- ~CFQ_GROUP_IOSCHED
- "
- fi
-
- if kernel_is lt 5 2; then
- CONFIG_CHECK+="
- ~NF_NAT_NEEDED
- "
- fi
-
- if kernel_is lt 5 8; then
- CONFIG_CHECK+="
- ~MEMCG_SWAP_ENABLED
- "
- fi
-
- if kernel_is lt 6 1; then
- CONFIG_CHECK+="
- ~MEMCG_SWAP
- "
- fi
-
- if use aufs; then
- CONFIG_CHECK+="
- ~AUFS_FS
- ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
- "
- ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs is patched to kernel instead of using standalone"
- fi
-
- if use btrfs; then
- CONFIG_CHECK+="
- ~BTRFS_FS
- ~BTRFS_FS_POSIX_ACL
- "
- fi
-
- if use device-mapper; then
- CONFIG_CHECK+="
- ~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
- "
- fi
-
- linux-info_pkg_setup
-}
-
-src_compile() {
- # Flatcar: for cross-compilation
- go_export
- export DOCKER_GITCOMMIT="${GIT_COMMIT}"
- export GOPATH="${WORKDIR}/${P}"
- export VERSION=${PV}
-
- # setup CFLAGS and LDFLAGS for separate build target
- # see https://github.com/tianon/docker-overlay/pull/10
- # Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath
- export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include"
- export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ESYSROOT}/usr/$(get_libdir)"
-
- # let's set up some optional features :)
- export DOCKER_BUILDTAGS=''
- for gd in aufs btrfs device-mapper overlay; do
- if ! use $gd; then
- DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
- fi
- done
-
- for tag in apparmor seccomp; do
- if use $tag; then
- DOCKER_BUILDTAGS+=" $tag"
- fi
- done
- # Flatcar: Add journald to build tags.
- DOCKER_BUILDTAGS+=' journald'
-
- # Flatcar:
- # inject LDFLAGS for torcx
- if use hardened; then
- sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
- grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
- sed "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
- -i hack/make/dynbinary-daemon || die
- grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
- fi
-
- # build daemon
- ./hack/make.sh dynbinary || die 'dynbinary failed'
-}
-
-src_install() {
- dosym containerd /usr/bin/docker-containerd
- dosym containerd-shim /usr/bin/docker-containerd-shim
- dosym runc /usr/bin/docker-runc
- use container-init && dosym tini /usr/bin/docker-init
- newbin bundles/dynbinary-daemon/dockerd dockerd
-
- newinitd contrib/init/openrc/docker.initd docker
- newconfd contrib/init/openrc/docker.confd docker
-
- # Flatcar:
- # install our systemd units/network config and our wrapper into
- # /usr/lib/flatcar/docker for backwards compatibility instead of
- # the units from contrib/init/systemd directory.
- #
- # systemd_dounit contrib/init/systemd/docker.{service,socket}
- exeinto /usr/lib/flatcar
- doexe "${FILESDIR}/dockerd"
-
- systemd_dounit "${FILESDIR}/docker.service"
- systemd_dounit "${FILESDIR}/docker.socket"
-
- insinto /usr/lib/systemd/network
- doins "${FILESDIR}/50-docker.network"
- doins "${FILESDIR}/90-docker-veth.network"
-
- udev_dorules contrib/udev/*.rules
-
- dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
- dodoc -r docs/*
-
- # Flatcar:
- # don't install contrib bits
- # # note: intentionally not using "doins" so that we preserve +x bits
- # dodir /usr/share/${PN}/contrib
- # cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
-}
-
-pkg_postinst() {
- udev_reload
-
- elog
- elog "To use Docker, the Docker daemon must be running as root. To automatically"
- elog "start the Docker daemon at boot:"
- if systemd_is_booted || has_version sys-apps/systemd; then
- elog " systemctl enable docker.service"
- else
- elog " rc-update add docker default"
- fi
- elog
- elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
- elog ' usermod -aG docker '
- elog
-
- if use device-mapper; then
- elog " Devicemapper storage driver has been deprecated"
- elog " It will be removed in a future release"
- elog
- fi
-
- if use overlay; then
- elog " Overlay storage driver/USEflag has been deprecated"
- elog " in favor of overlay2 (enabled unconditionally)"
- elog
- fi
-
- if has_version sys-fs/zfs; then
- elog " ZFS storage driver is available"
- elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
- elog
- fi
-
- if use cli; then
- ewarn "Starting with docker 20.10.2, docker has been split into"
- ewarn "two packages upstream, so Gentoo has followed suit."
- ewarn
- ewarn "app-containers/docker contains the daemon and"
- ewarn "app-containers/docker-cli contains the docker command."
- ewarn
- ewarn "docker currently installs docker-cli using the cli use flag."
- ewarn
- ewarn "This use flag is temporary, so you need to take the"
- ewarn "following actions:"
- ewarn
- ewarn "First, disable the cli use flag for app-containers/docker"
- ewarn
- ewarn "Then, if you need docker-cli and docker on the same machine,"
- ewarn "run the following command:"
- ewarn
- ewarn "# emerge --noreplace docker-cli"
- ewarn
- fi
-}
-
-pkg_postrm() {
- udev_reload
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
deleted file mode 100644
index 2009922b4d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
+++ /dev/null
@@ -1,161 +0,0 @@
-From 74b4974cb7e7e81e57661f93b03c94a95a15472e Mon Sep 17 00:00:00 2001
-Message-Id: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
-From: Sebastiaan van Stijn
-Date: Wed, 12 Jul 2023 14:15:38 +0200
-Subject: [PATCH 1/2] client: define a "dummy" hostname to use for local
- connections
-
-For local communications (npipe://, unix://), the hostname is not used,
-but we need valid and meaningful hostname.
-
-The current code used the client's `addr` as hostname in some cases, which
-could contain the path for the unix-socket (`/var/run/docker.sock`), which
-gets rejected by go1.20.6 and go1.19.11 because of a security fix for
-[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
-
-Prior versions go Go would clean the host header, and strip slashes in the
-process, but go1.20.6 and go1.19.11 no longer do, and reject the host
-header.
-
-This patch introduces a `DummyHost` const, and uses this dummy host for
-cases where we don't need an actual hostname.
-
-Before this patch (using go1.20.6):
-
- make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
- === RUN TestAttachWithTTY
- attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
- --- FAIL: TestAttachWithTTY (0.11s)
- === RUN TestAttachWithoutTTy
- attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
- --- FAIL: TestAttachWithoutTTy (0.02s)
- FAIL
-
-With this patch applied:
-
- make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
- INFO: Testing against a local daemon
- === RUN TestAttachWithTTY
- --- PASS: TestAttachWithTTY (0.12s)
- === RUN TestAttachWithoutTTy
- --- PASS: TestAttachWithoutTTy (0.02s)
- PASS
-
-[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
-
-Signed-off-by: Sebastiaan van Stijn
-(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
-Signed-off-by: Sebastiaan van Stijn
----
- client/client.go | 30 ++++++++++++++++++++++++++++++
- client/hijack.go | 6 +++++-
- client/request.go | 14 ++++++--------
- client/request_test.go | 4 ++--
- 4 files changed, 43 insertions(+), 11 deletions(-)
-
-diff --git a/client/client.go b/client/client.go
-index 0d3614d5..d0ce09ae 100644
---- a/client/client.go
-+++ b/client/client.go
-@@ -56,6 +56,36 @@ import (
- "github.com/pkg/errors"
- )
-
-+// DummyHost is a hostname used for local communication.
-+//
-+// It acts as a valid formatted hostname for local connections (such as "unix://"
-+// or "npipe://") which do not require a hostname. It should never be resolved,
-+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
-+// and [RFC 6761, Section 6.3]).
-+//
-+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
-+// cases:
-+//
-+// If the authority component is missing or undefined for the target URI,
-+// then a client MUST send a Host header field with an empty field-value.
-+//
-+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
-+// allow an empty header to be used, and requires req.URL.Scheme to be either
-+// "http" or "https".
-+//
-+// For further details, refer to:
-+//
-+// - https://github.com/docker/engine-api/issues/189
-+// - https://github.com/golang/go/issues/13624
-+// - https://github.com/golang/go/issues/61076
-+// - https://github.com/moby/moby/issues/45935
-+//
-+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
-+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
-+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
-+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
-+const DummyHost = "api.moby.localhost"
-+
- // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
- var ErrRedirect = errors.New("unexpected redirect in response")
-
-diff --git a/client/hijack.go b/client/hijack.go
-index e1dc49ef..b8fac0be 100644
---- a/client/hijack.go
-+++ b/client/hijack.go
-@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
- }
-
- func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
-- req.Host = cli.addr
-+ req.URL.Host = cli.addr
-+ if cli.proto == "unix" || cli.proto == "npipe" {
-+ // Override host header for non-tcp connections.
-+ req.Host = DummyHost
-+ }
- req.Header.Set("Connection", "Upgrade")
- req.Header.Set("Upgrade", proto)
-
-diff --git a/client/request.go b/client/request.go
-index d3d9a3fe..66530d4b 100644
---- a/client/request.go
-+++ b/client/request.go
-@@ -88,15 +88,13 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
- return nil, err
- }
- req = cli.addHeaders(req, headers)
--
-- if cli.proto == "unix" || cli.proto == "npipe" {
-- // For local communications, it doesn't matter what the host is. We just
-- // need a valid and meaningful host name. (See #189)
-- req.Host = "docker"
-- }
--
-- req.URL.Host = cli.addr
- req.URL.Scheme = cli.scheme
-+ req.URL.Host = cli.addr
-+
-+ if cli.proto == "unix" || cli.proto == "npipe" {
-+ // Override host header for non-tcp connections.
-+ req.Host = DummyHost
-+ }
-
- if expectedPayload && req.Header.Get("Content-Type") == "" {
- req.Header.Set("Content-Type", "text/plain")
-diff --git a/client/request_test.go b/client/request_test.go
-index a3be507b..c1a10923 100644
---- a/client/request_test.go
-+++ b/client/request_test.go
-@@ -27,12 +27,12 @@ func TestSetHostHeader(t *testing.T) {
- }{
- {
- "unix:///var/run/docker.sock",
-- "docker",
-+ DummyHost,
- "/var/run/docker.sock",
- },
- {
- "npipe:////./pipe/docker_engine",
-- "docker",
-+ DummyHost,
- "//./pipe/docker_engine",
- },
- {
---
-2.34.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
deleted file mode 100644
index da7e0dbc11..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 1603196c5bc3e3b826c841e599bc45fc33562633 Mon Sep 17 00:00:00 2001
-Message-Id: <1603196c5bc3e3b826c841e599bc45fc33562633.1689689028.git.dpark@linux.microsoft.com>
-In-Reply-To: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
-References: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
-From: Sebastiaan van Stijn
-Date: Wed, 12 Jul 2023 15:07:59 +0200
-Subject: [PATCH 2/2] pkg/plugins: use a dummy hostname for local connections
-
-For local communications (npipe://, unix://), the hostname is not used,
-but we need valid and meaningful hostname.
-
-The current code used the socket path as hostname, which gets rejected by
-go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
-which was implemented in https://go.dev/issue/60374.
-
-Prior versions go Go would clean the host header, and strip slashes in the
-process, but go1.20.6 and go1.19.11 no longer do, and reject the host
-header.
-
-Before this patch, tests would fail on go1.20.6:
-
- === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
- time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
- time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
- time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
- time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
- authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
-
-[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
-
-Signed-off-by: Sebastiaan van Stijn
-(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
-Signed-off-by: Sebastiaan van Stijn
----
- pkg/plugins/client.go | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
-index 752fecd0..e683eb77 100644
---- a/pkg/plugins/client.go
-+++ b/pkg/plugins/client.go
-@@ -18,6 +18,12 @@ import (
-
- const (
- defaultTimeOut = 30
-+
-+ // dummyHost is a hostname used for local communication.
-+ //
-+ // For local communications (npipe://, unix://), the hostname is not used,
-+ // but we need valid and meaningful hostname.
-+ dummyHost = "plugin.moby.localhost"
- )
-
- func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
-@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
- return nil, err
- }
- scheme := httpScheme(u)
--
-- return transport.NewHTTPTransport(tr, scheme, socket), nil
-+ hostName := u.Host
-+ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
-+ // Override host header for non-tcp connections.
-+ hostName = dummyHost
-+ }
-+ return transport.NewHTTPTransport(tr, scheme, hostName), nil
- }
-
- // NewClient creates a new plugin client (http).
---
-2.34.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch
deleted file mode 100644
index 2d677a71ab..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c4135e37e54a6480abfe18746f227f05cb9269ab Mon Sep 17 00:00:00 2001
-From: Georgy Yakovlev
-Date: Thu, 10 Jun 2021 16:19:22 -0700
-Subject: [PATCH] don't use buildmode=pie on ppc64
-
-It's already omitted for ppc64 in
-hack/dockerfile/install/install.sh
-not using wildcard, because GOARCH=ppc64le supports pie
-
-Signed-off-by: Georgy Yakovlev
----
- hack/make/.binary | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hack/make/.binary b/hack/make/.binary
-index 5ea3e373f2..7a911de15a 100644
---- a/hack/make/.binary
-+++ b/hack/make/.binary
-@@ -70,7 +70,7 @@ hash_files() {
- if [[ " $BUILDFLAGS " != *" -race "* ]]; then
- # -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
- case "$(go env GOOS)/$(go env GOARCH)" in
-- windows/* | linux/mips* | linux/riscv*) ;;
-+ windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
-
- *)
- BUILDFLAGS+=("-buildmode=pie")
---
-2.32.0
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest
deleted file mode 100644
index 83bd124b39..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST runc-1.1.9.tar.gz 2514790 BLAKE2B dec0766c96fb2d264ee8d693adafd2b1f94a2f30329b41f966441f1632ceda83835f4aa8ad46966a04d890cb4c5107f6880ad911ed2b879d2c72565ba5d513e6 SHA512 722ed7d58eccfb37357d85e69b2a8f7fa23ed3553e3b6541e9f26946896dc0c2955e5e4708ee77765ad2d3e4dd9c9722fbcefce1f2a96111240edd445cf902ba
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
deleted file mode 100644
index d9b38e9a88..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
-From: Mrunal Patel
-Date: Thu, 2 Feb 2017 11:23:26 -0800
-Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
-
-We ensure that mqueue is owned by user namespace root
-by unsharing CLONE_NEWIPC after we become user namespace
-root. This allows us to apply the container SELinux label
-to mqueue.
-
-Signed-off-by: Mrunal Patel
-(dpark: Adjust the logic according to the new code of v1.1.5)
-Signed-off-by: Dongsu Park
----
- libcontainer/nsenter/nsexec.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 2d224bab..4865261f 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -1241,7 +1241,12 @@ void nsexec(void)
- * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
- * was broken, so we'll just do it the long way anyway.
- */
-- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
-+ uint32_t apply_cloneflags = config.cloneflags;
-+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
-+ apply_cloneflags &= ~CLONE_NEWIPC;
-+ }
-+
-+ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
-
- /* Ask our parent to send the mount sources fds. */
- if (config.mountsources) {
-@@ -1362,6 +1367,10 @@ void nsexec(void)
- try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
- }
-
-+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
-+ try_unshare(CLONE_NEWIPC, "ipc namespace");
-+ }
-+
- write_log(DEBUG, "signal completion to stage-0");
- s = SYNC_CHILD_FINISH;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
deleted file mode 100644
index 92b024eb4e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
+++ /dev/null
@@ -1,334 +0,0 @@
-From 2d069bb79260e594870ce3e7466477e54a0c5307 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai
-Date: Wed, 9 Jan 2019 13:40:01 +1100
-Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
- to container
-
-There are quite a few circumstances where /proc/self/exe pointing to a
-pretty important container binary is a _bad_ thing, so to avoid this we
-have to make a copy (preferably doing self-clean-up and not being
-writeable).
-
-We require memfd_create(2) -- though there is an O_TMPFILE fallback --
-but we can always extend this to use a scratch MNT_DETACH overlayfs or
-tmpfs. The main downside to this approach is no page-cache sharing for
-the runc binary (which overlayfs would give us) but this is far less
-complicated.
-
-This is only done during nsenter so that it happens transparently to the
-Go code, and any libcontainer users benefit from it. This also makes
-ExtraFiles and --preserve-fds handling trivial (because we don't need to
-worry about it).
-
-Fixes: CVE-2019-5736
-Co-developed-by: Christian Brauner
-Signed-off-by: Aleksa Sarai
----
- libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++
- libcontainer/nsenter/nsexec.c | 11 ++
- 2 files changed, 279 insertions(+)
- create mode 100644 libcontainer/nsenter/cloned_binary.c
-
-diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
-new file mode 100644
-index 000000000000..c8a42c23f73f
---- /dev/null
-+++ b/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,268 @@
-+/*
-+ * Copyright (C) 2019 Aleksa Sarai
-+ * Copyright (C) 2019 SUSE LLC
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#define _GNU_SOURCE
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+/* Use our own wrapper for memfd_create. */
-+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-+# define SYS_memfd_create __NR_memfd_create
-+#endif
-+#ifdef SYS_memfd_create
-+# define HAVE_MEMFD_CREATE
-+/* memfd_create(2) flags -- copied from . */
-+# ifndef MFD_CLOEXEC
-+# define MFD_CLOEXEC 0x0001U
-+# define MFD_ALLOW_SEALING 0x0002U
-+# endif
-+int memfd_create(const char *name, unsigned int flags)
-+{
-+ return syscall(SYS_memfd_create, name, flags);
-+}
-+#endif
-+
-+/* This comes directly from . */
-+#ifndef F_LINUX_SPECIFIC_BASE
-+# define F_LINUX_SPECIFIC_BASE 1024
-+#endif
-+#ifndef F_ADD_SEALS
-+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-+#endif
-+#ifndef F_SEAL_SEAL
-+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
-+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
-+# define F_SEAL_GROW 0x0004 /* prevent file from growing */
-+# define F_SEAL_WRITE 0x0008 /* prevent writes */
-+#endif
-+
-+#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
-+#ifdef HAVE_MEMFD_CREATE
-+# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+# define RUNC_MEMFD_SEALS \
-+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-+#endif
-+
-+static void *must_realloc(void *ptr, size_t size)
-+{
-+ void *old = ptr;
-+ do {
-+ ptr = realloc(old, size);
-+ } while(!ptr);
-+ return ptr;
-+}
-+
-+/*
-+ * Verify whether we are currently in a self-cloned program (namely, is
-+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
-+ * for shmem files), and we want to be sure it's actually sealed.
-+ */
-+static int is_self_cloned(void)
-+{
-+ int fd, ret, is_cloned = 0;
-+
-+ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
-+ if (fd < 0)
-+ return -ENOTRECOVERABLE;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+ ret = fcntl(fd, F_GET_SEALS);
-+ is_cloned = (ret == RUNC_MEMFD_SEALS);
-+#else
-+ struct stat statbuf = {0};
-+ ret = fstat(fd, &statbuf);
-+ if (ret >= 0)
-+ is_cloned = (statbuf.st_nlink == 0);
-+#endif
-+ close(fd);
-+ return is_cloned;
-+}
-+
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
-+static char *read_file(char *path, size_t *length)
-+{
-+ int fd;
-+ char buf[4096], *copy = NULL;
-+
-+ if (!length)
-+ return NULL;
-+
-+ fd = open(path, O_RDONLY | O_CLOEXEC);
-+ if (fd < 0)
-+ return NULL;
-+
-+ *length = 0;
-+ for (;;) {
-+ int n;
-+
-+ n = read(fd, buf, sizeof(buf));
-+ if (n < 0)
-+ goto error;
-+ if (!n)
-+ break;
-+
-+ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
-+ memcpy(copy + *length, buf, n);
-+ *length += n;
-+ }
-+ close(fd);
-+ return copy;
-+
-+error:
-+ close(fd);
-+ free(copy);
-+ return NULL;
-+}
-+
-+/*
-+ * A poor-man's version of "xargs -0". Basically parses a given block of
-+ * NUL-delimited data, within the given length and adds a pointer to each entry
-+ * to the array of pointers.
-+ */
-+static int parse_xargs(char *data, int data_length, char ***output)
-+{
-+ int num = 0;
-+ char *cur = data;
-+
-+ if (!data || *output != NULL)
-+ return -1;
-+
-+ while (cur < data + data_length) {
-+ num++;
-+ *output = must_realloc(*output, (num + 1) * sizeof(**output));
-+ (*output)[num - 1] = cur;
-+ cur += strlen(cur) + 1;
-+ }
-+ (*output)[num] = NULL;
-+ return num;
-+}
-+
-+/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
-+ * This is necessary because we are running in a context where we don't have a
-+ * main() that we can just get the arguments from.
-+ */
-+static int fetchve(char ***argv, char ***envp)
-+{
-+ char *cmdline = NULL, *environ = NULL;
-+ size_t cmdline_size, environ_size;
-+
-+ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
-+ if (!cmdline)
-+ goto error;
-+ environ = read_file("/proc/self/environ", &environ_size);
-+ if (!environ)
-+ goto error;
-+
-+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
-+ goto error;
-+ if (parse_xargs(environ, environ_size, envp) <= 0)
-+ goto error;
-+
-+ return 0;
-+
-+error:
-+ free(environ);
-+ free(cmdline);
-+ return -EINVAL;
-+}
-+
-+static int clone_binary(void)
-+{
-+ int binfd, memfd;
-+ ssize_t sent = 0;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+ memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+#else
-+ memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
-+#endif
-+ if (memfd < 0)
-+ return -ENOTRECOVERABLE;
-+
-+ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
-+ if (binfd < 0)
-+ goto error;
-+
-+ sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
-+ close(binfd);
-+ if (sent < 0)
-+ goto error;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+ int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
-+ if (err < 0)
-+ goto error;
-+#else
-+ /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
-+ int newfd;
-+ char *fdpath = NULL;
-+
-+ if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
-+ goto error;
-+ newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
-+ free(fdpath);
-+ if (newfd < 0)
-+ goto error;
-+
-+ close(memfd);
-+ memfd = newfd;
-+#endif
-+ return memfd;
-+
-+error:
-+ close(memfd);
-+ return -EIO;
-+}
-+
-+int ensure_cloned_binary(void)
-+{
-+ int execfd;
-+ char **argv = NULL, **envp = NULL;
-+
-+ /* Check that we're not self-cloned, and if we are then bail. */
-+ int cloned = is_self_cloned();
-+ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
-+ return cloned;
-+
-+ if (fetchve(&argv, &envp) < 0)
-+ return -EINVAL;
-+
-+ execfd = clone_binary();
-+ if (execfd < 0)
-+ return -EIO;
-+
-+ fexecve(execfd, argv, envp);
-+ return -ENOEXEC;
-+}
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 28269dfc027f..7750af35ea92 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
- free(namespaces);
- }
-
-+/* Defined in cloned_binary.c. */
-+extern int ensure_cloned_binary(void);
-+
- void nsexec(void)
- {
- int pipenum;
-@@ -549,6 +552,14 @@ void nsexec(void)
- if (pipenum == -1)
- return;
-
-+ /*
-+ * We need to re-exec if we are not in a cloned binary. This is necessary
-+ * to ensure that containers won't be able to access the host binary
-+ * through /proc/self/exe. See CVE-2019-5736.
-+ */
-+ if (ensure_cloned_binary() < 0)
-+ bail("could not ensure we are a cloned binary");
-+
- /* Parse all of the netlink configuration. */
- nl_parse(pipenum, &config);
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch
deleted file mode 100644
index c284e9972d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001
-From: Euan Kemp
-Date: Fri, 22 Sep 2017 02:31:17 -0700
-Subject: [PATCH] libcontainer: default mount propagation correctly
-
-The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605)
-attempts to default the rootfs mount to `rslave`. However, since the spec
-conversion has already defaulted it to `rprivate`, that code doesn't
-actually ever do anything.
-
-This changes the spec conversion code to accept "" and treat it as 0.
-
-Implicitly, this makes rootfs propagation default to `rslave`, which is
-a part of fixing the moby bug https://github.com/moby/moby/issues/34672
-
-Alternate implementatoins include changing this defaulting to be
-`rslave` and removing the defaulting code in prepareRoot, or skipping
-the mapping entirely for "", but I think this change is the cleanest of
-those options.
-
-Signed-off-by: Euan Kemp
----
- libcontainer/specconv/spec_linux.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
-index 1575ae03..8a2947f6 100644
---- a/libcontainer/specconv/spec_linux.go
-+++ b/libcontainer/specconv/spec_linux.go
-@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{
- "slave": syscall.MS_SLAVE,
- "rshared": syscall.MS_SHARED | syscall.MS_REC,
- "shared": syscall.MS_SHARED,
-- "": syscall.MS_PRIVATE | syscall.MS_REC,
-+ "": 0,
- }
-
- var allowedDevices = []*configs.Device{
---
-2.13.5
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml
deleted file mode 100644
index 9fe8126b58..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
- runc is a CLI tool for spawning and running containers according
- to the OCF (Open Container Format) specification.
-
-
- mrueg@gentoo.org
- Manuel RĂ¼ger
-
-
-
- docker/runc
-
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild
deleted file mode 100644
index 319370f2c7..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild
+++ /dev/null
@@ -1,64 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-GITHUB_URI="github.com/opencontainers/runc"
-COREOS_GO_PACKAGE="${GITHUB_URI}"
-COREOS_GO_VERSION="go1.19"
-# the commit of runc that docker uses.
-# see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4
-COMMIT_ID="f1136b082cc1c2840cdb3e0debf45e7ef832c918"
-
-inherit eutils flag-o-matic coreos-go vcs-snapshot
-
-SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
-KEYWORDS="amd64 arm64"
-
-DESCRIPTION="runc container cli tools (docker fork)"
-HOMEPAGE="http://runc.io"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-IUSE="ambient apparmor hardened +seccomp selinux"
-
-RDEPEND="
- apparmor? ( sys-libs/libapparmor )
- seccomp? ( sys-libs/libseccomp )
-"
-
-S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}
-
-RESTRICT="test"
-
-src_unpack() {
- mkdir -p "${S}"
- tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}"
-}
-
-PATCHES=(
- "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
-)
-
-src_compile() {
- # Taken from app-containers/docker-1.7.0-r1
- export CGO_CFLAGS="-I${SYSROOT}/usr/include"
- export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
- -L${SYSROOT}/usr/$(get_libdir)"
-
- # build up optional flags
- local options=(
- $(usex ambient 'ambient' '')
- $(usex apparmor 'apparmor' '')
- $(usex seccomp 'seccomp' '')
- $(usex selinux 'selinux' '')
- )
-
- GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \
- VERSION=1.1.9+dev.docker-20.10 \
- COMMIT="${COMMIT_ID}"
-}
-
-src_install() {
- dobin runc
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r12.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r13.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r12.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1-r13.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index d736953495..308ff191e5 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -31,6 +31,7 @@ RDEPEND="
)
app-containers/containerd
app-containers/docker
+ app-containers/docker-cli
app-emulation/amazon-ssm-agent
app-emulation/wa-linux-agent
coreos-base/coreos
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd-1.0.0.service b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/containerd.service
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd-1.0.0.service
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/containerd.service
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service
new file mode 120000
index 0000000000..9125c4ffa4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service
@@ -0,0 +1 @@
+../containerd.service
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config-cgroupfs.toml b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config-cgroupfs.toml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config-cgroupfs.toml
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config-cgroupfs.toml
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config.toml b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config.toml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config.toml
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config.toml
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/dockerd b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/flatcar/dockerd
old mode 100644
new mode 100755
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/dockerd
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/flatcar/dockerd
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/50-docker.network b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/50-docker.network
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/50-docker.network
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/50-docker.network
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/90-docker-veth.network b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/90-docker-veth.network
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/90-docker-veth.network
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/90-docker-veth.network
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.service
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.service
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.service
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.socket b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.socket
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.socket
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.socket
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 1b49142ee6..6f15ef413a 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -127,3 +127,6 @@ DONT_MOUNT_BOOT=1
# inside the scripts repository that poke binary packages assume that
# bzip2 is used, not zstd. Eventually we will want to move to zstd.
BINPKG_COMPRESS=bzip2
+
+# Enable cgo by default. Required for the docker device-mapper driver to compile.
+CGO_ENABLED=1
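Review bot: `CGO_ENABLED=1` is set profile-wide here, so it changes how every Go package built under this profile links, while the comment above it justifies the setting only for docker's device-mapper driver. If the global default is intended, the comment should say so, e.g. `# Enable cgo profile-wide: docker's device-mapper driver needs it, and every other Go package in the profile inherits this setting.`; if it is meant for docker alone, scoping it to that package's build would keep the change's reach limited. The rest of make.defaults is outside the hunk, so I cannot tell whether any package already overrides this.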
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 368f634630..2b1f0b7adf 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -4,6 +4,15 @@
#
# Keywords for all packages used by Flatcar.
+# Gentoo upstream package stabilisation
+# (the following packages are "unstable" upstream; we're stabilising these)
+
+=app-containers/containerd-1.7.7 ~amd64 ~arm64 # NOTE this doesn't even exist upstream; Gentoo is on 1.7.6.
+=app-containers/cri-tools-1.27.0 ~amd64 ~arm64
+=app-containers/docker-24.0.6 ~amd64 ~arm64
+=app-containers/docker-cli-24.0.6 ~amd64 ~arm64
+=app-containers/runc-1.1.9 ~amd64 ~arm64
+
# Seems to be the only available ebuild in portage-stable right now.
=app-crypt/adcli-0.9.2 ~amd64 ~arm64
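Review bot: The `=app-containers/runc-1.1.9 ~amd64 ~arm64` line moves runc to the portage-stable ebuild, and the one patch the deleted overlay ebuild actually applied (its PATCHES array listed only 0001-Delay-unshare-of-clone-newipc-for-selinux.patch, which defers the IPC namespace unshare so mqueue gets the container SELinux label) is not re-applied anywhere in this diff; if that behaviour is still wanted it needs to be carried into the new ebuild, otherwise a one-line comment here recording that it was dropped on purpose would save the next reader the archaeology. The other deleted runc patch files (the CVE-2019-5736 cloned-binary patch and the mount-propagation patch) do not appear in that PATCHES array, so their removal looks like dead-file cleanup rather than a behaviour change, though I am inferring that from the deleted ebuild alone. Separately, the `=app-containers/containerd-1.7.7` entry sits under the "Gentoo upstream package stabilisation" heading while its own trailing comment says the version does not exist upstream; either move it out of that group or reword the comment so the heading and the entry agree.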
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 75a0218508..a2e84ccbec 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -148,3 +148,8 @@ net-analyzer/tcpdump -ssl -smi -samba
# selinux: to find files with a particular SElinux label
sys-apps/findutils selinux
+
+# Flatcar defaults formerly defined in coreos-overlay ebuilds
+app-containers/containerd btrfs device-mapper
+app-containers/docker btrfs device-mapper overlay seccomp
+app-containers/docker-cli hardened
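Review bot: The block titled "Flatcar defaults formerly defined in coreos-overlay ebuilds" adds USE defaults for containerd, docker and docker-cli but none for runc, even though the deleted overlay runc ebuild declared `IUSE="ambient apparmor hardened +seccomp selinux"` and therefore built with seccomp on by default. Whether the portage-stable runc-1.1.9 ebuild enables seccomp on its own is not visible in this diff, so the seccomp filtering layer runc applies to containers now depends on that ebuild's defaults; if keeping it on is the intent, add an explicit `app-containers/runc seccomp` line here so the profile states it. The remaining flags from the old IUSE (ambient, apparmor, hardened, selinux) had no `+` prefix, so omitting them is consistent with the previous defaults.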
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest
new file mode 100644
index 0000000000..a67abf87f2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest
@@ -0,0 +1,2 @@
+DIST cri-tools-1.25.0.tar.gz 7905707 BLAKE2B 79595f31fc22aff608406bad4319a60dddcabda5f4dab8706305f11500b3db43f1d7021a340a096227d4580212953f32a95b05bbf81c1236f8fa8cf635017abb SHA512 dc04359320d59d6b3789e4e81fb613f3795b7e82dbad681393eaeff2c876e5b0393dd9384d7857d24ada5de34d03e151f7cf121367cc20e71d0b78607372b3a1
+DIST cri-tools-1.27.0.tar.gz 8465050 BLAKE2B d6c0429271ebc4085e75b54d7f3b9f75ab796e63bc9ae7562105296b13bbad8b512293a7d25abf1ab946f4bf54e672016fdb72696c12c730d21ac74724da465c SHA512 b94122e6401eb0c33b9c3d112274b7ab20cbbad05e76a54933e79d2e42ded2d684771cb9ed703a6c1afa381844142b6f1b4dc77d17e915f9a42c236fd8426b9b
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild
new file mode 100644
index 0000000000..67c3e8b388
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild
@@ -0,0 +1,34 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit bash-completion-r1 go-module
+
+DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
+HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
+SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm64"
+
+DEPEND="dev-lang/go"
+
+RESTRICT+=" test"
+
+src_compile() {
+ emake VERSION="${PV}"
+ ./build/bin/crictl completion bash > "crictl.bash" || die
+ ./build/bin/crictl completion zsh > "crictl.zsh" || die
+}
+
+src_install() {
+ dobin ./build/bin/crictl
+
+ newbashcomp crictl.bash crictl
+ insinto /usr/share/zsh/site-functions
+ newins crictl.zsh _crictl
+
+ dodoc -r docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild
new file mode 100644
index 0000000000..ae910c91f7
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild
@@ -0,0 +1,33 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 go-module
+
+DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
+HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
+SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm64"
+RESTRICT="test"
+
+DOCS=( docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md )
+
+src_compile() {
+ emake VERSION="${PV}"
+ find build/ -name crictl -exec cp {} build/bin/ \; || die
+ ./build/bin/crictl completion bash > "crictl.bash" || die
+ ./build/bin/crictl completion zsh > "crictl.zsh" || die
+}
+
+src_install() {
+ einstalldocs
+
+ dobin ./build/bin/crictl
+ newbashcomp crictl.bash crictl
+ insinto /usr/share/zsh/site-functions
+ newins crictl.zsh _crictl
+}
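Review bot: The `|| die` on the `find build/ -name crictl -exec cp {} build/bin/ \;` line in src_compile only fires when find itself fails; with the `\;` form a non-zero exit from cp is not reflected in find's exit status, so a failed copy is silently ignored and only surfaces indirectly when the following `./build/bin/crictl completion` call dies. Using the `+` form, `find build/ -name crictl -exec cp -t build/bin/ {} + || die`, makes find return non-zero when cp does. If build/bin/crictl can already exist before this step, the copy onto itself would then fail loudly, so confirm the layout emake produces before switching.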
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/metadata.xml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-containers/cri-tools/metadata.xml
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
new file mode 100644
index 0000000000..1dac761372
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
@@ -0,0 +1,4 @@
+DIST docker-cli-24.0.5-man.tar.xz 82496 BLAKE2B f3295b684dbf8d251ba13a19b9bad9b828fce7d2f76b6643b1cf579cd297b770e8f7304bd3fce823badfbe97e9b760a108b819ca3c760a55e352cf3c5235d815 SHA512 683b0f131902e0a57512207daa49534d73aac6db99dc8621ac6b48eeef26b873e2ba03fe4afe6f1e84c5922e4c60bf0e80e24cc95cdbf2a4953d1c11b80d56ad
+DIST docker-cli-24.0.5.tar.gz 6243993 BLAKE2B a7ce84ecf329bc74e48f3a6e1b12a9e310a8f27ac68918ffeb40ab9c4eab8b79e753265b48220fcd3ab40b4136de5ebd44607831f642664eaf732111bd8f41b1 SHA512 765c67634d91d248b156d3e407398b98b7a0a89507bbac0310d4a68b95aa1a05e3af43c8b90bc10166748749d8cc36670619fc9efca110beefbdcd4385dc96be
+DIST docker-cli-24.0.6-man.tar.xz 82600 BLAKE2B 9e39bf200d252a0d91b0b6f17680a4c1b34e55cc9f357a59f124138cef39c5ff10fb104c51efe3010bca9a4f72447764ced1c02e3bb3924051fa6f1f01a8f6fa SHA512 5e972647961899e438b765f53afff570b9f0c1742c7c72a3a424887719c3a6afbd467d15884d44ac64b752c984261967f304afa5c168466fe6f611967d18a578
+DIST docker-cli-24.0.6.tar.gz 6244014 BLAKE2B c5f2082e44a568d3f6ee2ff5df9e9b727808f0b70d7d0c6c18b9769c1c4d0f49d371cbd08c95e748d441dc0ef011b66446527b0eeb33368ee59b85496185ba12 SHA512 55c56ae08eb314cce5f4c93544c6748586eadb3abe502d39d4d297e14d274af37346b38695a20a91dcfe51d3d35a77ddd7aa69d170b525e5e6ba345161869cd8
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild
similarity index 55%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild
index e5181c72ea..4e1f622ad7 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild
@@ -1,35 +1,36 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
-GIT_COMMIT=e78084afe5
+GIT_COMMIT=ced0996600
EGO_PN="github.com/docker/cli"
-
-COREOS_GO_PACKAGE="${EGO_PN}"
-COREOS_GO_VERSION="go1.19"
-
-inherit bash-completion-r1 golang-vcs-snapshot coreos-go-depend
+MY_PV=${PV/_/-}
+inherit bash-completion-r1 golang-vcs-snapshot
DESCRIPTION="the command line binary for docker"
HOMEPAGE="https://www.docker.com/"
-MY_PV=${PV/_/-}
SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
LICENSE="Apache-2.0"
SLOT="0"
-KEYWORDS="amd64 arm64"
-IUSE="hardened"
+KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
+IUSE="hardened selinux"
-RDEPEND="!=dev-lang/go-1.16.6"
-RESTRICT="installsources strip"
+RESTRICT="installsources strip test"
S="${WORKDIR}/${P}/src/${EGO_PN}"
-# Flatcar: fix invalid headers issue when building with Go 1.19.11+.
-PATCHES=(
- "${FILESDIR}/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch"
-)
+src_unpack() {
+ golang-vcs-snapshot_src_unpack
+ set -- ${A}
+ unpack ${2}
+}
src_prepare() {
default
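Review bot: The new src_unpack selects the man-page tarball by position, `set -- ${A}` followed by `unpack ${2}`, so it silently depends on the man archive being listed second in SRC_URI and on ${A} word-splitting cleanly; reordering SRC_URI would unpack the wrong file without any error. Naming the archive directly, `unpack "${P}-man.tar.xz"`, removes that coupling. The same construct appears in docker-cli-24.0.6.ebuild added later in this commit. The hunk's src_prepare body continues outside it.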
@@ -37,16 +38,12 @@ src_prepare() {
}
src_compile() {
- # Flatcar: override go version
- go_export
-
export DISABLE_WARN_OUTSIDE_CONTAINER=1
export GOPATH="${WORKDIR}/${P}"
# setup CFLAGS and LDFLAGS for separate build target
# see https://github.com/tianon/docker-overlay/pull/10
- # FLatcar: inject our own CFLAGS/LDFLAGS for torcx
- export CGO_CFLAGS="${CGO_CFLAGS} -I${SYSROOT}/usr/include"
- export CGO_LDFLAGS="${CGO_LDFLAGS} -L${SYSROOT}/usr/$(get_libdir)"
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
emake \
LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
VERSION="${PV}" \
@@ -56,6 +53,7 @@ src_compile() {
src_install() {
dobin build/docker
+ doman "${WORKDIR}"/man/man?/*
dobashcomp contrib/completion/bash/*
bashcomp_alias docker dockerd
insinto /usr/share/fish/vendor_completions.d/
@@ -63,3 +61,10 @@ src_install() {
insinto /usr/share/zsh/site-functions
doins contrib/completion/zsh/_*
}
+
+pkg_postinst() {
+ has_version "app-containers/docker-buildx" && return
+ ewarn "the 'docker build' command is deprecated and will be removed in a"
+ ewarn "future release. If you need this functionality, install"
+ ewarn "app-containers/docker-buildx."
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.6.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.6.ebuild
new file mode 100644
index 0000000000..bb48e683d9
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.6.ebuild
@@ -0,0 +1,70 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+GIT_COMMIT=ed223bc820
+EGO_PN="github.com/docker/cli"
+MY_PV=${PV/_/-}
+inherit bash-completion-r1 golang-vcs-snapshot
+
+DESCRIPTION="the command line binary for docker"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
+IUSE="hardened selinux"
+
+RDEPEND="!=dev-lang/go-1.16.6"
+
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+src_unpack() {
+ golang-vcs-snapshot_src_unpack
+ set -- ${A}
+ unpack ${2}
+}
+
+src_prepare() {
+ default
+ sed -i 's@dockerd\?\.exe@@g' contrib/completion/bash/docker || die
+}
+
+src_compile() {
+ export DISABLE_WARN_OUTSIDE_CONTAINER=1
+ export GOPATH="${WORKDIR}/${P}"
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+ emake \
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')" \
+ VERSION="${PV}" \
+ GITCOMMIT="${GIT_COMMIT}" \
+ dynbinary
+}
+
+src_install() {
+ dobin build/docker
+ doman "${WORKDIR}"/man/man?/*
+ dobashcomp contrib/completion/bash/*
+ bashcomp_alias docker dockerd
+ insinto /usr/share/fish/vendor_completions.d/
+ doins contrib/completion/fish/docker.fish
+ insinto /usr/share/zsh/site-functions
+ doins contrib/completion/zsh/_*
+}
+
+pkg_postinst() {
+ has_version "app-containers/docker-buildx" && return
+ ewarn "the 'docker build' command is deprecated and will be removed in a"
+ ewarn "future release. If you need this functionality, install"
+ ewarn "app-containers/docker-buildx."
+}
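Review bot: `RDEPEND="!=dev-lang/go-1.16.6"` is kept in this new 24.0.6 ebuild while the 24.0.5 ebuild in the same commit deletes that line and does not re-add it, so the two versions now disagree on a blocker for a package that is only used at build time. If the divergence is intentional a one-line comment above the RDEPEND line would make that clear; otherwise drop it here or express it in BDEPEND in both ebuilds.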
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/metadata.xml
new file mode 100644
index 0000000000..46eed1b411
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/metadata.xml
@@ -0,0 +1,15 @@
+
+
+
+
+ williamh@gentoo.org
+ William Hubbs
+
+
+ gyakovlev@gentoo.org
+ Georgy Yakovlev
+
+
+ docker/cli
+
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/Manifest
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/Manifest
rename to sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/Manifest
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild
similarity index 69%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild
rename to sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild
index bb3ea78ae7..a39b18d1ae 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild
@@ -6,13 +6,6 @@ EGO_PN=github.com/moby/libnetwork
GIT_COMMIT=05b93e0d3a95952f70c113b0bc5bdb538d7afdd7
inherit golang-vcs-snapshot
-# Flatcar: Add coreos go goo.
-COREOS_GO_PACKAGE="${EGO_PN}"
-COREOS_GO_VERSION="go1.19"
-COREOS_GO_GO111MODULE="off"
-
-inherit coreos-go
-
DESCRIPTION="Docker container networking"
HOMEPAGE="https://github.com/docker/libnetwork"
SRC_URI="https://github.com/moby/libnetwork/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz"
@@ -26,13 +19,12 @@ S=${WORKDIR}/${P}/src/${EGO_PN}
# needs dockerd
RESTRICT="strip test"
-# Flatcar: Rewrite src_compile
src_compile() {
- go_build "${COREOS_GO_PACKAGE}/cmd/proxy"
+ GO111MODULE=auto GOPATH="${WORKDIR}/${P}" \
+ go build -o "bin/docker-proxy" ./cmd/proxy || die
}
-# Flatcar: Rewrite src_install
src_install() {
+ dobin bin/docker-proxy
dodoc README.md CHANGELOG.md
- newbin "${GOBIN}"/proxy docker-proxy
}
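Review bot: `GO111MODULE=auto` on the new go build line makes the build mode depend on whether the checkout at GIT_COMMIT carries a go.mod; the removed Flatcar block pinned GO111MODULE to off and the new line still sets GOPATH explicitly, so GOPATH mode appears to be the intent. Writing `GO111MODULE=off GOPATH="${WORKDIR}/${P}" \` keeps that explicit and rules out a module-resolution attempt under the build sandbox. Also worth noting that the docker-24.0.x ebuilds added in this commit install their own docker-proxy binary and block app-containers/docker-proxy, so this package cannot be co-installed with them.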
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/metadata.xml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/metadata.xml
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest
new file mode 100644
index 0000000000..674239bbd1
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest
@@ -0,0 +1,2 @@
+DIST docker-24.0.5.tar.gz 14456089 BLAKE2B be13a4256787152cb35ddb96d80e97a5e5b587094f1c61d18158737a037c4e81b88c186098ba7416eb7778022ece07bc31ee55af13d3e3da8e0bbd5452ad027f SHA512 cde2e47e7658b153399ee29154ec21eebf54b292185e07d43b968895dcfdfead95e4507fefb713859a4540f21d8007116d3ebeaa1fb7ba305fb2a0449ba1bee6
+DIST docker-24.0.6.tar.gz 14462378 BLAKE2B bced8e687abac59254a9969df46f323a835627a724889e5966bea08df8766b4291914442001d1b573280c45ac4d357a673e98e8fba2b8d116a1dbd65424ccf78 SHA512 d9bf0ba756b1ebe69a44819d7c6aa5d66dad8db5bcc41233e2bfce8131334a2fe1af3972de7f602b7911231288d29aaea797b7a05b335c2d7214a613b27c4b63
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild
new file mode 100644
index 0000000000..ac578996d4
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ dev-libs/libltdl
+ >=app-containers/containerd-1.7.1[apparmor?,btrfs?,device-mapper?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ if use device-mapper; then
+ CONFIG_CHECK+="
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs device-mapper overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker '
+ elog
+
+ if use device-mapper; then
+ elog " Devicemapper storage driver has been deprecated"
+ elog " It will be removed in a future release"
+ elog
+ fi
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
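Review bot: `cp -R contrib/* "${ED}/usr/share/${PN}/contrib"` at the end of src_install has no `|| die`; unlike the do* helpers a plain cp failure is not fatal in an ebuild, so a partial or missing contrib tree would go unnoticed. Append `|| die` to that line. The same line appears in docker-24.0.6.ebuild later in this commit. In pkg_postinst the docker-group instructions could also carry a short caveat that membership in the docker group grants control over a daemon running as root and is therefore root-equivalent, e.g. `elog "Note: members of the docker group can gain root privileges on the host."`; the `usermod -aG docker` example also appears to have lost its user placeholder in this rendering.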
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild
new file mode 100644
index 0000000000..6a8cc58fd1
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild
@@ -0,0 +1,331 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=1a7969545d73537545645f5cd2c79b7a77e7d39f
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ dev-libs/libltdl
+ >=app-containers/containerd-1.7.3[apparmor?,btrfs?,device-mapper?,seccomp?]
+ >=app-containers/runc-1.1.9[apparmor?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ if use device-mapper; then
+ CONFIG_CHECK+="
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs device-mapper overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker '
+ elog
+
+ if use device-mapper; then
+ elog " Devicemapper storage driver has been deprecated"
+ elog " It will be removed in a future release"
+ elog
+ fi
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch b/sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
new file mode 100644
index 0000000000..22aa145f33
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
@@ -0,0 +1,28 @@
+From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
+From: Jan Breig
+Date: Mon, 16 May 2022 14:58:36 +0200
+Subject: [PATCH] Openrc: Depend on containerd init script
+
+Signed-off-by: Jan Breig
+---
+ contrib/init/openrc/docker.initd | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
+index 3229223bad..57defb8f57 100644
+--- a/contrib/init/openrc/docker.initd
++++ b/contrib/init/openrc/docker.initd
+@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
+
+ retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+
++depend() {
++ need containerd
++}
++
+ start_pre() {
+ checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+ }
+--
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/docker/metadata.xml
similarity index 76%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-containers/docker/metadata.xml
index 5f16394188..d58b9b295f 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/metadata.xml
@@ -17,19 +17,9 @@
Georgy Yakovlev