app-containers: use upstream docker, containerd, runc

This change removes Flatcar specific builds of docker[-cli], containerd,
runc, and cri-tools and instead switches to upstream Gentoo ebuilds
added to portage-stable.

The change updates docker to 24.0.6.

NOTE that there currently is no upstream ebuild for containerd-1.7.7, so
this change adds that ebuild based on the upstream containerd-1.7.6
ebuild.

Flatcar customisations like systemd units etc. are now applied in the
manglefs script of the respective sysexts, based on file system trees in
coreos-overlay/coreos/sysext/(containerd|docker).

The build_sysext script has been extended by an option to strip all
binaries in a sysext; the option is active by default. This takes care
of removing debug symbols from docker and containerd - which are not
removed by the default Gentoo build. The overall size of both containerd
and docker sysext is reduced by ~50%.

Lastly, the sysext command line syntax of build_image has been extended
to allow specifying multiple packages for a sysext. This was necessary
because docker-cli and docker do not have any runtime relationships and
therefore must both be specified for installation to correctly mirror
Flatcar's own docker packaging.

Signed-off-by: Thilo Fromm <[email protected]>

build_image

@@ -33,8 +33,8 @@ DEFINE_string base_pkg "coreos-base/coreos" \
   "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
   "The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker" \
-  "Comma-separated list of name:package - build 'package' into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
+DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli" \
+  "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
 DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
   "Directory in which to place image result directories (named by version)"
 DEFINE_string disk_layout "" \

build_library/sysext_mangle_containerd-flatcar

@@ -3,5 +3,16 @@
 set -euo pipefail
 rootfs="${1}"
 
+
+# No manpages on Flatcar, no need to ship "stress" tool
+echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
+rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"
+
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
+
+echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
+cp -va "${files_dir}/"* "${rootfs}"
+
 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"

build_library/sysext_mangle_docker-flatcar

@@ -3,5 +3,15 @@
 set -euo pipefail
 rootfs="${1}"
 
+# Remove debug and contrib
+echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
+rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
+
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
+
+echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
+cp -va "${files_dir}/"* "${rootfs}"
+
 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"

build_library/sysext_prod_builder

@@ -30,12 +30,14 @@ create_prod_sysext() {
   local base_sysext="$4"
   local install_root="$5"
   local name="$6"
-  local grp_pkg="$7"
+  local grp_pkgs="$7"
   local pkginfo="${8:-}"
 
   local -a build_sysext_opts=()
 
-  local msg="Installing ${grp_pkg}' in sysext ${name}.raw"
+  local grp_pkg="${grp_pkgs//&/ }"
+
+  local msg="Installing ${grp_pkg} in sysext ${name}.raw"
 
   # Include previous sysexts' pkginfo if supplied
   if [[ -n "${pkginfo}" ]] ; then
@@ -60,7 +62,7 @@ create_prod_sysext() {
             --squashfs_base="${base_sysext}" \
             --generate_pkginfo \
             "${build_sysext_opts[@]}" \
-            "${name}" "${grp_pkg}"
+            "${name}" ${grp_pkg}
 
   sudo mv "${workdir}/sysext-build/${name}.raw" "${workdir}/sysext-build/${name}_pkginfo.raw" \
                               "${workdir}/sysext-build/${name}"_*.txt "${output_dir}"

build_sysext

@@ -25,6 +25,8 @@ DEFINE_string squashfs_base '' \
   "The path to the squashfs base image. Defaults to the most current image built in '${default_imagedir}/${FLATCAR_PRODUCTION_IMAGE_SYSEXT_BASE}'."
 DEFINE_string image_builddir '' \
   "Custom directory to build the sysext in. Defaults to a 'sysext' sub-directory of the directory the squashfs base image resides in; '${default_imagedir}/sysext' by default."
+DEFINE_boolean strip_binaries "${FLAGS_TRUE}" \
+  "After installation, scan sysext root for unstripped binaries and strip these."
 DEFINE_string manglefs_script '' \
   "A path to executable that will customize the rootfs of the sysext image."
 DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
@@ -231,6 +233,22 @@ info "Writing ${SYSEXTNAME}_packages.txt"
 ROOT="${BUILD_DIR}/install-root" PORTAGE_CONFIGROOT="${BUILD_DIR}/install-root" \
       equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
 
+
+if [[ "${FLAGS_strip_binaries}" = "${FLAGS_TRUE}" ]]; then
+    chost="$("portageq-${BOARD}" envvar CHOST)"
+    strip="${chost}-strip"
+
+    info "Stripping all non-stripped binaries in sysext using '${strip}'"
+
+    # Find all non-stripped binaries, remove ':' from filepath, and strip 'em
+    find "${BUILD_DIR}/install-root" -exec file \{\} \; \
+         | awk '/not stripped/ {print substr($1, 1, length($1)-1)}' \
+         | while read bin; do
+                info "     ${strip} ${bin}"
+                "${strip}" "${bin}"
+           done
+fi
+
 if [[ -n "${FLAGS_manglefs_script}" ]]; then
   if [[ ! -x "${FLAGS_manglefs_script}" ]]; then
     die "${FLAGS_manglefs_script} is not executable"