From 1b698eb82a99474c56c7d6060ce6236e58085e1f Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Tue, 24 Oct 2023 18:57:10 +0200 Subject: [PATCH] app-containers: use upstream docker, containerd, runc This change removes Flatcar specific builds of docker[-cli], containerd, runc, and cri-tools and instead switches to upstream Gentoo ebuilds added to portage-stable. The change updates docker to 24.0.6. NOTE that there currently is no upstream ebuild for containerd-1.7.7, so this change adds that ebuild based on the upstream containerd-1.7.6 ebuild. Flatcar customisations like systemd units etc. are now applied in the manglefs script of the respective sysexts, based on file system trees in coreos-overlay/coreos/sysext/(containerd|docker). The build_sysext script has been extended by an option to strip all binaries in a sysext; the option is active by default. This takes care of removing debug symbols from docker and containerd - which are not removed by the default Gentoo build. The overall size of both containerd and docker sysext is reduced by ~50%. Lastly, the sysext command line syntax of build_image has been extended to allow specifying multiple packages for a sysext. This was necessary because docker-cli and docker do not have any runtime relationships and therefore must both be specified for installation to correctly mirror Flatcar's own docker packaging. 
Signed-off-by: Thilo Fromm --- build_image | 4 +- .../sysext_mangle_containerd-flatcar | 11 + build_library/sysext_mangle_docker-flatcar | 10 + build_library/sysext_prod_builder | 8 +- build_sysext | 18 + .../app-containers/containerd/Manifest | 1 - .../containerd/containerd-1.7.7.ebuild | 1 - .../containerd/containerd-9999.ebuild | 69 ---- .../containerd/files/containerd.service | 24 -- .../app-containers/cri-tools/Manifest | 1 - .../cri-tools/cri-tools-1.24.2.ebuild | 46 --- .../app-containers/docker-cli/Manifest | 1 - ...ker-v20.10.25-45-g0d4b9ed98b-v20.10..patch | 104 ------ .../app-containers/docker/Manifest | 1 - .../docker/docker-20.10.24-r3.ebuild | 332 ----------------- ...dummy-hostname-to-use-for-local-conn.patch | 161 --------- ...a-dummy-hostname-for-local-connectio.patch | 72 ---- .../docker/files/ppc64-buildmode.patch | 30 -- .../app-containers/runc/Manifest | 1 - ...-unshare-of-clone-newipc-for-selinux.patch | 46 --- ...oc-self-exe-to-avoid-exposing-host-b.patch | 334 ------------------ ...ker-runc-1.0.0_rc2-mount-propagation.patch | 41 --- .../app-containers/runc/metadata.xml | 19 - .../app-containers/runc/runc-1.1.9.ebuild | 64 ---- .../board-packages-0.0.1.ebuild | 1 + .../lib/systemd/system/containerd.service} | 0 .../containerd.service | 1 + .../share/containerd}/config-cgroupfs.toml | 0 .../usr/share/containerd}/config.toml | 0 .../sysext/docker/usr/lib/flatcar}/dockerd | 0 .../lib/systemd/network}/50-docker.network | 0 .../systemd/network}/90-docker-veth.network | 0 .../usr/lib/systemd/system}/docker.service | 0 .../usr/lib/systemd/system}/docker.socket | 0 .../coreos/base/package.accept_keywords | 10 + .../profiles/coreos/base/package.use | 4 + .../app-containers/containerd/Manifest | 4 + .../containerd/containerd-1.7.1-r1.ebuild | 86 +++++ .../containerd/containerd-1.7.2.ebuild | 86 +++++ .../containerd/containerd-1.7.6.ebuild | 86 +++++ .../containerd/containerd-1.7.7.ebuild | 86 +++++ .../containerd/files/containerd.confd | 3 + 
.../containerd/files/containerd.initd | 26 ++ .../app-containers/containerd/metadata.xml | 19 +- .../app-containers/cri-tools/Manifest | 2 + .../cri-tools/cri-tools-1.25.0.ebuild | 34 ++ .../cri-tools/cri-tools-1.27.0.ebuild | 33 ++ .../app-containers/cri-tools/metadata.xml | 0 .../app-containers/docker-cli/Manifest | 4 + .../docker-cli/docker-cli-24.0.5.ebuild} | 49 +-- .../docker-cli/docker-cli-24.0.6.ebuild | 70 ++++ .../app-containers/docker-cli/metadata.xml | 15 + .../app-containers/docker-proxy/Manifest | 0 .../docker-proxy-0.8.0_p20230118.ebuild | 14 +- .../app-containers/docker-proxy/metadata.xml | 0 .../app-containers/docker/Manifest | 2 + .../docker/docker-24.0.5.ebuild | 330 +++++++++++++++++ .../docker/docker-24.0.6.ebuild | 331 +++++++++++++++++ ...nrc-Depend-on-containerd-init-script.patch | 28 ++ .../app-containers/docker/metadata.xml | 10 - .../app-containers/runc/Manifest | 2 + .../app-containers/runc/metadata.xml | 25 ++ .../app-containers/runc/runc-1.1.7.ebuild | 78 ++++ .../app-containers/runc/runc-1.1.9.ebuild | 78 ++++ .../portage-stable/dev-go/go-md2man/Manifest | 1 + .../dev-go/go-md2man/go-md2man-2.0.2.ebuild | 32 ++ .../dev-go/go-md2man}/metadata.xml | 5 +- 67 files changed, 1547 insertions(+), 1407 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest delete mode 120000 sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild delete mode 100644 
sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild rename sdk_container/src/third_party/coreos-overlay/{app-containers/containerd/files/containerd-1.0.0.service => coreos/sysext/containerd/usr/lib/systemd/system/containerd.service} (100%) create mode 120000 sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service rename 
sdk_container/src/third_party/coreos-overlay/{app-containers/containerd/files => coreos/sysext/containerd/usr/share/containerd}/config-cgroupfs.toml (100%) rename sdk_container/src/third_party/coreos-overlay/{app-containers/containerd/files => coreos/sysext/containerd/usr/share/containerd}/config.toml (100%) rename sdk_container/src/third_party/coreos-overlay/{app-containers/docker/files => coreos/sysext/docker/usr/lib/flatcar}/dockerd (100%) mode change 100644 => 100755 rename sdk_container/src/third_party/coreos-overlay/{app-containers/docker/files => coreos/sysext/docker/usr/lib/systemd/network}/50-docker.network (100%) rename sdk_container/src/third_party/coreos-overlay/{app-containers/docker/files => coreos/sysext/docker/usr/lib/systemd/network}/90-docker-veth.network (100%) rename sdk_container/src/third_party/coreos-overlay/{app-containers/docker/files => coreos/sysext/docker/usr/lib/systemd/system}/docker.service (100%) rename sdk_container/src/third_party/coreos-overlay/{app-containers/docker/files => coreos/sysext/docker/usr/lib/systemd/system}/docker.socket (100%) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.1-r1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.6.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.7.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.confd create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.initd rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/app-containers/containerd/metadata.xml (63%) create 
mode 100644 sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/app-containers/cri-tools/metadata.xml (100%) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest rename sdk_container/src/third_party/{coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild => portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild} (55%) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.6.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker-cli/metadata.xml rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/app-containers/docker-proxy/Manifest (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild (69%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/app-containers/docker-proxy/metadata.xml (100%) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/app-containers/docker/metadata.xml (76%) create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest create mode 100644 
sdk_container/src/third_party/portage-stable/app-containers/runc/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.7.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.9.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-go/go-md2man/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/dev-go/go-md2man/go-md2man-2.0.2.ebuild rename sdk_container/src/third_party/{coreos-overlay/app-containers/docker-cli => portage-stable/dev-go/go-md2man}/metadata.xml (53%)
diff --git a/build_image b/build_image
index 6cd84d91b65..697c109cee1 100755
--- a/build_image
+++ b/build_image
@@ -33,8 +33,8 @@ DEFINE_string base_pkg "coreos-base/coreos" \
 "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
 "The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker" \
- "Comma-separated list of name:package - build 'package' into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
+DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli" \
+ "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
 DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
 "Directory in which to place image result directories (named by version)"
 DEFINE_string disk_layout "" \
diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar
index ff5c5d36952..1d3502d33ae 100755
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@@ -3,5 +3,16 @@ set -euo pipefail
 
 rootfs="${1}"
+
+# No manpages on Flatcar, no need to ship "stress" tool
+echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
+rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"
+
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
+
+echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
+cp -va "${files_dir}/"* "${rootfs}"
+
 
 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
index 4cb69961036..b2c055324dc 100755
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
@@ -3,5 +3,15 @@ set -euo pipefail
 
 rootfs="${1}"
 
+# Remove debug and contrib
+echo ">>> NOTICE: $0: removing '/usr/lib/debug/', '/usr/share/docker/contrib' from sysext"
+rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"
+
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
+
+echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
+cp -va "${files_dir}/"* "${rootfs}"
+
 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
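Review bot: `script_root="$(cd "$(dirname "$0")/../"; pwd)"` in the added block does not fail when the `cd` fails: the `;` lets `pwd` run anyway, the substitution succeeds with the caller's cwd, and `files_dir` then points at an unrelated tree before `cp -va` is reached, so the eventual error names a path that has nothing to do with the real problem. Joining the two commands, `script_root="$(cd "$(dirname "$0")/../" && pwd)"`, makes the substitution itself fail, which the script's `set -e` turns into an immediate exit on the assignment. The same line appears in the sysext_mangle_docker-flatcar hunk in this file section.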
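Review bot: `rm -rf "${rootfs}/usr/lib/debug/" "${rootfs}/usr/share/docker/contrib/"` in the added block is only as safe as `rootfs`, and the `rootfs="${1}"` assignment above it is protected by `set -u` alone, which rejects a missing argument but not an empty one; an empty `$1` turns the call into `rm -rf /usr/lib/debug/` on the machine running the build. A guard after the assignment, `[[ -n "${rootfs}" && -d "${rootfs}" ]] || { echo "$0: rootfs '${rootfs}' is not a directory" >&2; exit 1; }`, bounds both this `rm -rf` and the `cp -va` that follows. How build_sysext passes the path is outside this hunk, so this is defence in depth rather than a reproduced failure.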
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
index 73afbb6cb49..f5642ca9c73 100755
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
@@ -30,12 +30,14 @@ create_prod_sysext() {
 local base_sysext="$4"
 local install_root="$5"
 local name="$6"
- local grp_pkg="$7"
+ local grp_pkgs="$7"
 local pkginfo="${8:-}"
 local -a build_sysext_opts=()
 
- local msg="Installing ${grp_pkg}' in sysext ${name}.raw"
+ local grp_pkg="${grp_pkgs//&/ }"
+
+ local msg="Installing ${grp_pkg} in sysext ${name}.raw"
 
 # Include previous sysexts' pkginfo if supplied
 if [[ -n "${pkginfo}" ]] ; then
@@ -60,7 +62,7 @@ create_prod_sysext() {
 --squashfs_base="${base_sysext}" \
 --generate_pkginfo \
 "${build_sysext_opts[@]}" \
- "${name}" "${grp_pkg}"
+ "${name}" ${grp_pkg}
 
 sudo mv "${workdir}/sysext-build/${name}.raw" "${workdir}/sysext-build/${name}_pkginfo.raw" \
 "${workdir}/sysext-build/${name}"_*.txt "${output_dir}"
diff --git a/build_sysext b/build_sysext
index bd819e281cf..86954e639c8 100755
--- a/build_sysext
+++ b/build_sysext
@@ -25,6 +25,8 @@ DEFINE_string squashfs_base '' \
 "The path to the squashfs base image. Defaults to the most current image built in '${default_imagedir}/${FLATCAR_PRODUCTION_IMAGE_SYSEXT_BASE}'."
 DEFINE_string image_builddir '' \
 "Custom directory to build the sysext in. Defaults to a 'sysext' sub-directory of the directory the squashfs base image resides in; '${default_imagedir}/sysext' by default."
+DEFINE_boolean strip_binaries "${FLAGS_TRUE}" \
+ "After installation, scan sysext root for unstripped binaries and strip these."
 DEFINE_string manglefs_script '' \
 "A path to executable that will customize the rootfs of the sysext image."
 DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
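Review bot: `"${name}" ${grp_pkg}` in the second sysext_prod_builder hunk relies on an unquoted expansion to turn the `&`-joined list back into separate arguments, which also subjects every atom to pathname expansion and reads, to the next maintainer, like a quoting mistake rather than a deliberate split. An array keeps the intent explicit: replace `local grp_pkg="${grp_pkgs//&/ }"` with `local -a grp_pkg_list; IFS='&' read -r -a grp_pkg_list <<< "${grp_pkgs}"`, build the message from `${grp_pkg_list[*]}` (joined with spaces under the default IFS), and pass `"${name}" "${grp_pkg_list[@]}"` to build_sysext. create_prod_sysext begins and ends outside both hunks.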
@@ -231,6 +233,22 @@ info "Writing ${SYSEXTNAME}_packages.txt"
 ROOT="${BUILD_DIR}/install-root" PORTAGE_CONFIGROOT="${BUILD_DIR}/install-root" \
 equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
+
+if [[ "${FLAGS_strip_binaries}" = "${FLAGS_TRUE}" ]]; then
+ chost="$("portageq-${BOARD}" envvar CHOST)"
+ strip="${chost}-strip"
+
+ info "Stripping all non-stripped binaries in sysext using '${strip}'"
+
+ # Find all non-stripped binaries, remove ':' from filepath, and strip 'em
+ find "${BUILD_DIR}/install-root" -exec file \{\} \; \
+ | awk '/not stripped/ {print substr($1, 1, length($1)-1)}' \
+ | while read bin; do
+ info " ${strip} ${bin}"
+ "${strip}" "${bin}"
+ done
+fi
+
 
 if [[ -n "${FLAGS_manglefs_script}" ]]; then
 if [[ ! -x "${FLAGS_manglefs_script}" ]]; then
 die "${FLAGS_manglefs_script} is not executable"
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
deleted file mode 100644
index ad194890936..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST containerd-1.7.7.tar.gz 9910424 BLAKE2B 623315962233fe3ce965c17c37c950dc1ded8b381012ed50d2bee8b1cea134bc9ef5a1cf5599b6bcd121cabe204fe61015526226131954364a976ebb08d8c353 SHA512 a44e901b017522639963bb415f666599af04335d8ccbd28899712606a4692c1601e95eaa2f1db32a3c077ad2c3f332f37393154ad6c2660646b7e8365a6ab720
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild
deleted file mode 120000
index c5606b90ce7..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-1.7.7.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-containerd-9999.ebuild
\ No newline at end of file
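Review bot: The awk stage of the new strip loop parses `file`'s output with `$1`, so any install-root path containing whitespace is cut at the first blank and `strip` is then run on a name that does not exist; `read` without `-r` additionally rewrites backslashes. Delimiting paths with NUL and using `file -b` (no filename in the output) removes the parsing entirely, and `-type f` keeps `file` off directories and symlinks. Whether a failing `strip` inside the piped `while` aborts the build depends on the script's `set -e`/`pipefail` settings, which are outside this hunk; if they are not set, the strip call should at least end in `|| die "strip failed on ${bin}"`.

```shell
    # … unchanged: chost / strip variables and the info line above …
    # Find all non-stripped binaries and strip them; NUL-delimited paths
    # survive whitespace and ':' in file names, and `file -b` needs no parsing.
    find "${BUILD_DIR}/install-root" -type f -print0 \
        | while IFS= read -r -d '' bin; do
            if file -b "${bin}" | grep -q 'not stripped'; then
                info "  ${strip} ${bin}"
                "${strip}" "${bin}"
            fi
          done
    # … unchanged: closing fi …
```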
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild
deleted file mode 100644
index 0cd73e67f56..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/containerd-9999.ebuild
+++ /dev/null
@@ -1,69 +0,0 @@ -# Copyright 1999-2018 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -GITHUB_URI="github.com/containerd/containerd" -COREOS_GO_PACKAGE="${GITHUB_URI}" -COREOS_GO_VERSION="go1.19" - -if [[ ${PV} == *9999 ]]; then - EGIT_REPO_URI="https://${GITHUB_URI}.git" - inherit git-r3 -else - MY_PV="${PV/_rc/-rc.}" - EGIT_COMMIT="v${MY_PV}" - CONTAINERD_COMMIT="c676287c3e99d785927d9775eb4bcf9facdd4159" - SRC_URI="https://${GITHUB_URI}/archive/${EGIT_COMMIT}.tar.gz -> ${P}.tar.gz" - KEYWORDS="amd64 arm64" - inherit vcs-snapshot -fi - -inherit coreos-go systemd - -DESCRIPTION="A daemon to control runC" -HOMEPAGE="https://containerd.tools" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="+btrfs hardened" - -DEPEND="btrfs? ( sys-fs/btrfs-progs )" -RDEPEND="~app-containers/runc-1.1.9 - sys-libs/libseccomp" - -S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE} - -RESTRICT="test" - -src_unpack() { - mkdir -p "${S}" - tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}" -} - -src_prepare() { - coreos-go_src_prepare - if [[ ${PV} != *9999* ]]; then - sed -i -e "s/git describe --match.*$/echo ${PV})/"\ - -e "s/git rev-parse HEAD.*$/echo $CONTAINERD_COMMIT)/"\ - -e "s/-s -w//" \ - Makefile || die - fi -} - -src_compile() { - local options=( $(usex btrfs "" "no_btrfs") ) - export GOPATH="${WORKDIR}/${P}" # ${PWD}/vendor - export GO111MODULE=on - export GOFLAGS="-v -x -mod=vendor" - LDFLAGS=$(usex hardened '-extldflags -fno-PIC' '') emake BUILDTAGS="${options[*]}" -} - -src_install() { - dobin bin/containerd{-shim,-shim-runc-v*,} bin/ctr - systemd_newunit "${FILESDIR}/${PN}-1.0.0.service" "${PN}.service" - systemd_enable_service multi-user.target "${PN}.service" - insinto /usr/share/containerd - doins "${FILESDIR}/config.toml" - doins "${FILESDIR}/config-cgroupfs.toml" -} 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service b/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
deleted file mode 100644
index 4a71b0736b3..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=containerd container runtime
-Documentation=https://containerd.io
-After=network.target local-fs.target
-
-[Service]
-ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/bin/containerd --listen unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim /usr/bin/containerd-shim --state-dir /var/run/docker/libcontainerd/containerd --start-timeout 2m
-
-Type=notify
-Delegate=yes
-KillMode=process
-Restart=always
-RestartSec=5
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNPROC=infinity
-LimitCORE=infinity
-LimitNOFILE=infinity
-TasksMax=infinity
-OOMScoreAdjust=-999
-
-[Install]
-WantedBy=multi-user.target early-docker.target
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest
deleted file mode 100644
index 519a794127c..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST cri-tools-1.24.2.tar.gz 5968560 BLAKE2B 8dce8d16d5218aa73705b4a49b31391eaa25b21deb97f3dfe553f43d7371adf58206d9198f3e22e1c9cbcb7f41b832b0600b324d7c0f943ef313dc89900da46d SHA512 9b5907b37bb5f00295eff4fa4207ae55d930feae7e0f48fa130c7ecc936bcd259a11d59ed240684a3e12c8bcee40f2c67d7f4af52c2a76df3d7bf82e5e388a75
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild
deleted file mode 100644
index ec5b2f855cd..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/cri-tools-1.24.2.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2021-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-# Flatcar: remove bash-completion, inherit coreos-go
-inherit go-module coreos-go
-
-COREOS_GO_VERSION="go1.19"
-COREOS_GO_PACKAGE="github.com/kubernetes-sigs/cri-tools"
-COREOS_GO_MOD="vendor"
-
-MY_PV="v${PV/_beta/-beta.}"
-
-EGO_PN="${COREOS_GO_PACKAGE}"
-DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
-HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
-SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
-SLOT="0"
-# Flatcar: keyword arm64
-KEYWORDS="amd64 arm64"
-
-S=${WORKDIR}/cri-tools-${PV}
-
-RESTRICT+=" test"
-
-src_compile() {
- # Flatcar: make use of the existing helpers provided by `coreos-go.eclass`.
- # To optimize the binary size of crictl, add "-X" to GO_LDFLAGS,
- # like "-X $(PROJECT)/pkg/version.Version=$(VERSION)" in the original
- # Makefile of cri-tools. We cannot follow way of Gentoo ebuilds like `emake`,
- # because Makefile of cri-tools does not allow users to pass in ${GOARCH}.
- # Remove shell completions.
- GO_LDFLAGS="-s -w -extldflags=-Wl,-z,now,-z,relro,-z,defs "
- GO_LDFLAGS+="-X ${COREOS_GO_PACKAGE}/pkg/version.Version=${PV} "
- go_build "${COREOS_GO_PACKAGE}/cmd/crictl"
-}
-
-src_install() {
- # Flatcar: install only crictl binary, remove shell completions.
- dobin "${GOBIN}/crictl"
-
- dodoc -r docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest
deleted file mode 100644
index 934f8dcbabb..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST docker-cli-20.10.24.tar.gz 7589761 BLAKE2B 353298fba483dc9ce2797397398bb99f9194302e09f943614b5101f24d7a6b404c5e8a1890acf76450e85d295e623f18fb21ab55a3faabfd04596ca520f740c5 SHA512 5996c24070986e18c0530d0db1a9b4a2c0188c1d22b4c0d99161b2f69bb9cecd4221b628afc0db3078d17918a6e312c6b6ca63f889e634006d4e04c677257a27
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch
deleted file mode 100644
index d35abf17833..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/files/0001-20.10-vendor-docker-v20.10.25-45-g0d4b9ed98b-v20.10..patch
+++ /dev/null
@@ -1,104 +0,0 @@ -From 5d4e44df90bb913f30a1f0215f9715cb60e17d75 Mon Sep 17 00:00:00 2001 -Message-Id: <5d4e44df90bb913f30a1f0215f9715cb60e17d75.1689769748.git.dpark@linux.microsoft.com> -From: Sebastiaan van Stijn -Date: Mon, 17 Jul 2023 16:48:27 +0200 -Subject: [PATCH] [20.10] vendor: docker v20.10.25-45-g0d4b9ed98b - (v20.10.26-dev) - -full diff: https://github.com/docker/docker/compare/v20.10.25...0d4b9ed98be2aecf27e8dd014bef7bad0be15457 - -Signed-off-by: Sebastiaan van Stijn ---- - .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++++ - .../github.com/docker/docker/client/hijack.go | 6 +++- - .../docker/docker/client/request.go | 14 ++++----- - vendor/github.com/docker/docker/vendor.conf | 2 +- - 5 files changed, 43 insertions(+), 11 deletions(-) - -diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go -index 0d3614d5..d0ce09ae 100644 ---- a/vendor/github.com/docker/docker/client/client.go -+++ b/vendor/github.com/docker/docker/client/client.go -@@ -56,6 +56,36 @@ import ( - "github.com/pkg/errors" - ) - -+// DummyHost is a hostname used for local communication. -+// -+// It acts as a valid formatted hostname for local connections (such as "unix://" -+// or "npipe://") which do not require a hostname. It should never be resolved, -+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2] -+// and [RFC 6761, Section 6.3]). -+// -+// [RFC 7230, Section 5.4] defines that an empty header must be used for such -+// cases: -+// -+// If the authority component is missing or undefined for the target URI, -+// then a client MUST send a Host header field with an empty field-value. -+// -+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not -+// allow an empty header to be used, and requires req.URL.Scheme to be either -+// "http" or "https". 
-+// -+// For further details, refer to: -+// -+// - https://github.com/docker/engine-api/issues/189 -+// - https://github.com/golang/go/issues/13624 -+// - https://github.com/golang/go/issues/61076 -+// - https://github.com/moby/moby/issues/45935 -+// -+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2 -+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3 -+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 -+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569 -+const DummyHost = "api.moby.localhost" -+ - // ErrRedirect is the error returned by checkRedirect when the request is non-GET. - var ErrRedirect = errors.New("unexpected redirect in response") - -diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go -index e1dc49ef..b8fac0be 100644 ---- a/vendor/github.com/docker/docker/client/hijack.go -+++ b/vendor/github.com/docker/docker/client/hijack.go -@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) { - } - - func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) { -- req.Host = cli.addr -+ req.URL.Host = cli.addr -+ if cli.proto == "unix" || cli.proto == "npipe" { -+ // Override host header for non-tcp connections. 
-+ req.Host = DummyHost -+ } - req.Header.Set("Connection", "Upgrade") - req.Header.Set("Upgrade", proto) - -diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go -index d3d9a3fe..66530d4b 100644 ---- a/vendor/github.com/docker/docker/client/request.go -+++ b/vendor/github.com/docker/docker/client/request.go -@@ -88,15 +88,13 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea - return nil, err - } - req = cli.addHeaders(req, headers) -- -- if cli.proto == "unix" || cli.proto == "npipe" { -- // For local communications, it doesn't matter what the host is. We just -- // need a valid and meaningful host name. (See #189) -- req.Host = "docker" -- } -- -- req.URL.Host = cli.addr - req.URL.Scheme = cli.scheme -+ req.URL.Host = cli.addr -+ -+ if cli.proto == "unix" || cli.proto == "npipe" { -+ // Override host header for non-tcp connections. -+ req.Host = DummyHost -+ } - - if expectedPayload && req.Header.Get("Content-Type") == "" { - req.Header.Set("Content-Type", "text/plain") --- -2.34.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest deleted file mode 100644 index 9f7524a1187..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/Manifest +++ /dev/null @@ -1 +0,0 @@ -DIST docker-20.10.24.tar.gz 11235129 BLAKE2B abeae0ff9e2d03bd7c901a9e3c1f5a3ccf84afefb034ce032f4e559349ea01ab69ebe120d6c0992885aafa153a784a8c253ed3f7345b921860b758da8e0474ef SHA512 2e82d8048fbf53e3d8ac87eb155d2e321378ca9c9ee038d13bb1b510db31df0f9951db51df81bad28a64c25285e21f8e541b4ce58a68af81fa66d5c07dd3f4d3 diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild deleted file mode 100644 index fd5dc6e762a..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/docker-20.10.24-r3.ebuild +++ /dev/null 
@@ -1,332 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 -EGO_PN=github.com/docker/docker -MY_PV=${PV/_/-} -GIT_COMMIT=d6cbf44b8c -inherit linux-info systemd udev golang-vcs-snapshot - -COREOS_GO_VERSION="go1.19" -COREOS_GO_GO111MODULE="off" - -inherit coreos-go-depend - -DESCRIPTION="The core functions you need to create Docker images and run Docker containers" -HOMEPAGE="https://www.docker.com/" -SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86" -# Flatcar: default enable required USE flags -IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened -+overlay +seccomp selinux" - -DEPEND=" - acct-group/docker - >=dev-db/sqlite-3.7.9:3 - apparmor? ( sys-libs/libapparmor ) - btrfs? ( >=sys-fs/btrfs-progs-3.16.1 ) - device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] ) - seccomp? ( >=sys-libs/libseccomp-2.2.1 ) -" - -# Flatcar: -# For CoreOS builds coreos-kernel must be installed because this ebuild -# checks the kernel config. The kernel config is left by the kernel compile -# or an explicit copy when installing binary packages. See coreos-kernel.eclass -DEPEND+=" - sys-kernel/coreos-kernel -" - -# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies -# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies -# https://github.com/moby/moby/tree/master//hack/dockerfile/install -# make sure docker-proxy is pinned to exact version from ^, -# for appropriate branchch/version of course -# Flatcar: -# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags -RDEPEND=" - ${DEPEND} - >=net-firewall/iptables-1.4 - sys-process/procps - >=dev-vcs/git-1.7 - >=app-arch/xz-utils-4.9 - dev-libs/libltdl - >=app-containers/containerd-1.6.16[btrfs?] - ~app-containers/docker-proxy-0.8.0_p20230118 - cli? 
( ~app-containers/docker-cli-${PV} ) - container-init? ( >=sys-process/tini-0.19.0[static] ) - selinux? ( sec-policy/selinux-docker ) -" - -# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies -# Flatcar: drop go-md2man -BDEPEND=" - >=dev-lang/go-1.16.12 - virtual/pkgconfig -" -# tests require running dockerd as root and downloading containers -RESTRICT="installsources strip test" - -S="${WORKDIR}/${P}/src/${EGO_PN}" - -# Flatcar: Dropped outdated bug links, dropped openrc init script patch, -# backport upstream patches for fixing invalid headers issue when building -# with Go 1.19.11+. -PATCHES=( - "${FILESDIR}/ppc64-buildmode.patch" - "${FILESDIR}/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch" - "${FILESDIR}/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch" -) - -# see "contrib/check-config.sh" from upstream's sources -CONFIG_CHECK=" - ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS - ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG - ~CGROUP_NET_PRIO - ~KEYS - ~VETH ~BRIDGE ~BRIDGE_NETFILTER - ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE ~NETFILTER_XT_MARK - ~NETFILTER_NETLINK ~NETFILTER_XT_MATCH_ADDRTYPE ~NETFILTER_XT_MATCH_CONNTRACK ~NETFILTER_XT_MATCH_IPVS - ~IP_NF_NAT ~NF_NAT - ~POSIX_MQUEUE - - ~USER_NS - ~SECCOMP - ~CGROUP_PIDS - - ~BLK_CGROUP ~BLK_DEV_THROTTLING - ~CGROUP_PERF - ~CGROUP_HUGETLB - ~NET_CLS_CGROUP - ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED - ~IP_VS ~IP_VS_PROTO_TCP ~IP_VS_PROTO_UDP ~IP_VS_NFCT ~IP_VS_RR - - ~VXLAN - ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH ~XFRM_ALGO ~XFRM_USER - ~IPVLAN - ~MACVLAN ~DUMMY - - ~OVERLAY_FS ~!OVERLAY_FS_REDIRECT_DIR - ~EXT4_FS_SECURITY - ~EXT4_FS_POSIX_ACL -" - -ERROR_KEYS="CONFIG_KEYS: is mandatory" -ERROR_MEMCG_SWAP="CONFIG_MEMCG_SWAP: is required if you wish to limit swap usage of containers" -ERROR_RESOURCE_COUNTERS="CONFIG_RESOURCE_COUNTERS: is optional for container statistics gathering" - 
-ERROR_BLK_CGROUP="CONFIG_BLK_CGROUP: is optional for container statistics gathering" -ERROR_IOSCHED_CFQ="CONFIG_IOSCHED_CFQ: is optional for container statistics gathering" -ERROR_CGROUP_PERF="CONFIG_CGROUP_PERF: is optional for container statistics gathering" -ERROR_CFS_BANDWIDTH="CONFIG_CFS_BANDWIDTH: is optional for container statistics gathering" -ERROR_XFRM_ALGO="CONFIG_XFRM_ALGO: is optional for secure networks" -ERROR_XFRM_USER="CONFIG_XFRM_USER: is optional for secure networks" - -pkg_setup() { - - if kernel_is lt 4 5; then - CONFIG_CHECK+=" - ~MEMCG_KMEM - " - ERROR_MEMCG_KMEM="CONFIG_MEMCG_KMEM: is optional" - fi - - if kernel_is lt 4 7; then - CONFIG_CHECK+=" - ~DEVPTS_MULTIPLE_INSTANCES - " - fi - - if kernel_is lt 5 1; then - CONFIG_CHECK+=" - ~NF_NAT_IPV4 - ~IOSCHED_CFQ - ~CFQ_GROUP_IOSCHED - " - fi - - if kernel_is lt 5 2; then - CONFIG_CHECK+=" - ~NF_NAT_NEEDED - " - fi - - if kernel_is lt 5 8; then - CONFIG_CHECK+=" - ~MEMCG_SWAP_ENABLED - " - fi - - if kernel_is lt 6 1; then - CONFIG_CHECK+=" - ~MEMCG_SWAP - " - fi - - if use aufs; then - CONFIG_CHECK+=" - ~AUFS_FS - ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY - " - ERROR_AUFS_FS="CONFIG_AUFS_FS: is required to be set if and only if aufs is patched to kernel instead of using standalone" - fi - - if use btrfs; then - CONFIG_CHECK+=" - ~BTRFS_FS - ~BTRFS_FS_POSIX_ACL - " - fi - - if use device-mapper; then - CONFIG_CHECK+=" - ~BLK_DEV_DM ~DM_THIN_PROVISIONING ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY - " - fi - - linux-info_pkg_setup -} - -src_compile() { - # Flatcar: for cross-compilation - go_export - export DOCKER_GITCOMMIT="${GIT_COMMIT}" - export GOPATH="${WORKDIR}/${P}" - export VERSION=${PV} - - # setup CFLAGS and LDFLAGS for separate build target - # see https://github.com/tianon/docker-overlay/pull/10 - # Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath - export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include" - export CGO_LDFLAGS="${CGO_LDFLAGS} 
-L${ESYSROOT}/usr/$(get_libdir)" - - # let's set up some optional features :) - export DOCKER_BUILDTAGS='' - for gd in aufs btrfs device-mapper overlay; do - if ! use $gd; then - DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}" - fi - done - - for tag in apparmor seccomp; do - if use $tag; then - DOCKER_BUILDTAGS+=" $tag" - fi - done - # Flatcar: Add journald to build tags. - DOCKER_BUILDTAGS+=' journald' - - # Flatcar: - # inject LDFLAGS for torcx - if use hardened; then - sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die - grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed' - sed "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \ - -i hack/make/dynbinary-daemon || die - grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed' - fi - - # build daemon - ./hack/make.sh dynbinary || die 'dynbinary failed' -} - -src_install() { - dosym containerd /usr/bin/docker-containerd - dosym containerd-shim /usr/bin/docker-containerd-shim - dosym runc /usr/bin/docker-runc - use container-init && dosym tini /usr/bin/docker-init - newbin bundles/dynbinary-daemon/dockerd dockerd - - newinitd contrib/init/openrc/docker.initd docker - newconfd contrib/init/openrc/docker.confd docker - - # Flatcar: - # install our systemd units/network config and our wrapper into - # /usr/lib/flatcar/docker for backwards compatibility instead of - # the units from contrib/init/systemd directory. 
- # - # systemd_dounit contrib/init/systemd/docker.{service,socket} - exeinto /usr/lib/flatcar - doexe "${FILESDIR}/dockerd" - - systemd_dounit "${FILESDIR}/docker.service" - systemd_dounit "${FILESDIR}/docker.socket" - - insinto /usr/lib/systemd/network - doins "${FILESDIR}/50-docker.network" - doins "${FILESDIR}/90-docker-veth.network" - - udev_dorules contrib/udev/*.rules - - dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md - dodoc -r docs/* - - # Flatcar: - # don't install contrib bits - # # note: intentionally not using "doins" so that we preserve +x bits - # dodir /usr/share/${PN}/contrib - # cp -R contrib/* "${ED}/usr/share/${PN}/contrib" -} - -pkg_postinst() { - udev_reload - - elog - elog "To use Docker, the Docker daemon must be running as root. To automatically" - elog "start the Docker daemon at boot:" - if systemd_is_booted || has_version sys-apps/systemd; then - elog " systemctl enable docker.service" - else - elog " rc-update add docker default" - fi - elog - elog "To use Docker as a non-root user, add yourself to the 'docker' group:" - elog ' usermod -aG docker ' - elog - - if use device-mapper; then - elog " Devicemapper storage driver has been deprecated" - elog " It will be removed in a future release" - elog - fi - - if use overlay; then - elog " Overlay storage driver/USEflag has been deprecated" - elog " in favor of overlay2 (enabled unconditionally)" - elog - fi - - if has_version sys-fs/zfs; then - elog " ZFS storage driver is available" - elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info" - elog - fi - - if use cli; then - ewarn "Starting with docker 20.10.2, docker has been split into" - ewarn "two packages upstream, so Gentoo has followed suit." - ewarn - ewarn "app-containers/docker contains the daemon and" - ewarn "app-containers/docker-cli contains the docker command." - ewarn - ewarn "docker currently installs docker-cli using the cli use flag." 
- ewarn - ewarn "This use flag is temporary, so you need to take the" - ewarn "following actions:" - ewarn - ewarn "First, disable the cli use flag for app-containers/docker" - ewarn - ewarn "Then, if you need docker-cli and docker on the same machine," - ewarn "run the following command:" - ewarn - ewarn "# emerge --noreplace docker-cli" - ewarn - fi -} - -pkg_postrm() { - udev_reload -} diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch deleted file mode 100644 index 2009922b4d9..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch +++ /dev/null 
@@ -1,161 +0,0 @@
-From 74b4974cb7e7e81e57661f93b03c94a95a15472e Mon Sep 17 00:00:00 2001
-Message-Id: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
-From: Sebastiaan van Stijn
-Date: Wed, 12 Jul 2023 14:15:38 +0200
-Subject: [PATCH 1/2] client: define a "dummy" hostname to use for local
- connections
-
-For local communications (npipe://, unix://), the hostname is not used,
-but we need valid and meaningful hostname.
-
-The current code used the client's `addr` as hostname in some cases, which
-could contain the path for the unix-socket (`/var/run/docker.sock`), which
-gets rejected by go1.20.6 and go1.19.11 because of a security fix for
-[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
-
-Prior versions go Go would clean the host header, and strip slashes in the
-process, but go1.20.6 and go1.19.11 no longer do, and reject the host
-header.
-
-This patch introduces a `DummyHost` const, and uses this dummy host for
-cases where we don't need an actual hostname.
-
-Before this patch (using go1.20.6):
-
- make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
- === RUN TestAttachWithTTY
- attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
- --- FAIL: TestAttachWithTTY (0.11s)
- === RUN TestAttachWithoutTTy
- attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
- --- FAIL: TestAttachWithoutTTy (0.02s)
- FAIL
-
-With this patch applied:
-
- make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
- INFO: Testing against a local daemon
- === RUN TestAttachWithTTY
- --- PASS: TestAttachWithTTY (0.12s)
- === RUN TestAttachWithoutTTy
- --- PASS: TestAttachWithoutTTy (0.02s)
- PASS
-
-[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
-
-Signed-off-by: Sebastiaan van Stijn
-(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
-Signed-off-by: Sebastiaan van Stijn
----
- client/client.go | 30 ++++++++++++++++++++++++++++++
- client/hijack.go | 6 +++++-
- client/request.go | 14 ++++++--------
- client/request_test.go | 4 ++--
- 4 files changed, 43 insertions(+), 11 deletions(-)
-
-diff --git a/client/client.go b/client/client.go
-index 0d3614d5..d0ce09ae 100644
---- a/client/client.go
-+++ b/client/client.go
-@@ -56,6 +56,36 @@ import (
- "github.com/pkg/errors"
- )
-
-+// DummyHost is a hostname used for local communication.
-+//
-+// It acts as a valid formatted hostname for local connections (such as "unix://"
-+// or "npipe://") which do not require a hostname. It should never be resolved,
-+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
-+// and [RFC 6761, Section 6.3]).
-+//
-+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
-+// cases:
-+//
-+// If the authority component is missing or undefined for the target URI,
-+// then a client MUST send a Host header field with an empty field-value.
-+//
-+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
-+// allow an empty header to be used, and requires req.URL.Scheme to be either
-+// "http" or "https".
-+//
-+// For further details, refer to:
-+//
-+// - https://github.com/docker/engine-api/issues/189
-+// - https://github.com/golang/go/issues/13624
-+// - https://github.com/golang/go/issues/61076
-+// - https://github.com/moby/moby/issues/45935
-+//
-+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
-+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
-+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
-+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
-+const DummyHost = "api.moby.localhost"
-+
- // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
- var ErrRedirect = errors.New("unexpected redirect in response")
-
-diff --git a/client/hijack.go b/client/hijack.go
-index e1dc49ef..b8fac0be 100644
---- a/client/hijack.go
-+++ b/client/hijack.go
-@@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
- }
-
- func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
-- req.Host = cli.addr
-+ req.URL.Host = cli.addr
-+ if cli.proto == "unix" || cli.proto == "npipe" {
-+ // Override host header for non-tcp connections.
-+ req.Host = DummyHost
-+ }
- req.Header.Set("Connection", "Upgrade")
- req.Header.Set("Upgrade", proto)
-
-diff --git a/client/request.go b/client/request.go
-index d3d9a3fe..66530d4b 100644
---- a/client/request.go
-+++ b/client/request.go
-@@ -88,15 +88,13 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
- return nil, err
- }
- req = cli.addHeaders(req, headers)
--
-- if cli.proto == "unix" || cli.proto == "npipe" {
-- // For local communications, it doesn't matter what the host is. We just
-- // need a valid and meaningful host name. (See #189)
-- req.Host = "docker"
-- }
--
-- req.URL.Host = cli.addr
- req.URL.Scheme = cli.scheme
-+ req.URL.Host = cli.addr
-+
-+ if cli.proto == "unix" || cli.proto == "npipe" {
-+ // Override host header for non-tcp connections.
-+ req.Host = DummyHost
-+ }
-
- if expectedPayload && req.Header.Get("Content-Type") == "" {
- req.Header.Set("Content-Type", "text/plain")
-diff --git a/client/request_test.go b/client/request_test.go
-index a3be507b..c1a10923 100644
---- a/client/request_test.go
-+++ b/client/request_test.go
-@@ -27,12 +27,12 @@ func TestSetHostHeader(t *testing.T) {
- }{
- {
- "unix:///var/run/docker.sock",
-- "docker",
-+ DummyHost,
- "/var/run/docker.sock",
- },
- {
- "npipe:////./pipe/docker_engine",
-- "docker",
-+ DummyHost,
- "//./pipe/docker_engine",
- },
- {
---
-2.34.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
deleted file mode 100644
index da7e0dbc112..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 1603196c5bc3e3b826c841e599bc45fc33562633 Mon Sep 17 00:00:00 2001
-Message-Id: <1603196c5bc3e3b826c841e599bc45fc33562633.1689689028.git.dpark@linux.microsoft.com>
-In-Reply-To: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
-References: <74b4974cb7e7e81e57661f93b03c94a95a15472e.1689689028.git.dpark@linux.microsoft.com>
-From: Sebastiaan van Stijn
-Date: Wed, 12 Jul 2023 15:07:59 +0200
-Subject: [PATCH 2/2] pkg/plugins: use a dummy hostname for local connections
-
-For local communications (npipe://, unix://), the hostname is not used,
-but we need valid and meaningful hostname.
-
-The current code used the socket path as hostname, which gets rejected by
-go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
-which was implemented in https://go.dev/issue/60374.
-
-Prior versions go Go would clean the host header, and strip slashes in the
-process, but go1.20.6 and go1.19.11 no longer do, and reject the host
-header.
-
-Before this patch, tests would fail on go1.20.6:
-
- === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
- time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
- time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
- time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
- time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
- authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
-
-[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
-
-Signed-off-by: Sebastiaan van Stijn
-(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
-Signed-off-by: Sebastiaan van Stijn
----
- pkg/plugins/client.go | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
-index 752fecd0..e683eb77 100644
---- a/pkg/plugins/client.go
-+++ b/pkg/plugins/client.go
-@@ -18,6 +18,12 @@ import (
-
- const (
- defaultTimeOut = 30
-+
-+ // dummyHost is a hostname used for local communication.
-+ //
-+ // For local communications (npipe://, unix://), the hostname is not used,
-+ // but we need valid and meaningful hostname.
-+ dummyHost = "plugin.moby.localhost"
- )
-
- func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
-@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
- return nil, err
- }
- scheme := httpScheme(u)
--
-- return transport.NewHTTPTransport(tr, scheme, socket), nil
-+ hostName := u.Host
-+ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
-+ // Override host header for non-tcp connections.
-+ hostName = dummyHost
-+ }
-+ return transport.NewHTTPTransport(tr, scheme, hostName), nil
- }
-
- // NewClient creates a new plugin client (http).
---
-2.34.1
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch
deleted file mode 100644
index 2d677a71abf..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/ppc64-buildmode.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c4135e37e54a6480abfe18746f227f05cb9269ab Mon Sep 17 00:00:00 2001
-From: Georgy Yakovlev
-Date: Thu, 10 Jun 2021 16:19:22 -0700
-Subject: [PATCH] don't use buildmode=pie on ppc64
-
-It's already omitted for ppc64 in
-hack/dockerfile/install/install.sh
-not using wildcard, because GOARCH=ppc64le supports pie
-
-Signed-off-by: Georgy Yakovlev
----
- hack/make/.binary | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hack/make/.binary b/hack/make/.binary
-index 5ea3e373f2..7a911de15a 100644
---- a/hack/make/.binary
-+++ b/hack/make/.binary
-@@ -70,7 +70,7 @@ hash_files() {
- if [[ " $BUILDFLAGS " != *" -race "* ]]; then
- # -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
- case "$(go env GOOS)/$(go env GOARCH)" in
-- windows/* | linux/mips* | linux/riscv*) ;;
-+ windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
-
- *)
- BUILDFLAGS+=("-buildmode=pie")
---
-2.32.0
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest
deleted file mode 100644
index 83bd124b395..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST runc-1.1.9.tar.gz 2514790 BLAKE2B dec0766c96fb2d264ee8d693adafd2b1f94a2f30329b41f966441f1632ceda83835f4aa8ad46966a04d890cb4c5107f6880ad911ed2b879d2c72565ba5d513e6 SHA512 722ed7d58eccfb37357d85e69b2a8f7fa23ed3553e3b6541e9f26946896dc0c2955e5e4708ee77765ad2d3e4dd9c9722fbcefce1f2a96111240edd445cf902ba
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
deleted file mode 100644
index d9b38e9a887..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-Delay-unshare-of-clone-newipc-for-selinux.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ab3a3b89d712bb1c6ca2e09ffc375f4b837e9401 Mon Sep 17 00:00:00 2001
-From: Mrunal Patel
-Date: Thu, 2 Feb 2017 11:23:26 -0800
-Subject: [PATCH] Delay unshare of CLONE_NEWIPC for SELinux
-
-We ensure that mqueue is owned by user namespace root
-by unsharing CLONE_NEWIPC after we become user namespace
-root. This allows us to apply the container SELinux label
-to mqueue.
-
-Signed-off-by: Mrunal Patel
-(dpark: Adjust the logic according to the new code of v1.1.5)
-Signed-off-by: Dongsu Park
----
- libcontainer/nsenter/nsexec.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 2d224bab..4865261f 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -1241,7 +1241,12 @@ void nsexec(void)
- * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
- * was broken, so we'll just do it the long way anyway.
- */
-- try_unshare(config.cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
-+ uint32_t apply_cloneflags = config.cloneflags;
-+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
-+ apply_cloneflags &= ~CLONE_NEWIPC;
-+ }
-+
-+ try_unshare(apply_cloneflags & ~CLONE_NEWCGROUP, "remaining namespaces (except cgroupns)");
-
- /* Ask our parent to send the mount sources fds. */
- if (config.mountsources) {
-@@ -1362,6 +1367,10 @@ void nsexec(void)
- try_unshare(CLONE_NEWCGROUP, "cgroup namespace");
- }
-
-+ if ((config.cloneflags & CLONE_NEWUSER) && (config.cloneflags & CLONE_NEWIPC)) {
-+ try_unshare(CLONE_NEWIPC, "ipc namespace");
-+ }
-+
- write_log(DEBUG, "signal completion to stage-0");
- s = SYNC_CHILD_FINISH;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
deleted file mode 100644
index 92b024eb4e9..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
+++ /dev/null
@@ -1,334 +0,0 @@
-From 2d069bb79260e594870ce3e7466477e54a0c5307 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai
-Date: Wed, 9 Jan 2019 13:40:01 +1100
-Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
- to container
-
-There are quite a few circumstances where /proc/self/exe pointing to a
-pretty important container binary is a _bad_ thing, so to avoid this we
-have to make a copy (preferably doing self-clean-up and not being
-writeable).
-
-We require memfd_create(2) -- though there is an O_TMPFILE fallback --
-but we can always extend this to use a scratch MNT_DETACH overlayfs or
-tmpfs. The main downside to this approach is no page-cache sharing for
-the runc binary (which overlayfs would give us) but this is far less
-complicated.
-
-This is only done during nsenter so that it happens transparently to the
-Go code, and any libcontainer users benefit from it. This also makes
-ExtraFiles and --preserve-fds handling trivial (because we don't need to
-worry about it).
-
-Fixes: CVE-2019-5736
-Co-developed-by: Christian Brauner
-Signed-off-by: Aleksa Sarai
----
- libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++
- libcontainer/nsenter/nsexec.c | 11 ++
- 2 files changed, 279 insertions(+)
- create mode 100644 libcontainer/nsenter/cloned_binary.c
-
-diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
-new file mode 100644
-index 000000000000..c8a42c23f73f
---- /dev/null
-+++ b/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,268 @@
-+/*
-+ * Copyright (C) 2019 Aleksa Sarai
-+ * Copyright (C) 2019 SUSE LLC
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#define _GNU_SOURCE
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+/* Use our own wrapper for memfd_create. */
-+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-+# define SYS_memfd_create __NR_memfd_create
-+#endif
-+#ifdef SYS_memfd_create
-+# define HAVE_MEMFD_CREATE
-+/* memfd_create(2) flags -- copied from . */
-+# ifndef MFD_CLOEXEC
-+# define MFD_CLOEXEC 0x0001U
-+# define MFD_ALLOW_SEALING 0x0002U
-+# endif
-+int memfd_create(const char *name, unsigned int flags)
-+{
-+ return syscall(SYS_memfd_create, name, flags);
-+}
-+#endif
-+
-+/* This comes directly from . */
-+#ifndef F_LINUX_SPECIFIC_BASE
-+# define F_LINUX_SPECIFIC_BASE 1024
-+#endif
-+#ifndef F_ADD_SEALS
-+# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-+# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-+#endif
-+#ifndef F_SEAL_SEAL
-+# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
-+# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
-+# define F_SEAL_GROW 0x0004 /* prevent file from growing */
-+# define F_SEAL_WRITE 0x0008 /* prevent writes */
-+#endif
-+
-+#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
-+#ifdef HAVE_MEMFD_CREATE
-+# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+# define RUNC_MEMFD_SEALS \
-+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-+#endif
-+
-+static void *must_realloc(void *ptr, size_t size)
-+{
-+ void *old = ptr;
-+ do {
-+ ptr = realloc(old, size);
-+ } while(!ptr);
-+ return ptr;
-+}
-+
-+/*
-+ * Verify whether we are currently in a self-cloned program (namely, is
-+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
-+ * for shmem files), and we want to be sure it's actually sealed.
-+ */
-+static int is_self_cloned(void)
-+{
-+ int fd, ret, is_cloned = 0;
-+
-+ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
-+ if (fd < 0)
-+ return -ENOTRECOVERABLE;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+ ret = fcntl(fd, F_GET_SEALS);
-+ is_cloned = (ret == RUNC_MEMFD_SEALS);
-+#else
-+ struct stat statbuf = {0};
-+ ret = fstat(fd, &statbuf);
-+ if (ret >= 0)
-+ is_cloned = (statbuf.st_nlink == 0);
-+#endif
-+ close(fd);
-+ return is_cloned;
-+}
-+
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
-+static char *read_file(char *path, size_t *length)
-+{
-+ int fd;
-+ char buf[4096], *copy = NULL;
-+
-+ if (!length)
-+ return NULL;
-+
-+ fd = open(path, O_RDONLY | O_CLOEXEC);
-+ if (fd < 0)
-+ return NULL;
-+
-+ *length = 0;
-+ for (;;) {
-+ int n;
-+
-+ n = read(fd, buf, sizeof(buf));
-+ if (n < 0)
-+ goto error;
-+ if (!n)
-+ break;
-+
-+ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
-+ memcpy(copy + *length, buf, n);
-+ *length += n;
-+ }
-+ close(fd);
-+ return copy;
-+
-+error:
-+ close(fd);
-+ free(copy);
-+ return NULL;
-+}
-+
-+/*
-+ * A poor-man's version of "xargs -0". Basically parses a given block of
-+ * NUL-delimited data, within the given length and adds a pointer to each entry
-+ * to the array of pointers.
-+ */
-+static int parse_xargs(char *data, int data_length, char ***output)
-+{
-+ int num = 0;
-+ char *cur = data;
-+
-+ if (!data || *output != NULL)
-+ return -1;
-+
-+ while (cur < data + data_length) {
-+ num++;
-+ *output = must_realloc(*output, (num + 1) * sizeof(**output));
-+ (*output)[num - 1] = cur;
-+ cur += strlen(cur) + 1;
-+ }
-+ (*output)[num] = NULL;
-+ return num;
-+}
-+
-+/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
-+ * This is necessary because we are running in a context where we don't have a
-+ * main() that we can just get the arguments from.
-+ */
-+static int fetchve(char ***argv, char ***envp)
-+{
-+ char *cmdline = NULL, *environ = NULL;
-+ size_t cmdline_size, environ_size;
-+
-+ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
-+ if (!cmdline)
-+ goto error;
-+ environ = read_file("/proc/self/environ", &environ_size);
-+ if (!environ)
-+ goto error;
-+
-+ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
-+ goto error;
-+ if (parse_xargs(environ, environ_size, envp) <= 0)
-+ goto error;
-+
-+ return 0;
-+
-+error:
-+ free(environ);
-+ free(cmdline);
-+ return -EINVAL;
-+}
-+
-+static int clone_binary(void)
-+{
-+ int binfd, memfd;
-+ ssize_t sent = 0;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+ memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+#else
-+ memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
-+#endif
-+ if (memfd < 0)
-+ return -ENOTRECOVERABLE;
-+
-+ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
-+ if (binfd < 0)
-+ goto error;
-+
-+ sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
-+ close(binfd);
-+ if (sent < 0)
-+ goto error;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+ int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
-+ if (err < 0)
-+ goto error;
-+#else
-+ /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
-+ int newfd;
-+ char *fdpath = NULL;
-+
-+ if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
-+ goto error;
-+ newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
-+ free(fdpath);
-+ if (newfd < 0)
-+ goto error;
-+
-+ close(memfd);
-+ memfd = newfd;
-+#endif
-+ return memfd;
-+
-+error:
-+ close(memfd);
-+ return -EIO;
-+}
-+
-+int ensure_cloned_binary(void)
-+{
-+ int execfd;
-+ char **argv = NULL, **envp = NULL;
-+
-+ /* Check that we're not self-cloned, and if we are then bail. */
-+ int cloned = is_self_cloned();
-+ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
-+ return cloned;
-+
-+ if (fetchve(&argv, &envp) < 0)
-+ return -EINVAL;
-+
-+ execfd = clone_binary();
-+ if (execfd < 0)
-+ return -EIO;
-+
-+ fexecve(execfd, argv, envp);
-+ return -ENOEXEC;
-+}
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 28269dfc027f..7750af35ea92 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
- free(namespaces);
- }
-
-+/* Defined in cloned_binary.c. */
-+extern int ensure_cloned_binary(void);
-+
- void nsexec(void)
- {
- int pipenum;
-@@ -549,6 +552,14 @@ void nsexec(void)
- if (pipenum == -1)
- return;
-
-+ /*
-+ * We need to re-exec if we are not in a cloned binary. This is necessary
-+ * to ensure that containers won't be able to access the host binary
-+ * through /proc/self/exe. See CVE-2019-5736.
-+ */
-+ if (ensure_cloned_binary() < 0)
-+ bail("could not ensure we are a cloned binary");
-+
- /* Parse all of the netlink configuration. */
- nl_parse(pipenum, &config);
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch
deleted file mode 100644
index c284e9972d7..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/files/docker-runc-1.0.0_rc2-mount-propagation.patch +++ /dev/null @@ -1,41 +0,0 @@ -From db55cd4f29298ae08b20f92b8953735723ee2167 Mon Sep 17 00:00:00 2001 -From: Euan Kemp -Date: Fri, 22 Sep 2017 02:31:17 -0700 -Subject: [PATCH] libcontainer: default mount propagation correctly - -The code in prepareRoot (https://github.com/opencontainers/runc/blob/e385f67a0e45fa1d8ef8154e2aea5128ea1d331b/libcontainer/rootfs_linux.go#L599-L605) -attempts to default the rootfs mount to `rslave`. However, since the spec -conversion has already defaulted it to `rprivate`, that code doesn't -actually ever do anything. - -This changes the spec conversion code to accept "" and treat it as 0. - -Implicitly, this makes rootfs propagation default to `rslave`, which is -a part of fixing the moby bug https://github.com/moby/moby/issues/34672 - -Alternate implementatoins include changing this defaulting to be -`rslave` and removing the defaulting code in prepareRoot, or skipping -the mapping entirely for "", but I think this change is the cleanest of -those options. - -Signed-off-by: Euan Kemp ---- - libcontainer/specconv/spec_linux.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go -index 1575ae03..8a2947f6 100644 ---- a/libcontainer/specconv/spec_linux.go -+++ b/libcontainer/specconv/spec_linux.go -@@ -36,7 +36,7 @@ var mountPropagationMapping = map[string]int{ - "slave": syscall.MS_SLAVE, - "rshared": syscall.MS_SHARED | syscall.MS_REC, - "shared": syscall.MS_SHARED, -- "": syscall.MS_PRIVATE | syscall.MS_REC, -+ "": 0, - } - - var allowedDevices = []*configs.Device{ --- -2.13.5 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml deleted file mode 100644 index 9fe8126b58a..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/metadata.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - runc is a CLI tool for spawning and running containers according - to the OCF (Open Container Format) specification. - - - mrueg@gentoo.org - Manuel RĂ¼ger - - - Enable support for ambient capability - Enable AppArmor support - - - docker/runc - - diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild b/sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild deleted file mode 100644 index 319370f2c7c..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-containers/runc/runc-1.1.9.ebuild +++ /dev/null 
@@ -1,64 +0,0 @@ -# Copyright 1999-2018 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -GITHUB_URI="github.com/opencontainers/runc" -COREOS_GO_PACKAGE="${GITHUB_URI}" -COREOS_GO_VERSION="go1.19" -# the commit of runc that docker uses. -# see https://github.com/docker/docker-ce/blob/v19.03.15/components/engine/hack/dockerfile/install/runc.installer#L4 -COMMIT_ID="f1136b082cc1c2840cdb3e0debf45e7ef832c918" - -inherit eutils flag-o-matic coreos-go vcs-snapshot - -SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz" -KEYWORDS="amd64 arm64" - -DESCRIPTION="runc container cli tools (docker fork)" -HOMEPAGE="http://runc.io" - -LICENSE="Apache-2.0" -SLOT="0" -IUSE="ambient apparmor hardened +seccomp selinux" - -RDEPEND=" - apparmor? ( sys-libs/libapparmor ) - seccomp? ( sys-libs/libseccomp ) -" - -S=${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE} - -RESTRICT="test" - -src_unpack() { - mkdir -p "${S}" - tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}" -} - -PATCHES=( - "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch" -) - -src_compile() { - # Taken from app-containers/docker-1.7.0-r1 - export CGO_CFLAGS="-I${SYSROOT}/usr/include" - export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') - -L${SYSROOT}/usr/$(get_libdir)" - - # build up optional flags - local options=( - $(usex ambient 'ambient' '') - $(usex apparmor 'apparmor' '') - $(usex seccomp 'seccomp' '') - $(usex selinux 'selinux' '') - ) - - GOPATH="${WORKDIR}/${P}" emake BUILDTAGS="${options[*]}" \ - VERSION=1.1.9+dev.docker-20.10 \ - COMMIT="${COMMIT_ID}" -} - -src_install() { - dobin runc -} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild index d7369534956..308ff191e5f 100644 
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -31,6 +31,7 @@ RDEPEND="
 )
 app-containers/containerd
 app-containers/docker
+ app-containers/docker-cli
 app-emulation/amazon-ssm-agent
 app-emulation/wa-linux-agent
 coreos-base/coreos
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd-1.0.0.service b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/containerd.service
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/containerd-1.0.0.service
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/containerd.service
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service
new file mode 120000
index 00000000000..9125c4ffa4e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/lib/systemd/system/multi-user.target.wants/containerd.service
@@ -0,0 +1 @@
+../containerd.service
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config-cgroupfs.toml b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config-cgroupfs.toml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config-cgroupfs.toml
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config-cgroupfs.toml
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config.toml b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config.toml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/files/config.toml
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd/usr/share/containerd/config.toml
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/dockerd b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/flatcar/dockerd
old mode 100644
new mode 100755
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/dockerd
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/flatcar/dockerd
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/50-docker.network b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/50-docker.network
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/50-docker.network
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/50-docker.network
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/90-docker-veth.network b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/90-docker-veth.network
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/90-docker-veth.network
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/network/90-docker-veth.network
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.service
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.service
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.service
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.socket b/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.socket
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/files/docker.socket
rename to sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker/usr/lib/systemd/system/docker.socket
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 2d52d88858c..f53108c6efa 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -92,3 +92,13 @@
 # Accept unstable host Rust compilers.
 =virtual/rust-1.73.0 ~amd64 ~arm64
+
+
+# Gentoo upstream package stabilisation
+# (the following packages are "unstable" upstream; we're stabilising these)
+
+=app-containers/containerd-1.7.7 ~amd64 ~arm64 # NOTE this doesn't even exist upstream; Gentoo is on 1.7.6.
+=app-containers/cri-tools-1.27.0 ~amd64 ~arm64
+=app-containers/docker-24.0.6 ~amd64 ~arm64
+=app-containers/docker-cli-24.0.6 ~amd64 ~arm64
+=app-containers/runc-1.1.9 ~amd64 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 75a02185080..60f326bbe04 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -148,3 +148,7 @@ net-analyzer/tcpdump -ssl -smi -samba
 # selinux: to find files with a particular SElinux label
 sys-apps/findutils selinux
+
+# Starting with docker 23 btrfs support is opt-in
+app-containers/containerd btrfs
+app-containers/docker btrfs
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest
new file mode 100644
index 00000000000..96a52330789
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest
@@ -0,0 +1,4 @@
+DIST containerd-1.7.1.tar.gz 9682254 BLAKE2B f168070caf2b76f0be350a98f41bfdbfe6d78344d68821fb92a29f839a6e847d795e5b79436e36f985aa88028ff1c3f44f134cf6bd502ddac22453a457bd952b SHA512 e9b00ba8f4dd1b5b1088060d3822f684611d43b367ddfeb1bee1660140af85f31e9c9bfc600a67e8fc8645a625dc4e1919d9af7291bdeaa607bff7065a4fc945
+DIST containerd-1.7.2.tar.gz 9688701 BLAKE2B d31cd0e96bb2675390cc63d06114e37d532b7c666b3ffc5b0087dfcef8de23559471f08bf8a52b164c5f645faf1b8102ab2ccdd8ec417a1c74336097f0c3a899 SHA512 c0d4c02991b7e9fc341c4ef3df2d93097f5854a51b99596ed95436a79f7a586820bb8bb7c17fc43b5f38d97ea942e59490fbbf6c9710391ef9caae3d34627bc5
+DIST containerd-1.7.6.tar.gz 9714550 BLAKE2B 863df1a8ab0f0fe6ec62893ed64824763c1b5230fe830fa268820ce0d6254c79e1ac62ab1261a74785b86b01dff83ea9109a899857fa47a48f2cf2eaf298fea8 SHA512 8b7e13c6ea544754ba7d53092d143f3fd2224b9bc874a33d8a00b781e719927f1b22ad5cd1e35b7b95e4890e630f4b92308549a970587ccdf9dbb8eb470e2703
+DIST containerd-1.7.7.tar.gz 9910424 BLAKE2B 623315962233fe3ce965c17c37c950dc1ded8b381012ed50d2bee8b1cea134bc9ef5a1cf5599b6bcd121cabe204fe61015526226131954364a976ebb08d8c353 SHA512 a44e901b017522639963bb415f666599af04335d8ccbd28899712606a4692c1601e95eaa2f1db32a3c077ad2c3f332f37393154ad6c2660646b7e8365a6ab720
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.1-r1.ebuild
new file mode 100644
index 00000000000..cc7ea051626
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.1-r1.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=2806fc1057397dbaeefbea0e4e17bddfbd388f38
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.7[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md 
README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.2.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.2.ebuild
new file mode 100644
index 00000000000..498fb8d90a5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.2.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=0cae528dd6cb557f7201036e9f43420650207b58
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.7[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md 
README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.6.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.6.ebuild
new file mode 100644
index 00000000000..8ce5ddd813b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.6.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.9[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md 
README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.7.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.7.ebuild
new file mode 100644
index 00000000000..8ce5ddd813b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-1.7.7.ebuild
@@ -0,0 +1,86 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module systemd
+GIT_REVISION=091922f03c2762540fd057fba91260237ff86acb
+
+DESCRIPTION="A daemon to control runC"
+HOMEPAGE="https://containerd.io/"
+SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs device-mapper +cri hardened +seccomp selinux test"
+
+DEPEND="
+ btrfs? ( sys-fs/btrfs-progs )
+ seccomp? ( sys-libs/libseccomp )
+"
+
+# recommended version of runc is found in script/setup/runc-version
+RDEPEND="
+ ${DEPEND}
+ ~app-containers/runc-1.1.9[apparmor?,seccomp?]
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+
+# tests require root or docker
+RESTRICT+="test"
+
+src_prepare() {
+ default
+ sed -i \
+ -e "s/-s -w//" \
+ -e "s/-mod=readonly//" \
+ Makefile || die
+ sed -i \
+ -e "s:/usr/local:/usr:" \
+ containerd.service || die
+}
+
+src_compile() {
+ local options=(
+ $(usev apparmor)
+ $(usex btrfs "" "no_btrfs")
+ $(usex cri "" "no_cri")
+ $(usex device-mapper "" "no_devmapper")
+ $(usev seccomp)
+ $(usev selinux)
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ LDFLAGS="$(usex hardened '-extldflags -fno-PIC' '')"
+ REVISION="${GIT_REVISION}"
+ VERSION=v${PV}
+ )
+
+ # race condition in man target https://bugs.gentoo.org/765100
+ # we need to explicitly specify GOFLAGS for "go run" to use vendor source
+ emake "${myemakeargs[@]}" man -j1 #nowarn
+ emake "${myemakeargs[@]}" all
+
+}
+
+src_install() {
+ rm "${D}"/bin/gen-manpages
+ dobin bin/*
+ doman man/*
+ newconfd "${FILESDIR}"/${PN}.confd "${PN}"
+ newinitd "${FILESDIR}"/${PN}.initd "${PN}"
+ systemd_dounit containerd.service
+ keepdir /var/lib/containerd
+
+ # we already installed manpages, remove markdown source
+ # before installing docs directory
+ rm -r docs/man || die
+
+ local DOCS=( ADOPTERS.md 
README.md RELEASES.md ROADMAP.md SCOPE.md docs/. )
+ einstalldocs
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.confd b/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.confd
new file mode 100644
index 00000000000..22ef83205e2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.confd
@@ -0,0 +1,3 @@
+# This is the delay to be used in the start_post function to wait for
+# the socket to be active.
+#containerd_socket_delay=5
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.initd b/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.initd
new file mode 100644
index 00000000000..143305c0333
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/files/containerd.initd
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Containerd container runtime"
+command="/usr/bin/containerd"
+command_args="${command_args:-}"
+command_background="true"
+pidfile="${pidfile:-/run/${RC_SVCNAME}.pid}"
+start_stop_daemon_args="--stderr /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log --stdout /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log"
+
+start_pre() {
+ checkpath -m 0750 -d "/var/log/${RC_SVCNAME}"
+
+ ulimit -n 1048576
+
+ # Having non-zero limits causes performance problems due to accounting overhead
+ # in the kernel. We recommend using cgroups to do container-local accounting.
+ ulimit -u unlimited
+
+ return 0
+}
+
+start_post() {
+ ewaitfile ${containerd_socket_delay:-5} /run/containerd/containerd.sock
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/containerd/metadata.xml similarity index 63% rename from sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml rename to sdk_container/src/third_party/portage-stable/app-containers/containerd/metadata.xml index 7cc46305346..5d63e8606e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-containers/containerd/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/metadata.xml @@ -1,5 +1,5 @@ - + Containerd is a daemon with an API and a command line client, to manage @@ -8,22 +8,21 @@ and user namespace support as well as checkpoint and restore for cloning and live migration of containers. - - admwiggin@gmail.com - Tianon - - - mrueg@gentoo.org - Manuel RĂ¼ger - williamh@gentoo.org William Hubbs + + gyakovlev@gentoo.org + Georgy Yakovlev + Support for BTRFS snapshot driver + Support for Kubernetes CRI + Support for device mapper snapshot driver - docker/containerd + containerd/containerd + cpe:/a:linuxfoundation:containerd diff --git a/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest new file mode 100644 index 00000000000..a67abf87f20 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/Manifest 
@@ -0,0 +1,2 @@
+DIST cri-tools-1.25.0.tar.gz 7905707 BLAKE2B 79595f31fc22aff608406bad4319a60dddcabda5f4dab8706305f11500b3db43f1d7021a340a096227d4580212953f32a95b05bbf81c1236f8fa8cf635017abb SHA512 dc04359320d59d6b3789e4e81fb613f3795b7e82dbad681393eaeff2c876e5b0393dd9384d7857d24ada5de34d03e151f7cf121367cc20e71d0b78607372b3a1
+DIST cri-tools-1.27.0.tar.gz 8465050 BLAKE2B d6c0429271ebc4085e75b54d7f3b9f75ab796e63bc9ae7562105296b13bbad8b512293a7d25abf1ab946f4bf54e672016fdb72696c12c730d21ac74724da465c SHA512 b94122e6401eb0c33b9c3d112274b7ab20cbbad05e76a54933e79d2e42ded2d684771cb9ed703a6c1afa381844142b6f1b4dc77d17e915f9a42c236fd8426b9b
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild
new file mode 100644
index 00000000000..67c3e8b3887
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.25.0.ebuild
@@ -0,0 +1,34 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit bash-completion-r1 go-module
+
+DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
+HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
+SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm64"
+
+DEPEND="dev-lang/go"
+
+RESTRICT+=" test"
+
+src_compile() {
+ emake VERSION="${PV}"
+ ./build/bin/crictl completion bash > "crictl.bash" || die
+ ./build/bin/crictl completion zsh > "crictl.zsh" || die
+}
+
+src_install() {
+ dobin ./build/bin/crictl
+
+ newbashcomp crictl.bash crictl
+ insinto /usr/share/zsh/site-functions
+ newins crictl.zsh _crictl
+
+ dodoc -r docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild
new file mode 100644
index 00000000000..ae910c91f75
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/cri-tools-1.27.0.ebuild
@@ -0,0 +1,33 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 go-module
+
+DESCRIPTION="CLI and validation tools for Kubelet Container Runtime (CRI)"
+HOMEPAGE="https://github.com/kubernetes-sigs/cri-tools"
+SRC_URI="https://github.com/kubernetes-sigs/cri-tools/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm64"
+RESTRICT="test"
+
+DOCS=( docs {README,RELEASE,CHANGELOG,CONTRIBUTING}.md )
+
+src_compile() {
+ emake VERSION="${PV}"
+ find build/ -name crictl -exec cp {} build/bin/ \; || die
+ ./build/bin/crictl completion bash > "crictl.bash" || die
+ ./build/bin/crictl completion zsh > "crictl.zsh" || die
+}
+
+src_install() {
+ einstalldocs
+
+ dobin ./build/bin/crictl
+ newbashcomp crictl.bash crictl
+ insinto /usr/share/zsh/site-functions
+ newins crictl.zsh _crictl
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/cri-tools/metadata.xml
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/cri-tools/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-containers/cri-tools/metadata.xml
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
new file mode 100644
index 00000000000..1dac761372e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/Manifest
@@ -0,0 +1,4 @@
+DIST docker-cli-24.0.5-man.tar.xz 82496 BLAKE2B f3295b684dbf8d251ba13a19b9bad9b828fce7d2f76b6643b1cf579cd297b770e8f7304bd3fce823badfbe97e9b760a108b819ca3c760a55e352cf3c5235d815 SHA512 683b0f131902e0a57512207daa49534d73aac6db99dc8621ac6b48eeef26b873e2ba03fe4afe6f1e84c5922e4c60bf0e80e24cc95cdbf2a4953d1c11b80d56ad
+DIST docker-cli-24.0.5.tar.gz 6243993 BLAKE2B a7ce84ecf329bc74e48f3a6e1b12a9e310a8f27ac68918ffeb40ab9c4eab8b79e753265b48220fcd3ab40b4136de5ebd44607831f642664eaf732111bd8f41b1 SHA512 765c67634d91d248b156d3e407398b98b7a0a89507bbac0310d4a68b95aa1a05e3af43c8b90bc10166748749d8cc36670619fc9efca110beefbdcd4385dc96be
+DIST docker-cli-24.0.6-man.tar.xz 82600 BLAKE2B 9e39bf200d252a0d91b0b6f17680a4c1b34e55cc9f357a59f124138cef39c5ff10fb104c51efe3010bca9a4f72447764ced1c02e3bb3924051fa6f1f01a8f6fa SHA512 5e972647961899e438b765f53afff570b9f0c1742c7c72a3a424887719c3a6afbd467d15884d44ac64b752c984261967f304afa5c168466fe6f611967d18a578
+DIST docker-cli-24.0.6.tar.gz 6244014 BLAKE2B c5f2082e44a568d3f6ee2ff5df9e9b727808f0b70d7d0c6c18b9769c1c4d0f49d371cbd08c95e748d441dc0ef011b66446527b0eeb33368ee59b85496185ba12 SHA512 55c56ae08eb314cce5f4c93544c6748586eadb3abe502d39d4d297e14d274af37346b38695a20a91dcfe51d3d35a77ddd7aa69d170b525e5e6ba345161869cd8
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild
similarity index 55%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild
index e5181c72ea5..4e1f622ad7a 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/docker-cli-20.10.24-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-cli/docker-cli-24.0.5.ebuild @@ -1,35 +1,36 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -GIT_COMMIT=e78084afe5 +GIT_COMMIT=ced0996600 EGO_PN="github.com/docker/cli" - -COREOS_GO_PACKAGE="${EGO_PN}" -COREOS_GO_VERSION="go1.19" - -inherit bash-completion-r1 golang-vcs-snapshot coreos-go-depend +MY_PV=${PV/_/-} +inherit bash-completion-r1 golang-vcs-snapshot DESCRIPTION="the command line binary for docker" HOMEPAGE="https://www.docker.com/" -MY_PV=${PV/_/-} SRC_URI="https://github.com/docker/cli/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" +SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-man.tar.xz" LICENSE="Apache-2.0" SLOT="0" -KEYWORDS="amd64 arm64" -IUSE="hardened" +KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86" +IUSE="hardened selinux" -RDEPEND="! + + + + williamh@gentoo.org + William Hubbs + + + gyakovlev@gentoo.org + Georgy Yakovlev + + + docker/cli + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/Manifest similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/Manifest rename to sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/Manifest diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild similarity index 69% rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild rename to sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild index bb3ea78ae77..a39b18d1aee 100644 
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild +++ b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/docker-proxy-0.8.0_p20230118.ebuild @@ -6,13 +6,6 @@ EGO_PN=github.com/moby/libnetwork GIT_COMMIT=05b93e0d3a95952f70c113b0bc5bdb538d7afdd7 inherit golang-vcs-snapshot -# Flatcar: Add coreos go goo. -COREOS_GO_PACKAGE="${EGO_PN}" -COREOS_GO_VERSION="go1.19" -COREOS_GO_GO111MODULE="off" - -inherit coreos-go - DESCRIPTION="Docker container networking" HOMEPAGE="https://github.com/docker/libnetwork" SRC_URI="https://github.com/moby/libnetwork/archive/${GIT_COMMIT}.tar.gz -> ${P}.tar.gz" @@ -26,13 +19,12 @@ S=${WORKDIR}/${P}/src/${EGO_PN} # needs dockerd RESTRICT="strip test" -# Flatcar: Rewrite src_compile src_compile() { - go_build "${COREOS_GO_PACKAGE}/cmd/proxy" + GO111MODULE=auto GOPATH="${WORKDIR}/${P}" \ + go build -o "bin/docker-proxy" ./cmd/proxy || die } -# Flatcar: Rewrite src_install src_install() { + dobin bin/docker-proxy dodoc README.md CHANGELOG.md - newbin "${GOBIN}"/proxy docker-proxy } diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/metadata.xml similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-proxy/metadata.xml rename to sdk_container/src/third_party/portage-stable/app-containers/docker-proxy/metadata.xml diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest new file mode 100644 index 00000000000..674239bbd15 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/Manifest 
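Review bot: This package appears to have no consumer left once this change lands: both docker-24.0.x ebuilds in the same diff list `!app-containers/docker-proxy` as a blocker and install their own `bundles/dynbinary-daemon/docker-proxy` from the moby tree, so the libnetwork snapshot built here (GIT_COMMIT 05b93e0d…, a 2023-01-18 tree) can only end up on a system that is not running the new docker. Carrying a separately built, network-facing userspace proxy that nothing pulls in and nobody bumps is a supply-chain liability rather than a convenience. Unless something outside this diff still depends on it, I would drop the ebuild here, or at minimum put a comment above `src_compile()` such as `# Superseded by app-containers/docker-24, which ships its own docker-proxy and blocks this package`.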
@@ -0,0 +1,2 @@
+DIST docker-24.0.5.tar.gz 14456089 BLAKE2B be13a4256787152cb35ddb96d80e97a5e5b587094f1c61d18158737a037c4e81b88c186098ba7416eb7778022ece07bc31ee55af13d3e3da8e0bbd5452ad027f SHA512 cde2e47e7658b153399ee29154ec21eebf54b292185e07d43b968895dcfdfead95e4507fefb713859a4540f21d8007116d3ebeaa1fb7ba305fb2a0449ba1bee6
+DIST docker-24.0.6.tar.gz 14462378 BLAKE2B bced8e687abac59254a9969df46f323a835627a724889e5966bea08df8766b4291914442001d1b573280c45ac4d357a673e98e8fba2b8d116a1dbd65424ccf78 SHA512 d9bf0ba756b1ebe69a44819d7c6aa5d66dad8db5bcc41233e2bfce8131334a2fe1af3972de7f602b7911231288d29aaea797b7a05b335c2d7214a613b27c4b63
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild
new file mode 100644
index 00000000000..ac578996d43
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.5.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ dev-libs/libltdl
+ >=app-containers/containerd-1.7.1[apparmor?,btrfs?,device-mapper?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ if use device-mapper; then
+ CONFIG_CHECK+="
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs device-mapper overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker '
+ elog
+
+ if use device-mapper; then
+ elog " Devicemapper storage driver has been deprecated"
+ elog " It will be removed in a future release"
+ elog
+ fi
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
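Review bot: RDEPEND in this 24.0.5 ebuild pulls in containerd but no OCI runtime, yet src_install creates `dosym runc /usr/bin/docker-runc` and dockerd needs runc at run time, so on a system that only follows this ebuild's dependencies the symlink dangles and containers cannot start; the 24.0.6 ebuild in the same diff carries `>=app-containers/runc-1.1.9[apparmor?,seccomp?]`, and this one should have the same line or be dropped in favour of 24.0.6. Separately, `GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5` here is byte-identical to `RUNC_COMMIT` in runc-1.1.7.ebuild further down in this diff; a moby commit and a runc commit cannot share a hash, so at least one of the two build identifiers is wrong and the value reported by `docker version` should be re-checked against the v24.0.5 tag before this ebuild is kept.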
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild
new file mode 100644
index 00000000000..6a8cc58fd1f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/docker-24.0.6.ebuild
@@ -0,0 +1,331 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=1a7969545d73537545645f5cd2c79b7a77e7d39f
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
+
+DEPEND="
+ acct-group/docker
+ >=dev-db/sqlite-3.7.9:3
+ apparmor? ( sys-libs/libapparmor )
+ btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+ device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
+ seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+ ${DEPEND}
+ >=net-firewall/iptables-1.4
+ sys-process/procps
+ >=dev-vcs/git-1.7
+ >=app-arch/xz-utils-4.9
+ dev-libs/libltdl
+ >=app-containers/containerd-1.7.3[apparmor?,btrfs?,device-mapper?,seccomp?]
+ >=app-containers/runc-1.1.9[apparmor?,seccomp?]
+ !app-containers/docker-proxy
+ container-init? ( >=sys-process/tini-0.19.0[static] )
+ selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+ >=dev-lang/go-1.16.12
+ dev-go/go-md2man
+ virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+ "${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+)
+
+pkg_setup() {
+ # this is based on "contrib/check-config.sh" from upstream's sources
+ # required features.
+ CONFIG_CHECK="
+ ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+ ~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+ ~KEYS
+ ~VETH ~BRIDGE ~BRIDGE_NETFILTER
+ ~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+ ~NETFILTER_XT_MATCH_ADDRTYPE
+ ~NETFILTER_XT_MATCH_CONNTRACK
+ ~NETFILTER_XT_MATCH_IPVS
+ ~NETFILTER_XT_MARK
+ ~IP_NF_NAT ~NF_NAT
+ ~POSIX_MQUEUE
+ "
+ WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+ if kernel_is lt 4 8; then
+ CONFIG_CHECK+="
+ ~DEVPTS_MULTIPLE_INSTANCES
+ "
+ fi
+
+ if kernel_is le 5 1; then
+ CONFIG_CHECK+="
+ ~NF_NAT_IPV4
+ "
+ fi
+
+ if kernel_is le 5 2; then
+ CONFIG_CHECK+="
+ ~NF_NAT_NEEDED
+ "
+ fi
+
+ if kernel_is ge 4 15; then
+ CONFIG_CHECK+="
+ ~CGROUP_BPF
+ "
+ fi
+
+ # optional features
+ CONFIG_CHECK+="
+ ~USER_NS
+ "
+
+ if use seccomp; then
+ CONFIG_CHECK+="
+ ~SECCOMP ~SECCOMP_FILTER
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~CGROUP_PIDS
+ "
+
+ if kernel_is lt 6 1; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP
+ "
+ fi
+
+ if kernel_is le 5 8; then
+ CONFIG_CHECK+="
+ ~MEMCG_SWAP_ENABLED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NATIVE
+ "
+ if kernel_is lt 5 19; then
+ CONFIG_CHECK+="
+ ~LEGACY_VSYSCALL_EMULATE
+ "
+ fi
+ CONFIG_CHECK+="
+ ~!LEGACY_VSYSCALL_NONE
+ "
+ WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+ Containers with <=glibc-2.13 will not work"
+
+ if kernel_is le 4 5; then
+ CONFIG_CHECK+="
+ ~MEMCG_KMEM
+ "
+ fi
+
+ if kernel_is lt 5; then
+ CONFIG_CHECK+="
+ ~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~BLK_CGROUP ~BLK_DEV_THROTTLING
+ ~CGROUP_PERF
+ ~CGROUP_HUGETLB
+ ~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+ ~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+ ~IP_NF_TARGET_REDIRECT
+ ~IP_VS
+ ~IP_VS_NFCT
+ ~IP_VS_PROTO_TCP
+ ~IP_VS_PROTO_UDP
+ ~IP_VS_RR
+ "
+
+ if use selinux; then
+ CONFIG_CHECK+="
+ ~SECURITY_SELINUX
+ "
+ fi
+
+ if use apparmor; then
+ CONFIG_CHECK+="
+ ~SECURITY_APPARMOR
+ "
+ fi
+
+ # if ! is_set EXT4_USE_FOR_EXT2; then
+ # check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+ # if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+ # echo " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+ # fi
+ # fi
+
+ CONFIG_CHECK+="
+ ~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+ "
+
+ # if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+ # if is_set EXT4_USE_FOR_EXT2; then
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+ # else
+ # echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+ # fi
+ # fi
+
+ # network drivers
+ CONFIG_CHECK+="
+ ~VXLAN ~BRIDGE_VLAN_FILTERING
+ ~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+ ~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+ "
+ if kernel_is le 5 3; then
+ CONFIG_CHECK+="
+ ~INET_XFRM_MODE_TRANSPORT
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~IPVLAN
+ "
+ CONFIG_CHECK+="
+ ~MACVLAN ~DUMMY
+ "
+ CONFIG_CHECK+="
+ ~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+ "
+
+ # storage drivers
+ if use btrfs; then
+ CONFIG_CHECK+="
+ ~BTRFS_FS
+ ~BTRFS_FS_POSIX_ACL
+ "
+ fi
+
+ if use device-mapper; then
+ CONFIG_CHECK+="
+ ~BLK_DEV_DM ~DM_THIN_PROVISIONING
+ "
+ fi
+
+ CONFIG_CHECK+="
+ ~OVERLAY_FS
+ "
+
+ linux-info_pkg_setup
+}
+
+src_compile() {
+ export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+ export GOPATH="${WORKDIR}/${P}"
+ export VERSION=${PV}
+
+ # setup CFLAGS and LDFLAGS for separate build target
+ # see https://github.com/tianon/docker-overlay/pull/10
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+ # let's set up some optional features :)
+ export DOCKER_BUILDTAGS=''
+ for gd in btrfs device-mapper overlay; do
+ if ! use $gd; then
+ DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+ fi
+ done
+
+ for tag in apparmor seccomp; do
+ if use $tag; then
+ DOCKER_BUILDTAGS+=" $tag"
+ fi
+ done
+
+ # build binaries
+ ./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+ dosym containerd /usr/bin/docker-containerd
+ dosym containerd-shim /usr/bin/docker-containerd-shim
+ dosym runc /usr/bin/docker-runc
+ use container-init && dosym tini /usr/bin/docker-init
+ dobin bundles/dynbinary-daemon/dockerd
+ dobin bundles/dynbinary-daemon/docker-proxy
+
+ newinitd contrib/init/openrc/docker.initd docker
+ newconfd contrib/init/openrc/docker.confd docker
+
+ systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+ udev_dorules contrib/udev/*.rules
+
+ dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+ dodoc -r docs/*
+
+ # note: intentionally not using "doins" so that we preserve +x bits
+ dodir /usr/share/${PN}/contrib
+ cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+ udev_reload
+
+ elog
+ elog "To use Docker, the Docker daemon must be running as root. To automatically"
+ elog "start the Docker daemon at boot:"
+ if systemd_is_booted || has_version sys-apps/systemd; then
+ elog " systemctl enable docker.service"
+ else
+ elog " rc-update add docker default"
+ fi
+ elog
+ elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+ elog ' usermod -aG docker '
+ elog
+
+ if use device-mapper; then
+ elog " Devicemapper storage driver has been deprecated"
+ elog " It will be removed in a future release"
+ elog
+ fi
+
+ if use overlay; then
+ elog " Overlay storage driver/USEflag has been deprecated"
+ elog " in favor of overlay2 (enabled unconditionally)"
+ elog
+ fi
+
+ if has_version sys-fs/zfs; then
+ elog " ZFS storage driver is available"
+ elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+ elog
+ fi
+}
+
+pkg_postrm() {
+ udev_reload
+}
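Review bot: `seccomp` is an opt-in flag in this ebuild (IUSE lists `seccomp`, not `+seccomp`) and src_compile only appends the `seccomp` build tag inside the `for tag in apparmor seccomp` loop when the flag is set; a dockerd built without that tag cannot load its default seccomp profile, so every container it starts gets the full host syscall surface no matter what the daemon configuration says. Unless a profile outside this hunk forces the flag on, I would default it here, `IUSE="apparmor btrfs +container-init device-mapper overlay +seccomp selinux"`, which also keeps the `[seccomp?]` USE-dependencies on containerd and runc consistent with what the daemon is actually built with. The same applies to the 24.0.5 ebuild earlier in this diff. A comment above that loop, e.g. `# without the seccomp build tag dockerd silently runs containers unconfined`, would keep the trade-off visible on the next bump.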
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch b/sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
new file mode 100644
index 00000000000..22aa145f33b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/files/0001-Openrc-Depend-on-containerd-init-script.patch
@@ -0,0 +1,28 @@
+From bb69104381805014eb7675682d204fe460a52388 Mon Sep 17 00:00:00 2001
+From: Jan Breig
+Date: Mon, 16 May 2022 14:58:36 +0200
+Subject: [PATCH] Openrc: Depend on containerd init script
+
+Signed-off-by: Jan Breig
+---
+ contrib/init/openrc/docker.initd | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/init/openrc/docker.initd b/contrib/init/openrc/docker.initd
+index 3229223bad..57defb8f57 100644
+--- a/contrib/init/openrc/docker.initd
++++ b/contrib/init/openrc/docker.initd
+@@ -17,6 +17,10 @@ rc_ulimit="${DOCKER_ULIMIT:--c unlimited -n 1048576 -u unlimited}"
+ 
+ retry="${DOCKER_RETRY:-TERM/60/KILL/10}"
+ 
++depend() {
++ need containerd
++}
++
+ start_pre() {
+ checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+ }
+-- 
+2.35.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/docker/metadata.xml
similarity index 76%
rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-containers/docker/metadata.xml
index 5f163941881..d58b9b295fb 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-containers/docker/metadata.xml
@@ -17,19 +17,9 @@ Georgy Yakovlev - - Enables dependencies for the "aufs" graph driver, including - necessary kernel flags. - Enables dependencies for the "btrfs" graph driver, including necessary kernel flags. - - - This is a temporary use flag which pulls in - app-containers/docker-cli, the docker command line client. - This flag is here to assist in the transition to split packages - and will be removed in a future release. Makes the a staticly-linked init system tini available inside a diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest new file mode 100644 index 00000000000..6d16b6ad964 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest @@ -0,0 +1,2 @@ +DIST runc-1.1.7.tar.gz 2511464 BLAKE2B 63f09052659636b62185abbb178f7e104d22125190899e80e71ed2ba35567eb855abf786d3c7fff3dd9a1ab43ee282fcaecb6650cd8a1ce49c05acefd7c12cde SHA512 e3a18f04ac2c3553a815074ca64e04cfd71af54d78edbd4a13819f187476f96d7311c23bb63fb5c311b91865db4540985a6f9daa84819b0bac5f023b3b2a832c +DIST runc-1.1.9.tar.gz 2512231 BLAKE2B 4e8e2a454231492f83de34bf66ba25a02b8925b6ef0af2206cdf4ab3299173d3452cea4d51fcfeb02026df288dd8ca6c44ecd35fb075f25f56fd7bc07f873af7 SHA512 020986f2df49c45394d0acbfa4da62663353004550d9b4409f6cfe8369972a090fb8020e4a05342754bde5c1fbe9fcf3868faed2dceed5d54460c3373cdd2278 diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/metadata.xml b/sdk_container/src/third_party/portage-stable/app-containers/runc/metadata.xml new file mode 100644 index 00000000000..76423a90314 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/metadata.xml 
@@ -0,0 +1,25 @@ + + + + + runc is a CLI tool for spawning and running containers according + to the OCF (Open Container Format) specification. + + + williamh@gentoo.org + William Hubbs + + + gyakovlev@gentoo.org + Georgy Yakovlev + + + + Enable Kernel Memory Accounting. + + + + opencontainers/runc + cpe:/a:linuxfoundation:runc + + diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.7.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.7.ebuild new file mode 100644 index 00000000000..01b66cb3480 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.7.ebuild 
@@ -0,0 +1,78 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob//components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+ selinux? ( sec-policy/selinux-container )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-containers/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
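Review bot: `RUNC_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5` is the same hash as `GIT_COMMIT` in docker-24.0.5.ebuild earlier in this diff; a runc commit and a moby commit cannot be identical, so this value looks like a copy-paste leftover, and because it is passed as `COMMIT="${RUNC_COMMIT}"` in myemakeargs the installed `runc --version` will advertise a commit that does not exist in the runc repository. The comment above it says the value is to be taken from docker-ce's runc.installer, so please re-check it against the v1.1.7 tag before this ebuild is relied on; the 1.1.9 ebuild below carries a different hash. Since docker-24.0.6 in this same change already requires `>=app-containers/runc-1.1.9`, dropping the 1.1.7 ebuild from the change would avoid shipping the wrong build identifier at all.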
diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.9.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.9.ebuild
new file mode 100644
index 00000000000..6282b7e0795
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.1.9.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module linux-info
+
+# update on bump, look for https://github.com/docker\
+# docker-ce/blob//components/engine/hack/dockerfile/install/runc.installer
+RUNC_COMMIT=ccaecfcbc907d70a7aa870a6650887b901b25b82
+CONFIG_CHECK="~USER_NS"
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://github.com/opencontainers/runc/"
+MY_PV="${PV/_/-}"
+SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD-2 BSD MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor hardened +kmem +seccomp selinux test"
+
+DEPEND="seccomp? ( sys-libs/libseccomp )"
+
+RDEPEND="
+ ${DEPEND}
+ !app-emulation/docker-runc
+ apparmor? ( sys-libs/libapparmor )
+ selinux? ( sec-policy/selinux-container )
+"
+
+BDEPEND="
+ dev-go/go-md2man
+ test? ( "${RDEPEND}" )
+"
+
+# tests need busybox binary, and portage namespace
+# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox
+# majority of tests pass
+RESTRICT+=" test"
+
+S="${WORKDIR}/${PN}-${MY_PV}"
+
+src_compile() {
+ # Taken from app-containers/docker-1.7.0-r1
+ export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+ export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')
+ -L${ESYSROOT}/usr/$(get_libdir)"
+
+ # build up optional flags
+ local options=(
+ $(usev apparmor)
+ $(usev seccomp)
+ $(usex kmem '' 'nokmem')
+ )
+
+ myemakeargs=(
+ BUILDTAGS="${options[*]}"
+ COMMIT="${RUNC_COMMIT}"
+ )
+
+ emake "${myemakeargs[@]}" runc man
+}
+
+src_install() {
+ myemakeargs+=(
+ PREFIX="${ED}/usr"
+ BINDIR="${ED}/usr/bin"
+ MANDIR="${ED}/usr/share/man"
+ )
+ emake "${myemakeargs[@]}" install install-man install-bash
+
+ local DOCS=( README.md PRINCIPLES.md docs/. )
+ einstalldocs
+}
+
+src_test() {
+ emake "${myemakeargs[@]}" localunittest
+}
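Review bot: The `hardened` branch of `export CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '') …"` in src_compile passes non-PIC flags to the cgo link step; non-PIC objects are not usable in a PIE link, so on hardened profiles this presumably either costs runc its position independence or breaks the link, and runc is the one component here that executes with host privileges on container-controlled input, where losing ASLR matters most. Please confirm what the installed binary ends up as (`readelf -h` on runc, ET_DYN vs ET_EXEC) on the profiles actually built, and if the flag is kept, record the reason next to it, e.g. `# -fno-PIC is a Go-linker workaround, not a hardening choice; it costs ASLR for runc`. Note also that this version is keyworded `~` on every arch while docker-24.0.6 earlier in the diff depends on `>=app-containers/runc-1.1.9`, so the dependency resolves only with keyword acceptance configured outside this hunk.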
diff --git a/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/Manifest b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/Manifest
new file mode 100644
index 00000000000..ac3ef5d418e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/Manifest
@@ -0,0 +1 @@
+DIST go-md2man-2.0.2.tar.gz 64353 BLAKE2B cc9ce9d14b61e600cf5179b72e08bc7e6ae5fcf31d3e00d6e5f7e5e77a26dd2b2b8a938e168e0053b2a9f9aab734d9beb02f7d95549fbf073125ad42b03cf478 SHA512 c81edfdc0b6647ef699cc908a1a7038d98da34df6d48b223b83a0699de91a7e322e70d67645acf1fc848918f4c1ea310160c7ccb75e6f97b53af7103c7aa18b3
diff --git a/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/go-md2man-2.0.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/go-md2man-2.0.2.ebuild
new file mode 100644
index 00000000000..8d9a92730d2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/go-md2man-2.0.2.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module
+
+DESCRIPTION="A utility to convert markdown to man pages"
+ SRC_URI="https://github.com/cpuguy83/go-md2man/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+HOMEPAGE="https://github.com/cpuguy83/go-md2man"
+
+LICENSE="BSD-2 MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ~loong ppc64 ~riscv ~x86"
+
+# restrict tests because they need network-sandbox disabled
+# bug https://bugs.gentoo.org/715028
+RESTRICT+=" test"
+
+src_compile() {
+ emake BUILD_FLAGS="-mod=vendor" build
+}
+
+src_install() {
+ "${S}"/bin/go-md2man -in go-md2man.1.md -out go-md2man.1 ||
+ die "Unable to create man page"
+ dobin bin/go-md2man
+ doman go-md2man.1
+}
+
+src_test() {
+ emake test
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/metadata.xml b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/metadata.xml similarity index 53% rename from sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/metadata.xml rename to sdk_container/src/third_party/portage-stable/dev-go/go-md2man/metadata.xml index c36c37139fa..ef82969b8c0 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-containers/docker-cli/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/dev-go/go-md2man/metadata.xml @@ -1,8 +1,11 @@ - + williamh@gentoo.org William Hubbs + + cpuguy83/go-md2man +