From 3a06ce55959016653767a1d2c276594ad1eeb743 Mon Sep 17 00:00:00 2001
From: Gerard Ryan
Date: Sun, 8 Nov 2020 12:05:23 +1000
Subject: [PATCH] runc: Updated to v1.0.0-rc92 for dockerd SELinux and Seccomp are now enabled via the kernel options themselves
Signed-off-by: Gerard Ryan
---
 utils/runc/Makefile | 33 +++++++-----------
 utils/runc/Makefile.orig | 74 ++++++++++++++++++++++++++++++++++++++++
 utils/runc/Makefile.rej | 48 ++++++++++++++++++++++++++
 3 files changed, 134 insertions(+), 21 deletions(-)
 create mode 100644 utils/runc/Makefile.orig
 create mode 100644 utils/runc/Makefile.rej
diff --git a/utils/runc/Makefile b/utils/runc/Makefile
index 4d1fe8ca1..cb012fc83 100644
--- a/utils/runc/Makefile
+++ b/utils/runc/Makefile
@@ -1,15 +1,15 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=runc
-PKG_VERSION:=1.0.0-rc10
-PKG_RELEASE:=3
+PKG_VERSION:=1.0.0-rc92
+PKG_RELEASE:=1
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/opencontainers/runc/tar.gz/v${PKG_VERSION}?
-PKG_HASH:=6b44985023347fb9c5a2cc6f761df8c41cc2c84a7a68a6e6acf834dff6653a9a
-PKG_SOURCE_VERSION:=dc9208a3303feef5b3839f4323d9beb36df0a9dd
+PKG_HASH:=28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f
+PKG_SOURCE_VERSION:=ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 PKG_MAINTAINER:=Gerard Ryan
@@ -23,24 +23,12 @@ GO_PKG:=github.com/opencontainers/runc
 include $(INCLUDE_DIR)/package.mk
 include ../../lang/golang/golang-package.mk
-define Package/runc/config
-config RUNC_SECCOMP
- depends on PACKAGE_runc
- depends on KERNEL_SECCOMP
- bool "Enable support for seccomp in runc"
- default y
- select PACKAGE_libseccomp
- help
- Build runc with support for seccomp filters.
- Select libseccomp which also pulls-in the needed kernel features.
-endef
-
 define Package/runc
 SECTION:=utils
 CATEGORY:=Utilities
 TITLE:=runc container runtime
 URL:=https://www.opencontainers.org/
- DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +RUNC_SECCOMP:libseccomp
+ DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +KERNEL_SECCOMP_FILTER:libseccomp
 MENU:=1
 endef
@@ -57,11 +45,14 @@ ifeq ($(ARCH),mips)
 MAKE_FLAGS += EXTRA_FLAGS='-buildmode=default'
 endif
-ifeq ($(CONFIG_RUNC_SECCOMP),y)
-MAKE_FLAGS += BUILDTAGS='seccomp'
-else
-MAKE_FLAGS += BUILDTAGS=''
+BUILDTAGS:=
+ifeq ($(CONFIG_KERNEL_SECCOMP_FILTER),y)
+BUILDTAGS += seccomp
+endif
+ifeq ($(CONFIG_SELINUX),y)
+BUILDTAGS += selinux
 endif
+MAKE_FLAGS += BUILDTAGS='$(BUILDTAGS)'
 # Reset golang-package.mk overrides so we can use the Makefile
 Build/Compile=$(call Build/Compile/Default)
diff --git a/utils/runc/Makefile.orig b/utils/runc/Makefile.orig
new file mode 100644
index 000000000..4d1fe8ca1
--- /dev/null
+++ b/utils/runc/Makefile.orig
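Review bot: `MENU:=1` is kept in `define Package/runc` even though this hunk deletes the only `Package/runc/config` block, so the package presumably still renders as a submenu with nothing inside it; the line should go together with the config block. Because libseccomp is now pulled in by `+KERNEL_SECCOMP_FILTER:libseccomp` rather than by a runc-level option, the runc entry no longer shows whether seccomp will be built in. A sentence in `Package/runc/description` (outside this hunk) naming the symbol that controls it would restore that visibility.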
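Review bot: With the `RUNC_SECCOMP` option and its `default y` gone, a build where `CONFIG_KERNEL_SECCOMP_FILTER` is unset yields a runc without seccomp support, and nothing in the package config or the build output says so. For a container runtime that is a loss of syscall filtering that should be visible to whoever configures the image; at minimum add a comment above `BUILDTAGS:=` such as `# seccomp/selinux support follows the build config; with neither symbol set runc is built without syscall filtering or SELinux labelling`. `CONFIG_SELINUX` is neither defined nor depended on in the visible lines, and the commit message speaks of kernel options, so confirm it is the intended symbol. `BUILDTAGS:=` also resets any value supplied from outside the Makefile, which is worth stating in the same comment if it is deliberate.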
@@ -0,0 +1,74 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=runc
+PKG_VERSION:=1.0.0-rc10
+PKG_RELEASE:=3
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/opencontainers/runc/tar.gz/v${PKG_VERSION}?
+PKG_HASH:=6b44985023347fb9c5a2cc6f761df8c41cc2c84a7a68a6e6acf834dff6653a9a
+PKG_SOURCE_VERSION:=dc9208a3303feef5b3839f4323d9beb36df0a9dd
+
+PKG_MAINTAINER:=Gerard Ryan
+
+PKG_BUILD_DEPENDS:=golang/host
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+PKG_USE_MIPS16:=0
+
+GO_PKG:=github.com/opencontainers/runc
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/golang/golang-package.mk
+
+define Package/runc/config
+config RUNC_SECCOMP
+ depends on PACKAGE_runc
+ depends on KERNEL_SECCOMP
+ bool "Enable support for seccomp in runc"
+ default y
+ select PACKAGE_libseccomp
+ help
+ Build runc with support for seccomp filters.
+ Select libseccomp which also pulls-in the needed kernel features.
+endef
+
+define Package/runc
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=runc container runtime
+ URL:=https://www.opencontainers.org/
+ DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +RUNC_SECCOMP:libseccomp
+ MENU:=1
+endef
+
+define Package/runc/description
+runc is a CLI tool for spawning and running containers according to the OCI specification.
+endef
+
+GO_PKG_INSTALL_ALL:=1
+MAKE_PATH:=$(GO_PKG_WORK_DIR_NAME)/build/src/$(GO_PKG)
+MAKE_VARS += $(GO_PKG_VARS)
+MAKE_FLAGS += COMMIT=$(PKG_SOURCE_VERSION)
+
+ifeq ($(ARCH),mips)
+MAKE_FLAGS += EXTRA_FLAGS='-buildmode=default'
+endif
+
+ifeq ($(CONFIG_RUNC_SECCOMP),y)
+MAKE_FLAGS += BUILDTAGS='seccomp'
+else
+MAKE_FLAGS += BUILDTAGS=''
+endif
+
+# Reset golang-package.mk overrides so we can use the Makefile
+Build/Compile=$(call Build/Compile/Default)
+
+define Package/runc/install
+ $(INSTALL_DIR) $(1)/usr/sbin/
+ $(INSTALL_BIN) $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/runc $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackage,runc))
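Review bot: `utils/runc/Makefile.orig` and `utils/runc/Makefile.rej` (the next file section) are leftovers from a `patch` run that did not apply cleanly and should not be part of this commit. The `.orig` file is a complete copy of the previous package Makefile, including the rc10 `PKG_VERSION`, its `PKG_HASH` and the removed `RUNC_SECCOMP` block. Anyone grepping the tree for the runc version or source hash will therefore hit a stale second answer. Remove both files from the commit and consider ignoring `*.orig` and `*.rej` in the repository.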
diff --git a/utils/runc/Makefile.rej b/utils/runc/Makefile.rej
new file mode 100644
index 000000000..71144d066
--- /dev/null
+++ b/utils/runc/Makefile.rej
@@ -0,0 +1,48 @@
+--- utils/runc/Makefile
++++ utils/runc/Makefile
+@@ -1,15 +1,15 @@
+ include $(TOPDIR)/rules.mk
+
+ PKG_NAME:=runc
+-PKG_VERSION:=1.0.0-rc10
+-PKG_RELEASE:=2
++PKG_VERSION:=1.0.0-rc92
++PKG_RELEASE:=1
+ PKG_LICENSE:=Apache-2.0
+ PKG_LICENSE_FILES:=LICENSE
+
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+ PKG_SOURCE_URL:=https://codeload.github.com/opencontainers/runc/tar.gz/v${PKG_VERSION}?
+-PKG_HASH:=6b44985023347fb9c5a2cc6f761df8c41cc2c84a7a68a6e6acf834dff6653a9a
+-PKG_SOURCE_VERSION:=dc9208a3303feef5b3839f4323d9beb36df0a9dd
++PKG_HASH:=28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f
++PKG_SOURCE_VERSION:=ff819c7e9184c13b7c2607fe6c30ae19403a7aff
+
+ PKG_MAINTAINER:=Gerard Ryan
+
+@@ -23,24 +23,12 @@ GO_PKG:=github.com/opencontainers/runc
+ include $(INCLUDE_DIR)/package.mk
+ include ../../lang/golang/golang-package.mk
+
+-define Package/runc/config
+-config RUNC_SECCOMP
+- depends on PACKAGE_runc
+- bool "Enable support for seccomp in runc"
+- default DOCKER_SECCOMP
+- select KERNEL_SECCOMP
+- select PACKAGE_libseccomp
+- help
+- Build runc with support for seccomp filters.
+- Select libseccomp which also pulls-in the needed kernel features.
+-endef
+-
+ define Package/runc
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=runc container runtime
+ URL:=https://www.opencontainers.org/
+- DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +RUNC_SECCOMP:libseccomp
++ DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +KERNEL_SECCOMP:libseccomp
+ MENU:=1
+ endef
+
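Review bot: The rejected hunks recorded in this file were written against a different base than the committed Makefile. They expect `PKG_RELEASE:=2`, `default DOCKER_SECCOMP` and `select KERNEL_SECCOMP`, and they set `+KERNEL_SECCOMP:libseccomp` where the committed `DEPENDS` line uses `+KERNEL_SECCOMP_FILTER:libseccomp`. That suggests the final Makefile was merged by hand after the reject. The commit message should say which kernel symbol is intended, and the `DEPENDS` condition and the `ifeq` that adds the `seccomp` build tag should be confirmed to test the same one.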