From 3d8d2bd08326aff1df0489712193be2f238f5803 Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Sun, 8 Nov 2020 12:31:38 +1000 Subject: [PATCH] dockerd: Updated to 20.10.0 * SELinux and Seccomp are now enabled via the kernel options themselves * Config.in now uses CGroupsV2 by default but optionally allows V1 Signed-off-by: Gerard Ryan --- utils/dockerd/Config.in | 77 ++++------- utils/dockerd/Makefile | 120 +++++++++--------- .../patches/001-libdevmapper_name_fix.patch | 18 +-- ...mporve-hardcoded-CC-on-cross-compile.patch | 58 --------- 4 files changed, 95 insertions(+), 178 deletions(-) delete mode 100644 utils/dockerd/patches/002-imporve-hardcoded-CC-on-cross-compile.patch diff --git a/utils/dockerd/Config.in b/utils/dockerd/Config.in index e10694f6b..21d55aa19 100644 --- a/utils/dockerd/Config.in +++ b/utils/dockerd/Config.in 
@@ -1,95 +1,74 @@ -config DOCKER_KERNEL_OPTIONS - bool "Enable Basic kernel support for Docker" - depends on PACKAGE_docker-ce - default y - select KERNEL_CGROUPS - select KERNEL_CGROUP_CPUACCT - select KERNEL_CGROUP_DEVICE - select KERNEL_CGROUP_FREEZER - select KERNEL_CGROUP_SCHED - select KERNEL_NAMESPACES - select KERNEL_CPUSETS - select KERNEL_MEMCG - select KERNEL_KEYS - select KERNEL_POSIX_MQUEUE - help - Select needed kernel options for Docker. Options include - cgroups, namespaces and other miscellaneous options. - see also https://github.com/docker/engine/blob/master/contrib/check-config.sh +# These options are mostly specified by https://github.com/moby/moby/blob/master/contrib/check-config.sh -config DOCKER_SECCOMP - bool "Enable support for seccomp in Docker" - depends on PACKAGE_docker-ce +config DOCKER_CGROUP_OPTIONS + bool "Enable available kernel support for CGroupsV1" default n - select KERNEL_SECCOMP - select PACKAGE_libseccomp + depends on PACKAGE_dockerd + select KERNEL_CGROUP_DEVICE + select KERNEL_CGROUP_FREEZER + select KERNEL_NET_CLS_CGROUP + select KERNEL_CGROUP_NET_PRIO + select PACKAGE_cgroupfs-mount help - Build Docker with support for seccomp filters. - Select libseccomp which also pulls-in the needed kernel features. + Selects kernel options to enable CGroups V1. -config DOCKER_RES_SHAPE - bool "Enables support for resource shaping" - depends on PACKAGE_docker-ce +config DOCKER_OPTIONAL_FEATURES + bool "Enable optional kernel support for Docker" default n - select KERNEL_MEMCG_SWAP + depends on PACKAGE_dockerd select KERNEL_MEMCG_SWAP_ENABLED - select KERNEL_BLK_DEV_THROTTLING select KERNEL_CFQ_GROUP_IOSCHED select KERNEL_CGROUP_PERF select KERNEL_CGROUP_HUGETLB - select KERNEL_FAIR_GROUP_SCHED - select KERNEL_NET_CLS_CGROUP - select KERNEL_CGROUP_NET_CLASSID - select KERNEL_CGROUP_NET_PRIO - select KERNEL_CFS_BANDWIDTH - select KERNEL_RT_GROUP_SCHED + help + Select 'Optional Features' kernel options for Docker that are unselected. 
+ See https://github.com/moby/moby/blob/master/contrib/check-config.sh menu "Network" - depends on PACKAGE_docker-ce + depends on PACKAGE_dockerd config DOCKER_NET_OVERLAY - bool "Enables the Overlay network feature" + bool "Includes the Overlay network feature" default n - select PACKAGE_kmod-udptunnel4 + select PACKAGE_kmod-vxlan help - Selects kernel options for the Overlay network feature. - Includes udptunnel4 + Selects kmod-vxlan for the Overlay network feature. config DOCKER_NET_ENCRYPT - bool "Enable encrypted networking kernel support" + bool "Includes encrypted networking kernel modules" depends on DOCKER_NET_OVERLAY default n - select PACKAGE_kmod-ipsec - select PACKAGE_kmod-ipsec4 select PACKAGE_kmod-crypto-gcm + select PACKAGE_kmod-crypto-seqiv select PACKAGE_kmod-crypto-ghash + select PACKAGE_kmod-ipsec help - Select needed kernel options for encrypted networking support. + Select needed kernel modules for encrypted networking support. config DOCKER_NET_MACVLAN - bool "Enables macvlan kernel support" + bool "Includes macvlan kernel modules" default n select PACKAGE_kmod-macvlan select PACKAGE_kmod-dummy config DOCKER_NET_TFTP - bool "Enable ftp/tftp client kernel support" + bool "Includes ftp/tftp client kernel modules" default n select PACKAGE_kmod-nf-nathelper select PACKAGE_kmod-nf-nathelper-extra endmenu menu "Storage" - depends on PACKAGE_docker-ce + depends on PACKAGE_dockerd config DOCKER_STO_EXT4 bool "Enables support for ext3 or ext4 as the backing filesystem" default n select KERNEL_EXT4_FS_POSIX_ACL + select KERNEL_EXT4_FS_SECURITY config DOCKER_STO_BTRFS bool "Enables support for btrfs as the backing filesystem" default n - select PACKAGE_kmod-fs-btrfs select KERNEL_BTRFS_FS_POSIX_ACL endmenu diff --git a/utils/dockerd/Makefile b/utils/dockerd/Makefile index 288a18364..fdfacd6ec 100644 --- a/utils/dockerd/Makefile +++ b/utils/dockerd/Makefile 
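Review bot: With DOCKER_SECCOMP gone, nothing in Config.in tells the user that seccomp support now hangs off the global KERNEL_SECCOMP symbol (the Makefile's `+KERNEL_SECCOMP:libseccomp` dependency keys on it), and a dockerd built without it cannot apply its default seccomp profile to containers. I would extend the header comment with a line such as `# Seccomp and SELinux support are taken from the global KERNEL_SECCOMP and SELINUX symbols; enable those in the kernel/build settings, not here.` Separately, DOCKER_OPTIONAL_FEATURES keeps `select KERNEL_MEMCG_SWAP_ENABLED` but drops `select KERNEL_MEMCG_SWAP`; if the _ENABLED symbol depends on KERNEL_MEMCG_SWAP as it does in upstream Linux Kconfig, selecting it alone presumably gives an unmet-dependency warning rather than swap accounting, so confirm the parent symbol is still selected somewhere.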
@@ -1,61 +1,64 @@ include $(TOPDIR)/rules.mk -PKG_NAME:=docker-ce -PKG_VERSION:=19.03.13 -PKG_RELEASE:=5 +PKG_NAME:=dockerd +PKG_VERSION:=20.10.0 +PKG_RELEASE:=1 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/docker/docker-ce/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=b2ff08675738031b6d6d59a90226657c16726851957c11b5fb85a4598b933b92 -PKG_SOURCE_VERSION:=4484c46d9d # SHA1 used within the docker executables +PKG_SOURCE_URL:=https://codeload.github.com/moby/moby/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=c522994fa1c74aac227b9f4b47cf6b3d7ca5fc5b50f06b3dad41bd4dc92b6771 +PKG_SOURCE_VERSION:=e07c941c94 # SHA1 used within the docker executables PKG_MAINTAINER:=Gerard Ryan -# $(1) = path to dependent package 'Makefile' -# $(2) = relevant docker-ce '.installer' file -define EnsureVendoredVersion - ( \ - DEP_VER=$$$$( grep --only-matching --perl-regexp '(?<=PKG_SOURCE_VERSION:=)(.*)' "$(1)" ); \ - VEN_VER=$$$$( grep --only-matching --perl-regexp '(?<=_COMMIT:=)(.*)(?=})' "$(PKG_BUILD_DIR)/components/engine/hack/dockerfile/install/$(2)" ); \ - if [ $$$$VEN_VER != $$$$DEP_VER ]; then \ - echo "ERROR: Expected 'PKG_SOURCE_VERSION:=$$$$VEN_VER' in '$(1)', found 'PKG_SOURCE_VERSION:=$$$$DEP_VER'"; \ - exit 1; \ - fi \ - ) -endef - PKG_BUILD_DEPENDS:=golang/host PKG_BUILD_PARALLEL:=1 -GO_PKG:=github.com/docker +GO_PKG:=github.com/docker/docker include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk -define Package/docker-ce/config +define Package/dockerd/config source "$(SOURCE)/Config.in" endef -define Package/docker-ce +define Package/dockerd SECTION:=utils CATEGORY:=Utilities - TITLE:=Docker Community Edition + TITLE:=Docker Community Edition Daemon URL:=https://www.docker.com/ - DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +btrfs-progs +ca-certificates +cgroupfs-mount +containerd +libdevmapper +libnetwork +tini \ - +DOCKER_SECCOMP:libseccomp +iptables-mod-extra 
+kmod-br-netfilter +kmod-ikconfig +kmod-nf-conntrack-netlink +kmod-nf-ipvs +kmod-veth + DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +btrfs-progs +ca-certificates +containerd +libdevmapper +libnetwork +tini \ + +KERNEL_SECCOMP:libseccomp +iptables-mod-extra +kmod-br-netfilter +kmod-ikconfig +kmod-nf-conntrack-netlink +kmod-nf-ipvs \ + +kmod-nf-nat +kmod-veth USERID:=docker:docker MENU:=1 endef -define Package/docker-ce/conffiles +define Package/dockerd/conffiles /etc/config/dockerd endef -define Package/docker-ce/description - Docker Engine is used by millions enables containerized applications - to run anywhere consistently on any infrastructure. +define Package/dockerd/description +The Docker CE Engine. +endef + +TAR_OPTIONS:=--strip-components 1 $(TAR_OPTIONS) +TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS) + +# $(1) = path to dependent package 'Makefile' +# $(2) = relevant dependency '.installer' file +define EnsureVendoredVersion + ( \ + DEP_VER=$$$$( grep --only-matching --perl-regexp '(?<=PKG_SOURCE_VERSION:=)(.*)' "$(1)" ); \ + VEN_VER=$$$$( grep --only-matching --perl-regexp '(?<=_COMMIT:=)(.*)(?=})' "$(PKG_BUILD_DIR)/hack/dockerfile/install/$(2)" ); \ + if [ $$$$VEN_VER != $$$$DEP_VER ]; then \ + echo "ERROR: Expected 'PKG_SOURCE_VERSION:=$$$$VEN_VER' in '$(1)', found 'PKG_SOURCE_VERSION:=$$$$DEP_VER'"; \ + exit 1; \ + fi \ + ) endef define Build/Prepare 
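Review bot: In the re-added EnsureVendoredVersion the comparison `if [ $$$$VEN_VER != $$$$DEP_VER ]` leaves both variables unquoted, so when either grep matches nothing — for instance an installer file moving again, as `components/engine/hack/...` did in this release — `test` fails with a unary-operator error, the `if` takes no branch and the subshell exits 0, and the pin check passes silently instead of failing. Quote both sides: `if [ "$$$$VEN_VER" != "$$$$DEP_VER" ]; then \`. This check is what ties the packaged containerd/runc/tini commits to the ones dockerd vendors, so it should fail loudly on a missing value. The new CLI version check in the Build/Prepare hunk has the same unquoted pattern and needs the same fix.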
@@ -66,51 +69,44 @@ define Build/Prepare $(call EnsureVendoredVersion,../libnetwork/Makefile,proxy.installer) $(call EnsureVendoredVersion,../runc/Makefile,runc.installer) $(call EnsureVendoredVersion,../tini/Makefile,tini.installer) -endef -define Build/Configure - # move so GoPackage/Build/Configure will get the correct path - mv $(PKG_BUILD_DIR)/components/engine $(PKG_BUILD_DIR)/ - - # docker generates files at build time so we'll just symlink for now and call GoPackage/Build/Configure later - mkdir -p $(GO_PKG_BUILD_DIR)/bin \ - $(GO_PKG_BUILD_DIR)/src \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/ \ - $(GO_BUILD_CACHE_DIR) - $(LN) $(PKG_BUILD_DIR)/engine $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/docker + # Verify CLI is the same version + ( \ + CLI_MAKEFILE="../docker/Makefile"; \ + CLI_VERSION=$$$$( grep --only-matching --perl-regexp '(?<=PKG_VERSION:=)(.*)' "$$$$CLI_MAKEFILE" ); \ + if [ $$$$CLI_VERSION != $(PKG_VERSION) ]; then \ + echo "ERROR: Expected 'PKG_VERSION:=$(PKG_VERSION)' in '$$$$CLI_MAKEFILE', found 'PKG_VERSION:=$$$$CLI_VERSION'"; \ + exit 1; \ + fi \ + ) endef -ifeq ($(CONFIG_DOCKER_SECCOMP),y) -BUILDTAGS:=seccomp -else BUILDTAGS:= +ifeq ($(KERNEL_SECCOMP),y) +BUILDTAGS += seccomp +endif +ifeq ($(CONFIG_SELINUX),y) +BUILDTAGS += selinux endif define Build/Compile ( \ - export $(GO_PKG_VARS) \ - GITCOMMIT=$(PKG_SOURCE_VERSION) \ - DOCKER_GITCOMMIT=$(PKG_SOURCE_VERSION) \ - DOCKER_BUILDTAGS='$(BUILDTAGS)' \ - VERSION=$(PKG_VERSION) \ - \ - && echo "Compiling Engine..." 
\ - && cd $(PKG_BUILD_DIR)/engine \ - && ./hack/make.sh binary \ + cd $(PKG_BUILD_DIR); \ + $(GO_PKG_VARS) \ + DOCKER_GITCOMMIT=$(PKG_SOURCE_VERSION) \ + DOCKER_BUILDTAGS='$(BUILDTAGS)' \ + VERSION=$(PKG_VERSION) \ + ./hack/make.sh binary; \ ) - - # done here to include autogenerated files also - rm $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/docker - $(call GoPackage/Build/Configure) endef -define Package/docker-ce/install +define Package/dockerd/install $(INSTALL_DIR) $(1)/usr/bin/ - $(INSTALL_BIN) $(PKG_BUILD_DIR)/engine/bundles/binary-daemon/dockerd $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_BUILD_DIR)/bundles/binary-daemon/dockerd $(1)/usr/bin/ $(INSTALL_DIR) $(1)/opt/docker/ $(INSTALL_DIR) $(1)/usr/share/docker/ - $(INSTALL_BIN) $(PKG_BUILD_DIR)/engine/contrib/check-config.sh $(1)/usr/share/docker/ + $(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/check-config.sh $(1)/usr/share/docker/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/dockerd.init $(1)/etc/init.d/dockerd @@ -124,7 +120,7 @@ define Package/docker-ce/install $(1)/etc/sysctl.d/12-br-netfilter-ip.conf endef -define Package/docker-ce/postinst +define Package/dockerd/postinst #!/bin/sh [ -n "$$IPKG_INSTROOT" ] || { /etc/init.d/dockerd enable @@ -133,7 +129,7 @@ define Package/docker-ce/postinst } endef -define Package/docker-ce/prerm +define Package/dockerd/prerm #!/bin/sh [ -n "$$IPKG_INSTROOT" ] || { /etc/init.d/dockerd disable @@ -142,4 +138,4 @@ define Package/docker-ce/prerm } endef -$(eval $(call BuildPackage,docker-ce)) +$(eval $(call BuildPackage,dockerd)) diff --git a/utils/dockerd/patches/001-libdevmapper_name_fix.patch b/utils/dockerd/patches/001-libdevmapper_name_fix.patch index eb7340d3c..ba6bba32c 100644 --- a/utils/dockerd/patches/001-libdevmapper_name_fix.patch +++ b/utils/dockerd/patches/001-libdevmapper_name_fix.patch 
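Review bot: The seccomp build tag is keyed on `ifeq ($(KERNEL_SECCOMP),y)`, while the removed line used `$(CONFIG_DOCKER_SECCOMP)` and the selinux check right below uses `$(CONFIG_SELINUX)`; config symbols reach package Makefiles with the CONFIG_ prefix, so as written this condition is presumably never true and dockerd is built without the `seccomp` tag even when the kernel has seccomp enabled, which silently drops the daemon's default syscall filtering. Change it to `ifeq ($(CONFIG_KERNEL_SECCOMP),y)`, matching the `+KERNEL_SECCOMP:libseccomp` dependency in the first hunk. In Build/Compile, `cd $(PKG_BUILD_DIR); \` should be `cd $(PKG_BUILD_DIR) && \` so a failed cd does not run hack/make.sh in the wrong directory. Build/Prepare starts outside this hunk.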
@@ -1,13 +1,13 @@ -Index: docker-ce-18.09.0/components/engine/hack/make.sh +Index: docker-ce-20.10.0/hack/make.sh =================================================================== ---- docker-ce-18.09.0.orig/components/engine/hack/make.sh -+++ docker-ce-18.09.0/components/engine/hack/make.sh -@@ -129,7 +129,7 @@ fi +--- docker-ce-20.10.0.orig/hack/make.sh ++++ docker-ce-20.10.0/hack/make.sh +@@ -95,7 +95,7 @@ fi # with a newer libdevmapper than the one it was built with. - if \ + if command -v gcc &> /dev/null \ -- && ! ( echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \ -+ && ! ( echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs libdevmapper) &> /dev/null ) \ - ; then +- && ! (echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null) \ ++ && ! (echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc - -o /dev/null $(pkg-config --libs libdevmapper) &> /dev/null) \ + ; + then add_buildtag libdm dlsym_deferred_remove - fi diff --git a/utils/dockerd/patches/002-imporve-hardcoded-CC-on-cross-compile.patch b/utils/dockerd/patches/002-imporve-hardcoded-CC-on-cross-compile.patch deleted file mode 100644 index b134cdf5e..000000000 --- a/utils/dockerd/patches/002-imporve-hardcoded-CC-on-cross-compile.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 2fdfb4404ab811cb00227a3de111437b829e55cf Mon Sep 17 00:00:00 2001 -From: Hongxu Jia -Date: Wed, 17 Jul 2019 17:34:04 +0800 -Subject: [PATCH] imporve hardcoded CC on cross compile - -Since commit applied in moby [61a3285 Support cross-compile for arm] -it hardcoded var-CC to support cross-compile for arm - -Correct it with "${parameter:-word}" format, it is helpful for user -define toolchains - -(Use Default Values. If parameter is unset or null, the expansion of -word is substituted. Otherwise, the value of parameter is substituted.) - -Signed-off-by: Hongxu Jia -Upstream-commit: 3c701e4db1b8646c2324ae524b4e7ca1b1147a07 -Component: engine ---- - components/engine/hack/make/.binary | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/components/engine/hack/make/.binary b/components/engine/hack/make/.binary -index 53de6749e5..66f4ca05f3 100644 ---- a/components/engine/hack/make/.binary -+++ b/components/engine/hack/make/.binary -@@ -44,27 +44,27 @@ if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARC - # must be cross-compiling! - case "$(go env GOOS)/$(go env GOARCH)" in - windows/amd64) -- export CC=x86_64-w64-mingw32-gcc -+ export CC="${CC:-x86_64-w64-mingw32-gcc}" - export CGO_ENABLED=1 - ;; - linux/arm) - case "${GOARM}" in - 5|"") -- export CC=arm-linux-gnueabi-gcc -+ export CC="${CC:-arm-linux-gnueabi-gcc}" - export CGO_ENABLED=1 - ;; - 7) -- export CC=arm-linux-gnueabihf-gcc -+ export CC="${CC:-arm-linux-gnueabihf-gcc}" - export CGO_ENABLED=1 - ;; - esac - ;; - linux/arm64) -- export CC=aarch64-linux-gnu-gcc -+ export CC="${CC:-aarch64-linux-gnu-gcc}" - export CGO_ENABLED=1 - ;; - linux/amd64) -- export CC=x86_64-linux-gnu-gcc -+ export CC="${CC:-x86_64-linux-gnu-gcc}" - export CGO_ENABLED=1 - ;; - esac