dockerd: Updated to 20.10.0

* SELinux and Seccomp are now enabled via the kernel options themselves * Config.in now uses CGroupsV2 by default but optionally allows V1 Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
2020-11-08 12:31:38 +10:00 · 2020-11-08 12:31:38 +10:00 · 3d8d2bd083
parent 404b917183
commit 3d8d2bd083
4 changed files with 107 additions and 190 deletions
--- a/utils/dockerd/Config.in
+++ b/utils/dockerd/Config.in
@ -1,95 +1,74 @@
-config DOCKER_KERNEL_OPTIONS
-	bool "Enable Basic kernel support for Docker"
-	depends on PACKAGE_docker-ce
-	default y
-	select KERNEL_CGROUPS
-	select KERNEL_CGROUP_CPUACCT
+# These options are mostly specified by https://github.com/moby/moby/blob/master/contrib/check-config.sh
+
+config DOCKER_CGROUP_OPTIONS
+	bool "Enable available kernel support for CGroupsV1"
+	default n
+	depends on PACKAGE_dockerd
 	select KERNEL_CGROUP_DEVICE
 	select KERNEL_CGROUP_FREEZER
-	select KERNEL_CGROUP_SCHED
-	select KERNEL_NAMESPACES
-	select KERNEL_CPUSETS
-	select KERNEL_MEMCG
-	select KERNEL_KEYS
-	select KERNEL_POSIX_MQUEUE
+	select KERNEL_NET_CLS_CGROUP
+	select KERNEL_CGROUP_NET_PRIO
+	select PACKAGE_cgroupfs-mount
 	help
-	  Select needed kernel options for Docker. Options include
-	  cgroups, namespaces and other miscellaneous options.
-	  see also https://github.com/docker/engine/blob/master/contrib/check-config.sh
+		Selects kernel options to enable CGroups V1.

-config DOCKER_SECCOMP
-	bool "Enable support for seccomp in Docker"
-	depends on PACKAGE_docker-ce
+config DOCKER_OPTIONAL_FEATURES
+	bool "Enable optional kernel support for Docker"
 	default n
-	select KERNEL_SECCOMP
-	select PACKAGE_libseccomp
-	help
-	  Build Docker with support for seccomp filters.
-	  Select libseccomp which also pulls-in the needed kernel features.
-
-config DOCKER_RES_SHAPE
-	bool "Enables support for resource shaping"
-	depends on PACKAGE_docker-ce
-	default n
-	select KERNEL_MEMCG_SWAP
+	depends on PACKAGE_dockerd
 	select KERNEL_MEMCG_SWAP_ENABLED
-	select KERNEL_BLK_DEV_THROTTLING
 	select KERNEL_CFQ_GROUP_IOSCHED
 	select KERNEL_CGROUP_PERF
 	select KERNEL_CGROUP_HUGETLB
-	select KERNEL_FAIR_GROUP_SCHED
-	select KERNEL_NET_CLS_CGROUP
-	select KERNEL_CGROUP_NET_CLASSID
-	select KERNEL_CGROUP_NET_PRIO
-	select KERNEL_CFS_BANDWIDTH
-	select KERNEL_RT_GROUP_SCHED
+	help
+		Select 'Optional Features' kernel options for Docker that are unselected.
+		See https://github.com/moby/moby/blob/master/contrib/check-config.sh

 menu "Network"
-	depends on PACKAGE_docker-ce
+	depends on PACKAGE_dockerd

 	config DOCKER_NET_OVERLAY
-		bool "Enables the Overlay network feature"
+		bool "Includes the Overlay network feature"
 		default n
-		select PACKAGE_kmod-udptunnel4
+		select PACKAGE_kmod-vxlan
 		help
-		  Selects kernel options for the Overlay network feature.
-		  Includes udptunnel4
+			Selects kmod-vxlan for the Overlay network feature.

 	config DOCKER_NET_ENCRYPT
-		bool "Enable encrypted networking kernel support"
+		bool "Includes encrypted networking kernel modules"
 		depends on DOCKER_NET_OVERLAY
 		default n
-		select PACKAGE_kmod-ipsec
-		select PACKAGE_kmod-ipsec4
 		select PACKAGE_kmod-crypto-gcm
+		select PACKAGE_kmod-crypto-seqiv
 		select PACKAGE_kmod-crypto-ghash
+		select PACKAGE_kmod-ipsec
 		help
-		  Select needed kernel options for encrypted networking support.
+		  Select needed kernel modules for encrypted networking support.

 	config DOCKER_NET_MACVLAN
-		bool "Enables macvlan kernel support"
+		bool "Includes macvlan kernel modules"
 		default n
 		select PACKAGE_kmod-macvlan
 		select PACKAGE_kmod-dummy

 	config DOCKER_NET_TFTP
-		bool "Enable ftp/tftp client kernel support"
+		bool "Includes ftp/tftp client kernel modules"
 		default n
 		select PACKAGE_kmod-nf-nathelper
 		select PACKAGE_kmod-nf-nathelper-extra
 endmenu

 menu "Storage"
-	depends on PACKAGE_docker-ce
+	depends on PACKAGE_dockerd

 	config DOCKER_STO_EXT4
 		bool "Enables support for ext3 or ext4 as the backing filesystem"
 		default n
 		select KERNEL_EXT4_FS_POSIX_ACL
+		select KERNEL_EXT4_FS_SECURITY

 	config DOCKER_STO_BTRFS
 		bool "Enables support for btrfs as the backing filesystem"
 		default n
-		select PACKAGE_kmod-fs-btrfs
 		select KERNEL_BTRFS_FS_POSIX_ACL
 endmenu
--- a/utils/dockerd/Makefile
+++ b/utils/dockerd/Makefile
@ -1,24 +1,59 @@
 include $(TOPDIR)/rules.mk

-PKG_NAME:=docker-ce
-PKG_VERSION:=19.03.13
-PKG_RELEASE:=5
+PKG_NAME:=dockerd
+PKG_VERSION:=20.10.0
+PKG_RELEASE:=1
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/docker/docker-ce/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=b2ff08675738031b6d6d59a90226657c16726851957c11b5fb85a4598b933b92
-PKG_SOURCE_VERSION:=4484c46d9d # SHA1 used within the docker executables
+PKG_SOURCE_URL:=https://codeload.github.com/moby/moby/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=c522994fa1c74aac227b9f4b47cf6b3d7ca5fc5b50f06b3dad41bd4dc92b6771
+PKG_SOURCE_VERSION:=e07c941c94 # SHA1 used within the docker executables

 PKG_MAINTAINER:=Gerard Ryan <G.M0N3Y.2503@gmail.com>

+PKG_BUILD_DEPENDS:=golang/host
+PKG_BUILD_PARALLEL:=1
+
+GO_PKG:=github.com/docker/docker
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/golang/golang-package.mk
+
+define Package/dockerd/config
+  source "$(SOURCE)/Config.in"
+endef
+
+define Package/dockerd
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Docker Community Edition Daemon
+  URL:=https://www.docker.com/
+  DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +btrfs-progs +ca-certificates +containerd +libdevmapper +libnetwork +tini \
+           +KERNEL_SECCOMP:libseccomp +iptables-mod-extra +kmod-br-netfilter +kmod-ikconfig +kmod-nf-conntrack-netlink +kmod-nf-ipvs \
+           +kmod-nf-nat +kmod-veth
+  USERID:=docker:docker
+  MENU:=1
+endef
+
+define Package/dockerd/conffiles
+/etc/config/dockerd
+endef
+
+define Package/dockerd/description
+The Docker CE Engine.
+endef
+
+TAR_OPTIONS:=--strip-components 1 $(TAR_OPTIONS)
+TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS)
+
 # $(1) = path to dependent package 'Makefile'
-# $(2) = relevant docker-ce '.installer' file
+# $(2) = relevant dependency '.installer' file
 define EnsureVendoredVersion
 	( \
 		DEP_VER=$$$$( grep --only-matching --perl-regexp '(?<=PKG_SOURCE_VERSION:=)(.*)' "$(1)" ); \
-		VEN_VER=$$$$( grep --only-matching --perl-regexp '(?<=_COMMIT:=)(.*)(?=})' "$(PKG_BUILD_DIR)/components/engine/hack/dockerfile/install/$(2)" ); \
+		VEN_VER=$$$$( grep --only-matching --perl-regexp '(?<=_COMMIT:=)(.*)(?=})' "$(PKG_BUILD_DIR)/hack/dockerfile/install/$(2)" ); \
 		if [ $$$$VEN_VER != $$$$DEP_VER ]; then \
 			echo "ERROR: Expected 'PKG_SOURCE_VERSION:=$$$$VEN_VER' in '$(1)', found 'PKG_SOURCE_VERSION:=$$$$DEP_VER'"; \
 			exit 1; \
@ -26,38 +61,6 @@ define EnsureVendoredVersion
 	)
 endef

-PKG_BUILD_DEPENDS:=golang/host
-PKG_BUILD_PARALLEL:=1
-
-GO_PKG:=github.com/docker
-
-include $(INCLUDE_DIR)/package.mk
-include ../../lang/golang/golang-package.mk
-
-define Package/docker-ce/config
-  source "$(SOURCE)/Config.in"
-endef
-
-define Package/docker-ce
-  SECTION:=utils
-  CATEGORY:=Utilities
-  TITLE:=Docker Community Edition
-  URL:=https://www.docker.com/
-  DEPENDS:=$(GO_ARCH_DEPENDS) @(aarch64||arm||x86_64) +btrfs-progs +ca-certificates +cgroupfs-mount +containerd +libdevmapper +libnetwork +tini \
-           +DOCKER_SECCOMP:libseccomp +iptables-mod-extra +kmod-br-netfilter +kmod-ikconfig +kmod-nf-conntrack-netlink +kmod-nf-ipvs +kmod-veth
-  USERID:=docker:docker
-  MENU:=1
-endef
-
-define Package/docker-ce/conffiles
-/etc/config/dockerd
-endef
-
-define Package/docker-ce/description
-  Docker Engine is used by millions enables containerized applications
-  to run anywhere consistently on any infrastructure.
-endef
-
 define Build/Prepare
 	$(Build/Prepare/Default)

@ -66,51 +69,44 @@ define Build/Prepare
 	$(call EnsureVendoredVersion,../libnetwork/Makefile,proxy.installer)
 	$(call EnsureVendoredVersion,../runc/Makefile,runc.installer)
 	$(call EnsureVendoredVersion,../tini/Makefile,tini.installer)
+
+	# Verify CLI is the same version
+	( \
+		CLI_MAKEFILE="../docker/Makefile"; \
+		CLI_VERSION=$$$$( grep --only-matching --perl-regexp '(?<=PKG_VERSION:=)(.*)' "$$$$CLI_MAKEFILE" ); \
+		if [ $$$$CLI_VERSION != $(PKG_VERSION) ]; then \
+			echo "ERROR: Expected 'PKG_VERSION:=$(PKG_VERSION)' in '$$$$CLI_MAKEFILE', found 'PKG_VERSION:=$$$$CLI_VERSION'"; \
+			exit 1; \
+		fi \
+	)
 endef

-define Build/Configure
-	# move so GoPackage/Build/Configure will get the correct path
-	mv $(PKG_BUILD_DIR)/components/engine $(PKG_BUILD_DIR)/
-
-	# docker generates files at build time so we'll just symlink for now and call GoPackage/Build/Configure later
-	mkdir -p $(GO_PKG_BUILD_DIR)/bin \
-			 $(GO_PKG_BUILD_DIR)/src \
-			 $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/ \
-			 $(GO_BUILD_CACHE_DIR)
-	$(LN) $(PKG_BUILD_DIR)/engine $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/docker
-endef
-
-ifeq ($(CONFIG_DOCKER_SECCOMP),y)
-BUILDTAGS:=seccomp
-else
 BUILDTAGS:=
+ifeq ($(KERNEL_SECCOMP),y)
+BUILDTAGS += seccomp
+endif
+ifeq ($(CONFIG_SELINUX),y)
+BUILDTAGS += selinux
 endif

 define Build/Compile
 	( \
-		export $(GO_PKG_VARS) \
-			GITCOMMIT=$(PKG_SOURCE_VERSION) \
-			DOCKER_GITCOMMIT=$(PKG_SOURCE_VERSION) \
-			DOCKER_BUILDTAGS='$(BUILDTAGS)' \
-			VERSION=$(PKG_VERSION) \
-		\
-		&& echo "Compiling Engine..." \
-		&& cd $(PKG_BUILD_DIR)/engine \
-		&& ./hack/make.sh binary \
+		cd $(PKG_BUILD_DIR); \
+		$(GO_PKG_VARS) \
+		DOCKER_GITCOMMIT=$(PKG_SOURCE_VERSION) \
+		DOCKER_BUILDTAGS='$(BUILDTAGS)' \
+		VERSION=$(PKG_VERSION) \
+		./hack/make.sh binary; \
 	)
-
-	# done here to include autogenerated files also
-	rm $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/docker
-	$(call GoPackage/Build/Configure)
 endef

-define Package/docker-ce/install
+define Package/dockerd/install
 	$(INSTALL_DIR) $(1)/usr/bin/
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/engine/bundles/binary-daemon/dockerd $(1)/usr/bin/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/bundles/binary-daemon/dockerd $(1)/usr/bin/

 	$(INSTALL_DIR) $(1)/opt/docker/
 	$(INSTALL_DIR) $(1)/usr/share/docker/
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/engine/contrib/check-config.sh $(1)/usr/share/docker/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/check-config.sh $(1)/usr/share/docker/

 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/dockerd.init $(1)/etc/init.d/dockerd
@ -124,7 +120,7 @@ define Package/docker-ce/install
 		$(1)/etc/sysctl.d/12-br-netfilter-ip.conf
 endef

-define Package/docker-ce/postinst
+define Package/dockerd/postinst
 #!/bin/sh
 [ -n "$$IPKG_INSTROOT" ] || {
 	/etc/init.d/dockerd enable
@ -133,7 +129,7 @@ define Package/docker-ce/postinst
 }
 endef

-define Package/docker-ce/prerm
+define Package/dockerd/prerm
 #!/bin/sh
 [ -n "$$IPKG_INSTROOT" ] || {
 	/etc/init.d/dockerd disable
@ -142,4 +138,4 @@ define Package/docker-ce/prerm
 }
 endef

-$(eval $(call BuildPackage,docker-ce))
+$(eval $(call BuildPackage,dockerd))
--- a/utils/dockerd/patches/001-libdevmapper_name_fix.patch
+++ b/utils/dockerd/patches/001-libdevmapper_name_fix.patch
@ -1,13 +1,13 @@
-Index: docker-ce-18.09.0/components/engine/hack/make.sh
+Index: docker-ce-20.10.0/hack/make.sh
 ===================================================================
--- docker-ce-18.09.0.orig/components/engine/hack/make.sh
-+++ docker-ce-18.09.0/components/engine/hack/make.sh
-@@ -129,7 +129,7 @@ fi
+--- docker-ce-20.10.0.orig/hack/make.sh
+++ docker-ce-20.10.0/hack/make.sh
+@@ -95,7 +95,7 @@ fi
 # with a newer libdevmapper than the one it was built with.
- if \
+ if
 	command -v gcc &> /dev/null \
-	&& ! ( echo -e  '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
-+	&& ! ( echo -e  '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs libdevmapper) &> /dev/null ) \
- ; then
+-		&& ! (echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null) \
+		&& ! (echo -e '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }' | gcc -xc - -o /dev/null $(pkg-config --libs libdevmapper) &> /dev/null) \
+ 		;
+ then
 	add_buildtag libdm dlsym_deferred_remove
- fi
--- a/utils/dockerd/patches/002-imporve-hardcoded-CC-on-cross-compile.patch
+++ b/utils/dockerd/patches/002-imporve-hardcoded-CC-on-cross-compile.patch
@ -1,58 +0,0 @@
-From 2fdfb4404ab811cb00227a3de111437b829e55cf Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Wed, 17 Jul 2019 17:34:04 +0800
-Subject: [PATCH] imporve hardcoded CC on cross compile
-
-Since commit applied in moby [61a3285 Support cross-compile for arm]
-it hardcoded var-CC to support cross-compile for arm
-
-Correct it with "${parameter:-word}" format, it is helpful for user
-define toolchains
-
-(Use Default Values.  If parameter is unset or null, the expansion of
-word is substituted.  Otherwise, the value of parameter is substituted.)
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-Upstream-commit: 3c701e4db1b8646c2324ae524b4e7ca1b1147a07
-Component: engine
---
- components/engine/hack/make/.binary | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/components/engine/hack/make/.binary b/components/engine/hack/make/.binary
-index 53de6749e5..66f4ca05f3 100644
--- a/components/engine/hack/make/.binary
-+++ b/components/engine/hack/make/.binary
-@@ -44,27 +44,27 @@ if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARC
- 	# must be cross-compiling!
- 	case "$(go env GOOS)/$(go env GOARCH)" in
- 		windows/amd64)
-			export CC=x86_64-w64-mingw32-gcc
-+			export CC="${CC:-x86_64-w64-mingw32-gcc}"
- 			export CGO_ENABLED=1
- 			;;
- 		linux/arm)
- 			case "${GOARM}" in
- 			5|"")
-				export CC=arm-linux-gnueabi-gcc
-+				export CC="${CC:-arm-linux-gnueabi-gcc}"
- 				export CGO_ENABLED=1
- 				;;
- 			7)
-				export CC=arm-linux-gnueabihf-gcc
-+				export CC="${CC:-arm-linux-gnueabihf-gcc}"
- 				export CGO_ENABLED=1
- 				;;
- 			esac
- 			;;
- 		linux/arm64)
-			export CC=aarch64-linux-gnu-gcc
-+			export CC="${CC:-aarch64-linux-gnu-gcc}"
- 			export CGO_ENABLED=1
- 			;;
- 		linux/amd64)
-			export CC=x86_64-linux-gnu-gcc
-+			export CC="${CC:-x86_64-linux-gnu-gcc}"
- 			export CGO_ENABLED=1
- 			;;
- 	esac