overlay app-emulation/docker: Apply Flatcar modifications

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24.ebuild → sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-20.10.24-r1.ebuild

@@ -7,15 +7,21 @@ MY_PV=${PV/_/-}
 GIT_COMMIT=d6cbf44b8c
 inherit linux-info systemd udev golang-vcs-snapshot
 
+COREOS_GO_VERSION="go1.18"
+COREOS_GO_GO111MODULE="off"
+
+inherit coreos-go-depend
+
 DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
 HOMEPAGE="https://www.docker.com/"
 SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 
 LICENSE="Apache-2.0"
 SLOT="0"
 KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86"
-IUSE="apparmor aufs btrfs +cli +container-init device-mapper hardened
-overlay seccomp selinux"
+# Flatcar: default enable required USE flags
+IUSE="apparmor aufs +btrfs +cli +container-init +device-mapper +hardened
++overlay +seccomp selinux"
 
 DEPEND="
 	acct-group/docker
@@ -26,40 +32,51 @@ DEPEND="
 	seccomp? ( >=sys-libs/libseccomp-2.2.1 )
 "
 
+# Flatcar:
+# For CoreOS builds coreos-kernel must be installed because this ebuild
+# checks the kernel config. The kernel config is left by the kernel compile
+# or an explicit copy when installing binary packages. See coreos-kernel.eclass
+DEPEND+="
+	sys-kernel/coreos-kernel
+"
+
 # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
 # https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
 # https://github.com/moby/moby/tree/master//hack/dockerfile/install
 # make sure docker-proxy is pinned to exact version from ^,
 # for appropriate branchch/version of course
+# Flatcar:
+# containerd ebuild doesn't support apparmor, device-mapper and seccomp use flags
+# tini ebuild doesn't support static use flag
+# use the old category app-emulation instead of app-containers for containerd, docker-proxy and docker-cli
 RDEPEND="
 	${DEPEND}
 	>=net-firewall/iptables-1.4
 	sys-process/procps
 	>=dev-vcs/git-1.7
 	>=app-arch/xz-utils-4.9
 	dev-libs/libltdl
-	>=app-containers/containerd-1.6.16[apparmor?,btrfs?,device-mapper?,seccomp?]
-	~app-containers/docker-proxy-0.8.0_p20230118
-	cli? ( ~app-containers/docker-cli-${PV} )
-	container-init? ( >=sys-process/tini-0.19.0[static] )
+	>=app-emulation/containerd-1.6.16[btrfs?]
+	~app-emulation/docker-proxy-0.8.0_p20230118
+	cli? ( ~app-emulation/docker-cli-${PV} )
+	container-init? ( >=sys-process/tini-0.19.0 )
 	selinux? ( sec-policy/selinux-docker )
 "
 
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+# Flatcar: drop go-md2man
 BDEPEND="
 	>=dev-lang/go-1.16.12
-	dev-go/go-md2man
 	virtual/pkgconfig
 "
 # tests require running dockerd as root and downloading containers
 RESTRICT="installsources strip test"
 
 S="${WORKDIR}/${P}/src/${EGO_PN}"
 
-# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+# Flatcar: Dropped outdated bug links, dropped openrc init script patch
 PATCHES=(
 	"${FILESDIR}/ppc64-buildmode.patch"
-	"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
 )
 
 # see "contrib/check-config.sh" from upstream's sources
@@ -172,14 +189,17 @@ pkg_setup() {
 }
 
 src_compile() {
+	# Flatcar: for cross-compilation
+	go_export
 	export DOCKER_GITCOMMIT="${GIT_COMMIT}"
 	export GOPATH="${WORKDIR}/${P}"
 	export VERSION=${PV}
 
 	# setup CFLAGS and LDFLAGS for separate build target
 	# see https://github.com/tianon/docker-overlay/pull/10
-	export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
-	export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+	# Flatcar: allow injecting CFLAGS/LDFLAGS, which is needed for torcx rpath
+	export CGO_CFLAGS="${CGO_CFLAGS} -I${ESYSROOT}/usr/include"
+	export CGO_LDFLAGS="${CGO_LDFLAGS} -L${ESYSROOT}/usr/$(get_libdir)"
 
 	# let's set up some optional features :)
 	export DOCKER_BUILDTAGS=''
@@ -194,11 +214,15 @@ src_compile() {
 			DOCKER_BUILDTAGS+=" $tag"
 		fi
 	done
+	# Flatcar: Add journald to build tags.
+	DOCKER_BUILDTAGS+=' journald'
 
+	# Flatcar:
+	# inject LDFLAGS for torcx
 	if use hardened; then
-		sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die
+		sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die
 		grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
-		sed  "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
+		sed  "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \
 			-i hack/make/dynbinary-daemon || die
 		grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
 	fi
@@ -217,16 +241,32 @@ src_install() {
 	newinitd contrib/init/openrc/docker.initd docker
 	newconfd contrib/init/openrc/docker.confd docker
 
-	systemd_dounit contrib/init/systemd/docker.{service,socket}
+	# Flatcar:
+	# install our systemd units/network config and our wrapper into
+	# /usr/lib/flatcar/docker for backwards compatibility instead of
+	# the units from contrib/init/systemd directory.
+	#
+	# systemd_dounit contrib/init/systemd/docker.{service,socket}
+	exeinto /usr/lib/flatcar
+	doexe "${FILESDIR}/dockerd"
+
+	systemd_dounit "${FILESDIR}/docker.service"
+	systemd_dounit "${FILESDIR}/docker.socket"
+
+	insinto /usr/lib/systemd/network
+	doins "${FILESDIR}/50-docker.network"
+	doins "${FILESDIR}/90-docker-veth.network"
 
 	udev_dorules contrib/udev/*.rules
 
 	dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md
 	dodoc -r docs/*
 
-	# note: intentionally not using "doins" so that we preserve +x bits
-	dodir /usr/share/${PN}/contrib
-	cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+	# Flatcar:
+	# don't install contrib bits
+	# # note: intentionally not using "doins" so that we preserve +x bits
+	# dodir /usr/share/${PN}/contrib
+	# cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
 }
 
 pkg_postinst() {
@@ -267,15 +307,19 @@ pkg_postinst() {
 		ewarn "Starting with docker 20.10.2, docker has been split into"
 		ewarn "two packages upstream, so Gentoo has followed suit."
 		ewarn
-		ewarn "app-containers/docker contains the daemon and"
-		ewarn "app-containers/docker-cli contains the docker command."
+		# Flatcar: We still use the old app-emulation category,
+		# instead of app-containers.
+		ewarn "app-emulation/docker contains the daemon and"
+		ewarn "app-emulation/docker-cli contains the docker command."
 		ewarn
 		ewarn "docker currently installs docker-cli using the cli use flag."
 		ewarn
 		ewarn "This use flag is temporary, so you need to take the"
 		ewarn "following actions:"
 		ewarn
-		ewarn "First, disable the cli use flag for app-containers/docker"
+		# Flatcar: We still use the old app-emulation category,
+		# instead of app-containers.
+		ewarn "First, disable the cli use flag for app-emulation/docker"
 		ewarn
 		ewarn "Then, if you need docker-cli and docker on the same machine,"
 		ewarn "run the following command:"

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/50-docker.network

@@ -0,0 +1,6 @@
+[Match]
+Type=bridge
+Name=docker* br-*
+
+[Link]
+Unmanaged=yes

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/90-docker-veth.network

@@ -0,0 +1,5 @@
+[Match]
+Driver=veth
+
+[Link]
+Unmanaged=yes

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service

@@ -0,0 +1,37 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=containerd.service docker.socket network-online.target
+Wants=network-online.target
+Requires=containerd.service docker.socket
+
+[Service]
+Type=notify
+EnvironmentFile=-/run/flannel/flannel_docker_opts.env
+Environment=DOCKER_SELINUX=--selinux-enabled=true
+
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock $DOCKER_SELINUX $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.socket

@@ -0,0 +1,13 @@
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
+

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd

@@ -0,0 +1,41 @@
+#!/bin/bash
+# Wrapper for launching docker daemons with selinux default on
+# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
+# for backwards compatibility.
+
+set -e
+
+parse_docker_args() {
+    local flag
+    while [[ $# -gt 0 ]]; do
+        flag="$1"
+        shift
+
+        # treat --flag=foo and --flag foo identically
+        if [[ "${flag}" == *=* ]]; then
+            set -- "${flag#*=}" "$@"
+            flag="${flag%=*}"
+        fi
+
+        case "${flag}" in
+            --selinux-enabled)
+                ARG_SELINUX="$1"
+                shift
+                ;;
+            *)
+                # ignore everything else
+                ;;
+        esac
+    done
+}
+
+parse_docker_args "$@"
+
+USE_SELINUX=""
+# Do not override selinux if it is already explicitly configured.
+if [[ -z "${ARG_SELINUX}" ]]; then
+        # If unspecified, default off
+        USE_SELINUX="--selinux-enabled=false"
+fi
+
+exec dockerd "$@" ${USE_SELINUX}

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/ppc64-buildmode.patch

@@ -17,14 +17,14 @@ index 5ea3e373f2..7a911de15a 100644
 --- a/hack/make/.binary
 +++ b/hack/make/.binary
 @@ -70,7 +70,7 @@ hash_files() {
+ 	if [[ " $BUILDFLAGS " != *" -race "* ]]; then
+ 		# -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
+ 		case "$(go env GOOS)/$(go env GOARCH)" in
+-			windows/* | linux/mips* | linux/riscv*) ;;
++			windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
 
- 	# -buildmode=pie is not supported on Windows and Linux on mips and riscv64.
- 	case "$(go env GOOS)/$(go env GOARCH)" in
--		windows/* | linux/mips* | linux/riscv*) ;;
-+		windows/* | linux/mips* | linux/riscv* | linux/ppc64) ;;
-
- 		*)
- 			BUILDFLAGS+=("-buildmode=pie")
+ 			*)
+ 				BUILDFLAGS+=("-buildmode=pie")
 -- 
 2.32.0