
Update sysutils/docker-freebsd to new version

 3 years ago
source link: https://reviews.freebsd.org/D21570
Needs Review, Public
Authored by joneum on Sep 9 2019, 8:20 AM.
Details
Summary

This review is intended to help integrate dockers into FreeBSD
and make them run.

Help is welcome

TODO: runC, libnetwork and containerd

Test Plan
Diff Detail
Repository: rP FreeBSD ports repository
Lint: No Linters Available
Unit: No Unit Test Coverage

Event Timeline

0mp added inline comments.
sysutils/docker-freebsd/Makefile:9

Shouldn't moby be capitalized?

sysutils/docker-freebsd/Makefile:9

We can change that. At the moment we are concentrating on the port building. We will then see what "COMMENT" says at the end ... :-)

linimon retitled this revision from Update docker to new Version to Update sysutils/docker-freebsd to new version and rename. Sep 9 2019, 8:20 PM
dmgk added inline comments.
sysutils/docker-freebsd/Makefile:23

Either GH_SUBDIR or GO_PKGNAME is OK, specifying both is not necessary. GO_PKGNAME gets inferred from GH_SUBDIR if omitted.

23

Could be just ./cmd/dockerd

joneum retitled this revision from Update sysutils/docker-freebsd to new version and rename to Update sysutils/docker-freebsd to new version. Sep 12 2019, 10:24 AM
joneum edited the summary of this revision.
joneum edited the test plan for this revision.
Comment Actions

Update Makefile, Reported by dmgk

Comment Actions

Hi, just saw this. I'm keeping an eye on it and am interested in helping where I can. I haven't yet looked at the code, but it's on my agenda in the coming couple of weeks.

What kind of testing is needed on this? I might be able to start there.

(Oh and this is my first time on FreeBSD Phabricator, so if I'm not doing this right, please do let me know)

Comment Actions

Further patches have to be applied to remove the errors.

But I don't know if it's worth developing the project further, because Docker is obviously at the end of its life.

Comment Actions

Certainly there are lots of questions around Docker-the-company at the moment, but there's still a lot of use and interest today and I would still very much like to see this proceed.

Comment Actions

Because @rene deleted the port without asking [1], I set all work here now.
Thanks to everyone who had put time and energy into the project until here

[1] https://svnweb.freebsd.org/changeset/ports/522677

This revision is now accepted and ready to land. Jan 11 2020, 11:48 AM
Comment Actions

Note: I have WIP updates to fix some of the errors

If anyone has additions/fixes, please provide diffs

This revision is now accepted and ready to land. Jan 11 2020, 1:08 PM
koobs requested changes to this revision. Jan 11 2020, 1:08 PM
This revision now requires changes to proceed. Jan 11 2020, 1:08 PM
Comment Actions

@joneum You can abandon revisions instead of accepting/closing. Would you like to remain author on this?

Comment Actions

@koobs: I have been searching the days for solutions to the error.
After the port was deleted without consultation, I'm currently not in the mood anymore. I need a few days off, but am still interested in maintaining the port. If you have suggestions for a solution to the problem, I'm open.

Comment Actions

I'll use the days to think about whether to give up my commit bit, and just continue as a normal maintainer.
The current incident has once again shown that people no longer communicate with others, but simply do what they want. And that is not my policy. It robs me of the fun.

Comment Actions

> I'll use the days to think about whether to give up my commit bit, and just continue as a normal maintainer.
> The current incident has once again shown that people no longer communicate with others, but simply do what they want. And that is not my policy. It robs me of the fun.

I understand. Hit me up on IRC when you're available and feeling up to it and I can share my diffs :)

Comment Actions

Wait, end of life? How? Why? What have I missed?

Comment Actions

When a port is broken for more than 6 months, there is a normal procedure that marks it as deprecated and then removes it from the ports tree at the expiration date. This is almost automatic; note that every month there is a notice about this.

The main reason is that there is no point in keeping broken ports in base that mislead users; it is very easy to re-add the port to the ports tree once a working version does exist again. It does not prevent anyone from working after the removal from the ports tree.

Btw, now that we have overlay both in ports and poudriere (-devel), it is even easier to work on such a port outside of the tree and re-add it later once it is working again.

This is the way things have been done in the ports tree since forever (at least since before my time), nothing new here.

@joneum I hope you would reconsider, continue working on this and bringing it back to the tree once it is ready.

Comment Actions

heya,

what are all these updates? :-)

Greetings
Jochen

On 11.01.20 at 14:08, koobs (Kubilay Kocak) wrote:

koobs reopened this revision.
koobs added a comment.
This revision is now accepted and ready to land.

Note: I have WIP updates to fix some of the errors

If anyone has additions/fixes, please provide diffs

To: joneum, decke, bcr, dteske, lifanov, dmgk
Cc: rene, koobs, trasz, ag-freebsd-reviews_muc.de, nvass-gmx.com, peeyush.singh_gmail.com, asig_sigalas.eu, emaste, tremere_cainites.net, lwhsu, dmgk, 0mp, mat

Comment Actions

To re-open the #Docker project on #FreeBSD, currently located at https://reviews.freebsd.org/D21570, who would want to donate via bountysource.com? This would be a way to reactivate the project, since it is very large. I'm asking for your opinion

Comment Actions

> To re-open the #Docker project on #FreeBSD, currently located at https://reviews.freebsd.org/D21570, who would want to donate via bountysource.com? This would be a way to reactivate the project, since it is very large. I'm asking for your opinion

I am interested in donating for the development of docker on FreeBSD. I am also willing to contribute some actual work, but I am not familiar with FreeBSD development, but I am a software developer by profession.

Is there a better way to get into contact with the docker for FreeBSD developers? Is it desired that I would also contribute coding work? What would be the best way to get started?

Comment Actions

Update the docker Port to the current Status

Diff 79325

sysutils/docker-freebsd/

  • This directory was copied from sysutils/docker-freebsd.

sysutils/docker-freebsd/Makefile

# Created by: [email protected] # $FreeBSD$ # $FreeBSD$

PORTNAME= docker-freebsd PORTNAME= docker-freebsd PORTVERSION= 20150625 DISTVERSIONPREFIX= v PORTREVISION= 2 DISTVERSION= 19.03.13 CATEGORIES= sysutils CATEGORIES= sysutils

MAINTAINER= [email protected] MAINTAINER= [email protected] COMMENT= Docker containment system COMMENT= Docker Engine based on moby

Shouldn't moby be capitalized?

We can change that. At the moment we are concentrating on the port building. We will then see what "COMMENT" says at the end ... :-)

LICENSE= APACHE20 LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE LICENSE_FILE= ${WRKSRC}/LICENSE

BROKEN= fails to build BUILD_DEPENDS= bash:shells/bash DEPRECATED= Broken for more than 9 months EXPIRATION_DATE= 2020-01-10

BUILD_DEPENDS= bash:shells/bash \ USES= go sqlite3:databases/sqlite3 RUN_DEPENDS= bash:shells/bash \ sqlite3:databases/sqlite3

USES= go:run

USE_GITHUB= yes USE_GITHUB= yes GH_ACCOUNT= kvasdopil GH_ACCOUNT= moby GH_PROJECT= docker GH_PROJECT= moby GH_TAGNAME= 582db78 GH_SUBDIR= src/github.com/docker/docker

PLIST_FILES= bin/docker GO_TARGET= ./cmd/dockerd

Either GH_SUBDIR or GO_PKGNAME is OK, specifying both is not necessary. GO_PKGNAME gets inferred from GH_SUBDIR if omitted.

Could be just ./cmd/dockerd

USE_RC_SUBR= docker

do-build: do-build: @cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} AUTO_GOPATH=1 DOCKER_GITCOMMIT=${GH_TAGNAME} ./hack/make.sh binary @cd ${GO_WRKSRC} && export DOCKER_GITCOMMIT=${GH_TAGNAME} && ${SETENV} ${GO_ENV} ./hack/make.sh binary

do-install: @${MKDIR} ${STAGEDIR}${PREFIX}/bin ${INSTALL_PROGRAM} ${WRKSRC}/bundles/latest/binary/docker ${STAGEDIR}${PREFIX}/bin/

.include <bsd.port.mk> .include <bsd.port.mk>
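
Review bot: In do-build, the new command still exports DOCKER_GITCOMMIT=${GH_TAGNAME}, but as far as the flattened old/new columns can be read, GH_TAGNAME= 582db78 belongs to the old side and the new side identifies the source only through DISTVERSIONPREFIX= v and DISTVERSION= 19.03.13. The value stamped into the binary is then no longer a commit hash chosen explicitly in this Makefile. If dockerd is meant to report the exact upstream commit it was built from, set that commit explicitly next to DISTVERSION and pass it to hack/make.sh, so the reported build identity matches the checksummed distfile.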

sysutils/docker-freebsd/distinfo

SHA256 (kvasdopil-docker-20150625-582db78_GH0.tar.gz) = a750d344af4af3d30b1a3373f382ab597a2a7aa4a0bb5c22d650d0c5cc9ac506 TIMESTAMP = 1602853279 SIZE (kvasdopil-docker-20150625-582db78_GH0.tar.gz) = 7292884 SHA256 (moby-moby-v19.03.13_GH0.tar.gz) = f43331fef1d24e31f43392fc1fed72b48fc17fd432d341d6eb1f68ca11383406 SIZE (moby-moby-v19.03.13_GH0.tar.gz) = 10406691

sysutils/docker-freebsd/files/docker.in

  • This file was deleted.
The contents of this file were not changed.

sysutils/docker-freebsd/files/patch-FreeBSD.adoc

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- FreeBSD.adoc.orig 2020-09-04 14:57:27 UTC +++ FreeBSD.adoc 
@@ -0,0 +1,265 @@ += Docker on FreeBSD + +The FreeBSD port of Docker requires ZFS and FreeBSD 11.1-RELEASE or greater. + +[NOTE] +==== +The current `freebsd-compat` branch is based off of the `v17.05.0-ce` tag from +upstream. +==== + +== Participate + + +Chat for this effort can be found in the `#freebsd-docker` chanenl on +link:http://freenode.net[Freenode]. + +== Running + +[[prereqs]] +== Prerequisites + +Please ensure the following packages are installed in order to build from +source: + +* `go` +* `git` +* `bash` +* `ca_root_nss` +* `libepoll-shim` + +[source,bash] +---- +sudo pkg install ca_root_nss bash git go libepoll-shim +---- + + +[[zfs]] +=== Setting up ZFS + +In order to provide storage for containers running on FreeBSD, Docker relies on +ZFS underneath the hood. This means the FreeBSD system must have ZFS loaded, +and active. + +==== Systems without ZFS-based disks + +[source,bash] +---- +kldload zfs && \ + dd if=/dev/zero of=/usr/local/dockerfs bs=1024K count=4000 && \ + zpool create -f zroot /usr/local/dockerfs && \ + zfs create -o mountpoint=/usr/docker zroot/docker +---- + +==== Systems with ZFS-based disks + +[source,bash] +---- +zfs create -o mountpoint=/usr/docker zroot/docker +---- + + + +[[networking]] +=== Setting up networking + + +[[pf]] +==== Setting up Packet Filer + +In order to provide networking for containers, Docker must have access to +Packet Filter (`pf`). + +* `sudo kldload pf` + + +The example below provides a bridged network for Docker. If you installed +FreeBSD/Docker via the `sysutils/docker-freebsd` port, this will already be +configured for you. 
+ +[source,bash] +---- +echo "nat on {yout-external-interface} from 172.17.0.0/16 to any -> ({your-external-interface})" > /etc/pf.conf +pfctl -f /etc/pf.conf +pfctl -e +---- + + +=== Progress + +.Features +|=== +| Feature | Status + +| Image loading +| :white_check_mark: + +| Container creationg +| :white_check_mark: + +| Container start/stop +| :white_check_mark: + +| Shared Networking +| partial support + +| Port forwarding +| :white_check_mark: + +| Volumes +| :x: + +| Links +| :x: + +| Virtual networking +| :x: + +| Limits +| :x: + +|=== + +.Commands +|=== +| Command | Status + +| attach +| :white_check_mark: + +| build +| + +| commit +| :white_check_mark: + +| cp +| :white_check_mark: + +| create +| :white_check_mark: + +| diff +| :white_check_mark: + +| events +| :white_check_mark: + +| exec +| :white_check_mark: + +| export +| :white_check_mark: + +| history +| :white_check_mark: + +| images +| :white_check_mark: + +| import +| :white_check_mark: + +| info +| :bug: + +| inspect +| :white_check_mark: + +| kill +| :white_check_mark: + +| load +| :bug: + +| login +| :white_check_mark: + +| logout +| :white_check_mark: + +| logs +| :white_check_mark: + +| pause +| :x: + +| port +| :white_check_mark: + +| ps +| :white_check_mark: + +| pull +| :white_check_mark: + +| push +| :white_check_mark: + +| rename +| :white_check_mark: + +| restart +| :white_check_mark: + +| rm +| :white_check_mark: + +| rmi +| :white_check_mark: + +| run +| :white_check_mark: + +| save +| :white_check_mark: + +| search +| :white_check_mark: + +| start +| :white_check_mark: + +| stats +| :bug: + +| stop +| :white_check_mark: + +| tag +| :white_check_mark: + +| top +| :white_check_mark: + +| unpause +| :x: + +| version +| :white_check_mark: + +| wait +| :white_check_mark: + +|=== + +== Hacking + +To build on 11.1-RELEASE, assuming the <<prereqs>> have been installed: + +[source,bash] +---- +gmake -f Makefile.freebsd +---- + +This should create the `docker` and `dockerd` executables in 
+`./bundles/latest/`. Please ensure that <<zfs, ZFS>> and <<networking, +Networking>> are set up properly. + +=== References + +Below are a list of useful references for understanding both Docker and +Docker/FreeBSD. + +* link:https://blog.docker.com/2017/08/what-is-containerd-runtime/[What is containerd]. +* link:https://docs.docker.com/engine/userguide/storagedriver/zfs-driver/[Using the ZFS storage driver].
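
Review bot: The pf example under "Setting up Packet Filer" writes its NAT rule with echo "nat on ..." > /etc/pf.conf, which truncates /etc/pf.conf, and the following pfctl -f /etc/pf.conf then replaces whatever ruleset the host was running with that single rule. On a machine that already filters traffic this silently discards its firewall policy. The instructions should have the reader add the rule to the existing file, or load it from a separate file or anchor, and parse-check it with pfctl -nf before loading. Smaller points in the same file: the placeholder is spelled {yout-external-interface} on the left and {your-external-interface} on the right of the rule; "chanenl", "Packet Filer" and "creationg" are typos; and the text still describes a branch based on v17.05.0-ce and a build on 11.1-RELEASE, while the port Makefile in this revision sets DISTVERSION= 19.03.13.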

sysutils/docker-freebsd/files/patch-Makefile.freebsd

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- Makefile.freebsd.orig 2020-09-04 14:57:27 UTC +++ Makefile.freebsd 
@@ -0,0 +1,68 @@ +# This file exists to support the non-Docker-based build requirements for +# FreeBSD/Docker +# +# Hacking GOPATH to take the first directory in the list and use that to clone +# our dependencies +export GO_PATH=$(firstword $(subst :, ,$(GOPATH))) +export AUTO_GO_PATH=1 +export DEST_DIR=$(PWD)/bundles/bin +export RUNC_PATH="${GO_PATH}/src/github.com/opencontainers/runc" +export CONTAINERD_PATH="${GO_PATH}/src/github.com/containerd/containerd" +export CONTAINERD_REFSPEC=freebsd-compat-0.2 +export LIBNETWORK_PATH="${GO_PATH}/src/github.com/docker/libnetwork" +export TINI_PATH="${GO_PATH}/src/tini" + +all: binary + +binary: $(DEST_DIR)/docker-containerd $(DEST_DIR)/docker-proxy + ./hack/make.sh binary + # Copy into bundles/bin for packaging + for f in bundles/latest/*/*; do \ + [ -L "$$f" ] || continue; \ + cp -f "$$(readlink -f $$f)" "$(DEST_DIR)/$${f##*/}"; \ + done + +$(DEST_DIR)/docker-containerd: prepare + if [ ! -d $(CONTAINERD_PATH) ]; then \ + git clone https://github.com/freebsd-docker/containerd.git $(CONTAINERD_PATH) && \ + cd $(CONTAINERD_PATH) && \ + git checkout $(CONTAINERD_REFSPEC); \ + fi; + cd $(CONTAINERD_PATH) && \ + $(MAKE) && \ + cp bin/containerd $(DEST_DIR)/docker-containerd && \ + cp bin/containerd-shim $(DEST_DIR)/docker-containerd-shim && \ + cp bin/ctr $(DEST_DIR)/docker-containerd-ctr + +$(DEST_DIR)/docker-proxy: prepare + if [ ! -d $(LIBNETWORK_PATH) ]; then \ + git clone https://github.com/freebsd-docker/libnetwork.git $(LIBNETWORK_PATH); \ + fi; + cd $(LIBNETWORK_PATH) && \ + go build -o $(DEST_DIR)/docker-proxy github.com/docker/libnetwork/cmd/proxy + + +runc: + if [ ! -d $(RUNC_PATH) ]; then \ + git clone https://github.com/freebsd-docker/runc.git $(RUNC_PATH); \ + fi; + cd $(RUNC_PATH) && \ + $(MAKE) + +tini: check-depends + if [ ! -d $(TINI_PATH) ]; then \ + git clone https://github.com/krallin/tini.git $(TINI_PATH); \ + fi; + cd $(TINI_PATH) && \ + cmake . 
&& \ + $(MAKE) tini-static + +check-depends: + echo ">> Verify that you have CMake installed" + +prepare: bundles/bin + +bundles/bin: + mkdir -p bundles/bin + +.PHONY: check-depends prepare all binary
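
Review bot: The docker-containerd, docker-proxy, runc and tini targets each run git clone during the build, and three of the four take whatever the default branch holds at that moment; only containerd is followed by git checkout $(CONTAINERD_REFSPEC), and freebsd-compat-0.2 reads like a branch name rather than a commit. None of this source is covered by distinfo, so the SHA256 recorded for moby-moby-v19.03.13_GH0.tar.gz says nothing about much of the code that ends up in the installed binaries, and two builds of the same port revision can produce different results. Pin each dependency to a commit and fetch it through the port's distfiles so that it is checksummed and no network access is needed in the build phase. Separately, this file exports AUTO_GO_PATH=1 and GO_PATH, while the old do-build line in the port Makefile passed AUTO_GOPATH=1 to ./hack/make.sh; check which spelling the script actually reads. The check-depends target only echoes a message and does not test that cmake is present.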

sysutils/docker-freebsd/files/patch-builder_dockerfile_internals__freebsd.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property

Fix build on FreeBSD by copying linux implementation:

builder/dockerfile/internals.go:193:19: undefined: parseChownFlag

--- builder/dockerfile/internals_freebsd.go.orig 2019-03-08 14:02:51 UTC +++ builder/dockerfile/internals_freebsd.go 
@@ -0,0 +1,88 @@ +package dockerfile // import "github.com/docker/docker/builder/dockerfile" + +import ( + "path/filepath" + "strconv" + "strings" + + "github.com/docker/docker/pkg/idtools" + "github.com/docker/docker/pkg/symlink" + lcUser "github.com/opencontainers/runc/libcontainer/user" + "github.com/pkg/errors" +) + +func parseChownFlag(builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping *idtools.IdentityMapping) (idtools.Identity, error) { + var userStr, grpStr string + parts := strings.Split(chown, ":") + if len(parts) > 2 { + return idtools.Identity{}, errors.New("invalid chown string format: " + chown) + } + if len(parts) == 1 { + // if no group specified, use the user spec as group as well + userStr, grpStr = parts[0], parts[0] + } else { + userStr, grpStr = parts[0], parts[1] + } + + passwdPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "passwd"), ctrRootPath) + if err != nil { + return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/passwd path in container rootfs") + } + groupPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "group"), ctrRootPath) + if err != nil { + return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/group path in container rootfs") + } + uid, err := lookupUser(userStr, passwdPath) + if err != nil { + return idtools.Identity{}, errors.Wrapf(err, "can't find uid for user "+userStr) + } + gid, err := lookupGroup(grpStr, groupPath) + if err != nil { + return idtools.Identity{}, errors.Wrapf(err, "can't find gid for group "+grpStr) + } + + // convert as necessary because of user namespaces + chownPair, err := identityMapping.ToHost(idtools.Identity{UID: uid, GID: gid}) + if err != nil { + return idtools.Identity{}, errors.Wrapf(err, "unable to convert uid/gid to host mapping") + } + return chownPair, nil +} + +func lookupUser(userStr, filepath string) (int, error) { + // if the string is actually a uid integer, parse to int and 
return + // as we don't need to translate with the help of files + uid, err := strconv.Atoi(userStr) + if err == nil { + return uid, nil + } + users, err := lcUser.ParsePasswdFileFilter(filepath, func(u lcUser.User) bool { + return u.Name == userStr + }) + if err != nil { + return 0, err + } + if len(users) == 0 { + return 0, errors.New("no such user: " + userStr) + } + return users[0].Uid, nil +} + +func lookupGroup(groupStr, filepath string) (int, error) { + // if the string is actually a gid integer, parse to int and return + // as we don't need to translate with the help of files + gid, err := strconv.Atoi(groupStr) + if err == nil { + return gid, nil + } + groups, err := lcUser.ParseGroupFileFilter(filepath, func(g lcUser.Group) bool { + return g.Name == groupStr + }) + if err != nil { + return 0, err + } + if len(groups) == 0 { + return 0, errors.New("no such group: " + groupStr) + } + return groups[0].Gid, nil +}
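
Review bot: In parseChownFlag, the two lookup error paths build the format string from input: errors.Wrapf(err, "can't find uid for user "+userStr) and the matching call for grpStr pass part of the chown string as the format itself, so a name containing % is interpreted as a formatting verb and garbles the error message. Use errors.Wrapf(err, "can't find uid for user %s", userStr), or errors.Wrap with the concatenated string. lookupUser and lookupGroup also return any value strconv.Atoi accepts, negative numbers included, with no range check before it reaches identityMapping.ToHost. Since the description says this file is a copy of the Linux implementation, widening the build constraint on the existing file would avoid a second copy that has to be kept in sync by hand; the builder and state parameters are unused in this copy.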

sysutils/docker-freebsd/files/patch-daemon_container__freebsd.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/container_freebsd.go.orig 2020-09-18 09:01:00 UTC +++ daemon/container_freebsd.go @@ -0,0 +1,9 @@ +package daemon + +import ( + "github.com/docker/docker/container" +) + +func (daemon *Daemon) saveApparmorConfig(container *container.Container) error { + return nil +}

sysutils/docker-freebsd/files/patch-daemon_container__operations.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/container_operations.go.orig 2020-09-04 14:54:50 UTC +++ daemon/container_operations.go @@ -68,7 +68,7 @@ func (daemon *Daemon) buildSandboxOptions(container *c sboxOptions = append(sboxOptions, libnetwork.OptionUseExternalKey()) } - if err = daemon.setupPathsAndSandboxOptions(container, &sboxOptions); err != nil { + if err = setupPathsAndSandboxOptions(container, &sboxOptions); err != nil { return nil, err } @@ -618,9 +618,9 @@ func validateNetworkingConfig(n libnetwork.Network, ep if hasUserDefinedIPAddress(epConfig.IPAMConfig) && !enableIPOnPredefinedNetwork() { return runconfig.ErrUnsupportedNetworkAndIP } - if len(epConfig.Aliases) > 0 && !serviceDiscoveryOnDefaultNetwork() { - return runconfig.ErrUnsupportedNetworkAndAlias - } + // if len(epConfig.Aliases) > 0 && !serviceDiscoveryOnDefaultNetwork() { + // return runconfig.ErrUnsupportedNetworkAndAlias + // } } if !hasUserDefinedIPAddress(epConfig.IPAMConfig) { return nil @@ -935,7 +935,7 @@ func (daemon *Daemon) initializeNetworking(container * return err } - err = daemon.initializeNetworkingPaths(container, nc) + err = initializeNetworkingPaths(container, nc) if err != nil { return err }
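
Review bot: The second hunk (@@ -618,9 +618,9 @@, validateNetworkingConfig) comments out the check that returns runconfig.ErrUnsupportedNetworkAndAlias, and it does so in the shared daemon/container_operations.go, so the validation disappears on every platform this file builds for, not only on FreeBSD. container_operations_freebsd.go in this revision already supplies enableIPOnPredefinedNetwork(); adding serviceDiscoveryOnDefaultNetwork() there in the same way would keep the check in place and avoid leaving commented-out code behind. The first and third hunks have the same scope problem: turning daemon.setupPathsAndSandboxOptions and daemon.initializeNetworkingPaths into package-level functions in the shared file requires every other platform file to define them as functions too, which should be stated in the patch description or handled by keeping them as methods and adding FreeBSD method stubs.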

sysutils/docker-freebsd/files/patch-daemon_container__operations__freebsd.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/container_operations_freebsd.go.orig 2020-09-04 14:57:27 UTC +++ daemon/container_operations_freebsd.go @@ -0,0 +1,45 @@ +package daemon // import "github.com/docker/docker/daemon" + +import ( + "github.com/docker/docker/container" + "github.com/docker/docker/runconfig" + "github.com/docker/libnetwork" +) + +func (daemon *Daemon) setupLinkedContainers(container *container.Container) ([]string, error) { + return nil, nil +} + +func (daemon *Daemon) setupIpcDirs(container *container.Container) error { + return nil +} + +func killProcessDirectly(container *container.Container) error { + return nil +} + +func detachMounted(path string) error { + return nil +} + +func isLinkable(child *container.Container) bool { + // A container is linkable only if it belongs to the default network + _, ok := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] + return ok +} + +func enableIPOnPredefinedNetwork() bool { + return false +} + +func (daemon *Daemon) isNetworkHotPluggable() bool { + return false +} + +func setupPathsAndSandboxOptions(container *container.Container, sboxOptions *[]libnetwork.SandboxOption) error { + return nil +} + +func initializeNetworkingPaths(container *container.Container, nc *container.Container) error { + return nil +}
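
Review bot: killProcessDirectly and detachMounted return nil without doing anything, so their callers are told that the container process was killed and the mount was detached when neither happened. For stubs on a termination or cleanup path, return an explicit not-supported error (or implement them), so that a container that could not be stopped is reported instead of assumed gone. The same reasoning applies to setupLinkedContainers and setupIpcDirs: the feature table in FreeBSD.adoc lists Links as unsupported, and a request for links or IPC sharing should fail visibly rather than succeed with an empty result.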

sysutils/docker-freebsd/files/patch-daemon_container__operations__linux.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/container_operations_linux.go.orig 2020-09-04 14:57:27 UTC +++ daemon/container_operations_linux.go 
@@ -0,0 +1,415 @@ +// +build linux + +package daemon // import "github.com/docker/docker/daemon" + +import ( + "context" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strconv" + "time" + + "github.com/docker/docker/container" + "github.com/docker/docker/daemon/links" + "github.com/docker/docker/errdefs" + "github.com/docker/docker/pkg/idtools" + "github.com/docker/docker/pkg/mount" + "github.com/docker/docker/pkg/stringid" + "github.com/docker/docker/runconfig" + "github.com/docker/libnetwork" + "github.com/opencontainers/selinux/go-selinux/label" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" +) + +func (daemon *Daemon) setupLinkedContainers(container *container.Container) ([]string, error) { + var env []string + children := daemon.children(container) + + bridgeSettings := container.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] + if bridgeSettings == nil || bridgeSettings.EndpointSettings == nil { + return nil, nil + } + + for linkAlias, child := range children { + if !child.IsRunning() { + return nil, fmt.Errorf("Cannot link to a non running container: %s AS %s", child.Name, linkAlias) + } + + childBridgeSettings := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] + if childBridgeSettings == nil || childBridgeSettings.EndpointSettings == nil { + return nil, fmt.Errorf("container %s not attached to default bridge network", child.ID) + } + + link := links.NewLink( + bridgeSettings.IPAddress, + childBridgeSettings.IPAddress, + linkAlias, + child.Config.Env, + child.Config.ExposedPorts, + ) + + env = append(env, link.ToEnv()...) 
+ } + + return env, nil +} + +func (daemon *Daemon) getIpcContainer(id string) (*container.Container, error) { + errMsg := "can't join IPC of container " + id + // Check the container exists + container, err := daemon.GetContainer(id) + if err != nil { + return nil, errors.Wrap(err, errMsg) + } + // Check the container is running and not restarting + if err := daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting); err != nil { + return nil, errors.Wrap(err, errMsg) + } + // Check the container ipc is shareable + if st, err := os.Stat(container.ShmPath); err != nil || !st.IsDir() { + if err == nil || os.IsNotExist(err) { + return nil, errors.New(errMsg + ": non-shareable IPC (hint: use IpcMode:shareable for the donor container)") + } + // stat() failed? + return nil, errors.Wrap(err, errMsg+": unexpected error from stat "+container.ShmPath) + } + + return container, nil +} + +func (daemon *Daemon) getPidContainer(container *container.Container) (*container.Container, error) { + containerID := container.HostConfig.PidMode.Container() + container, err := daemon.GetContainer(containerID) + if err != nil { + return nil, errors.Wrapf(err, "cannot join PID of a non running container: %s", containerID) + } + return container, daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting) +} + +func containerIsRunning(c *container.Container) error { + if !c.IsRunning() { + return errdefs.Conflict(errors.Errorf("container %s is not running", c.ID)) + } + return nil +} + +func containerIsNotRestarting(c *container.Container) error { + if c.IsRestarting() { + return errContainerIsRestarting(c.ID) + } + return nil +} + +func (daemon *Daemon) setupIpcDirs(c *container.Container) error { + ipcMode := c.HostConfig.IpcMode + + switch { + case ipcMode.IsContainer(): + ic, err := daemon.getIpcContainer(ipcMode.Container()) + if err != nil { + return err + } + c.ShmPath = ic.ShmPath + + case ipcMode.IsHost(): + if _, err := os.Stat("/dev/shm"); 
err != nil { + return fmt.Errorf("/dev/shm is not mounted, but must be for --ipc=host") + } + c.ShmPath = "/dev/shm" + + case ipcMode.IsPrivate(), ipcMode.IsNone(): + // c.ShmPath will/should not be used, so make it empty. + // Container's /dev/shm mount comes from OCI spec. + c.ShmPath = "" + + case ipcMode.IsEmpty(): + // A container was created by an older version of the daemon. + // The default behavior used to be what is now called "shareable". + fallthrough + + case ipcMode.IsShareable(): + rootIDs := daemon.idMapping.RootPair() + if !c.HasMountFor("/dev/shm") { + shmPath, err := c.ShmResourcePath() + if err != nil { + return err + } + + if err := idtools.MkdirAllAndChown(shmPath, 0700, rootIDs); err != nil { + return err + } + + shmproperty := "mode=1777,size=" + strconv.FormatInt(c.HostConfig.ShmSize, 10) + if err := unix.Mount("shm", shmPath, "tmpfs", uintptr(unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV), label.FormatMountLabel(shmproperty, c.GetMountLabel())); err != nil { + return fmt.Errorf("mounting shm tmpfs: %s", err) + } + if err := os.Chown(shmPath, rootIDs.UID, rootIDs.GID); err != nil { + return err + } + c.ShmPath = shmPath + } + + default: + return fmt.Errorf("invalid IPC mode: %v", ipcMode) + } + + return nil +} + +func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { + if len(c.SecretReferences) == 0 && len(c.ConfigReferences) == 0 { + return nil + } + + if err := daemon.createSecretsDir(c); err != nil { + return err + } + defer func() { + if setupErr != nil { + daemon.cleanupSecretDir(c) + } + }() + + if c.DependencyStore == nil { + return fmt.Errorf("secret store is not initialized") + } + + // retrieve possible remapped range start for root UID, GID + rootIDs := daemon.idMapping.RootPair() + + for _, s := range c.SecretReferences { + // TODO (ehazlett): use type switch when more are supported + if s.File == nil { + logrus.Error("secret target type is not a file target") + continue + } + + // secrets are created in 
the SecretMountPath on the host, at a + // single level + fPath, err := c.SecretFilePath(*s) + if err != nil { + return errors.Wrap(err, "error getting secret file path") + } + if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil { + return errors.Wrap(err, "error creating secret mount path") + } + + logrus.WithFields(logrus.Fields{ + "name": s.File.Name, + "path": fPath, + }).Debug("injecting secret") + secret, err := c.DependencyStore.Secrets().Get(s.SecretID) + if err != nil { + return errors.Wrap(err, "unable to get secret from secret store") + } + if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { + return errors.Wrap(err, "error injecting secret") + } + + uid, err := strconv.Atoi(s.File.UID) + if err != nil { + return err + } + gid, err := strconv.Atoi(s.File.GID) + if err != nil { + return err + } + + if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { + return errors.Wrap(err, "error setting ownership for secret") + } + if err := os.Chmod(fPath, s.File.Mode); err != nil { + return errors.Wrap(err, "error setting file mode for secret") + } + } + + for _, ref := range c.ConfigReferences { + // TODO (ehazlett): use type switch when more are supported + if ref.File == nil { + // Runtime configs are not mounted into the container, but they're + // a valid type of config so we should not error when we encounter + // one. 
+ if ref.Runtime == nil { + logrus.Error("config target type is not a file or runtime target") + } + // However, in any case, this isn't a file config, so we have no + // further work to do + continue + } + + fPath, err := c.ConfigFilePath(*ref) + if err != nil { + return errors.Wrap(err, "error getting config file path for container") + } + if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil { + return errors.Wrap(err, "error creating config mount path") + } + + logrus.WithFields(logrus.Fields{ + "name": ref.File.Name, + "path": fPath, + }).Debug("injecting config") + config, err := c.DependencyStore.Configs().Get(ref.ConfigID) + if err != nil { + return errors.Wrap(err, "unable to get config from config store") + } + if err := ioutil.WriteFile(fPath, config.Spec.Data, ref.File.Mode); err != nil { + return errors.Wrap(err, "error injecting config") + } + + uid, err := strconv.Atoi(ref.File.UID) + if err != nil { + return err + } + gid, err := strconv.Atoi(ref.File.GID) + if err != nil { + return err + } + + if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { + return errors.Wrap(err, "error setting ownership for config") + } + if err := os.Chmod(fPath, ref.File.Mode); err != nil { + return errors.Wrap(err, "error setting file mode for config") + } + } + + return daemon.remountSecretDir(c) +} + +// createSecretsDir is used to create a dir suitable for storing container secrets. 
+// In practice this is using a tmpfs mount and is used for both "configs" and "secrets" +func (daemon *Daemon) createSecretsDir(c *container.Container) error { + // retrieve possible remapped range start for root UID, GID + rootIDs := daemon.idMapping.RootPair() + dir, err := c.SecretMountPath() + if err != nil { + return errors.Wrap(err, "error getting container secrets dir") + } + + // create tmpfs + if err := idtools.MkdirAllAndChown(dir, 0700, rootIDs); err != nil { + return errors.Wrap(err, "error creating secret local mount path") + } + + tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID) + if err := mount.Mount("tmpfs", dir, "tmpfs", "nodev,nosuid,noexec,"+tmpfsOwnership); err != nil { + return errors.Wrap(err, "unable to setup secret mount") + } + return nil +} + +func (daemon *Daemon) remountSecretDir(c *container.Container) error { + dir, err := c.SecretMountPath() + if err != nil { + return errors.Wrap(err, "error getting container secrets path") + } + if err := label.Relabel(dir, c.MountLabel, false); err != nil { + logrus.WithError(err).WithField("dir", dir).Warn("Error while attempting to set selinux label") + } + rootIDs := daemon.idMapping.RootPair() + tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID) + + // remount secrets ro + if err := mount.Mount("tmpfs", dir, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil { + return errors.Wrap(err, "unable to remount dir as readonly") + } + + return nil +} + +func (daemon *Daemon) cleanupSecretDir(c *container.Container) { + dir, err := c.SecretMountPath() + if err != nil { + logrus.WithError(err).WithField("container", c.ID).Warn("error getting secrets mount path for container") + } + if err := mount.RecursiveUnmount(dir); err != nil { + logrus.WithField("dir", dir).WithError(err).Warn("Error while attempting to unmount dir, this may prevent removal of container.") + } + if err := os.RemoveAll(dir); err != nil && !os.IsNotExist(err) { + logrus.WithField("dir", 
dir).WithError(err).Error("Error removing dir.") + } +} + +func killProcessDirectly(cntr *container.Container) error { + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + + // Block until the container to stops or timeout. + status := <-cntr.Wait(ctx, container.WaitConditionNotRunning) + if status.Err() != nil { + // Ensure that we don't kill ourselves + if pid := cntr.GetPID(); pid != 0 { + logrus.Infof("Container %s failed to exit within 10 seconds of kill - trying direct SIGKILL", stringid.TruncateID(cntr.ID)) + if err := unix.Kill(pid, 9); err != nil { + if err != unix.ESRCH { + return err + } + e := errNoSuchProcess{pid, 9} + logrus.Debug(e) + return e + } + } + } + return nil +} + +func isLinkable(child *container.Container) bool { + // A container is linkable only if it belongs to the default network + _, ok := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] + return ok +} + +func enableIPOnPredefinedNetwork() bool { + return false +} + +// serviceDiscoveryOnDefaultNetwork indicates if service discovery is supported on the default network +func serviceDiscoveryOnDefaultNetwork() bool { + return false +} + +func (daemon *Daemon) setupPathsAndSandboxOptions(container *container.Container, sboxOptions *[]libnetwork.SandboxOption) error { + var err error + + if container.HostConfig.NetworkMode.IsHost() { + // Point to the host files, so that will be copied into the container running in host mode + *sboxOptions = append(*sboxOptions, libnetwork.OptionOriginHostsPath("/etc/hosts")) + } + + // Copy the host's resolv.conf for the container (/etc/resolv.conf or /run/systemd/resolve/resolv.conf) + *sboxOptions = append(*sboxOptions, libnetwork.OptionOriginResolvConfPath(daemon.configStore.GetResolvConf())) + + container.HostsPath, err = container.GetRootResourcePath("hosts") + if err != nil { + return err + } + *sboxOptions = append(*sboxOptions, 
libnetwork.OptionHostsPath(container.HostsPath)) + + container.ResolvConfPath, err = container.GetRootResourcePath("resolv.conf") + if err != nil { + return err + } + *sboxOptions = append(*sboxOptions, libnetwork.OptionResolvConfPath(container.ResolvConfPath)) + return nil +} + +func (daemon *Daemon) initializeNetworkingPaths(container *container.Container, nc *container.Container) error { + container.HostnamePath = nc.HostnamePath + container.HostsPath = nc.HostsPath + container.ResolvConfPath = nc.ResolvConfPath + return nil +} + +func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error { + // get the root mount path so we can make it unbindable + p, err := c.MountsResourcePath("") + if err != nil { + return err + } + return idtools.MkdirAllAndChown(p, 0700, daemon.idMapping.RootPair()) +}
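
Review bot: In cleanupSecretDir, a failure from c.SecretMountPath() is only logged, and execution continues into mount.RecursiveUnmount(dir) and os.RemoveAll(dir) with whatever dir came back alongside the error. Return right after the Warn so that cleanup never runs on a path that was not resolved. Separately, createSecretsDir and remountSecretDir pass "nodev,nosuid,noexec," and "remount,ro," to mount.Mount, the same strings as in the removed container_operations_unix.go. Please confirm that the FreeBSD build of pkg/mount accepts both, because the remount is the step that makes the secrets directory read-only after injection.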

sysutils/docker-freebsd/files/patch-daemon_container__operations__unix.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/container_operations_unix.go.orig 2020-09-04 14:54:50 UTC +++ daemon/container_operations_unix.go 
@@ -1,415 +0,0 @@ -// +build linux freebsd - -package daemon // import "github.com/docker/docker/daemon" - -import ( - "context" - "fmt" - "io/ioutil" - "os" - "path/filepath" - "strconv" - "time" - - "github.com/docker/docker/container" - "github.com/docker/docker/daemon/links" - "github.com/docker/docker/errdefs" - "github.com/docker/docker/pkg/idtools" - "github.com/docker/docker/pkg/mount" - "github.com/docker/docker/pkg/stringid" - "github.com/docker/docker/runconfig" - "github.com/docker/libnetwork" - "github.com/opencontainers/selinux/go-selinux/label" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" - "golang.org/x/sys/unix" -) - -func (daemon *Daemon) setupLinkedContainers(container *container.Container) ([]string, error) { - var env []string - children := daemon.children(container) - - bridgeSettings := container.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] - if bridgeSettings == nil || bridgeSettings.EndpointSettings == nil { - return nil, nil - } - - for linkAlias, child := range children { - if !child.IsRunning() { - return nil, fmt.Errorf("Cannot link to a non running container: %s AS %s", child.Name, linkAlias) - } - - childBridgeSettings := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] - if childBridgeSettings == nil || childBridgeSettings.EndpointSettings == nil { - return nil, fmt.Errorf("container %s not attached to default bridge network", child.ID) - } - - link := links.NewLink( - bridgeSettings.IPAddress, - childBridgeSettings.IPAddress, - linkAlias, - child.Config.Env, - child.Config.ExposedPorts, - ) - - env = append(env, link.ToEnv()...) 
- } - - return env, nil -} - -func (daemon *Daemon) getIpcContainer(id string) (*container.Container, error) { - errMsg := "can't join IPC of container " + id - // Check the container exists - container, err := daemon.GetContainer(id) - if err != nil { - return nil, errors.Wrap(err, errMsg) - } - // Check the container is running and not restarting - if err := daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting); err != nil { - return nil, errors.Wrap(err, errMsg) - } - // Check the container ipc is shareable - if st, err := os.Stat(container.ShmPath); err != nil || !st.IsDir() { - if err == nil || os.IsNotExist(err) { - return nil, errors.New(errMsg + ": non-shareable IPC (hint: use IpcMode:shareable for the donor container)") - } - // stat() failed? - return nil, errors.Wrap(err, errMsg+": unexpected error from stat "+container.ShmPath) - } - - return container, nil -} - -func (daemon *Daemon) getPidContainer(container *container.Container) (*container.Container, error) { - containerID := container.HostConfig.PidMode.Container() - container, err := daemon.GetContainer(containerID) - if err != nil { - return nil, errors.Wrapf(err, "cannot join PID of a non running container: %s", containerID) - } - return container, daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting) -} - -func containerIsRunning(c *container.Container) error { - if !c.IsRunning() { - return errdefs.Conflict(errors.Errorf("container %s is not running", c.ID)) - } - return nil -} - -func containerIsNotRestarting(c *container.Container) error { - if c.IsRestarting() { - return errContainerIsRestarting(c.ID) - } - return nil -} - -func (daemon *Daemon) setupIpcDirs(c *container.Container) error { - ipcMode := c.HostConfig.IpcMode - - switch { - case ipcMode.IsContainer(): - ic, err := daemon.getIpcContainer(ipcMode.Container()) - if err != nil { - return err - } - c.ShmPath = ic.ShmPath - - case ipcMode.IsHost(): - if _, err := os.Stat("/dev/shm"); 
err != nil { - return fmt.Errorf("/dev/shm is not mounted, but must be for --ipc=host") - } - c.ShmPath = "/dev/shm" - - case ipcMode.IsPrivate(), ipcMode.IsNone(): - // c.ShmPath will/should not be used, so make it empty. - // Container's /dev/shm mount comes from OCI spec. - c.ShmPath = "" - - case ipcMode.IsEmpty(): - // A container was created by an older version of the daemon. - // The default behavior used to be what is now called "shareable". - fallthrough - - case ipcMode.IsShareable(): - rootIDs := daemon.idMapping.RootPair() - if !c.HasMountFor("/dev/shm") { - shmPath, err := c.ShmResourcePath() - if err != nil { - return err - } - - if err := idtools.MkdirAllAndChown(shmPath, 0700, rootIDs); err != nil { - return err - } - - shmproperty := "mode=1777,size=" + strconv.FormatInt(c.HostConfig.ShmSize, 10) - if err := unix.Mount("shm", shmPath, "tmpfs", uintptr(unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV), label.FormatMountLabel(shmproperty, c.GetMountLabel())); err != nil { - return fmt.Errorf("mounting shm tmpfs: %s", err) - } - if err := os.Chown(shmPath, rootIDs.UID, rootIDs.GID); err != nil { - return err - } - c.ShmPath = shmPath - } - - default: - return fmt.Errorf("invalid IPC mode: %v", ipcMode) - } - - return nil -} - -func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) { - if len(c.SecretReferences) == 0 && len(c.ConfigReferences) == 0 { - return nil - } - - if err := daemon.createSecretsDir(c); err != nil { - return err - } - defer func() { - if setupErr != nil { - daemon.cleanupSecretDir(c) - } - }() - - if c.DependencyStore == nil { - return fmt.Errorf("secret store is not initialized") - } - - // retrieve possible remapped range start for root UID, GID - rootIDs := daemon.idMapping.RootPair() - - for _, s := range c.SecretReferences { - // TODO (ehazlett): use type switch when more are supported - if s.File == nil { - logrus.Error("secret target type is not a file target") - continue - } - - // secrets are created in 
the SecretMountPath on the host, at a - // single level - fPath, err := c.SecretFilePath(*s) - if err != nil { - return errors.Wrap(err, "error getting secret file path") - } - if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil { - return errors.Wrap(err, "error creating secret mount path") - } - - logrus.WithFields(logrus.Fields{ - "name": s.File.Name, - "path": fPath, - }).Debug("injecting secret") - secret, err := c.DependencyStore.Secrets().Get(s.SecretID) - if err != nil { - return errors.Wrap(err, "unable to get secret from secret store") - } - if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil { - return errors.Wrap(err, "error injecting secret") - } - - uid, err := strconv.Atoi(s.File.UID) - if err != nil { - return err - } - gid, err := strconv.Atoi(s.File.GID) - if err != nil { - return err - } - - if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { - return errors.Wrap(err, "error setting ownership for secret") - } - if err := os.Chmod(fPath, s.File.Mode); err != nil { - return errors.Wrap(err, "error setting file mode for secret") - } - } - - for _, ref := range c.ConfigReferences { - // TODO (ehazlett): use type switch when more are supported - if ref.File == nil { - // Runtime configs are not mounted into the container, but they're - // a valid type of config so we should not error when we encounter - // one. 
- if ref.Runtime == nil { - logrus.Error("config target type is not a file or runtime target") - } - // However, in any case, this isn't a file config, so we have no - // further work to do - continue - } - - fPath, err := c.ConfigFilePath(*ref) - if err != nil { - return errors.Wrap(err, "error getting config file path for container") - } - if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil { - return errors.Wrap(err, "error creating config mount path") - } - - logrus.WithFields(logrus.Fields{ - "name": ref.File.Name, - "path": fPath, - }).Debug("injecting config") - config, err := c.DependencyStore.Configs().Get(ref.ConfigID) - if err != nil { - return errors.Wrap(err, "unable to get config from config store") - } - if err := ioutil.WriteFile(fPath, config.Spec.Data, ref.File.Mode); err != nil { - return errors.Wrap(err, "error injecting config") - } - - uid, err := strconv.Atoi(ref.File.UID) - if err != nil { - return err - } - gid, err := strconv.Atoi(ref.File.GID) - if err != nil { - return err - } - - if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil { - return errors.Wrap(err, "error setting ownership for config") - } - if err := os.Chmod(fPath, ref.File.Mode); err != nil { - return errors.Wrap(err, "error setting file mode for config") - } - } - - return daemon.remountSecretDir(c) -} - -// createSecretsDir is used to create a dir suitable for storing container secrets. 
-// In practice this is using a tmpfs mount and is used for both "configs" and "secrets" -func (daemon *Daemon) createSecretsDir(c *container.Container) error { - // retrieve possible remapped range start for root UID, GID - rootIDs := daemon.idMapping.RootPair() - dir, err := c.SecretMountPath() - if err != nil { - return errors.Wrap(err, "error getting container secrets dir") - } - - // create tmpfs - if err := idtools.MkdirAllAndChown(dir, 0700, rootIDs); err != nil { - return errors.Wrap(err, "error creating secret local mount path") - } - - tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID) - if err := mount.Mount("tmpfs", dir, "tmpfs", "nodev,nosuid,noexec,"+tmpfsOwnership); err != nil { - return errors.Wrap(err, "unable to setup secret mount") - } - return nil -} - -func (daemon *Daemon) remountSecretDir(c *container.Container) error { - dir, err := c.SecretMountPath() - if err != nil { - return errors.Wrap(err, "error getting container secrets path") - } - if err := label.Relabel(dir, c.MountLabel, false); err != nil { - logrus.WithError(err).WithField("dir", dir).Warn("Error while attempting to set selinux label") - } - rootIDs := daemon.idMapping.RootPair() - tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID) - - // remount secrets ro - if err := mount.Mount("tmpfs", dir, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil { - return errors.Wrap(err, "unable to remount dir as readonly") - } - - return nil -} - -func (daemon *Daemon) cleanupSecretDir(c *container.Container) { - dir, err := c.SecretMountPath() - if err != nil { - logrus.WithError(err).WithField("container", c.ID).Warn("error getting secrets mount path for container") - } - if err := mount.RecursiveUnmount(dir); err != nil { - logrus.WithField("dir", dir).WithError(err).Warn("Error while attempting to unmount dir, this may prevent removal of container.") - } - if err := os.RemoveAll(dir); err != nil && !os.IsNotExist(err) { - logrus.WithField("dir", 
dir).WithError(err).Error("Error removing dir.") - } -} - -func killProcessDirectly(cntr *container.Container) error { - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) - defer cancel() - - // Block until the container to stops or timeout. - status := <-cntr.Wait(ctx, container.WaitConditionNotRunning) - if status.Err() != nil { - // Ensure that we don't kill ourselves - if pid := cntr.GetPID(); pid != 0 { - logrus.Infof("Container %s failed to exit within 10 seconds of kill - trying direct SIGKILL", stringid.TruncateID(cntr.ID)) - if err := unix.Kill(pid, 9); err != nil { - if err != unix.ESRCH { - return err - } - e := errNoSuchProcess{pid, 9} - logrus.Debug(e) - return e - } - } - } - return nil -} - -func isLinkable(child *container.Container) bool { - // A container is linkable only if it belongs to the default network - _, ok := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()] - return ok -} - -func enableIPOnPredefinedNetwork() bool { - return false -} - -// serviceDiscoveryOnDefaultNetwork indicates if service discovery is supported on the default network -func serviceDiscoveryOnDefaultNetwork() bool { - return false -} - -func (daemon *Daemon) setupPathsAndSandboxOptions(container *container.Container, sboxOptions *[]libnetwork.SandboxOption) error { - var err error - - if container.HostConfig.NetworkMode.IsHost() { - // Point to the host files, so that will be copied into the container running in host mode - *sboxOptions = append(*sboxOptions, libnetwork.OptionOriginHostsPath("/etc/hosts")) - } - - // Copy the host's resolv.conf for the container (/etc/resolv.conf or /run/systemd/resolve/resolv.conf) - *sboxOptions = append(*sboxOptions, libnetwork.OptionOriginResolvConfPath(daemon.configStore.GetResolvConf())) - - container.HostsPath, err = container.GetRootResourcePath("hosts") - if err != nil { - return err - } - *sboxOptions = append(*sboxOptions, 
libnetwork.OptionHostsPath(container.HostsPath)) - - container.ResolvConfPath, err = container.GetRootResourcePath("resolv.conf") - if err != nil { - return err - } - *sboxOptions = append(*sboxOptions, libnetwork.OptionResolvConfPath(container.ResolvConfPath)) - return nil -} - -func (daemon *Daemon) initializeNetworkingPaths(container *container.Container, nc *container.Container) error { - container.HostnamePath = nc.HostnamePath - container.HostsPath = nc.HostsPath - container.ResolvConfPath = nc.ResolvConfPath - return nil -} - -func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error { - // get the root mount path so we can make it unbindable - p, err := c.MountsResourcePath("") - if err != nil { - return err - } - return idtools.MkdirAllAndChown(p, 0700, daemon.idMapping.RootPair()) -}
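
Review bot: The file removed here carries the build tag "// +build linux freebsd", so it already builds on FreeBSD, and the visible tail of the file added in its place (setupSecretDir through setupContainerMountsRoot) is line-for-line identical to what is deleted. If the intent is a rename or a build-tag change, consider doing that in a post-patch step or patching only the lines that differ. That way the port does not carry the same 415 lines twice, and later upstream changes to the secret, IPC and kill handling are easier to pick up on the next update.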

sysutils/docker-freebsd/files/patch-daemon_daemon__freebsd.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/daemon_freebsd.go.orig 2020-10-16 13:57:41 UTC +++ daemon/daemon_freebsd.go 
@@ -0,0 +1,139 @@ +package daemon // import "github.com/docker/docker/daemon" + +// based on daemon_linux + +import ( + "bufio" + "fmt" + "io" + "os" + "path/filepath" + "regexp" + "strings" + + "github.com/docker/docker/daemon/config" + "github.com/docker/docker/pkg/fileutils" + "github.com/docker/docker/pkg/mount" + "github.com/docker/libnetwork/resolvconf" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" +) + +func getPluginExecRoot(root string) string { + return filepath.Join(root, "plugins") +} + +func (daemon *Daemon) cleanupMountsByID(id string) error { + return nil +} + +func (daemon *Daemon) cleanupMountsFromReaderByID(reader io.Reader, id string, unmount func(target string) error) error { + if daemon.root == "" { + return nil + } + var errors []string + + regexps := getCleanPatterns(id) + sc := bufio.NewScanner(reader) + for sc.Scan() { + if fields := strings.Fields(sc.Text()); len(fields) >= 4 { + if mnt := fields[4]; strings.HasPrefix(mnt, daemon.root) { + for _, p := range regexps { + if p.MatchString(mnt) { + if err := unmount(mnt); err != nil { + logrus.Error(err) + errors = append(errors, err.Error()) + } + } + } + } + } + } + + if err := sc.Err(); err != nil { + return err + } + + if len(errors) > 0 { + return fmt.Errorf("Error cleaning up mounts:\n%v", strings.Join(errors, "\n")) + } + + logrus.Debugf("Cleaning up old mountid %v: done.", id) + return nil +} + +// cleanupMounts umounts used by container resources and the daemon root mount +func (daemon *Daemon) cleanupMounts() error { + if err := daemon.cleanupMountsByID(""); err != nil { + return err + } + + info, err := mount.GetMounts(mount.SingleEntryFilter(daemon.root)) + if err != nil { + return errors.Wrap(err, "error reading mount table for cleanup") + } + + if len(info) < 1 { + // no mount found, we're done here + return nil + } + + // `info.Root` here is the root mountpoint of the passed in path (`daemon.root`). 
+ // The ony cases that need to be cleaned up is when the daemon has performed a + // `mount --bind /daemon/root /daemon/root && mount --make-shared /daemon/root` + // This is only done when the daemon is started up and `/daemon/root` is not + // already on a shared mountpoint. + //if !shouldUnmountRoot(daemon.root, info[0]) { + // return nil + //} + + unmountFile := getUnmountOnShutdownPath(daemon.configStore) + if _, err := os.Stat(unmountFile); err != nil { + return nil + } + + logrus.WithField("mountpoint", daemon.root).Debug("unmounting daemon root") + if err := mount.Unmount(daemon.root); err != nil { + return err + } + return os.Remove(unmountFile) +} + +func getCleanPatterns(id string) (regexps []*regexp.Regexp) { + var patterns []string + if id == "" { + id = "[0-9a-f]{64}" + patterns = append(patterns, "containers/"+id+"/shm") + } + patterns = append(patterns, "aufs/mnt/"+id+"$", "overlay/"+id+"/merged$", "zfs/graph/"+id+"$") + for _, p := range patterns { + r, err := regexp.Compile(p) + if err == nil { + regexps = append(regexps, r) + } + } + return +} + +func getRealPath(path string) (string, error) { + return fileutils.ReadSymlinkedDirectory(path) +} + +//func shouldUnmountRoot(root string, info *mount.Info) bool { +// if !strings.HasSuffix(root, info.Root) { +// return false +// } +// return hasMountinfoOption(info.Optional, sharedPropagationOption) +//} + +// setupResolvConf sets the appropriate resolv.conf file if not specified +// When systemd-resolved is running the default /etc/resolv.conf points to +// localhost. In this case fetch the alternative config file that is in a +// different path so that containers can use it +// In all the other cases fallback to the default one +func setupResolvConf(config *config.Config) { + if config.ResolvConf != "" { + return + } + config.ResolvConf = resolvconf.Path() +}
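
Review bot: cleanupMountsFromReaderByID guards with len(fields) >= 4 but then reads fields[4], which panics with an index out of range on a line that has exactly four fields; the guard should be len(fields) >= 5. Nothing in this file calls the function, since cleanupMountsByID just returns nil, so it may be simpler to drop it until FreeBSD has a mount table reader to feed it. The comments on cleanupMounts and setupResolvConf still describe "mount --make-shared" and systemd-resolved, neither of which applies on FreeBSD. With the shouldUnmountRoot check commented out, cleanupMounts unmounts daemon.root whenever the unmount-on-shutdown file exists, and that deserves a comment of its own. getCleanPatterns also discards regexp.Compile errors silently; a log line there would help when a pattern is edited.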

sysutils/docker-freebsd/files/patch-daemon_daemon__linux.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/daemon_linux.go.orig 2020-09-04 14:54:51 UTC +++ daemon/daemon_linux.go @@ -145,3 +145,43 @@ func setupResolvConf(config *config.Config) { } config.ResolvConf = resolvconf.Path() } + +// setupDaemonProcess sets various settings for the daemon's process +func setupDaemonProcess(config *config.Config) error { + // setup the daemons oom_score_adj + return setupOOMScoreAdj(config.OOMScoreAdjust) +} + +func setupOOMScoreAdj(score int) error { + f, err := os.OpenFile("/proc/self/oom_score_adj", os.O_WRONLY, 0) + if err != nil { + return err + } + defer f.Close() + stringScore := strconv.Itoa(score) + _, err = f.WriteString(stringScore) + if os.IsPermission(err) { + // Setting oom_score_adj does not work in an + // unprivileged container. Ignore the error, but log + // it if we appear not to be in that situation. + if !rsystem.RunningInUserNS() { + logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore) + } + return nil + } + + return err +} + +func (daemon *Daemon) setupSeccompProfile() error { + if daemon.configStore.SeccompProfile != "" { + daemon.seccompProfilePath = daemon.configStore.SeccompProfile + b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile) + if err != nil { + return fmt.Errorf("opening seccomp profile (%s) failed: %v", daemon.configStore.SeccompProfile, err) + } + daemon.seccompProfile = b + } + return nil +} +
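
Review bot: The added setupOOMScoreAdj and setupSeccompProfile use strconv, ioutil and rsystem, but this patch consists of the single hunk at line 145 and leaves the import block of daemon_linux.go untouched; please check that those packages are already imported there, otherwise the file stops compiling. In setupOOMScoreAdj, a permission error on the write to /proc/self/oom_score_adj returns nil and is logged only at debug level, and only outside a user namespace, so a daemon that could not apply its OOM score gives no visible sign; a Warn would be more useful to operators. It would also help to state in the review why the FreeBSD port needs to change a file with a Linux-only name.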

sysutils/docker-freebsd/files/patch-daemon_daemon__unix.go

  • This file was added.
PropertyOld ValueNew Valuefbsd:nokeywordsnullyes
\ No newline at end of propertysvn:eol-stylenullnative
\ No newline at end of propertysvn:mime-typenulltext/plain
\ No newline at end of property
--- daemon/daemon_unix.go.orig 2020-10-23 18:37:16 UTC +++ daemon/daemon_unix.go @@ -29,7 +29,8 @@ import ( "github.com/docker/docker/pkg/containerfs" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/ioutils" - "github.com/docker/docker/pkg/mount" + + //"github.com/docker/docker/pkg/mount" "github.com/docker/docker/pkg/parsers" "github.com/docker/docker/pkg/parsers/kernel" "github.com/docker/docker/pkg/sysinfo" @@ -37,18 +38,18 @@ import ( volumemounts "github.com/docker/docker/volume/mounts" "github.com/docker/libnetwork" nwconfig "github.com/docker/libnetwork/config" - "github.com/docker/libnetwork/drivers/bridge" + "github.com/docker/libnetwork/drivers/freebsd/bridge" "github.com/docker/libnetwork/netlabel" "github.com/docker/libnetwork/netutils" "github.com/docker/libnetwork/options" lntypes "github.com/docker/libnetwork/types" - "github.com/opencontainers/runc/libcontainer/cgroups" + + // "github.com/opencontainers/runc/libcontainer/cgroups" rsystem "github.com/opencontainers/runc/libcontainer/system" "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" - "github.com/vishvananda/netlink" "golang.org/x/sys/unix" ) @@ -874,11 +875,11 @@ func (daemon *Daemon) initNetworkController(config *co } // Initialize default network on "host" - if n, _ := controller.NetworkByName("host"); n == nil { - if _, err := controller.NewNetwork("host", "host", "", libnetwork.NetworkOptionPersist(true)); err != nil { - return nil, fmt.Errorf("Error creating default \"host\" network: %v", err) - } - } + // if n, _ := controller.NetworkByName("host"); n == nil { + // if _, err := controller.NewNetwork("host", "host", "", libnetwork.NetworkOptionPersist(true)); err != nil { + // return nil, fmt.Errorf("Error creating default \"host\" network: %v", err) + // } + // } // Clear stale bridge network if n, err := controller.NetworkByName("bridge"); err == nil { 
@@ -1043,16 +1044,13 @@ func initBridgeDriver(controller libnetwork.NetworkCon if err != nil { return fmt.Errorf("Error creating default \"bridge\" network: %v", err) } + return nil } // Remove default bridge interface if present (--bridge=none use case) -func removeDefaultBridgeInterface() { - if lnk, err := netlink.LinkByName(bridge.DefaultBridgeName); err == nil { - if err := netlink.LinkDel(lnk); err != nil { - logrus.Warnf("Failed to remove bridge interface (%s): %v", bridge.DefaultBridgeName, err) - } - } +func removeDefaultBridgeInterface() error { + return fmt.Errorf("Bridge network driver not supported on FreeBSD (yet)") } func setupInitLayer(idMapping *idtools.IdentityMapping) func(containerfs.ContainerFS) error { 
@@ -1260,45 +1258,45 @@ func setupDaemonRoot(config *config.Config, rootDir st } func setupDaemonRootPropagation(cfg *config.Config) error { - rootParentMount, options, err := getSourceMount(cfg.Root) - if err != nil { - return errors.Wrap(err, "error getting daemon root's parent mount") - } + // rootParentMount, options, err := getSourceMount(cfg.Root) + // if err != nil { + // return errors.Wrap(err, "error getting daemon root's parent mount") + // } - var cleanupOldFile bool - cleanupFile := getUnmountOnShutdownPath(cfg) - defer func() { - if !cleanupOldFile { - return - } - if err := os.Remove(cleanupFile); err != nil && !os.IsNotExist(err) { - logrus.WithError(err).WithField("file", cleanupFile).Warn("could not clean up old root propagation unmount file") - } - }() + // var cleanupOldFile bool + // cleanupFile := getUnmountOnShutdownPath(cfg) + // defer func() { + // if !cleanupOldFile { + // return + // } + // if err := os.Remove(cleanupFile); err != nil && !os.IsNotExist(err) { + // logrus.WithError(err).WithField("file", cleanupFile).Warn("could not clean up old root propagation unmount file") + // } + // }() - if hasMountinfoOption(options, sharedPropagationOption, slavePropagationOption) { - cleanupOldFile = true - return nil - } + // if hasMountinfoOption(options, sharedPropagationOption, slavePropagationOption) { + // cleanupOldFile = true + // return nil + // } - if err := mount.MakeShared(cfg.Root); err != nil { - return errors.Wrap(err, "could not setup daemon root propagation to shared") - } + // if err := mount.MakeShared(cfg.Root); err != nil { + // return errors.Wrap(err, "could not setup daemon root propagation to shared") + // } - // check the case where this may have already been a mount to itself. - // If so then the daemon only performed a remount and should not try to unmount this later. - if rootParentMount == cfg.Root { - cleanupOldFile = true - return nil - } + // // check the case where this may have already been a mount to itself. 
+ // // If so then the daemon only performed a remount and should not try to unmount this later. + // if rootParentMount == cfg.Root { + // cleanupOldFile = true + // return nil + // } - if err := os.MkdirAll(filepath.Dir(cleanupFile), 0700); err != nil { - return errors.Wrap(err, "error creating dir to store mount cleanup file") - } + // if err := os.MkdirAll(filepath.Dir(cleanupFile), 0700); err != nil { + // return errors.Wrap(err, "error creating dir to store mount cleanup file") + // } - if err := ioutil.WriteFile(cleanupFile, nil, 0600); err != nil { - return errors.Wrap(err, "error writing file to signal mount cleanup on shutdown") - } + // if err := ioutil.WriteFile(cleanupFile, nil, 0600); err != nil { + // return errors.Wrap(err, "error writing file to signal mount cleanup on shutdown") + // } return nil } @@ -1387,7 +1385,7 @@ func (daemon *Daemon) stats(c *container.Container) (* if !c.IsRunning() { return nil, errNotRunning(c.ID) } - cs, err := daemon.containerd.Stats(context.Background(), c.ID) + _, err := daemon.containerd.Stats(context.Background(), c.ID) if err != nil { if strings.Contains(err.Error(), "container not found") { return nil, containerNotFound(c.ID) 
@@ -1395,97 +1393,97 @@ func (daemon *Daemon) stats(c *container.Container) (* return nil, err } s := &types.StatsJSON{} - s.Read = cs.Read - stats := cs.Metrics - if stats.Blkio != nil { - s.BlkioStats = types.BlkioStats{ - IoServiceBytesRecursive: copyBlkioEntry(stats.Blkio.IoServiceBytesRecursive), - IoServicedRecursive: copyBlkioEntry(stats.Blkio.IoServicedRecursive), - IoQueuedRecursive: copyBlkioEntry(stats.Blkio.IoQueuedRecursive), - IoServiceTimeRecursive: copyBlkioEntry(stats.Blkio.IoServiceTimeRecursive), - IoWaitTimeRecursive: copyBlkioEntry(stats.Blkio.IoWaitTimeRecursive), - IoMergedRecursive: copyBlkioEntry(stats.Blkio.IoMergedRecursive), - IoTimeRecursive: copyBlkioEntry(stats.Blkio.IoTimeRecursive), - SectorsRecursive: copyBlkioEntry(stats.Blkio.SectorsRecursive), - } - } - if stats.CPU != nil { - s.CPUStats = types.CPUStats{ - CPUUsage: types.CPUUsage{ - TotalUsage: stats.CPU.Usage.Total, - PercpuUsage: stats.CPU.Usage.PerCPU, - UsageInKernelmode: stats.CPU.Usage.Kernel, - UsageInUsermode: stats.CPU.Usage.User, - }, - ThrottlingData: types.ThrottlingData{ - Periods: stats.CPU.Throttling.Periods, - ThrottledPeriods: stats.CPU.Throttling.ThrottledPeriods, - ThrottledTime: stats.CPU.Throttling.ThrottledTime, - }, - } - } + // s.Read = cs.Read + // stats := cs.Metrics + // if stats.Blkio != nil { + // s.BlkioStats = types.BlkioStats{ + // IoServiceBytesRecursive: copyBlkioEntry(stats.Blkio.IoServiceBytesRecursive), + // IoServicedRecursive: copyBlkioEntry(stats.Blkio.IoServicedRecursive), + // IoQueuedRecursive: copyBlkioEntry(stats.Blkio.IoQueuedRecursive), + // IoServiceTimeRecursive: copyBlkioEntry(stats.Blkio.IoServiceTimeRecursive), + // IoWaitTimeRecursive: copyBlkioEntry(stats.Blkio.IoWaitTimeRecursive), + // IoMergedRecursive: copyBlkioEntry(stats.Blkio.IoMergedRecursive), + // IoTimeRecursive: copyBlkioEntry(stats.Blkio.IoTimeRecursive), + // SectorsRecursive: copyBlkioEntry(stats.Blkio.SectorsRecursive), + // } + // } + // if stats.CPU != nil 
{ + // s.CPUStats = types.CPUStats{ + // CPUUsage: types.CPUUsage{ + // TotalUsage: stats.CPU.Usage.Total, + // PercpuUsage: stats.CPU.Usage.PerCPU, + // UsageInKernelmode: stats.CPU.Usage.Kernel, + // UsageInUsermode: stats.CPU.Usage.User, + // }, + // ThrottlingData: types.ThrottlingData{ + // Periods: stats.CPU.Throttling.Periods, + // ThrottledPeriods: stats.CPU.Throttling.ThrottledPeriods, + // ThrottledTime: stats.CPU.Throttling.ThrottledTime, + // }, + // } + // } - if stats.Memory != nil { - raw := make(map[string]uint64) - raw["cache"] = stats.Memory.Cache - raw["rss"] = stats.Memory.RSS - raw["rss_huge"] = stats.Memory.RSSHuge - raw["mapped_file"] = stats.Memory.MappedFile - raw["dirty"] = stats.Memory.Dirty - raw["writeback"] = stats.Memory.Writeback - raw["pgpgin"] = stats.Memory.PgPgIn - raw["pgpgout"] = stats.Memory.PgPgOut - raw["pgfault"] = stats.Memory.PgFault - raw["pgmajfault"] = stats.Memory.PgMajFault - raw["inactive_anon"] = stats.Memory.InactiveAnon - raw["active_anon"] = stats.Memory.ActiveAnon - raw["inactive_file"] = stats.Memory.InactiveFile - raw["active_file"] = stats.Memory.ActiveFile - raw["unevictable"] = stats.Memory.Unevictable - raw["hierarchical_memory_limit"] = stats.Memory.HierarchicalMemoryLimit - raw["hierarchical_memsw_limit"] = stats.Memory.HierarchicalSwapLimit - raw["total_cache"] = stats.Memory.TotalCache - raw["total_rss"] = stats.Memory.TotalRSS - raw["total_rss_huge"] = stats.Memory.TotalRSSHuge - raw["total_mapped_file"] = stats.Memory.TotalMappedFile - raw["total_dirty"] = stats.Memory.TotalDirty - raw["total_writeback"] = stats.Memory.TotalWriteback - raw["total_pgpgin"] = stats.Memory.TotalPgPgIn - raw["total_pgpgout"] = stats.Memory.TotalPgPgOut - raw["total_pgfault"] = stats.Memory.TotalPgFault - raw["total_pgmajfault"] = stats.Memory.TotalPgMajFault - raw["total_inactive_anon"] = stats.Memory.TotalInactiveAnon - raw["total_active_anon"] = stats.Memory.TotalActiveAnon - raw["total_inactive_file"] = 
stats.Memory.TotalInactiveFile - raw["total_active_file"] = stats.Memory.TotalActiveFile - raw["total_unevictable"] = stats.Memory.TotalUnevictable + // if stats.Memory != nil { + // raw := make(map[string]uint64) + // raw["cache"] = stats.Memory.Cache + // raw["rss"] = stats.Memory.RSS + // raw["rss_huge"] = stats.Memory.RSSHuge + // raw["mapped_file"] = stats.Memory.MappedFile + // raw["dirty"] = stats.Memory.Dirty + // raw["writeback"] = stats.Memory.Writeback + // raw["pgpgin"] = stats.Memory.PgPgIn + // raw["pgpgout"] = stats.Memory.PgPgOut + // raw["pgfault"] = stats.Memory.PgFault + // raw["pgmajfault"] = stats.Memory.PgMajFault + // raw["inactive_anon"] = stats.Memory.InactiveAnon + // raw["active_anon"] = stats.Memory.ActiveAnon + // raw["inactive_file"] = stats.Memory.InactiveFile + // raw["active_file"] = stats.Memory.ActiveFile + // raw["unevictable"] = stats.Memory.Unevictable + // raw["hierarchical_memory_limit"] = stats.Memory.HierarchicalMemoryLimit + // raw["hierarchical_memsw_limit"] = stats.Memory.HierarchicalSwapLimit + // raw["total_cache"] = stats.Memory.TotalCache + // raw["total_rss"] = stats.Memory.TotalRSS + // raw["total_rss_huge"] = stats.Memory.TotalRSSHuge + // raw["total_mapped_file"] = stats.Memory.TotalMappedFile + // raw["total_dirty"] = stats.Memory.TotalDirty + // raw["total_writeback"] = stats.Memory.TotalWriteback + // raw["total_pgpgin"] = stats.Memory.TotalPgPgIn + // raw["total_pgpgout"] = stats.Memory.TotalPgPgOut + // raw["total_pgfault"] = stats.Memory.TotalPgFault + // raw["total_pgmajfault"] = stats.Memory.TotalPgMajFault + // raw["total_inactive_anon"] = stats.Memory.TotalInactiveAnon + // raw["total_active_anon"] = stats.Memory.TotalActiveAnon + // raw["total_inactive_file"] = stats.Memory.TotalInactiveFile + // raw["total_active_file"] = stats.Memory.TotalActiveFile + // raw["total_unevictable"] = stats.Memory.TotalUnevictable - if stats.Memory.Usage != nil { - s.MemoryStats = types.MemoryStats{ - Stats: raw, - 
Usage: stats.Memory.Usage.Usage, - MaxUsage: stats.Memory.Usage.Max, - Limit: stats.Memory.Usage.Limit, - Failcnt: stats.Memory.Usage.Failcnt, - } - } else { - s.MemoryStats = types.MemoryStats{ - Stats: raw, - } - } + // if stats.Memory.Usage != nil { + // s.MemoryStats = types.MemoryStats{ + // Stats: raw, + // Usage: stats.Memory.Usage.Usage, + // MaxUsage: stats.Memory.Usage.Max, + // Limit: stats.Memory.Usage.Limit, + // Failcnt: stats.Memory.Usage.Failcnt, + // } + // } else { + // s.MemoryStats = types.MemoryStats{ + // Stats: raw, + // } + // } - // if the container does not set memory limit, use the machineMemory - if s.MemoryStats.Limit > daemon.machineMemory && daemon.machineMemory > 0 { - s.MemoryStats.Limit = daemon.machineMemory - } - } + // // if the container does not set memory limit, use the machineMemory + // if s.MemoryStats.Limit > daemon.machineMemory && daemon.machineMemory > 0 { + // s.MemoryStats.Limit = daemon.machineMemory + // } + // } - if stats.Pids != nil { - s.PidsStats = types.PidsStats{ - Current: stats.Pids.Current, - Limit: stats.Pids.Limit, - } - } + // if stats.Pids != nil { + // s.PidsStats = types.PidsStats{ + // Current: stats.Pids.Current, + // Limit: stats.Pids.Limit, + // } + // } return s, nil } @@ -1538,24 +1536,7 @@ func setMayDetachMounts() error { } func setupOOMScoreAdj(score int) error { - f, err := os.OpenFile("/proc/self/oom_score_adj", os.O_WRONLY, 0) - if err != nil { - return err - } - defer f.Close() - stringScore := strconv.Itoa(score) - _, err = f.WriteString(stringScore) - if os.IsPermission(err) { - // Setting oom_score_adj does not work in an - // unprivileged container. Ignore the error, but log - // it if we appear not to be in that situation. - if !rsystem.RunningInUserNS() { - logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore) - } - return nil - } - - return err + return nil } func (daemon *Daemon) initCgroupsPath(path string) error { 
@@ -1571,7 +1552,10 @@ func (daemon *Daemon) initCgroupsPath(path string) err // for the period and runtime as this limits what the children can be set to. daemon.initCgroupsPath(filepath.Dir(path)) - mnt, root, err := cgroups.FindCgroupMountpointAndRoot("", "cpu") + mnt := "" + root := "" + var err error = nil + //mnt, root, err := cgroups.FindCgroupMountpointAndRoot("", "cpu") if err != nil { return err }
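Review bot: In the `stats` hunk (@@ -1395), commenting out the whole body makes the function return an empty `types.StatsJSON` with a nil error, so a caller cannot tell "stats are not available on FreeBSD" from a container that really reports zero CPU, memory and PIDs, and `s.Read` stays at its zero value. Return an explicit not-supported error or fill in what FreeBSD can supply, and delete the commented-out lines instead of carrying them as dead code in the port patch.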
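Review bot: In the `setupOOMScoreAdj` hunk (@@ -1538), the function now discards `score` and returns nil, so a configured OOM score adjustment is silently ignored. A stub is reasonable where `/proc/self/oom_score_adj` does not exist, but add a comment saying why it is a no-op and log or return an error when `score != 0`. The removed lines were the visible users of `strconv` and `rsystem`, so check that both imports are still used elsewhere in the file.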
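Review bot: In the `initCgroupsPath` hunk (@@ -1571), `mnt` and `root` are hard-coded to `""` and `err` to nil, which makes the `if err != nil` check right after them dead and lets the rest of the function run with an empty mount point and root. An early `return nil` at the top of the function, with a comment that there is no cgroup hierarchy to initialise on FreeBSD, states the intent better than `var err error = nil` next to a commented-out `cgroups.FindCgroupMountpointAndRoot` call.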

sysutils/docker-freebsd/files/patch-daemon_exec__freebsd.go

  • This file was added.
Property | Old Value | New Value
fbsd:nokeywords | null | yes
\ No newline at end of property
svn:eol-style | null | native
\ No newline at end of property
svn:mime-type | null | text/plain
\ No newline at end of property
--- daemon/exec_freebsd.go.orig 2020-09-18 09:01:00 UTC +++ daemon/exec_freebsd.go @@ -0,0 +1,11 @@ +package daemon + +import ( + "github.com/docker/docker/container" + "github.com/docker/docker/daemon/exec" + specs "github.com/opencontainers/runtime-spec/specs-go" +) + +func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error { + return nil +}
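Review bot: `execSetPlatformOpt` returns nil without reading `ec` or writing to `p`, so nothing the exec request carries is applied to the process spec. `exec.Config` has `User` and `Privileged` fields (both are read in `inspectExecProcessConfig` in daemon/inspect_freebsd.go in this same revision), and an exec that sets either would appear to succeed while the setting is dropped. Until this is implemented, return an error when `ec.User != ""` or `ec.Privileged` is set, or at minimum add a comment stating that they are ignored on FreeBSD.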

sysutils/docker-freebsd/files/patch-daemon_graphdriver_driver__freebsd.go

  • This file was added.
Property | Old Value | New Value
fbsd:nokeywords | null | yes
\ No newline at end of property
svn:eol-style | null | native
\ No newline at end of property
svn:mime-type | null | text/plain
\ No newline at end of property

Fix build error on FreeBSD:

daemon/graphdriver/driver_freebsd.go:17:38: cannot use &buf (type *unix.Statfs_t) as type *syscall.Statfs_t in argument to syscall.Statfs

--- daemon/graphdriver/driver_freebsd.go.orig 2019-02-26 00:29:56 UTC +++ daemon/graphdriver/driver_freebsd.go @@ -1,8 +1,7 @@ package graphdriver // import "github.com/docker/docker/daemon/graphdriver" import ( - "syscall" - + "github.com/docker/docker/pkg/mount" "golang.org/x/sys/unix" ) @@ -11,10 +10,49 @@ var ( priority = "zfs" ) +// GetFSMagic returns the filesystem id given the path. +func GetFSMagic(rootpath string) (FsMagic, error) { + var buf unix.Statfs_t + if err := unix.Statfs(rootpath, &buf); err != nil { + return 0, err + } + return FsMagic(buf.Type), nil +} + +// NewFsChecker returns a checker configured for the provided FsMagic +func NewFsChecker(t FsMagic) Checker { + return &fsChecker{ + t: t, + } +} + +type fsChecker struct { + t FsMagic +} + +func (c *fsChecker) IsMounted(path string) bool { + m, _ := Mounted(c.t, path) + return m +} + +// NewDefaultChecker returns a check that parses /proc/mountinfo to check +// if the specified path is mounted. +func NewDefaultChecker() Checker { + return &defaultChecker{} +} + +type defaultChecker struct { +} + +func (c *defaultChecker) IsMounted(path string) bool { + m, _ := mount.Mounted(path) + return m +} + // Mounted checks if the given path is mounted as the fs type func Mounted(fsType FsMagic, mountPath string) (bool, error) { var buf unix.Statfs_t - if err := syscall.Statfs(mountPath, &buf); err != nil { + if err := unix.Statfs(mountPath, &buf); err != nil { return false, err } return FsMagic(buf.Type) == fsType, nil
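Review bot: In the second hunk (@@ -11,10), both `IsMounted` implementations drop the error (`m, _ := Mounted(c.t, path)` and `m, _ := mount.Mounted(path)`), so a failed `Statfs` or mount lookup is reported as "not mounted" and callers cannot tell the two cases apart; log the error at least. The comment on `NewDefaultChecker` says it parses /proc/mountinfo, which does not describe a FreeBSD build; reword it to say what `mount.Mounted` does on this platform.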

sysutils/docker-freebsd/files/patch-daemon_graphdriver_zfs_zfs.go

  • This file was added.
Property | Old Value | New Value
fbsd:nokeywords | null | yes
\ No newline at end of property
svn:eol-style | null | native
\ No newline at end of property
svn:mime-type | null | text/plain
\ No newline at end of property
--- daemon/graphdriver/zfs/zfs.go.orig 2019-10-07 21:12:15 UTC +++ daemon/graphdriver/zfs/zfs.go @@ -414,7 +414,7 @@ func (d *Driver) Put(id string) error { logger.Debugf(`unmount("%s")`, mountpoint) - if err := unix.Unmount(mountpoint, unix.MNT_DETACH); err != nil { + if err := unix.Unmount(mountpoint, 0); err != nil { logger.Warnf("Failed to unmount %s mount %s: %v", id, mountpoint, err) } if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) {
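Review bot: Replacing `unix.MNT_DETACH` with `0` in `Put` turns the lazy unmount into a plain one, which can fail while the mountpoint is still busy; that failure is only logged with `logger.Warnf` and the code goes straight on to `unix.Rmdir(mountpoint)`. If the reason for the change is that `MNT_DETACH` is not available on FreeBSD, say so in a comment, and consider returning the unmount error instead of continuing, so a layer that is still mounted is not left behind with only a warning.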

sysutils/docker-freebsd/files/patch-daemon_inspect.go

  • This file was added.
Property | Old Value | New Value
fbsd:nokeywords | null | yes
\ No newline at end of property
svn:eol-style | null | native
\ No newline at end of property
svn:mime-type | null | text/plain
\ No newline at end of property
--- daemon/inspect.go.orig 2019-10-07 21:12:15 UTC +++ daemon/inspect.go @@ -22,7 +22,7 @@ import ( func (daemon *Daemon) ContainerInspect(name string, size bool, version string) (interface{}, error) { switch { case versions.LessThan(version, "1.20"): - return daemon.containerInspectPre120(name) + return nil, errors.New("Port pre-1.20 not supported on freeBSD") case versions.Equal(version, "1.20"): return daemon.containerInspect120(name) } @@ -135,7 +135,7 @@ func (daemon *Daemon) getInspectData(container *contai } // We merge the Ulimits from hostConfig with daemon default - daemon.mergeUlimits(&hostConfig) + // daemon.mergeUlimits(&hostConfig) var containerHealth *types.Health if container.State.Health != nil {
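Review bot: In the first hunk (@@ -22,7), the new error string `"Port pre-1.20 not supported on freeBSD"` should start lower-case per Go convention, spell the name FreeBSD, and say what is unsupported, for example "inspect for API versions before 1.20 is not supported on FreeBSD". The hunk adds a use of `errors.New` but no import, so confirm the file already imports `errors`.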
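Review bot: In the second hunk (@@ -135,7), commenting out `daemon.mergeUlimits(&hostConfig)` leaves the line above it ("We merge the Ulimits from hostConfig with daemon default") describing something that no longer happens, and the inspect data will no longer include the daemon default ulimits. Prefer a FreeBSD `mergeUlimits` stub in a `_freebsd.go` file so this shared file does not need patching, or remove the call and its comment together.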

sysutils/docker-freebsd/files/patch-daemon_inspect__freebsd.go

  • This file was added.
Property | Old Value | New Value
fbsd:nokeywords | null | yes
\ No newline at end of property
svn:eol-style | null | native
\ No newline at end of property
svn:mime-type | null | text/plain
\ No newline at end of property
--- daemon/inspect_freebsd.go.orig 2020-09-04 09:13:42 UTC +++ daemon/inspect_freebsd.go 
@@ -0,0 +1,73 @@ +package daemon // import "github.com/docker/docker/daemon" + +import ( + "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/backend" + "github.com/docker/docker/api/types/versions/v1p19" + "github.com/docker/docker/container" + "github.com/docker/docker/daemon/exec" +) + +// This sets platform-specific fields +func setPlatformSpecificContainerFields(container *container.Container, contJSONBase *types.ContainerJSONBase) *types.ContainerJSONBase { + contJSONBase.AppArmorProfile = container.AppArmorProfile + contJSONBase.ResolvConfPath = container.ResolvConfPath + contJSONBase.HostnamePath = container.HostnamePath + contJSONBase.HostsPath = container.HostsPath + + return contJSONBase +} + +// containerInspectPre120 gets containers for pre 1.20 APIs. +func (daemon *Daemon) containerInspectPre120(name string) (*v1p19.ContainerJSON, error) { + container, err := daemon.GetContainer(name) + if err != nil { + return nil, err + } + + container.Lock() + defer container.Unlock() + + base, err := daemon.getInspectData(container) + if err != nil { + return nil, err + } + + volumes := make(map[string]string) + volumesRW := make(map[string]bool) + for _, m := range container.MountPoints { + volumes[m.Destination] = m.Path() + volumesRW[m.Destination] = m.RW + } + + config := &v1p19.ContainerConfig{ + Config: container.Config, + MacAddress: container.Config.MacAddress, + NetworkDisabled: container.Config.NetworkDisabled, + ExposedPorts: container.Config.ExposedPorts, + VolumeDriver: container.HostConfig.VolumeDriver, + Memory: container.HostConfig.Memory, + MemorySwap: container.HostConfig.MemorySwap, + CPUShares: container.HostConfig.CPUShares, + CPUSet: container.HostConfig.CpusetCpus, + } + networkSettings := daemon.getBackwardsCompatibleNetworkSettings(container.NetworkSettings) + + return &v1p19.ContainerJSON{ + ContainerJSONBase: base, + Volumes: volumes, + VolumesRW: volumesRW, + Config: config, + NetworkSettings: networkSettings, + 
}, nil +} + +func inspectExecProcessConfig(e *exec.Config) *backend.ExecProcessConfig { + return &backend.ExecProcessConfig{ + Tty: e.Tty, + Entrypoint: e.Entrypoint, + Arguments: e.Args, + Privileged: &e.Privileged, + User: e.User, + } +}
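Review bot: `containerInspectPre120` is added here, but the patch to daemon/inspect.go in this revision replaces its call in `ContainerInspect` with an error return, so the two patches disagree: either keep the call in inspect.go or drop this function and the `v1p19` import. `setPlatformSpecificContainerFields` also copies `container.AppArmorProfile`, which is a Linux-only concept; leave it out or comment that it is expected to be empty on FreeBSD.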

sysutils/docker-freebsd/files/patch-daemon_listeners_listeners__freebsd.go
sysutils/docker-freebsd/files/patch-daemon_monitor__freebsd.go
sysutils/docker-freebsd/files/patch-daemon_network.go
sysutils/docker-freebsd/files/patch-daemon_oci__freebsd.go
sysutils/docker-freebsd/files/patch-daemon_stats_collector__unix.go
sysutils/docker-freebsd/files/patch-daemon_update__freebsd.go
sysutils/docker-freebsd/files/patch-daemon_volumes__freebsd.go
sysutils/docker-freebsd/files/patch-hack_make.sh
sysutils/docker-freebsd/files/patch-libcontainerd_libcontainerd__freebsd.go
sysutils/docker-freebsd/files/patch-libcontainerd_oom__unix.go
sysutils/docker-freebsd/files/patch-libcontainerd_remote_client__freebsd.go
sysutils/docker-freebsd/files/patch-libcontainerd_supervisor_remote__daemon__freebsd.go
sysutils/docker-freebsd/files/patch-libcontainerd_supervisor_remote__daemon__options__freebsd.go
sysutils/docker-freebsd/files/patch-libcontainerd_supervisor_utils__freebsd.go
sysutils/docker-freebsd/files/patch-libcontainerd_types_types__freebsd.go
sysutils/docker-freebsd/files/patch-libcontainerd_utils__unix.go
sysutils/docker-freebsd/files/patch-pkg_archive_archive__unix.go
sysutils/docker-freebsd/files/patch-pkg_archive_changes__unix.go
sysutils/docker-freebsd/files/patch-pkg_mount_mountinfo__freebsd.go
sysutils/docker-freebsd/files/patch-pkg_mount_sharedsubtree__freebsd.go
sysutils/docker-freebsd/files/patch-pkg_parsers_operatingsystem_operatingsystem__freebsd.go
sysutils/docker-freebsd/files/patch-pkg_parsers_operatingsystem_operatingsystem__unix.go
sysutils/docker-freebsd/files/patch-pkg_system_meminfo__unsupported.go
sysutils/docker-freebsd/files/patch-pkg_system_mknod.go
sysutils/docker-freebsd/files/patch-plugin_manager__freebsd.go
sysutils/docker-freebsd/files/patch-runconfig_config.go
sysutils/docker-freebsd/files/patch-runconfig_hostconfig.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_cgroups_memory.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_containerd_archive_tar__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_containerd_runtime_v1_linux_bundle.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_containerd_runtime_v1_linux_process.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_containerd_runtime_v1_linux_runtime.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_containerd_runtime_v1_linux_task.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_continuity_devices_devices__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_containerd_continuity_fs_copy__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_bridge.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_bridge__store.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_interface.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_link.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_port__mapping.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__bridgenetfiltering.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__device.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__firewalld.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__ip__tables.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__ipv4.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__ipv6.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_bridge_setup__verify.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_freebsd_bridge_bridge.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_freebsd_bridge_bridge__store.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_freebsd_bridge_errors.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_drivers_freebsd_bridge_port__mapping.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_iptables_conntrack.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_netutils_utils__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_ns_init__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_ns_init__unspecified.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_portmapper_mapper__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_portmapper_proxy__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_portmapper_proxy__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_resolver__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_resolver__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_service__common.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_service__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_libnetwork_service__unsupported.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_swarmkit_manager_allocator_cnmallocator_drivers__unsupported.go
sysutils/docker-freebsd/files/patch-vendor_github.com_docker_swarmkit_node_node.go
sysutils/docker-freebsd/files/patch-vendor_github.com_godbus_dbus_transport__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_executor_oci_spec__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_executor_runcexecutor_executor.go
sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_snapshot_localmounter__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_snapshot_localmounter__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_moby_buildkit_util_entitlements_security__freebsd.go
sysutils/docker-freebsd/files/patch-vendor_github.com_tonistiigi_fsutil_copy_copy__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_tonistiigi_fsutil_diskwriter__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_tonistiigi_fsutil_stat__unix.go
sysutils/docker-freebsd/files/patch-vendor_github.com_vishvananda_netlink_filter.go
sysutils/docker-freebsd/files/patch-vendor_github.com_vishvananda_netlink_handle__unspecified.go
sysutils/docker-freebsd/pkg-descr
sysutils/docker-freebsd/pkg-message