113 Commits

Author SHA1 Message Date
Thomas Perale 9abaa88df9 package/docker-engine: update CPE
While `docker:docker` is not marked as deprecated by NVD, after a
scan through the CVEs the last entry for `docker:docker`
is CVE-2022-34883 [1]. Replacing this tuple with `mobyproject:moby` that
is referenced in the upstream project GHSA [2]. The last entry for this
CPE is CVE-2025-54410 [3].

Note: Quoting [4], "Moby is an open framework created by Docker to
assemble specialized container systems without reinventing the wheel".
The old github URL [5] redirects to [6].

[1] https://nvd.nist.gov//vuln/detail/CVE-2023-5166
[2] https://github.com/moby/moby/security/advisories
[3] https://nvd.nist.gov//vuln/detail/CVE-2025-54410
[4] https://mobyproject.org/
[5] https://github.com/docker/docker
[6] https://github.com/moby/moby

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add the note about the Moby project]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2026-02-03 14:42:48 +01:00
Fiona Klute (WIWA) b07b0bb456 package/docker-engine: depend on cgroup v2 and kernel >=5.2 without systemd
Without systemd package/docker-engine requires another way to mount
/sys/fs/cgroup, so far provided by BR2_PACKAGE_CGROUPFS_MOUNT for
cgroup v1. Replace this with BR2_PACKAGE_CGROUPFS_V2_MOUNT for cgroup
v2 support. 5.2 is the minimum recommended version for cgroup v2
support according to the Docker documentation: "v4.15 or later (v5.2
or later is recommended)" [1].

Depending on the selected container runtime users may need to adjust
kernel configurations to enable options required by that runtime with
cgroup v2 (e.g. CONFIG_CGROUP_BPF for runc).

Propagate dependencies accordingly: The Docker btrfs filesystem driver
does not need a separate and lower minimum headers version,
package/mender-update-modules needs to apply the new "depends on".

[1] https://docs.docker.com/engine/containers/runmetrics/#running-docker-on-cgroup-v2

Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
2025-09-10 22:26:52 +02:00
Yann E. MORIN eb007fe2db package: drop default _INSTALL_BINS in golang-package
Now that the pkg-golang infra automatically sets _INSTALL_BINS by
default to the list of notdir of _BUILD_TARGETS, there is no need to do
that in packages anymore.

Most packages were already using the notdir construct, so those are
trivially fixed; a few had a hard-coded list that matched the built
targets list, so they too are trivially fixed.

host-mender-artifact was slightly different, in that it explicitly set
the _BIN_NAME to mender-artifact, which happens to be the default; it
also set _INSTALL_BINS to _BIN_NAME, so again using the default. This
package can also be fixed easily.

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Cc: Christian Stewart <christian@aperture.us>
Cc: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
2025-09-10 13:08:53 +02:00
Yann E. MORIN c5fe7e9639 package/docker-engine: bump to version 28.3.2
For release notes since version 27.5.1, see:
https://github.com/moby/moby/releases

Since version 28.0.0, docker-engine requires the RAW netfilter table, so
enable that as part of the kernel fixups.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Christian Stewart <christian@aperture.us>
[Julien: add link to release notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-07-15 23:50:31 +02:00
Yann E. MORIN 022f49618c package/docker-engine: add option to support catatonit as init
Currently, docker-engine can only use tini as injected init. catatonit
as a package exists, but it does not create the symlink that would be
needed at runtime [0].

Add a choice at the docker-engine level, for which injected init to use,
bringing catatonit to the integration level of tini.

[0] that could be done in a post-build script, but that's not practical.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Christian Stewart <christian@aperture.us>
Cc: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Tested-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Julien: move the legacy option to a new 2025.05 section]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-03-15 21:45:31 +01:00
Yann E. MORIN cb97f6a9b3 package/docker-engine: carry the tini init symlink
tini can be used standalone, not just as an init injected by docker.
As such, creating the docker-engine's init symlink does not belong to
tini itself, but to docker-engine.

This will also help later, when we allow docker-engine to use another
init alternative, catatonit (already packaged in Buildroot, but not
integrated with docker).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Christian Stewart <christian@aperture.us>
Cc: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Tested-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-03-15 20:45:57 +01:00
Christian Stewart 2c69075560 package/docker-engine: bump version to v27.5.1
https://github.com/moby/moby/releases/tag/v27.5.1

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2025-01-31 22:20:22 +01:00
Christian Stewart 0f64958d66 package/docker-engine: bump version to v27.3.1
This is a major version bump to v27.

https://github.com/moby/moby/releases/tag/v27.3.1

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-10-26 15:33:33 +02:00
Fiona Klute (WIWA) 914be51ef0 package/docker-engine: add optional dependency on tini
To provide an init process for containers if requested e.g. with
"docker run --init", Docker relies on tini to provide the init
binary. package/tini already provides the required
/usr/libexec/docker/docker-init symlink, the new option just selects
tini if enabled to prevent confusion over why docker-init is missing.

Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-10-10 23:39:39 +02:00
Fiona Klute (WIWA) 65c8e4c651 package/docker-engine: add wrapper script for logging to syslog
Dockerd logs only to stdout/stderr [1], which is lost with
--background. The upstream SysV init script [2] logs to a file by
passing --no-close to start-stop-daemon and redirecting the output,
but that option is not supported by Busybox' start-stop-daemon.

The wrapper script added with this commit captures the output of
dockerd (or whatever other command it is given) and forwards each line
to syslog.

[1] https://github.com/moby/moby/discussions/48260
[2] https://github.com/moby/moby/blob/50c3d19179e69f9e7ff01f688c4dbf32c5129ced/contrib/init/sysvinit-debian/docker

Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-08-15 14:53:28 +02:00
Fiona Klute (WIWA) ef5947774f package/docker-engine: rewrite dockerd init script
This brings the dockerd init script in line with the standard
Buildroot init script pattern.

Reload using SIGHUP is also supported now; note that the Docker
documentation cautions that not all parameters can be changed at
runtime (without a full restart).

Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-08-15 14:53:25 +02:00
Christian Stewart 46ce225376 package/docker-engine: bump version to v27.0.3
https://github.com/moby/moby/releases/tag/v27.0.3

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2024-07-22 18:01:26 +02:00
Christian Stewart 50e1be79da package/docker-engine: bump version to v27.0.2
https://github.com/moby/moby/releases/tag/v27.0.2

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-06-30 16:38:06 +02:00
Thomas Perale 58a291470a package/pkg-golang: select BR2_PACKAGE_HOST_GO
Makes every package built by the Go compiler select a new variable
introduced in this patch: BR2_PACKAGE_HOST_GO.
In later commits Go compiler variants will be introduced (built from
source, pre-built binaries) and selecting BR2_PACKAGE_HOST_GO will
force to add host-go provider to the dependency list.

The same pattern is used for Rust packages.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-06-01 17:08:22 +02:00
Yann E. MORIN de5ed80212 {boot, package}: update hashes for generated archives
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-05-09 22:45:11 +02:00
Yann E. MORIN d8000791e3 {boot, package}: update hashes of git, svn, go, and cargo archives
Replace all git and svn packages archive names in hash files:

    $ sed -r -i -e 's/-br2/-git3/; s/-br3/-svn4/' $(
        git grep -l -E -- '-br2|-br3' '*.hash'
    )

    $ sed -r -i -e 's/(\.tar\.gz)$/-go1\1/' $(
        git grep -l -E '\$\(eval \$\((host-)?golang-package\)\)' '*.mk' \
        |sed -r -e 's/\.mk$/.hash/' \
        |sort -u
    )

    $ sed -r -i -e 's/(\.tar\.gz)$/-cargo1\1/' $(
        git grep -l -E '\$\(eval \$\((host-)?cargo-package\)\)' '*.mk' \
        |sed -r -e 's/\.mk$/.hash/' \
        |sort -u
    )

Then a bit of make source (based on: git diff --name-only), a lot of
sweat, and carefully checking the new archives to verify that only
modes have changed...

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-05-09 22:45:02 +02:00
Peter Korsgaard 8e37a887e6 package/docker-engine: security bump to version 26.0.2
Fixes the following security issues:

CVE-2024-32473: Ensure IPv6 is disabled on interfaces only allocated an IPv4
address by the engine

https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-04-29 14:00:50 +02:00
Christian Stewart 1c178b6892 package/docker-engine: security bump to version v26.0.0
Update to the latest major release of docker-engine.

Fixes CVE-2024-29018: potential data exfiltration from 'internal'
networks via authoritative DNS servers. Do not forward requests to
external DNS servers for a container that is only connected to an
'internal' network.

https://github.com/moby/moby/releases/tag/v26.0.0

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-04-01 14:19:17 +02:00
Fabrice Fontaine e30b38f1c5 package/docker-engine: fix btrfs handling
btrfs doesn't depend on btrfs-progs but on headers >= 4.12 since bump to
version 24.0.2 in commit 314f62eda3 and
https://github.com/moby/moby/commit/3208dcabdc8997340b255f5b880fef4e3f54580d
resulting in the following build failure:

daemon/graphdriver/btrfs/btrfs.go:13:6: error: #error "Headers from kernel >= 4.12 are required to build with Btrfs support."
     #error "Headers from kernel >= 4.12 are required to build with Btrfs support."
      ^~~~~
daemon/graphdriver/btrfs/btrfs.go:14:6: error: #error "HINT: Set 'DOCKER_BUILDTAGS=exclude_graphdriver_btrfs' to build without Btrfs."
     #error "HINT: Set 'DOCKER_BUILDTAGS=exclude_graphdriver_btrfs' to build without Btrfs."
      ^~~~~
daemon/graphdriver/btrfs/btrfs.go:18:10: fatal error: linux/btrfs_tree.h: No such file or directory
 #include <linux/btrfs_tree.h>
          ^~~~~~~~~~~~~~~~~~~~

Fixes: 314f62eda3
 - http://autobuild.buildroot.org/results/7d07eba37149d341dc86f9742bd166de874dcd5e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-23 13:48:04 +01:00
Stefan Agner 2eff004fe6 package/docker-engine: drop experimental build flag
Since Docker v1.13.0 experimental only exists as a runtime flag. Drop
the config from buildroot as well.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-11-04 21:43:35 +01:00
Stefan Agner d2290e6141 package/docker-engine: bump version to v24.0.7
The overlay2 layers metadata are now written atomically. Many other
bugfixes and hardening against security issues around the power capping
framework.

https://github.com/moby/moby/releases/tag/v24.0.7

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-10-29 09:33:11 +01:00
Stefan Agner 4e80116562 package/docker-engine: bump version to v24.0.6
Bug fixes in containerd storage backend and Docker itself and a single
new warning about old Docker image format deprecation.

https://github.com/moby/moby/releases/tag/v24.0.6

Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-09-08 12:00:58 +02:00
Christian Stewart a9cd24738a package/docker-engine: bump version to v24.0.5
Bug fixes & enhancements.

One major bug fix included in this release: The Go client now avoids using UNIX
socket paths in the HTTP Host: header, in order to be compatible with changes
introduced in go1.20.6.

Previously docker commands would fail with "invalid Host header."

This supersedes two other patches to back-port this fix to Buildroot:

https://patchwork.ozlabs.org/project/buildroot/patch/20230717041047.1510851-1-christian@aperture.us/
https://patchwork.ozlabs.org/project/buildroot/patch/20230717041047.1510851-2-christian@aperture.us/

https://github.com/moby/moby/releases/tag/v24.0.5

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-28 21:16:58 +02:00
Christian Stewart 95204c41b4 package/docker-engine: bump version to v24.0.4
https://github.com/moby/moby/releases/tag/v24.0.4

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-12 21:50:17 +02:00
Christian Stewart 314f62eda3 package/docker-engine: bump version to v24.0.2
v24.0.0 release notes:

https://github.com/moby/moby/releases/tag/v24.0.0
https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.0

v24.0.1 patch release notes:

https://github.com/moby/moby/releases/tag/v24.0.1
https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.1

v24.0.2 patch release notes:

https://github.com/moby/moby/releases/tag/v24.0.2
https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A24.0.2

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-07-12 00:01:57 +02:00
Christian Stewart 341dfc305b package/docker-engine: bump version to 23.0.5
https://github.com/moby/moby/releases/tag/v23.0.5

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-05-06 18:01:30 +02:00
Stefan Agner 238d494687 package/docker-engine: security bump version to v23.0.3
Fixed a number of issues that can cause Swarm encrypted overlay networks
to fail to uphold their guarantees, addressing CVE-2023-28841,
CVE-2023-28840, and CVE-2023-28842.

https://github.com/moby/moby/releases/tag/v23.0.3

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-04-05 22:01:25 +02:00
Stefan Agner cebd1389f4 package/docker-engine: security bump version to v23.0.2
Fixes the following security issue:

- CVE-2023-26054: (Buildkit): Credentials inlined to Git URLs could end up
  in provenance attestation
  https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc

In addition, a number of issues have been fixed. For the full list, see:
https://github.com/moby/moby/releases/tag/v23.0.2

Signed-off-by: Stefan Agner <stefan@agner.ch>
[Peter: Mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-04-03 10:59:57 +02:00
Fabrice Fontaine 1807ef1049 package/docker-engine: libseccomp is mandatory
libseccomp is mandatory since bump to version 23.0.0 in commit
485b47e025:
https://github.com/moby/moby/pull/42501

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=15321

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-12 20:43:06 +01:00
Stefan Agner 08f5edd921 package/docker-engine: bump version to v23.0.1
This release contains some fixes and an improved error message. For the
full list see:
https://github.com/moby/moby/releases/tag/v23.0.1

Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-07 22:32:04 +01:00
Stefan Agner 3f512366d7 package/docker-engine: remove non-existing build tags
The seccomp and apparmor build tags have been removed in 23.0.0. Don't
use those buildtags anymore.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-03-07 22:24:49 +01:00
Christian Stewart 9ae48b70ae package/docker-proxy: drop package
The docker-proxy binary (libnetwork) has been merged into the docker-engine
source (moby). Drop the docker-proxy package and add cmd/docker-proxy as a build
target of docker-engine instead.

https://github.com/moby/libnetwork/commit/563fe8e248f3afac75a270f693f38bdc3eea7bf3

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-02-07 11:06:53 +01:00
Christian Stewart 485b47e025 package/docker-engine: bump version to v23.0.0
This update requires a few workarounds for the non-standard vendor/
structure in the docker-engine repository.

First, as the vendor/ directory exists, our go-post-process script does
not do the vendoring, and exits early, which is exactly what we need.

Second, docker-engine does not use the "new" go.mod mechanism, so it
does not ship any go.mod file, so our go-post-process, exiting early,
does not check that the go.mod file exists, and thus does not fail,
which is again exactly what we need.

Third, docker-engine has an invalid vendor/modules.txt file that we need
to remove or go would fail to build. Since our go-post-process exits
early, there is no vendoring, and thus it does not break at download,
which once more is exactly what we need.

However, the missing go.mod and the problematic vendor/modules.txt cause
go to fail at build time, which this time is not really, even really not,
what we want...

So, we fix it up in two ways.

First, the easy part: we just remove the problematic vendor/modules.txt
file.

Second, we create a go.mod to tell the Go compiler the root import path
prefix for the module and the language version. Note that the language
version in go.mod is not required to be equal to the version of the Go
compiler.

Reference: https://github.com/moby/moby/issues/44618#issuecomment-1343565705

Note that as of v23.0.0 docker-engine expects containerd to be started
by systemd if --containerd= flag is set in dockerd.service, whereas in
previous versions containerd was started by the docker daemon as a
sub-process.

There is no sysv unit for containerd, but this is OK: in the Docker sysv
init file S60dockerd, we do not set the --containerd flag. The docker
daemon will start containerd as a sub-process automatically due to the
absence of this flag.

Signed-off-by: Christian Stewart <christian@paral.in>
[yann.morin.1998@free.fr:
  - run fixups in post-extract hook
  - rework commit log for (hopefully) better explanations
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-02-07 11:05:45 +01:00
Christian Stewart de51efc543 package/docker-engine: bump version to 20.10.22
Bug fixes and enhancements

 - Improve error message when attempting to pull an unsupported image format or OCI artifact (moby/moby#44413, moby/moby#44569)
 - Fix an issue where the host's ephemeral port-range was ignored when selecting random ports for containers (moby/moby#44476).
 - Fix ssh: parse error in message type 27 errors during docker build on hosts using OpenSSH 8.9 or above (moby/moby#3862).
 - seccomp: block socket calls to AF_VSOCK in default profile (moby/moby#44564).

https://github.com/moby/moby/releases/tag/v20.10.22

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-14 11:47:34 +01:00
Christian Stewart 309bc5d2d4 package/docker-engine: security bump to version 20.10.21
Partial mitigations for CVE-2022-39253 Git vulnerability and other fixes:

https://github.com/moby/moby/releases/tag/v20.10.21

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-12-11 14:33:11 +01:00
Christian Stewart 0a1195186f package/docker-engine: bump to version 20.10.19
This release of Docker Engine comes with some bug-fixes, and an updated version
of Docker Compose.

Builder

    Fix an issue that could result in a panic during docker builder prune or
    docker system prune moby/moby#44122.

Daemon

    Fix a bug where using docker volume prune would remove volumes that were
    still in use if the daemon was running with "live restore" and was restarted
    moby/moby#44238.

Packaging

    Update Docker Compose to v2.11.2.

https://github.com/moby/moby/releases/tag/v20.10.19

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-10-17 16:07:15 +02:00
Christian Stewart 4a53271b77 package/docker-engine: bump to version 20.10.18
https://github.com/moby/moby/releases/tag/v20.10.18

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-09-17 17:53:12 +02:00
Stefan Agner 35b3a646e0 package/docker-engine: use kernel modules for extra network drivers
Docker network driver "overlay", "macvlan" and "ipvlan" are not used
by default. Don't force enable them in the kernel.

The main aim here is to get rid of the dummy0 network interface which
is generated by the dummy driver by default.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-08-19 23:26:14 +02:00
Christian Stewart 5349010f76 package/docker-engine: bump to version 20.10.17
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-08-06 23:25:05 +02:00
Christian Stewart db9707d0c0 package/docker-engine: bump to version v20.10.14
https://github.com/moby/moby/releases/tag/v20.10.14

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-04-05 19:16:18 +02:00
TIAN Yuanhao 6105ad3f72 package/docker-engine: remove unused sqlite
Dependency on sqlite has been removed since v17.04.0-ce.

See: https://github.com/moby/moby/pull/30208

Signed-off-by: TIAN Yuanhao <tianyuanhao3@163.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Tested-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-03-07 21:01:34 +01:00
Christian Stewart 64cf3dc6c4 package/docker-engine: bump to version 20.10.12
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-01-26 22:28:40 +01:00
Christian Stewart 35cf2a00b2 package/docker-engine: bump to version 20.10.11
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-12-27 22:19:53 +01:00
Peter Korsgaard ce45136df0 package/docker-engine: security bump to version 20.10.9
Fixes the following security issues:

- CVE-2021-41089:  Create parent directories inside a chroot during docker
  cp to prevent a specially crafted container from changing permissions of
  existing files in the host’s filesystem.

- CVE-2021-41091: Lock down file permissions to prevent unprivileged users
  from discovering and executing programs in /var/lib/docker.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-10-18 21:54:40 +02:00
Christian Stewart via buildroot fc7646565b package/docker-engine: bump to version 20.10.8
Signed-off-by: Christian Stewart <christian@paral.in>
2021-09-27 16:20:41 +02:00
Christian Stewart 49df508007 package/docker-engine: bump version to 20.10.7
Drop upstreamed patch fix-port-forwarding-with-ipv6.

Upstream commit: d29a55c6c344a536089d6b1bcd92be9cdea20641

Signed-off-by: Christian Stewart <christian@paral.in>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-06-20 14:37:17 +02:00
Fabrice Fontaine 378e9f4b11 package/docker-engine: devicemapper driver does not need liblvm2app
lvm2 app library is not needed to build devicemapper filesystem driver

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: tweak title]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-17 22:17:27 +02:00
Peter Korsgaard 2fd33900f5 package/docker-engine: fix port forwarding for hosts without IPv6
docker-engine 20.10.6 broke container port forwarding for hosts without IPv6
support:

docker: Error response from daemon: driver failed programming external
connectivity on endpoint naughty_moore
(038e9ed4b5ea77e1c52462d6d04ad001fbad9beb185a6511aadc217c8a271608): Error
starting userland proxy: listen tcp6 [::]:80: socket: address family not
supported by protocol.

Add a libnetwork patch from an upstream pull request to fix this, after
adjusting the patch to apply to docker-engine (which has libnetwork vendored
under vendor/github.com/docker/libnetwork):

- https://github.com/moby/libnetwork/pull/2635,
- https://github.com/moby/moby/pull/42322

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-14 22:59:49 +02:00
Christian Stewart 35af2bb801 package/docker-containerd: rename package to containerd
containerd is now an independent project from Docker.

This commit renames the Buildroot package from docker-containerd to containerd,
adding an entry in Config.in.legacy accordingly.

containerd is an industry-standard container runtime with an emphasis on
simplicity, robustness and portability. It is available as a daemon for Linux
and Windows, which can manage the complete container lifecycle of its host
system: image transfer and storage, container execution and supervision,
low-level storage and network attachments, etc.

https://containerd.io

Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout:
 - fix alphabetical ordering in package/Config.in
 - also do rename in DEVELOPERS
 - squash in second patch
]
2021-05-05 21:33:58 +02:00
Mario Fink e1458fe943 package/docker-engine: bump version to 20.10.6
Fixes various networking issues:

- Fix a regression in docker 20.10, causing IPv6 addresses no longer to be
  bound by default when mapping ports moby/moby#42205

- Fix implicit IPv6 port-mappings not included in API response.  Before
  docker 20.10, published ports were accessible through both IPv4 and IPv6
  by default, but the API only included information about the IPv4 (0.0.0.0)
  mapping moby/moby#42205

- Fix a regression in docker 20.10, causing the docker-proxy to not be
  terminated in all cases moby/moby#42205

- Fix iptables forwarding rules not being cleaned up upon container removal
  moby/moby#42205

For more details, see the release notes:
https://docs.docker.com/engine/release-notes/#20106

Signed-off-by: Mario Fink <knif.oiram@gmail.com>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-02 21:08:41 +02:00