Replace riddler with code that constructs config.json directly

Generated largely from the specified config; small parts taken from `docker image inspect`,
such as the command line.

Renamed some of the yaml keys to match the OCI spec rather than Docker Compose as
we decided they are more readable, no more underscores.

Add some extra functionality
- tmpfs specification
- fully general mount specification
- no new privileges can be specified now

For nostalgic reasons, using engine-api to talk to the docker cli as
we only need an old API version, and it is nice and easy to vendor...

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

tools/riddler/Dockerfile

@@ -1,24 +0,0 @@
-FROM golang:1.8-alpine
-
-RUN \
-  apk update && apk upgrade && \
-  apk add \
-  docker \
-  gcc \
-  git \
-  jq \
-  linux-headers \
-  musl-dev \
-  tar \
-  && true
-
-COPY Dockerfile /
-COPY riddler.sh /usr/bin/
-
-RUN git clone https://github.com/jessfraz/riddler.git /go/src/github.com/jessfraz/riddler
-
-WORKDIR /go/src/github.com/jessfraz/riddler
-RUN git checkout 23befa0b232877b5b502b828e24161d801bd67f6
-RUN go build -o /usr/bin/riddler .
-
-ENTRYPOINT ["/usr/bin/riddler.sh"]

tools/riddler/Makefile

@@ -1,29 +0,0 @@
-.PHONY: tag push
-
-BASE=golang:1.8-alpine
-IMAGE=riddler
-
-default: push
-
-hash: Dockerfile riddler.sh
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
-
-push: hash
-	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
-		 (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
-		  docker push mobylinux/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash
-	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:

tools/riddler/riddler.sh

@@ -1,49 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# arguments are image name, prefix, then arguments passed to Docker
-# eg ./riddler.sh alpine:3.4 --read-only alpine:3.4 ls
-# This script will output config.json
-
-IMAGE="$1"; shift
-
-cd /tmp
-
-# riddler always adds the apparmor options if this is not present
-EXTRA_OPTIONS="--security-opt apparmor=unconfined"
-
-ARGS="$@"
-CONTAINER=$(docker create $EXTRA_OPTIONS $ARGS)
-riddler $CONTAINER > /dev/null
-docker rm $CONTAINER > /dev/null
-
-# unfixed known issues
-# noNewPrivileges is always set by riddler
-
-# These fixes should be removed when riddler is fixed
-# process.rlimits, just a constant at present, not useful
-# memory swappiness is too big by default
-# remove user namespaces
-# --read-only sets /dev ro
-# /sysfs ro unless privileged - cannot detect so will do if grant all caps
-# ipc, uts namespaces always isolated
-
-UTS="."
-IPC="."
-echo $ARGS | grep -q uts=host && UTS=".linux.namespaces = (.linux.namespaces|map(select(.type!=\"uts\")))"
-echo $ARGS | grep -q ipc=host && IPC=".linux.namespaces = (.linux.namespaces|map(select(.type!=\"ipc\")))"
-
-mv config.json config.json.orig
-cat config.json.orig | \
-  jq "$UTS" | \
-  jq "$IPC" | \
-  jq 'del(.process.rlimits)' | \
-  jq 'del (.linux.resources.memory.swappiness)' | \
-  jq 'del(.linux.uidMappings) | del(.linux.gidMappings) | .linux.namespaces = (.linux.namespaces|map(select(.type!="user")))' | \
-  jq 'if .root.readonly==true then .mounts = (.mounts|map(if .destination=="/dev" then .options |= .+ ["ro"] else . end)) else . end' | \
-  jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end' | \
-  jq '.process.capabilities = { bounding: .process.capabilities, effective: .process.capabilities, inheritable: .process.capabilities, permitted: .process.capabilities }' \
-  > config.json
-
-cat config.json