From a4650b242f9a06aa1db0c262da4685f638a9cd80 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Mon, 17 Jul 2017 20:37:01 +0100
Subject: [PATCH] Use the upstream dind package to run docker

It is pretty close to our docker package, if we adjust the command that is run to avoid the actual dind startup script. We can't use the normal docker image as it does not have mkfs and so on.

Signed-off-by: Justin Cormack
---
 blueprints/docker-for-mac/docker-17.06-ce.yml | 8 +++-
 examples/docker.yml | 4 +-
 pkg/docker-ce/Dockerfile | 48 -------------------
 pkg/docker-ce/Makefile | 4 --
 projects/compose/compose-dynamic.yml | 4 +-
 projects/compose/compose-static.yml | 4 +-
 projects/kubernetes/image-cache/Dockerfile | 2 +-
 projects/kubernetes/kube-master.yml | 4 +-
 projects/kubernetes/kube-node.yml | 4 +-
 .../000_docker-bench/test-docker-bench.yml | 4 +-
 10 files changed, 20 insertions(+), 66 deletions(-)
 delete mode 100644 pkg/docker-ce/Dockerfile
 delete mode 100644 pkg/docker-ce/Makefile

diff --git a/blueprints/docker-for-mac/docker-17.06-ce.yml b/blueprints/docker-for-mac/docker-17.06-ce.yml
index 3d64257b1..e56038da4 100644
--- a/blueprints/docker-for-mac/docker-17.06-ce.yml
+++ b/blueprints/docker-for-mac/docker-17.06-ce.yml
@@ -3,7 +3,7 @@ services:
 # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
 # for vpnkit coordination and /var/config/docker for the configuration file.
 - name: docker-dfm
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
 net: host
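Review bot: The new `image:` line replaces a linuxkit image tagged by build hash with the mutable upstream tag `docker:17.06.0-ce-dind`, so the reference alone no longer identifies fixed content; the deleted pkg/docker-ce/Dockerfile verified the daemon tarball against a pinned `DOCKER_SHA256`, and nothing on the new side does the equivalent. The `trust: org: - library` entry added later in this file checks the publisher's signature but does not stop the tag from being re-pointed by that publisher. If the build tool accepts digest references, pin it, e.g. `image: docker:17.06.0-ce-dind@sha256:<digest-placeholder>`, or at least record in a comment which digest the tag resolved to when this was tested. The same swap appears in examples/docker.yml, the compose, kube-master, kube-node and test-docker-bench yml files, and in projects/kubernetes/image-cache/Dockerfile, where the `FROM` line is not covered by the yml trust section at all.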
@@ -18,7 +18,7 @@ services:
 - /var/config/docker:/var/config/docker
 - /usr/bin/vpnkit-expose-port:/usr/bin/vpnkit-expose-port # userland proxy
 - /usr/bin/vpnkit-iptables-wrapper:/usr/bin/iptables # iptables wrapper
- command: [ "/usr/bin/docker-init", "/usr/bin/dockerd", "--",
+ command: [ "/usr/local/bin/docker-init", "/usr/local/bin/dockerd", "--",
 "--config-file", "/var/config/docker/daemon.json",
 "--swarm-default-advertise-addr=eth0",
 "--userland-proxy-path", "/usr/bin/vpnkit-expose-port",
@@ -27,3 +27,7 @@ services:
 files:
 - path: /var/config/docker/daemon.json
 contents: '{ "debug": true }'
+
+trust:
+ org:
+ - library
diff --git a/examples/docker.yml b/examples/docker.yml
index 885e12b0a..b119e77fe 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -30,7 +30,7 @@ services:
 - name: ntpd
 image: linuxkit/openntpd:19370f5d9bec84eb91073b7196b732f1301d9c90
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
 net: host
@@ -41,9 +41,11 @@ services:
 - /var/lib/docker:/var/lib/docker
 - /lib/modules:/lib/modules
 - /etc/docker/daemon.json:/etc/docker/daemon.json
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 files:
 - path: etc/docker/daemon.json
 contents: '{"debug": true}'
 trust:
 org:
 - linuxkit
+ - library
diff --git a/pkg/docker-ce/Dockerfile b/pkg/docker-ce/Dockerfile
deleted file mode 100644
index fd741e1de..000000000
--- a/pkg/docker-ce/Dockerfile
+++ /dev/null
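Review bot: The added `trust:` block enables content trust for the whole `library` org, i.e. every Docker Hub official image, while the only library image this file pulls is `docker`; a compromised or mistaken signature on any other official image would then be accepted if it were ever referenced here. If the schema's per-image list is accepted in this file, `trust:` / `image:` / `- docker` scopes verification to what is actually used (hedged: only the `org` form is visible on this page). examples/docker.yml adds the same `- library` entry under `org:` in this commit and has the same scope; a short comment above the entry, e.g. `# library: Docker Hub official images (needed for docker:17.06.0-ce-dind)`, would at least record why the org-wide entry exists.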
@@ -1,48 +0,0 @@
-FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS mirror
-
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
-# removed openssl as I do not think server needs it
-RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
-RUN apk add --no-cache --initdb -p /out \
- alpine-baselayout \
- btrfs-progs \
- busybox \
- ca-certificates \
- curl \
- e2fsprogs \
- e2fsprogs-extra \
- iptables \
- musl \
- xfsprogs \
- xz
-RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
-
-FROM scratch
-COPY --from=mirror /out/ /
-
-# set up Docker group
-# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
-RUN set -x \
- && addgroup -S docker \
- && addgroup -S dockremap \
- && adduser -S -G dockremap dockremap \
- && echo 'dockremap:165536:65536' >> /etc/subuid \
- && echo 'dockremap:165536:65536' >> /etc/subgid
-
-# DOCKER_TYPE is stable, edge or test
-ENV DOCKER_TYPE stable
-ENV DOCKER_VERSION 17.06.0-ce
-ENV DOCKER_SHA256 e582486c9db0f4229deba9f8517145f8af6c5fae7a1243e6b07876bd3e706620
-
-# we could avoid installing client here I suppose
-RUN set -x \
- && curl -fSL "https://download.docker.com/linux/static/${DOCKER_TYPE}/$(uname -m)/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
- && echo "${DOCKER_SHA256} *docker.tgz" | sha256sum -c - \
- && tar -xzvf docker.tgz \
- && mv docker/* /usr/bin/ \
- && rmdir docker \
- && rm docker.tgz \
- && docker -v
-
-# use the Docker copy of tini as our init for zombie reaping
-ENTRYPOINT ["/usr/bin/docker-init", "/usr/bin/dockerd"]
diff --git a/pkg/docker-ce/Makefile b/pkg/docker-ce/Makefile
deleted file mode 100644
index efd826209..000000000
--- a/pkg/docker-ce/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-IMAGE=docker-ce
-NETWORK=1
-
-include ../package.mk
diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml
index 72a02db42..3bffd7d85 100644
--- a/projects/compose/compose-dynamic.yml
+++ b/projects/compose/compose-dynamic.yml
@@ -27,10 +27,9 @@ services:
 - name: ntpd
 image: linuxkit/openntpd:19370f5d9bec84eb91073b7196b732f1301d9c90
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 mounts:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
@@ -39,6 +38,7 @@ services:
 - /lib/modules:/lib/modules
 - /var/run:/var/run
 - /var/html:/var/html
+ command: ["/usr/bin/docker-init", "/usr/bin/dockerd"]
 - name: compose
 image: linuxkitprojects/compose:0535e78608f57702745dfd56fbe78d28d237e469
 binds:
diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml
index c6450da70..a1b4cac26 100644
--- a/projects/compose/compose-static.yml
+++ b/projects/compose/compose-static.yml
@@ -27,10 +27,9 @@ services:
 - name: ntpd
 image: linuxkit/openntpd:19370f5d9bec84eb91073b7196b732f1301d9c90
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 mounts:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
@@ -39,6 +38,7 @@ services:
 - /lib/modules:/lib/modules
 - /var/run:/var/run
 - /var/html:/var/html
+ command: ["/usr/bin/docker-init", "/usr/bin/dockerd"]
 - name: compose
 image: linuxkitprojects/compose:0535e78608f57702745dfd56fbe78d28d237e469
 binds:
diff --git a/projects/kubernetes/image-cache/Dockerfile b/projects/kubernetes/image-cache/Dockerfile
index ebdfbed2f..ae402273c 100644
--- a/projects/kubernetes/image-cache/Dockerfile
+++ b/projects/kubernetes/image-cache/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+FROM docker:17.06.0-ce-dind
 ADD . /images
 ENTRYPOINT [ "/bin/sh", "-c" ]
 CMD [ "for image in /images/*.tar ; do docker image load -i $image && rm -f $image ; done" ]
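Review bot: The `image:` swap to the Docker Hub tag `docker:17.06.0-ce-dind` in this hunk is not accompanied by a `- library` entry under `trust: org:`, unlike docker-17.06-ce.yml and examples/docker.yml in the same commit; if this file has a trust section (not visible here) the new image is pulled without content-trust verification, and if it has none the commit message should say these project files are unverified. The same hunk also drops `net: host` from the docker service while the docker-for-mac and examples files keep it, and the commit message does not explain why; if the tool's default is not the host namespace, dockerd will now create its bridges and iptables rules in its own namespace, which changes what the compose service and the host can reach. A comment above the service such as `# net: host intentionally omitted: <reason-placeholder>` would record the intent. Both points apply equally to the matching hunks in compose-static.yml, kube-master.yml, kube-node.yml and test-docker-bench.yml.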
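Review bot: The added `command:` uses `/usr/bin/docker-init` and `/usr/bin/dockerd`, which are the install paths of the deleted pkg/docker-ce/Dockerfile (`mv docker/* /usr/bin/`), whereas every other file in this commit uses `/usr/local/bin/...` for the `docker:17.06.0-ce-dind` image; with the new image this service will most likely fail to start because the binaries are not at those paths. Change it to `command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]`. compose-static.yml adds the identical line and needs the same fix.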
diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml
index 81a522eb8..9ac253df9 100644
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
@@ -38,10 +38,9 @@ services:
 - name: sshd
 image: linuxkit/sshd:89b2e91d7d1bf2f40220be0e3ed586e74746cceb
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 pid: host
 mounts:
 - type: cgroup
@@ -54,6 +53,7 @@ services:
 - /etc/cni:/etc/cni:rshared,rbind
 - /opt/cni:/opt/cni:rshared,rbind
 rootfsPropagation: shared
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 - name: kubernetes-image-cache-common
 image: linuxkit/kubernetes:latest-image-cache-common
 binds:
diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml
index f85667b54..bf1a099a7 100644
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@@ -38,10 +38,9 @@ services:
 - name: sshd
 image: linuxkit/sshd:89b2e91d7d1bf2f40220be0e3ed586e74746cceb
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 pid: host
 mounts:
 - type: cgroup
@@ -54,6 +53,7 @@ services:
 - /etc/cni:/etc/cni:rshared,rbind
 - /opt/cni:/opt/cni:rshared,rbind
 rootfsPropagation: shared
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 - name: kubernetes-image-cache-common
 image: linuxkit/kubernetes:latest-image-cache-common
 binds:
diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
index 43a8d16c5..f529a136b 100644
--- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml
+++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
@@ -24,10 +24,9 @@ services:
 - name: dhcpcd
 image: linuxkit/dhcpcd:4b7b8bb024cebb1bbb9c8026d44d7cbc8e202c41
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 mounts:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
@@ -35,6 +34,7 @@ services:
 - /var/lib/docker:/var/lib/docker
 - /lib/modules:/lib/modules
 - /run:/var/run
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 - name: test-docker-bench
 image: linuxkit/test-docker-bench:4999d3484771e8466580c0dc2e479595e49faa85
 ipc: host