[1/3] runc: bump version to v1.0.0-rc2

Message ID 1476852805-11450-1-git-send-email-christian@paral.in
State Accepted
Commit 053e1c7930e586b182e6f447226788766b1c8d0e

Commit Message

Christian Stewart Oct. 19, 2016, 4:53 a.m. UTC
Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/runc/runc.hash | 2 +-
 package/runc/runc.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Korsgaard Oct. 19, 2016, 7:50 a.m. UTC | #1
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > Signed-off-by: Christian Stewart <christian@paral.in>

Great, I was just looking at updating our docker packages yesterday.

Committed series, thanks. I see that our docker setup doesn't work out
of the box (e.g. docker needs a number of kernel options like cgroups
and netfilter, runtime dependencies like iptables and there is no init
script starting up dockerd / ensuring /var/lib/docker exists, ..).

Is that something you could work on?
Christian Stewart Oct. 19, 2016, 8:24 p.m. UTC | #2
Peter,

On Wed, Oct 19, 2016 at 3:50 AM, Peter Korsgaard <peter@korsgaard.com> wrote:
> Great, I was just looking at updating our docker packages yesterday.

Cool, glad to hear I got the series in on time :)

> I see that our docker setup doesn't work out
> of the box (e.g. docker needs a number of kernel options like cgroups
> and netfilter, runtime dependencies like iptables and there is no init
> script starting up dockerd / ensuring /var/lib/docker exists, ..).
>
> Is that something you could work on?

This is the core of this project: http://github.com/paralin/SkiffOS -
it's a lightweight configuration manager and merge tool for Buildroot
which supports a number of different embedded devices and Docker by
default.

In Buildroot there already is a systemd init script. There's no SysV
one, as none exists at all for Docker right now.

Andrew Webster was working on a sysv init script:
https://github.com/paralin/buildroot/commit/e642647545513b9d0f8bbeeec4a3342098fb0e87

Other than that I don't know what else could be put in Buildroot itself.

Best,
Christian Stewart
Peter Korsgaard Oct. 19, 2016, 8:34 p.m. UTC | #3
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > Peter,
 > On Wed, Oct 19, 2016 at 3:50 AM, Peter Korsgaard <peter@korsgaard.com> wrote:
 >> Great, I was just looking at updating our docker packages yesterday.

 > Cool, glad to hear I got the series in on time :)

Heh ;)

 >> I see that our docker setup doesn't work out
 >> of the box (e.g. docker needs a number of kernel options like cgroups
 >> and netfilter, runtime dependencies like iptables and there is no init
 >> script starting up dockerd / ensuring /var/lib/docker exists, ..).
 >> 
 >> Is that something you could work on?

 > This is the core of this project: http://github.com/paralin/SkiffOS -
 > it's a lightweight configuration manager and merge tool for Buildroot
 > which supports a number of different embedded devices and Docker by
 > default.

Ok.

 > In Buildroot there already is a systemd init script. There's no SysV
 > one, as none exists at all for Docker right now.

 > Andrew Webster was working on a sysv init script:
 > https://github.com/paralin/buildroot/commit/e642647545513b9d0f8bbeeec4a3342098fb0e87

That more-or-less seems suitable for upstream buildroot. We may want to
handle the mounts through /etc/fstab instead though.

It doesn't seem to ensure /var/lib/docker is available, so that could be
added as well.

 > Other than that I don't know what else could be put in Buildroot itself.

It would be good if the linux package was changed to enable all the
kernel options needed by docker, similar to what we do for systemd,
smack, ..

Docker afaik also has a number of runtime dependencies on e.g. iptables
and iproute2, so it would be good if the docker-engine package would
select those.
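The SysV script this message asks for, as an added example: it is not from Buildroot, from Andrew Webster's commit, or from SkiffOS. It covers the three points raised above: it creates /var/lib/docker (root-only, since image layers and volumes end up under it) before starting the daemon, refuses to start when the helpers dockerd execs are absent, and only warns about a missing cgroup mount because the thread suggests handling the mounts in /etc/fstab rather than in the script. The paths, variable names, the helper list and the use of busybox-style start-stop-daemon are this example's own assumptions.

```shell
#!/bin/sh
#
# Added example (not the Buildroot package's own init script): start/stop
# dockerd in a SysV-style rc script after checking what it needs at runtime.
# Paths, DOCKER_DIR/RUNTIME_HELPERS and their defaults are assumptions.

DAEMON=/usr/bin/dockerd
PIDFILE=/var/run/dockerd.pid
DOCKER_DIR=${DOCKER_DIR:-/var/lib/docker}           # dockerd's default data root
RUNTIME_HELPERS=${RUNTIME_HELPERS:-"iptables modprobe"}  # binaries dockerd execs at start

# Create the data root with mode 0700: image layers and volumes live under it
# and must not be readable by unprivileged users. Returns 1 on failure.
ensure_docker_dir() {
    dir=${1:-$DOCKER_DIR}
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 0700 "$dir"
}

# Report every helper in RUNTIME_HELPERS that is not on PATH; return 1 if any.
check_helpers() {
    rc=0
    for h in $RUNTIME_HELPERS; do
        if ! command -v "$h" >/dev/null 2>&1; then
            echo "dockerd: runtime helper '$h' not found in PATH" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if a cgroup (v1 or v2) filesystem appears in the mount table $1
# (defaults to /proc/mounts, whose format is: dev mountpoint fstype opts ...).
cgroup_mounted() {
    grep -q '^[^ ]* [^ ]* cgroup2\{0,1\} ' "${1:-/proc/mounts}"
}

start() {
    printf "Starting dockerd: "
    if ! ensure_docker_dir; then echo "FAIL (cannot create $DOCKER_DIR)"; return 1; fi
    if ! check_helpers; then echo "FAIL (missing runtime helpers)"; return 1; fi
    cgroup_mounted || echo "warning: no cgroup filesystem mounted (see /etc/fstab)" >&2
    start-stop-daemon -S -q -b -m -p "$PIDFILE" -x "$DAEMON" && echo "OK" || echo "FAIL"
}

stop() {
    printf "Stopping dockerd: "
    start-stop-daemon -K -q -p "$PIDFILE" && echo "OK" || echo "FAIL"
}

# Dispatch only when invoked with an action, so the functions above can also
# be sourced (e.g. by a test harness) without side effects.
case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; sleep 1; start ;;
    "")      ;;
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Installed as /etc/init.d/S60dockerd (Buildroot's S<NN>name convention; the number is a guess), `start` aborts before the daemon is launched if iptables or modprobe is missing, which gives a clearer failure than the iptables error further down this thread.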
Christian Stewart Oct. 19, 2016, 8:37 p.m. UTC | #4
Peter,

On Wed, Oct 19, 2016 at 4:34 PM, Peter Korsgaard <peter@korsgaard.com> wrote:
> It doesn't seem to ensure /var/lib/docker is available, so that could be
> added as well.

Meaning, making sure the directory exists?

> Docker afaik also has a number of runtime dependencies on e.g. iptables
> and iproute2, so it would be good if the docker-engine package would
> select those.

When I was originally writing the docker-engine packages I had these
selected, but it turns out these are not actually required to run
Docker. It uses its own internal syscalls.

Best,
Christian
Peter Korsgaard Oct. 19, 2016, 8:52 p.m. UTC | #5
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > Peter,
 > On Wed, Oct 19, 2016 at 4:34 PM, Peter Korsgaard <peter@korsgaard.com> wrote:
 >> It doesn't seem to ensure /var/lib/docker is available, so that could be
 >> added as well.

 > Meaning, making sure the directory exists?

Yes, I believe dockerd complains if it isn't available (would need to recheck).

 >> Docker afaik also has a number of runtime dependencies on e.g. iptables
 >> and iproute2, so it would be good if the docker-engine package would
 >> select those.

 > When I was originally writing the docker-engine packages I had these
 > selected, but it turns out these are not actually required to run
 > Docker. It uses its own internal syscalls.

Are you sure? I got errors without iptables. Running dockerd through
strace I see several invocations of iptables:

190   execve("/usr/bin/dockerd", ["dockerd"], [/* 11 vars */]) = 0
196   execve("/usr/bin/docker-containerd", ["docker-containerd", "-l", "unix:///var/run/docker/libcontai"..., "--shim", "docker-containerd-shim", "--metrics-interval=0", "--start-timeout", "2m", "--state-dir", "/var/run/docker/libcontainerd/co"..., "--runtime", "docker-runc"], [/* 11 vars */]) = 0
206   execve("/sbin/modprobe", ["modprobe", "aufs"], [/* 12 vars */]) = 0
207   execve("/sbin/modprobe", ["modprobe", "overlay"], [/* 12 vars */]) = 0
208   execve("/sbin/modprobe", ["modprobe", "-va", "bridge", "br_netfilter"], [/* 12 vars */]) = 0
210   execve("/sbin/modprobe", ["modprobe", "-va", "nf_nat"], [/* 12 vars */]) = 0
211   execve("/sbin/modprobe", ["modprobe", "-va", "xt_conntrack"], [/* 12 vars */]) = 0
212   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-L", "-n"], [/* 12 vars */]) = 0
213   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "--version"], [/* 12 vars */]) = 0
214   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
217   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", "DOCKER"], [/* 12 vars */]) = 0
220   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
223   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "PREROUTING"], [/* 12 vars */]) = 0
224   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "OUTPUT"], [/* 12 vars */]) = 0
225   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-F", "DOCKER"], [/* 12 vars */]) = 0
226   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-X", "DOCKER"], [/* 12 vars */]) = 0
227   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-F", "DOCKER"], [/* 12 vars */]) = 0
228   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-X", "DOCKER"], [/* 12 vars */]) = 0
229   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-F", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
230   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-X", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
231   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-n", "-L", "DOCKER"], [/* 12 vars */]) = 0
232   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-N", "DOCKER"], [/* 12 vars */]) = 0
233   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-n", "-L", "DOCKER"], [/* 12 vars */]) = 0
234   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-N", "DOCKER"], [/* 12 vars */]) = 0
235   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-n", "-L", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
236   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-N", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
237   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "DOCKER-ISOLATION", "-j", "RETURN"], [/* 12 vars */]) = 0
238   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-I", "DOCKER-ISOLATION", "-j", "RETURN"], [/* 12 vars */]) = 0
239   execve("/sbin/modprobe", ["modprobe", "-va", "xfrm_user"], [/* 12 vars */]) = 0
240   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "POSTROUTING", "-s", "172.17.0.0/16", "!", "-o", "docker0", "-j", "MASQUERADE"], [/* 12 vars */]) = 0
241   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "DOCKER", "-i", "docker0", "-j", "RETURN"], [/* 12 vars */]) = 0
242   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-I", "DOCKER", "-i", "docker0", "-j", "RETURN"], [/* 12 vars */]) = 0
243   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-D", "FORWARD", "-i", "docker0", "-o", "docker0", "-j", "DROP"], [/* 12 vars */]) = 0
244   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "FORWARD", "-i", "docker0", "-o", "docker0", "-j", "ACCEPT"], [/* 12 vars */]) = 0
245   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "FORWARD", "-i", "docker0", "!", "-o", "docker0", "-j", "ACCEPT"], [/* 12 vars */]) = 0
246   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "FORWARD", "-o", "docker0", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"], [/* 12 vars */]) = 0
247   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
250   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0

And then I seem to be missing something else, because it dies with:

FATA[0004] Error starting daemon: Error initializing network controller:
Error creating default "bridge" network: Failed to program NAT chain:
Failed to inject docker in PREROUTING chain: iptables failed: iptables
--wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER:
iptables: No chain/target/match by that name.
Christian Stewart Oct. 19, 2016, 9:05 p.m. UTC | #6
Peter,

On Wed, Oct 19, 2016 at 4:52 PM, Peter Korsgaard <peter@korsgaard.com> wrote:
> Are you sure? I got errors without iptables. Running dockerd through
> strace I see several invocations of iptables:

I guess I was wrong.

Called here: https://github.com/docker/libnetwork/blob/master/iptables/iptables.go#L400

Needs modprobe binary as well.

> And then I seem to be missing something else, because it dies with:
>
> FATA[0004] Error starting daemon: Error initializing network controller:
> Error creating default "bridge" network: Failed to program NAT chain:
> Failed to inject docker in PREROUTING chain: iptables failed: iptables
> --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER:
> iptables: No chain/target/match by that name.

This is quite strange and might just be a Docker bug. I had a look
over the binaries Docker calls and couldn't find anything else that
seems related.

Patch submitted to fix.

Best,
Christian Stewart
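The strace in this thread is the ground truth for what dockerd needs from a Buildroot target, and the failure quoted above is worth reading in that light: "No chain/target/match by that name" on the rule using `-m addrtype` is what iptables reports when the kernel does not provide the match extension (here xt_addrtype, CONFIG_NETFILTER_XT_MATCH_ADDRTYPE), so that kernel option is the first thing I would check before suspecting Docker. As an added example that is not from the thread, Docker or Buildroot, the POSIX sh below turns such a trace into a checklist: the binaries dockerd execs, the modules it modprobes, and the CONFIG_* options those plus the iptables extensions in the rules imply, checked against a kernel .config. The CONFIG_* mapping is this example's own (the names Docker's check-config.sh looks for), the sample log is an excerpt of the trace posted above, and the sample .config is constructed.

```shell
#!/bin/sh
#
# Added example, not from this thread, Docker or Buildroot: turn an
# `strace -f -e trace=execve` log of dockerd into a rootfs/kernel checklist.
# The CONFIG_* names are this example's own mapping, not something the
# thread states; names vary slightly between kernel versions.

# Unique absolute paths passed to execve() (PID-prefixed strace -f format).
execve_binaries() {
    sed -n 's/^[0-9]* *execve("\([^"]*\)".*/\1/p' "$1" | LC_ALL=C sort -u
}

# Module names handed to modprobe, with the program name and -flags dropped.
modprobe_modules() {
    sed -n 's/^[0-9]* *execve("[^"]*modprobe", \[\(.*\)\], \[.*$/\1/p' "$1" \
      | tr -d '"' | tr ',' '\n' | sed 's/^ *//' \
      | grep -v -e '^modprobe$' -e '^-' | LC_ALL=C sort -u
}

# Kernel option behind each module name read from stdin (one per line).
module_kconfig() {
    while read -r m; do
        case $m in
            bridge)       echo CONFIG_BRIDGE ;;
            br_netfilter) echo CONFIG_BRIDGE_NETFILTER ;;
            nf_nat)       echo CONFIG_NF_NAT ;;
            xt_conntrack) echo CONFIG_NETFILTER_XT_MATCH_CONNTRACK ;;
            xfrm_user)    echo CONFIG_XFRM_USER ;;
            overlay)      echo CONFIG_OVERLAY_FS ;;
            aufs)         echo CONFIG_AUFS_FS ;;   # out-of-tree; optional storage driver
        esac
    done
}

# Kernel options behind the iptables tables, matches and targets in the log.
# A rule using a match whose kernel module is absent fails with exactly the
# "No chain/target/match by that name" error quoted in this thread.
iptables_kconfig() {
    log=$1
    grep -q 'iptables' "$log" || return 0
    printf '%s\n' CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
    grep -q '"-t", "nat"' "$log"        && printf '%s\n' CONFIG_IP_NF_NAT CONFIG_NF_NAT
    grep -q '"-m", "addrtype"' "$log"   && echo CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
    grep -q '"-m", "conntrack"' "$log"  && echo CONFIG_NETFILTER_XT_MATCH_CONNTRACK
    grep -q '"-j", "MASQUERADE"' "$log" && echo CONFIG_IP_NF_TARGET_MASQUERADE
    return 0
}

# Print each option from stdin that is neither =y nor =m in the .config $1.
kconfig_missing() {
    cfg=$1
    LC_ALL=C sort -u | while read -r opt; do
        grep -q "^$opt=[ym]$" "$cfg" || echo "$opt"
    done
}

audit_docker_deps() {
    echo "== binaries dockerd execs (must exist in the rootfs) =="
    execve_binaries "$1"
    echo "== kernel options missing from $2 =="
    { modprobe_modules "$1" | module_kconfig; iptables_kconfig "$1"; } | kconfig_missing "$2"
}

# Sample input: an excerpt of the strace posted in this thread, plus a
# constructed .config that has everything except the addrtype match.
SAMPLE_LOG=$(mktemp) && SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
190   execve("/usr/bin/dockerd", ["dockerd"], [/* 11 vars */]) = 0
208   execve("/sbin/modprobe", ["modprobe", "-va", "bridge", "br_netfilter"], [/* 12 vars */]) = 0
210   execve("/sbin/modprobe", ["modprobe", "-va", "nf_nat"], [/* 12 vars */]) = 0
212   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-L", "-n"], [/* 12 vars */]) = 0
240   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "POSTROUTING", "-s", "172.17.0.0/16", "!", "-o", "docker0", "-j", "MASQUERADE"], [/* 12 vars */]) = 0
250   execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
EOF
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_BRIDGE=y
CONFIG_BRIDGE_NETFILTER=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
EOF

audit_docker_deps "$SAMPLE_LOG" "$SAMPLE_CFG"
```

On a real target, record the log with `strace -f -e trace=execve -o dockerd.log dockerd` and point `audit_docker_deps` at it and at the kernel's .config (or the output of `zcat /proc/config.gz` saved to a file). The binary list is also what the Buildroot package should `select`, which is the point Peter raises about iptables and the one Christian adds about modprobe.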

Patch

diff --git a/package/runc/runc.hash b/package/runc/runc.hash
index c409a66..5b5400e 100644
--- a/package/runc/runc.hash
+++ b/package/runc/runc.hash
@@ -1,2 +1,2 @@ 
 # Locally computed
-sha256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776  runc-cc29e3dded8e27ba8f65738f40d251c885030a28.tar.gz
+sha256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491  runc-v1.0.0-rc2.tar.gz
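Review bot: the new sha256 on the `+` line is still introduced only by `# Locally computed`, so nothing in this hunk lets a second reviewer check it against an upstream-published value; as the tarball is generated by GitHub from the `v1.0.0-rc2` tag (the `$(call github,...)` site in runc.mk), the commit message should state how the archive was fetched and hashed so the value can be reproduced rather than trusted. Also note that the old `-` line hashed a commit-named archive while the new one hashes a tag-named archive, so the rename and the hash change must land together, as they do here.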
diff --git a/package/runc/runc.mk b/package/runc/runc.mk
index e2ab5ed..ef151ed 100644
--- a/package/runc/runc.mk
+++ b/package/runc/runc.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-RUNC_VERSION = cc29e3dded8e27ba8f65738f40d251c885030a28
+RUNC_VERSION = v1.0.0-rc2
 RUNC_SITE = $(call github,opencontainers,runc,$(RUNC_VERSION))
 RUNC_LICENSE = Apache-2.0
 RUNC_LICENSE_FILES = LICENSE
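Review bot: `RUNC_VERSION` moves from a pinned commit id to the tag `v1.0.0-rc2`, which, unlike a sha1, upstream can re-point; the only thing that then pins the downloaded content is the sha256 in runc.hash, so any later bump must touch both files in one commit. The commit message above carries only the Signed-off-by line; a sentence on why rc2 is taken over commit cc29e3d would help anyone bisecting a container runtime regression in Buildroot later.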