| Message ID | 1476852805-11450-1-git-send-email-christian@paral.in |
|---|---|
| State | Accepted |
| Commit | 053e1c7930e586b182e6f447226788766b1c8d0e |
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

> Signed-off-by: Christian Stewart <christian@paral.in>

Great, I was just looking at updating our docker packages yesterday. Committed series, thanks.

I see that our docker setup doesn't work out of the box (e.g. docker needs a number of kernel options like cgroups and netfilter, runtime dependencies like iptables, and there is no init script starting up dockerd / ensuring /var/lib/docker exists, ...).

Is that something you could work on?
Peter,

On Wed, Oct 19, 2016 at 3:50 AM, Peter Korsgaard <peter@korsgaard.com> wrote:
> Great, I was just looking at updating our docker packages yesterday.

Cool, glad to hear I got the series in on time :)

> I see that our docker setup doesn't work out of the box (e.g. docker needs a number of kernel options like cgroups and netfilter, runtime dependencies like iptables, and there is no init script starting up dockerd / ensuring /var/lib/docker exists, ...).
>
> Is that something you could work on?

This is the core of this project: http://github.com/paralin/SkiffOS - it's a lightweight configuration manager and merge tool for Buildroot which supports a number of different embedded devices and Docker by default.

In Buildroot there already is a systemd init script. There's no SysV one, as one doesn't exist at all for Docker right now.

Andrew Webster was working on a SysV init script:
https://github.com/paralin/buildroot/commit/e642647545513b9d0f8bbeeec4a3342098fb0e87

Other than that I don't know what else could be put in Buildroot itself.

Best,
Christian Stewart
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

> Peter,

> On Wed, Oct 19, 2016 at 3:50 AM, Peter Korsgaard <peter@korsgaard.com> wrote:
>> Great, I was just looking at updating our docker packages yesterday.

> Cool, glad to hear I got the series in on time :)

Heh ;)

>> I see that our docker setup doesn't work out of the box (e.g. docker needs a number of kernel options like cgroups and netfilter, runtime dependencies like iptables, and there is no init script starting up dockerd / ensuring /var/lib/docker exists, ...).
>>
>> Is that something you could work on?

> This is the core of this project: http://github.com/paralin/SkiffOS - it's a lightweight configuration manager and merge tool for Buildroot which supports a number of different embedded devices and Docker by default.

Ok.

> In Buildroot there already is a systemd init script. There's no SysV one, as one doesn't exist at all for Docker right now.

> Andrew Webster was working on a SysV init script:
> https://github.com/paralin/buildroot/commit/e642647545513b9d0f8bbeeec4a3342098fb0e87

That more or less seems suitable for upstream buildroot. We may want to handle the mounts through /etc/fstab instead though. It doesn't seem to ensure /var/lib/docker is available, so that could be added as well.

> Other than that I don't know what else could be put in Buildroot itself.

It would be good if the linux package was changed to enable all the kernel options needed by docker, similar to what we do for systemd, smack, ...

Docker afaik also has a number of runtime dependencies on e.g. iptables and iproute2, so it would be good if the docker-engine package would select those.
Peter,

On Wed, Oct 19, 2016 at 4:34 PM, Peter Korsgaard <peter@korsgaard.com> wrote:
> It doesn't seem to ensure /var/lib/docker is available, so that could be added as well.

Meaning, making sure the directory exists?

> Docker afaik also has a number of runtime dependencies on e.g. iptables and iproute2, so it would be good if the docker-engine package would select those.

When I was originally writing the docker-engine packages I had these selected, but it turns out these are not actually required to run Docker. It uses its own internal syscalls.

Best,
Christian
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

> Peter,

> On Wed, Oct 19, 2016 at 4:34 PM, Peter Korsgaard <peter@korsgaard.com> wrote:
>> It doesn't seem to ensure /var/lib/docker is available, so that could be added as well.

> Meaning, making sure the directory exists?

Yes, I believe dockerd complains if it isn't available (would need to recheck).

>> Docker afaik also has a number of runtime dependencies on e.g. iptables and iproute2, so it would be good if the docker-engine package would select those.

> When I was originally writing the docker-engine packages I had these selected, but it turns out these are not actually required to run Docker. It uses its own internal syscalls.

Are you sure? I got errors without iptables. Running dockerd through strace I see several invocations of iptables:

190 execve("/usr/bin/dockerd", ["dockerd"], [/* 11 vars */]) = 0
196 execve("/usr/bin/docker-containerd", ["docker-containerd", "-l", "unix:///var/run/docker/libcontai"..., "--shim", "docker-containerd-shim", "--metrics-interval=0", "--start-timeout", "2m", "--state-dir", "/var/run/docker/libcontainerd/co"..., "--runtime", "docker-runc"], [/* 11 vars */]) = 0
206 execve("/sbin/modprobe", ["modprobe", "aufs"], [/* 12 vars */]) = 0
207 execve("/sbin/modprobe", ["modprobe", "overlay"], [/* 12 vars */]) = 0
208 execve("/sbin/modprobe", ["modprobe", "-va", "bridge", "br_netfilter"], [/* 12 vars */]) = 0
210 execve("/sbin/modprobe", ["modprobe", "-va", "nf_nat"], [/* 12 vars */]) = 0
211 execve("/sbin/modprobe", ["modprobe", "-va", "xt_conntrack"], [/* 12 vars */]) = 0
212 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-L", "-n"], [/* 12 vars */]) = 0
213 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "--version"], [/* 12 vars */]) = 0
214 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
217 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", "DOCKER"], [/* 12 vars */]) = 0
220 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
223 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "PREROUTING"], [/* 12 vars */]) = 0
224 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-D", "OUTPUT"], [/* 12 vars */]) = 0
225 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-F", "DOCKER"], [/* 12 vars */]) = 0
226 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-X", "DOCKER"], [/* 12 vars */]) = 0
227 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-F", "DOCKER"], [/* 12 vars */]) = 0
228 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-X", "DOCKER"], [/* 12 vars */]) = 0
229 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-F", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
230 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-X", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
231 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-n", "-L", "DOCKER"], [/* 12 vars */]) = 0
232 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-N", "DOCKER"], [/* 12 vars */]) = 0
233 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-n", "-L", "DOCKER"], [/* 12 vars */]) = 0
234 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-N", "DOCKER"], [/* 12 vars */]) = 0
235 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-n", "-L", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
236 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-N", "DOCKER-ISOLATION"], [/* 12 vars */]) = 0
237 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "DOCKER-ISOLATION", "-j", "RETURN"], [/* 12 vars */]) = 0
238 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-I", "DOCKER-ISOLATION", "-j", "RETURN"], [/* 12 vars */]) = 0
239 execve("/sbin/modprobe", ["modprobe", "-va", "xfrm_user"], [/* 12 vars */]) = 0
240 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "POSTROUTING", "-s", "172.17.0.0/16", "!", "-o", "docker0", "-j", "MASQUERADE"], [/* 12 vars */]) = 0
241 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "DOCKER", "-i", "docker0", "-j", "RETURN"], [/* 12 vars */]) = 0
242 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-I", "DOCKER", "-i", "docker0", "-j", "RETURN"], [/* 12 vars */]) = 0
243 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-D", "FORWARD", "-i", "docker0", "-o", "docker0", "-j", "DROP"], [/* 12 vars */]) = 0
244 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "FORWARD", "-i", "docker0", "-o", "docker0", "-j", "ACCEPT"], [/* 12 vars */]) = 0
245 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "FORWARD", "-i", "docker0", "!", "-o", "docker0", "-j", "ACCEPT"], [/* 12 vars */]) = 0
246 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "filter", "-C", "FORWARD", "-o", "docker0", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"], [/* 12 vars */]) = 0
247 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-C", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0
250 execve("/usr/sbin/iptables", ["/usr/sbin/iptables", "--wait", "-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"], [/* 12 vars */]) = 0

And then I seem to be missing something else, because it dies with:

FATA[0004] Error starting daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: Failed to inject docker in PREROUTING chain: iptables failed: iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables: No chain/target/match by that name.
Peter,

On Wed, Oct 19, 2016 at 4:52 PM, Peter Korsgaard <peter@korsgaard.com> wrote:
> Are you sure? I got errors without iptables. Running dockerd through strace I see several invocations of iptables:

I guess I was wrong. Called here: https://github.com/docker/libnetwork/blob/master/iptables/iptables.go#L400

Needs the modprobe binary as well.

> And then I seem to be missing something else, because it dies with:
>
> FATA[0004] Error starting daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: Failed to inject docker in PREROUTING chain: iptables failed: iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables: No chain/target/match by that name.

This is quite strange and might just be a Docker bug. I had a look over the binaries Docker calls and couldn't find anything else that seems related.

Patch submitted to fix.

Best,
Christian Stewart
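The kernel options, runtime binaries and /var/lib/docker directory discussed in the messages above can be checked on the target (or against the Buildroot linux .config and target/ tree) before an image is shipped. The preflight script below is an added example written for this page; it is not code from the thread, from Buildroot or from Docker. Its option list is this editor's mapping of the modprobe and iptables invocations in the strace above onto Kconfig symbol names (assumed 4.x-era names; Docker's own contrib/check-config.sh is the authoritative list), and it includes CONFIG_NETFILTER_XT_MATCH_ADDRTYPE because the rule that fails in the log uses the addrtype match. The tool list is iptables and modprobe, which the trace shows dockerd executing, plus docker-runc, which docker-containerd is started with as --runtime. The docker root check treats anything more permissive than owner-only access as a problem, since that tree holds every container's rootfs and volumes. The sample kernel config, bin directory and docker root created at the bottom are constructed for the demo and are not from any real board.

```shell
#!/bin/sh
# Added example (not from the thread, Buildroot or Docker): preflight check
# for what the strace in this thread shows dockerd modprobing and exec'ing.
# The Kconfig names below are this editor's mapping, assumed 4.x-era names.

# Kconfig symbols behind the log: namespaces and cgroups for runc, veth and
# bridge for docker0, the nat table and MASQUERADE, the conntrack and
# addrtype matches, overlayfs and xfrm_user.
DOCKER_KCONFIG="
CONFIG_NAMESPACES
CONFIG_NET_NS
CONFIG_PID_NS
CONFIG_CGROUPS
CONFIG_VETH
CONFIG_BRIDGE
CONFIG_BRIDGE_NETFILTER
CONFIG_NF_NAT
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_OVERLAY_FS
CONFIG_XFRM_USER
"

# Binaries dockerd execs in the trace, plus the runtime containerd is told
# to use ("--runtime docker-runc").
DOCKER_TOOLS="iptables modprobe docker-runc"

# check_kconfig FILE: print each option that is neither =y nor =m in the
# kernel .config FILE; return the number of missing options.
check_kconfig() {
    missing=0
    for opt in $DOCKER_KCONFIG; do
        if ! grep -q "^${opt}=[ym]$" "$1"; then
            echo "missing kernel option: $opt"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# check_tools DIR: print each tool with no executable in DIR (a target or
# staging bin directory); return the number missing.
check_tools() {
    missing=0
    for tool in $DOCKER_TOOLS; do
        if [ ! -x "$1/$tool" ]; then
            echo "missing tool: $tool"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# check_docker_root DIR: the dockerd root must exist and be owner-only
# (0700, or 0710 to let a group traverse it). Returns 1 if missing,
# 2 if too permissive, 0 when fine.
check_docker_root() {
    [ -d "$1" ] || { echo "missing docker root: $1"; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        700|710) return 0 ;;
        *) echo "docker root $1 is mode $mode, expected 0700 or 0710"; return 2 ;;
    esac
}

# preflight KCONFIG BINDIR DOCKER_ROOT: run all checks; the return value is
# the total number of problems, so 0 means dockerd has what the log shows
# it asking for.
preflight() {
    total=0
    check_kconfig "$1" || total=$((total + $?))
    check_tools "$2" || total=$((total + $?))
    check_docker_root "$3" || total=$((total + $?))
    return $total
}

# make_sample: constructed demo input (not a real board). The .config has
# the addrtype match and xfrm_user unset, bin/ lacks docker-runc, and the
# docker root is 0700. Prints the temporary directory it created.
make_sample() {
    tmp=$(mktemp -d)
    cat > "$tmp/linux.config" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_CGROUPS=y
CONFIG_VETH=m
CONFIG_BRIDGE=m
CONFIG_BRIDGE_NETFILTER=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
CONFIG_OVERLAY_FS=y
# CONFIG_XFRM_USER is not set
EOF
    mkdir -p "$tmp/bin" "$tmp/docker"
    for t in iptables modprobe; do : > "$tmp/bin/$t"; chmod 755 "$tmp/bin/$t"; done
    chmod 700 "$tmp/docker"
    echo "$tmp"
}

# Demo on the constructed sample: reports the two unset options and the
# missing docker-runc, then the non-zero count.
demo_dir=$(make_sample)
preflight "$demo_dir/linux.config" "$demo_dir/bin" "$demo_dir/docker" \
    || echo "preflight: $? issue(s) found"
rm -rf "$demo_dir"
```

On a Buildroot tree the same functions can be pointed at output/build/linux-*/.config, output/target/usr/bin (or usr/sbin for iptables) and output/target/var/lib/docker; on a running board, at a decompressed /proc/config.gz, /usr/bin and /var/lib/docker.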
diff --git a/package/runc/runc.hash b/package/runc/runc.hash index c409a66..5b5400e 100644 --- a/package/runc/runc.hash +++ b/package/runc/runc.hash @@ -1,2 +1,2 @@ # Locally computed -sha256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776 runc-cc29e3dded8e27ba8f65738f40d251c885030a28.tar.gz +sha256 638742c48426b9a3281aeb619e27513d972de228bdbd43b478baea99c186d491 runc-v1.0.0-rc2.tar.gz diff --git a/package/runc/runc.mk b/package/runc/runc.mk index e2ab5ed..ef151ed 100644 --- a/package/runc/runc.mk +++ b/package/runc/runc.mk @@ -4,7 +4,7 @@ # ################################################################################ -RUNC_VERSION = cc29e3dded8e27ba8f65738f40d251c885030a28 +RUNC_VERSION = v1.0.0-rc2 RUNC_SITE = $(call github,opencontainers,runc,$(RUNC_VERSION)) RUNC_LICENSE = Apache-2.0 RUNC_LICENSE_FILES = LICENSE
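Review bot: in the runc.hash hunk the new sha256 for runc-v1.0.0-rc2.tar.gz is still headed "# Locally computed", and a GitHub-generated tarball has nothing upstream-published to check it against; please state in the commit message how it was produced (fetch via the RUNC_SITE URL, then sha256sum) so another maintainer can reproduce it before merging. Note also that the previous RUNC_VERSION was a commit id (cc29e3dded8e27ba8f65738f40d251c885030a28) while v1.0.0-rc2 is a tag that can be moved, so this hash line is now the only thing pinning the contents of the download.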
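Review bot: the runc.mk hunk changes RUNC_VERSION from a commit id to the v1.0.0-rc2 tag, but the commit message carries only the Signed-off-by and says nothing about what the bump brings or which docker-engine it is meant to pair with; since the strace earlier in the thread shows docker-containerd started with "--runtime docker-runc", a one-line note that this tag matches the docker-engine version in the same series would let reviewers check the pairing without digging through upstream history.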
Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/runc/runc.hash | 2 +-
 package/runc/runc.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)