From: Jesse Dowell <jesse.dowell@gmail.com>
To: guix-devel@gnu.org
Subject: Adjustments to Docker related packages and service
Date: Sat, 19 Sep 2020 15:03:29 -0400
Message-ID: <CADdvwM-+u-6tosYd5ygvNX1W8_n+vMPKK5E7vcwDB7t6KsSkaA@mail.gmail.com>



Hello Guix,

I've been maintaining a set of patches to Docker in Guix that fix/modify
various aspects of the package and service in ways that are helpful to me.

I'd like to get these changes upstream if possible but I don't know which
of these changes might be qualified as a patch vs a bug fix. Also, it's
possible that I'm unaware of side-effects that these changes might have on
use-cases outside of my own scope of work.

The patches are attached. I think that each patch might stand independently
on its own but I haven't tested them in that configuration.

A quick summary of each patch:

0001-gnu-docker-Synchronize-docker-dependencies-with-the-.patch

This patch synchronizes docker-libnetwork and go-sctp with the current
version of docker. Without this patch, I've encountered some issues (I
forget the specifics offhand - sorry). Also, I believe this is an
appropriate change based on comments in the guix source code for the
packages and build instructions I've seen elsewhere.

0002-gnu-docker-compile-docker-with-seccomp-enabled.patch

I utilize docker seccomp profiles and the current version of docker on guix
does not support them. This seems safe enough to enable for everyone but
perhaps there's something I'm overlooking?

0003-services-docker-shepherd-service-fix-enable-proxy-op.patch

This is a bug fix. I don't think the current code properly disables the
userland-proxy when the option is set to false.

0004-gnu-docker-use-nftables-via-iptables-legacy.patch

I'm guessing this patch won't fly as-is but it's helpful for systems using
nftables instead of iptables. I could try to adjust it to make it flexible
if there's any interest.

That's everything. Any suggestions or comments would be much appreciated.

Best,
Jesse


[-- Attachment #2: 0001-gnu-docker-Synchronize-docker-dependencies-with-the-.patch --]
[-- Type: text/x-patch, Size: 4061 bytes --]

From 53e80970f69f2e15be8d320a8e1995ffd0bd8cb0 Mon Sep 17 00:00:00 2001
From: Jesse Dowell <jessedowell@gmail.com>
Date: Sat, 19 Sep 2020 12:08:27 -0400
Subject: [PATCH 1/4] gnu: docker: Synchronize docker dependencies with the
 current version of docker.

---
 gnu/packages/docker.scm     | 17 ++++++++++-------
 gnu/packages/networking.scm |  8 +++++---
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
index bc7e02ec46..69905e59bb 100644
--- a/gnu/packages/docker.scm
+++ b/gnu/packages/docker.scm
@@ -48,6 +48,8 @@
   #:use-module (gnu packages version-control)
   #:use-module (gnu packages virtualization))
 
+;; Note - when changing Docker versions it is important to update the versions
+;; of several associated packages (docker-libnetwork and go-sctp).
 (define %docker-version "19.03.12")
 
 (define-public python-docker
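Review bot: the new comment above %docker-version says what must be kept in sync but not where the matching commits come from; point it at the sources of truth (Docker's 'hack/dockerfile/install/proxy.installer' for docker-libnetwork, as the comment further down already cites, and libnetwork's own vendor.conf for go-sctp) so the next bump does not depend on memory. The commit message should also carry the usual Guix ChangeLog entries, e.g. `* gnu/packages/docker.scm (docker-libnetwork): Update to commit 026aaba.` and one for go-sctp in networking.scm, and name the issues the version mismatch caused.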
@@ -246,9 +248,10 @@ network attachments.")
 (define docker-libnetwork
   ;; There are no recent release for libnetwork, so choose the last commit of
   ;; the branch that Docker uses, as can be seen in the Docker source file
-  ;; 'hack/dockerfile/install/proxy.installer'.
-  (let ((commit "4725f2163fb214a6312f3beae5991f838ec36326")
-        (version "18.09")
+  ;; 'hack/dockerfile/install/proxy.installer'. NOTE - It is important that
+  ;; this version is kept in sync with the version of Docker being used.
+  (let ((commit "026aabaa659832804b01754aaadd2c0f420c68b6")
+        (version "19.03")
         (revision "1"))
     (package
       (name "docker-libnetwork")
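Review bot: the NOTE added to the docker-libnetwork comment duplicates the one just added above %docker-version; keep a single note where the bump actually happens and let this comment only name the file the commit is read from. The version moves from "18.09" to "19.03" with revision left at "1", which is fine for a fresh version, but the commit message should record that 026aabaa659832804b01754aaadd2c0f420c68b6 is the commit proxy.installer pins for Docker 19.03.12 so a reviewer can confirm it without rebuilding.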
@@ -256,12 +259,12 @@ network attachments.")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
-                      (url "https://github.com/docker/libnetwork")
+                      (url "https://github.com/moby/libnetwork")
                       (commit commit)))
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "1zpnxki8qfzha6ljahpwd3vkzmjhsvkmf73w6crm4ilxxw5vnpfb"))
+                  "0bli21vn5v7bssw3ydym4jfdjsldhb47fld88kng7d138wl70lkw"))
                 ;; Delete bundled ("vendored") free software source code.
                 (modules '((guix build utils)))
                 (snippet '(begin
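Review bot: the source URL changes from docker/libnetwork to moby/libnetwork in the same hunk that replaces the sha256, so the two changes are hard to tell apart later; state in the commit message that the repository was renamed on GitHub (the old name redirects to the new one, so the pinned commit is the same tree) and that the new hash was produced with `guix hash -rx` on that checkout.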
@@ -269,8 +272,8 @@ network attachments.")
                             #t))))
       (build-system go-build-system)
       (arguments
-       `(#:import-path "github.com/docker/libnetwork/"))
-      (home-page "https://github.com/docker/libnetwork/")
+       `(#:import-path "github.com/moby/libnetwork/"))
+      (home-page "https://github.com/moby/libnetwork/")
       (synopsis "Networking for containers")
       (description "Libnetwork provides a native Go implementation for
 connecting containers.  The goal of @code{libnetwork} is to deliver a robust
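Review bot: changing #:import-path from github.com/docker/libnetwork/ to github.com/moby/libnetwork/ changes the path go-build-system unpacks the sources under in GOPATH, so every package that builds against the old path has to move too; the go-sctp comment in networking.scm names docker-libnetwork-cmd-proxy as a consumer, so please confirm it and the docker package itself still build with the new import path before this is applied, and mention that in the commit message.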
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 1c2e7cf979..964701af1a 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -1435,8 +1435,10 @@ handling network namespaces in Go.")
       (license license:asl2.0))))
 
 (define-public go-sctp
-  ;; docker-libnetwork-cmd-proxy requires this exact commit.
-  (let ((commit "07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb")
+  ;; docker-libnetwork-cmd-proxy requires this exact commit.  NOTE - It is
+  ;; important that this version is kept in sync with the current version of
+  ;; Docker and its associated dependencies.
+  (let ((commit "6e2cb1366111dcf547c13531e3a263a067715847")
         (revision "1"))
     (package
       (name "go-sctp")
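Review bot: go-sctp's commit changes while `revision` stays "1"; if the package's `version` field (not visible in this hunk) is unchanged, Guix convention is to bump `revision` so the two snapshots get distinct store names and `guix package --upgrade` notices the change. The comment also claims docker-libnetwork-cmd-proxy requires this exact commit; cite where that pin comes from (libnetwork's vendor.conf at the commit chosen above) so the next sync can be checked rather than guessed.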
@@ -1449,7 +1451,7 @@ handling network namespaces in Go.")
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "1mk9ncm10gwi5pn5wcw4skbyf4qg7n5qdf1mim4gf3mrckvi6g6h"))))
+                  "1ba90fmpdwxa1ba4hrsjhi3gfy3pwmz7x8amw1p5dc9p5a7nnqrb"))))
       (build-system go-build-system)
       (arguments
        `(#:import-path "github.com/ishidawataru/sctp"))
-- 
2.28.0


[-- Attachment #3: 0003-services-docker-shepherd-service-fix-enable-proxy-op.patch --]
[-- Type: text/x-patch, Size: 1486 bytes --]

From e5ecc9051ae14172acbab1e8b81e038f51a7bdf0 Mon Sep 17 00:00:00 2001
From: Jesse Dowell <jessedowell@gmail.com>
Date: Sat, 19 Sep 2020 12:40:38 -0400
Subject: [PATCH 3/4] services: docker-shepherd-service: fix enable-proxy?
 option

The userland proxy option does not properly disable the userland proxy when
set to false. Docker defaults to enabling the userland proxy if the option is
unset on the command line.
---
 gnu/services/docker.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index a4eccc7928..db7fdd5f4e 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -121,9 +121,9 @@ loop-back communications.")
                            #$@(if debug?
                                   '("--debug" "--log-level=debug")
                                   '())
-                           (if #$enable-proxy? "--userland-proxy" "")
-                           "--userland-proxy-path" (string-append #$proxy
-                                                                  "/bin/proxy")
+                           #$@(if enable-proxy?
+                                  '("--userland-proxy=true" (string-append "--userland-proxy-path=" proxy "/bin/proxy"))
+                                  '("--userland-proxy=false"))
                            (if #$enable-iptables?
                                "--iptables"
                                "--iptables=false"))
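Review bot: the replacement list is quoted, so `(string-append "--userland-proxy-path=" proxy "/bin/proxy")` is spliced in as literal data instead of being evaluated, and `proxy` is the host-side package variable, which is not bound inside the gexp (the removed lines used `#$proxy` for exactly that reason); with enable-proxy? set to #t the daemon gets a malformed argument or the service fails to start. Build the list instead, e.g.
`#$@(if enable-proxy? (list "--userland-proxy=true" "--userland-proxy-path" (file-append proxy "/bin/proxy")) '("--userland-proxy=false"))`
keeping the path as a separate argument as before. The fix itself is the right one: `(if #$enable-proxy? "--userland-proxy" "")` passed an empty-string argument to dockerd when disabled and never emitted `--userland-proxy=false`, so dockerd fell back to its default of enabling the proxy, exactly as the commit message describes. Please also wrap the long line to the 80-column limit used in the rest of the file.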
-- 
2.28.0


[-- Attachment #4: 0002-gnu-docker-compile-docker-with-seccomp-enabled.patch --]
[-- Type: text/x-patch, Size: 851 bytes --]

From 163e84b2dc3d13d716fa1db27ab93893a5419303 Mon Sep 17 00:00:00 2001
From: Jesse Dowell <jessedowell@gmail.com>
Date: Sat, 19 Sep 2020 12:34:47 -0400
Subject: [PATCH 2/4] gnu: docker: compile docker with seccomp enabled

---
 gnu/packages/docker.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
index 69905e59bb..825aa1ef0f 100644
--- a/gnu/packages/docker.scm
+++ b/gnu/packages/docker.scm
@@ -517,6 +517,7 @@ built-in registry server of Docker.")
              #t))
          (replace 'configure
            (lambda _
+             (setenv "DOCKER_BUILDTAGS" "seccomp")
              (setenv "DOCKER_GITCOMMIT" (string-append "v" ,%docker-version))
              (setenv "VERSION" (string-append ,%docker-version "-ce"))
              ;; Automatically use bundled dependencies.
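Review bot: setting DOCKER_BUILDTAGS to "seccomp" only produces a seccomp-capable daemon if libseccomp (and pkg-config to locate it) is among the package inputs, and this hunk does not show the inputs; the commit message should say whether libseccomp is already an input or the patch needs to add it. Also check whether assigning the variable, rather than appending to it, drops build tags Docker's hack/make.sh would otherwise add on its own; if so, append instead. A verification step worth recording: on the resulting system `docker info` lists `seccomp` under Security Options, and a container started with a custom `--security-opt seccomp=` profile is no longer rejected.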
-- 
2.28.0


[-- Attachment #5: 0004-gnu-docker-use-nftables-via-iptables-legacy.patch --]
[-- Type: text/x-patch, Size: 1049 bytes --]

From ac3277477bda6741ff3a8af9530c2fd68e2bb062 Mon Sep 17 00:00:00 2001
From: Jesse Dowell <jessedowell@gmail.com>
Date: Sat, 19 Sep 2020 12:45:39 -0400
Subject: [PATCH 4/4] gnu: docker: use nftables via iptables-legacy

---
 gnu/packages/docker.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
index 825aa1ef0f..322f00026f 100644
--- a/gnu/packages/docker.scm
+++ b/gnu/packages/docker.scm
@@ -438,8 +438,8 @@ built-in registry server of Docker.")
                   ("pvdisplay" "lvm2" "sbin/pvdisplay")
                   ("blkid" "util-linux" "sbin/blkid")
                   ("unpigz" "pigz" "bin/unpigz")
-                  ("iptables" "iptables" "sbin/iptables")
-                  ("iptables-legacy" "iptables" "sbin/iptables")
+                  ("iptables" "iptables" "sbin/iptables-nft")
+                  ("iptables-legacy" "iptables" "sbin/iptables-legacy")
                   ("ip" "iproute2" "sbin/ip"))
 
                  (substitute-Command*
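Review bot: this hardcodes the nftables backend for every user, so a host whose kernel and firewall tooling are on the legacy xtables backend would get an iptables binary talking to the wrong backend, and because the "iptables" package is referenced by name the hunk also assumes it ships `sbin/iptables-nft` and `sbin/iptables-legacy`, which should be confirmed against the package rather than assumed. Instead of changing the default, make the backend selectable (a package argument, or a field in the docker service configuration next to the existing `enable-iptables?`, that decides which binary "iptables" resolves to) so current users keep the existing behaviour, which is the flexible form the cover letter offers to write. The commit message should also explain why Docker's rules do not work through the legacy binary on an nftables host, since the cover letter only says the change is helpful there.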
-- 
2.28.0

