Bug 21824: use runc instead of docker

2d98c063 · boklm · b9fc5fc4 · 2d98c063 · 2d98c063 · 2d98c063
Unverified Commit 2d98c063 authored Apr 25, 2017 by boklm
--- a/README
+++ b/README
@@ -5,13 +5,12 @@ Installing build dependencies
 -----------------------------

 To build Tor Browser, you need a Linux distribution that has support
-for Docker (such as Debian jessie, Ubuntu 14.04, Fedora 20, etc ...).
-The Docker package is usually named docker.io or docker-io.
-On Debian jessie, the docker.io package is available in backports.
+for runC (such as Debian jessie, Ubuntu 14.04, Fedora 20, etc ...).
+On Debian jessie, the runc package is available in backports.

-Your user account should have access to the docker command without using
-sudo, so it should be in the docker group. The docker daemon should
-also be running.
+Your user account should have access sudo access, which is required to
+be able to extract container file systems, start containers and copy
+files to and from containers.

 The sources of most components are downloaded using git, which needs to
 be installed. The sources of webrtc are downloaded using gclient, which
@@ -41,7 +40,7 @@ If you are running Debian or Ubuntu, you can install them with:
                  libio-captureoutput-perl libfile-slurp-perl \
                  libstring-shellquote-perl libsort-versions-perl \
                  libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
-                  libfile-copy-recursive-perl git libgtk2.0-dev curl
+                  libfile-copy-recursive-perl git libgtk2.0-dev curl runc


 Starting a build
@@ -184,18 +183,6 @@ of files and containers that would be removed without doing it, you can
 use 'make clean-dry-run'.


-Multiple build directories on the same host
-------------------------------------------
-
-You can do multiple builds of Tor Browser in different directories on
-the same host. However the docker images namespace is global, so you
-may have some conflicts with the same image names used by the
-different builds. By default, the docker images are prefixed with
-tor-browser_$USER. You can change this prefix by defining the
-docker_image_prefix option in rbm.local.conf, using a different prefix
-for each of your build directories.
-
-
 Common Build Errors
 -------------------


--- a/keyring/ubuntu.gpg
+++ b/keyring/ubuntu.gpg
--- a/projects/binutils/config
+++ b/projects/binutils/config
 # vim: filetype=yaml sw=2
 version: 2.24
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 var:
  configure_opt: '--disable-multilib --enable-gold --enable-deterministic-archives --enable-plugins'
+  container:
+    use_container: 1

 targets:
  windows-i686:
@@ -15,7 +16,7 @@ input_files:
    sig_ext: sig
    file_gpg_id: 1
    gpg_keyring: binutils.gpg
-  - project: docker-image
+  - project: container-image
  - filename: enable-reloc-section-ld.patch
    enable: '[% c("var/windows") %]'
  - filename: peXXigen.patch

--- a/projects/cmake/config
+++ b/projects/cmake/config
@@ -5,7 +5,9 @@ git_hash: 'v[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: cmake.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+var:
+  container:
+    use_container: 1

 input_files:
-  - project: docker-image
+  - project: container-image
--- a/projects/common/runc-config.json
+++ b/projects/common/runc-config.json
+{
+	"ociVersion": "1.0.0-rc1",
+	"platform": {
+		"os": "linux",
+		"arch": "amd64"
+	},
+	"process": {
+		"terminal": true,
+		"user": {
+			"uid": 0,
+			"gid": 0
+		},
+		"args": [
+			"/rbm/run"
+		],
+		"env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"TERM=xterm"
+		],
+		"cwd": "/",
+		"capabilities": [
+			"CAP_AUDIT_WRITE",
+			"CAP_KILL",
+			"CAP_NET_BIND_SERVICE",
+			"CAP_SETGID",
+			"CAP_SETUID",
+			"CAP_MKNOD",
+			"CAP_SYS_CHROOT",
+[% IF c("var/container/CAP_SYS_ADMIN") -%]
+			"CAP_SYS_ADMIN",
+[% END -%]
+			"CAP_FSETID",
+			"CAP_FOWNER",
+			"CAP_DAC_OVERRIDE",
+			"CAP_CHOWN"
+		],
+		"rlimits": [
+			{
+				"type": "RLIMIT_NOFILE",
+				"hard": 1024,
+				"soft": 1024
+			}
+		],
+		"noNewPrivileges": true
+	},
+	"root": {
+		"path": "rootfs",
+		"readonly": false
+	},
+	"hostname": "runc",
+	"mounts": [
+		{
+			"destination": "/proc",
+			"type": "proc",
+			"source": "proc"
+		},
+		{
+			"type": "bind",
+			"source": "/etc/resolv.conf",
+			"destination": "/etc/resolv.conf",
+			"options": [
+				"rbind",
+				"ro"
+			]
+		},
+		{
+			"destination": "/dev",
+			"type": "tmpfs",
+			"source": "tmpfs",
+			"options": [
+				"nosuid",
+				"strictatime",
+				"mode=755",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/pts",
+			"type": "devpts",
+			"source": "devpts",
+			"options": [
+				"nosuid",
+				"noexec",
+				"newinstance",
+				"ptmxmode=0666",
+				"mode=0620",
+				"gid=5"
+			]
+		},
+		{
+			"destination": "/dev/shm",
+			"type": "tmpfs",
+			"source": "shm",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"mode=1777",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/mqueue",
+			"type": "mqueue",
+			"source": "mqueue",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev"
+			]
+		},
+		{
+			"destination": "/sys",
+			"type": "sysfs",
+			"source": "sysfs",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"ro"
+			]
+		},
+		{
+			"destination": "/sys/fs/cgroup",
+			"type": "cgroup",
+			"source": "cgroup",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"relatime",
+				"ro"
+			]
+		}
+	],
+	"hooks": {},
+	"linux": {
+		"resources": {
+			"devices": [
+				{
+					"allow": false,
+					"access": "rwm"
+				}
+			]
+		},
+		"namespaces": [
+			{
+				"type": "pid"
+			},
+			{
+				"type": "ipc"
+			},
+			{
+				"type": "uts"
+			},
+			{
+				"type": "mount"
+			}
+		],
+		"maskedPaths": [
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
+			"/proc/sched_debug"
+		],
+		"readonlyPaths": [
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger"
+		]
+	},
+	"solaris": {
+		"cappedCPU": {},
+		"cappedMemory": {}
+	}
+}
--- a/projects/container-image/build
+++ b/projects/container-image/build
+#!/bin/sh
+set -e
+# Doing nothing
--- a/projects/docker-image/config
+++ b/projects/docker-image/config
 # vim: filetype=yaml sw=2
-filename: '[% sha256(c("pre")).substr(0, 12) %]'
-remote_docker: 1
-docker_save_image: '[% c("docker_image_prefix") %]:[% c("filename") %]'
+filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %]-[% sha256(c("pre")).substr(0, 12) %].tar.gz'
 pkg_type: build

-docker_image: '[% c("lsb_release/id").lower %]:[% c("lsb_release/release") %]'
+var:
+  container:
+    use_container: 1
+    suite: '[% pc(c("origin_project"), "var/container/suite") %]'
+    arch: '[% pc(c("origin_project"), "var/container/arch") %]'

 lsb_release:
-  id: '[% pc(c("origin_project", { no_distro => 1 }), "lsb_release/id", { no_distro => 1 }) %]'
-  release: '[% pc(c("origin_project", { no_distro => 1 }), "lsb_release/release", { no_distro => 1 }) %]'
-  codename: '[% pc(c("origin_project", { no_distro => 1 }), "lsb_release/codename", { no_distro => 1 }) %]'
+  id: Debian
+  codename: wheezy
+  release: 7.11

 pre: |
  #!/bin/sh
-  # [% c('docker_image') %]
+  # [% c('var/container/suite') %]
  set -e
-  [% IF c('lsb_release/release') == '14.10' -%]
-  sed -i 's/archive\.ubuntu\.com/old-releases.ubuntu.com/' /etc/apt/sources.list
-  [% END -%]
  [% IF pc(c('origin_project'), 'var/pre_pkginst') -%]
  [% pc(c('origin_project'), 'var/pre_pkginst') %]
  [% END -%]
-  [% IF c('lsb_release/id') == 'Ubuntu' || c('lsb_release/id') == 'Debian' %]
+  [% IF c("var/container/suite") == "precise" -%]
+  export INITRD=no
+  mkdir -p /etc/container_environment
+  echo -n no > /etc/container_environment/INITRD
+  dpkg-divert --local --rename --add /sbin/initctl
+  ln -s /bin/true /sbin/initctl
+  dpkg-divert --local --rename --add /usr/bin/ischroot
+  ln -sf /bin/true /usr/bin/ischroot
+  cat >> /etc/apt/sources.list << EOF
+  deb http://archive.ubuntu.com/ubuntu/ precise-updates main
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-updates main
+
+  deb http://archive.ubuntu.com/ubuntu/ precise universe
+  deb-src http://archive.ubuntu.com/ubuntu/ precise universe
+  deb http://archive.ubuntu.com/ubuntu/ precise-updates universe
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-updates universe
+
+  deb http://archive.ubuntu.com/ubuntu/ precise-security main
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-security main
+  deb http://archive.ubuntu.com/ubuntu/ precise-security universe
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-security universe
+  EOF
+  [% END -%]
  apt-get update -y
  apt-get upgrade -y
-  [% END %]
  [%
     deps = [];
     IF pc(c('origin_project'), 'var/deps');
@@ -49,3 +69,18 @@ pre: |
  [% IF pc(c('origin_project'), 'var/post_pkginst') -%]
  [% pc(c('origin_project'), 'var/post_pkginst') %]
  [% END -%]
+
+remote_get: |
+  #!/bin/sh
+  set -e
+  [%
+    SET src = shell_quote(c('get_src', { error_if_undef => 1 }));
+    SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
+  -%]
+  mkdir -p "[% dst %]"
+  sudo tar -C "[% c("var/container/dir") %]/rootfs" -czf "[% dst %]/[% c("filename") %]" .
+
+input_files:
+  - project: debootstrap-image
+    target:
+      - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
--- a/projects/debootstrap-image/build
+++ b/projects/debootstrap-image/build
+#!/bin/sh
+set -e
+# Doing nothing
--- a/projects/debootstrap-image/config
+++ b/projects/debootstrap-image/config
+# vim: filetype=yaml sw=2
+filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %].tar.gz'
+pkg_type: build
+
+var:
+  ubuntu_version: 17.04
+
+  container_dir: '[% c("tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]'
+  container_user: rbm
+
+  container:
+    use_container: 1
+    # We need CAP_SYS_ADMIN for debootstrap to work
+    CAP_SYS_ADMIN: 1
+
+pre: |
+  #!/bin/sh
+  set -e
+  apt-get update -y
+  apt-get install -y debian-archive-keyring ubuntu-keyring debootstrap
+  debootstrap --arch=[% c("var/container/arch") %] [% c("var/container/debootstrap_opt") %] [% c("var/container/suite") %] base-image [% c("var/container/debootstrap_mirror") %]
+  tar -C ./base-image -czf [% dest_dir %]/[% c("filename") %] .
+
+targets:
+  wheezy-amd64:
+    var:
+      container:
+        suite: wheezy
+        arch: amd64
+  jessie-amd64:
+    var:
+      container:
+        suite: jessie
+        arch: amd64
+  precise-amd64:
+    var:
+      container:
+        suite: precise
+        arch: amd64
+        debootstrap_opt: --keyring=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
+  utopic-amd64:
+    var:
+      container:
+        suite: utopic
+        arch: amd64
+        debootstrap_mirror: http://old-releases.ubuntu.com/ubuntu/
+
+input_files:
+  - URL: 'http://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+    filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+    sha256sum: df2c8fd540e474b8e1e29c0db8ed6b43a932918f1b9a8149bb82104a7c07ba2a
+
--- a/projects/docker-image/build
+++ b/projects/docker-image/build
-#!/bin/sh
-set -e
-echo 1 > [% dest_dir %]/[% c('filename') %]
-echo Creating [% dest_dir %]/[% c('filename') %]
--- a/projects/ed25519/config
+++ b/projects/ed25519/config
@@ -3,16 +3,17 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/agl/ed25519.git
 git_hash: c4161f4c7483313562781c61b9a20aba73daf9de
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1

 build: '[% c("projects/go/var/build_go_lib") %]'

 var:
+  container:
+    use_container: 1
  go_lib: github.com/agl/ed25519
  go_lib_install:
    - github.com/agl/ed25519/extra25519

 input_files:
-  - project: docker-image
+  - project: container-image
  - name: go
    project: go
--- a/projects/firefox/config
+++ b/projects/firefox/config
@@ -5,7 +5,6 @@ git_hash: 'tor-browser-[% c("var/firefox_version") %]-[% c("var/torbrowser_branc
 tag_gpg_id: 1
 git_url: https://git.torproject.org/tor-browser.git
 gpg_keyring: torbutton.gpg
-remote_docker: 1

 var:
  firefox_version: 52.1.0esr
@@ -19,6 +18,8 @@ var:
    - autoconf2.13
    - yasm
    - python
+  container:
+    use_container: 1

 targets:
  nightly:
@@ -74,7 +75,7 @@ targets:
      martools_filename: mar-tools-win32.zip

 input_files:
-  - project: docker-image
+  - project: container-image
  - name: '[% c("var/compiler") %]'
    project: '[% c("var/compiler") %]'
  - filename: get-moz-build-date

--- a/projects/fonts/config
+++ b/projects/fonts/config
@@ -3,8 +3,9 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/googlei18n/noto-fonts.git
 git_hash: 720e34851382ee3c1ef024d8dffb68ffbfb234c2
 filename: "[% project %]-[% c('version') %]-[% c('var/build_id') %].tar.gz"
-remote_docker: 1
 var:
+  container:
+    use_container: 1
  noto_fonts_hinted:
    - Arimo-Regular.ttf
    - Arimo-Bold.ttf
@@ -85,7 +86,7 @@ targets:
        - NotoSansYi-Regular.ttf

 input_files:
-  - project: docker-image
+  - project: container-image
  - URL: https://github.com/googlei18n/noto-emoji/raw/2f1ffdd6fbbd05d6f382138a3d3adcd89c5ce800/fonts/NotoEmoji-Regular.ttf
    sha256sum: 415dc6290378574135b64c808dc640c1df7531973290c4970c51fdeb849cb0c5
    enable: '[% c("var/linux") %]'

--- a/projects/gcc/config
+++ b/projects/gcc/config
 # vim: filetype=yaml sw=2
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 version: 5.1.0
-remote_docker: 1
 var:
+  container:
+    use_container: 1
  configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
  deps:
    - build-essential
@@ -42,6 +43,6 @@ targets:
    var:
      configure_opt: --disable-multilib --enable-languages=c,c++
 input_files:
+  - project: container-image
  - URL: 'https://ftp.gnu.org/gnu/gcc/gcc-[% c("version") %]/gcc-[% c("version") %].tar.bz2'
    sha256sum: b7dafdf89cbb0e20333dbf5b5349319ae06e3d1a30bf3515b5488f7e89dca5ad
-  - project: docker-image
--- a/projects/gmp/config
+++ b/projects/gmp/config
 # vim: filetype=yaml sw=2
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
 version: 5.1.3
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1

 targets:
  linux:
@@ -9,9 +12,9 @@ targets:
      configure_opt_gmp: --enable-fat

 input_files:
+  - project: container-image
  - name: gmp
    URL: 'https://ftp.gnu.org/gnu/gmp/gmp-[% c("version") %].tar.bz2'
    sha256sum: 752079520b4690531171d0f4532e40f08600215feefede70b24fabdc6f1ab160
  - name: '[% c("var/compiler") %]'
    project: '[% c("var/compiler") %]'
-  - project: docker-image
--- a/projects/go-webrtc/config
+++ b/projects/go-webrtc/config
@@ -3,11 +3,12 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/keroserene/go-webrtc.git
 git_hash: ab1b64862e0c4b4182010699911c2c5818f0a101
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1

 build: '[% c("projects/go/var/build_go_lib") %]'

 var:
+  container:
+    use_container: 1
  go_lib: github.com/keroserene/go-webrtc
  build_go_lib_pre: |
    [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
@@ -43,7 +44,7 @@ targets:
        - lib32stdc++6

 input_files:
-  - project: docker-image
+  - project: container-image
  - name: go
    project: go
  - name: webrtc

--- a/projects/go/config
+++ b/projects/go/config
 # vim: filetype=yaml sw=2
 version: 1.7.5
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1

 var:
  go14_version: 1.4.3
+  container:
+    use_container: 1

  setup: |
    mkdir -p /var/tmp/dist
@@ -69,7 +70,7 @@ targets:
      GOARCH: 386

 input_files:
-  - project: docker-image
+  - project: container-image
  - name: '[% c("var/compiler") %]'
    project: '[% c("var/compiler") %]'
    enable: '[% c("var/windows") || c("var/osx") %]'

--- a/projects/goerrors/config
+++ b/projects/goerrors/config
@@ -3,14 +3,15 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/pkg/errors
 git_hash: 248dadf4e9068a0b3e79f02ed0a610d935de5302
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1

 build: '[% c("projects/go/var/build_go_lib") %]'

 var:
+  container:
+    use_container: 1
  go_lib: github.com/pkg/errors

 input_files:
-  - project: docker-image
+  - project: container-image
  - name: go
    project: go
--- a/projects/gogb/config
+++ b/projects/gogb/config
@@ -3,18 +3,19 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/constabulary/gb
 git_hash: 06cc925cce6592e922dcc4839a8b44feb384e71e
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1

 build: '[% c("projects/go/var/build_go_lib") %]'

 var:
+  container:
+    use_container: 1
  go_lib: github.com/constabulary/gb
  go_lib_install: github.com/constabulary/gb/cmd/gb
  go_lib_deps:
    - goerrors

 input_files:
-  - project: docker-image
+  - project: container-image
  - name: go
    project: go
  - name: goerrors

--- a/projects/goptlib/config
+++ b/projects/goptlib/config
@@ -5,14 +5,15 @@ git_hash: '[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: goptlib.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1

 build: '[% c("projects/go/var/build_go_lib") %]'

 var:
+  container:
+    use_container: 1
  go_lib: git.torproject.org/pluggable-transports/goptlib.git

 input_files:
-  - project: docker-image
+  - project: container-image
  - name