diff --git a/CHANGELOG.md b/CHANGELOG.md index ced2beae..52b4890a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY! This project adheres to [Semantic Versioning](http://semver.org/). +## v6.4.3 - 2017-11-03 + +* Use balena 17.06 and resin-base v2.9.2 for the docker-in-docker supervisor #518 [Pablo Carranza Velez] + ## v6.4.2 - 2017-11-03 * Avoid an indefinite recursion that grows the call stack when reporting the current state fails #480 [Pablo Carranza Velez] diff --git a/package.json b/package.json index e6d2b9f2..821105e6 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "resin-supervisor", "description": "This is resin.io's Supervisor, a program that runs on IoT devices and has the task of running user Apps (which are Docker containers), and updating them as Resin's API informs it to.", - "version": "6.4.2", + "version": "6.4.3", "license": "Apache-2.0", "repository": { "type": "git", diff --git a/tools/dind/Dockerfile b/tools/dind/Dockerfile index eb99de13..f9a6ea36 100644 --- a/tools/dind/Dockerfile +++ b/tools/dind/Dockerfile @@ -1,4 +1,4 @@ -FROM resin/resin-base:2 +FROM resin/resin-base:v2.9.2 VOLUME /var/lib/docker VOLUME /resin-data @@ -11,7 +11,7 @@ RUN apt-get update \ aufs-tools \ && rm -rf /var/lib/apt/lists/* -ENV DOCKER_VERSION 1.10.3 +ENV BALENA_VERSION 17.06-rev1 ENV RELEASE_NAME jessie # Change to 'true' to allow blank password dropbear logins on dind HostOS 
@@ -20,14 +20,10 @@ ARG PASSWORDLESS_DROPBEAR=false COPY config/certs/ /usr/local/share/ca-certificates/ RUN rm -f /usr/local/share/ca-certificates/.keepme ; update-ca-certificates -RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D \ - && echo deb https://apt.dockerproject.org/repo debian-${RELEASE_NAME} main > /etc/apt/sources.list.d/docker.list \ - && apt-get update || true \ - && apt-get --force-yes install docker-engine=${DOCKER_VERSION}-0~${RELEASE_NAME} \ - && rm -rf /var/lib/apt/lists/* +RUN curl -sL "https://github.com/resin-os/balena/releases/download/${BALENA_VERSION}/balena-${BALENA_VERSION}-x86_64.tar.gz" \ + | tar xzv -C /usr/bin --strip-components=1 -ENV DIND_COMMIT 3b5fac462d21ca164b3778647420016315289034 -RUN curl -sL https://raw.githubusercontent.com/docker/docker/${DIND_COMMIT}/hack/dind > /usr/bin/dind \ +RUN curl -sL https://raw.githubusercontent.com/resin-os/balena/${BALENA_VERSION}/hack/dind > /usr/bin/dind \ && chmod +x /usr/bin/dind RUN passwd -d root @@ -43,6 +39,8 @@ COPY resin-vars vpn-init /usr/src/app/ RUN if [ "$PASSWORDLESS_DROPBEAR" = "true" ]; then sed -i 's/\(DROPBEAR_EXTRA_ARGS=\).*/\1"-B"/' /etc/default/dropbear; fi +ENV DOCKER_HOST unix:///var/run/docker.sock +RUN groupadd docker RUN systemctl enable resin-supervisor-dind COPY supervisor-image.tar /usr/src/ diff --git a/tools/dind/config/services/docker.service b/tools/dind/config/services/docker.service new file mode 100644 index 00000000..a8f9a602 --- /dev/null +++ b/tools/dind/config/services/docker.service 
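Review bot: Both downloads in this hunk are installed as root with no integrity check, and `curl -sL` without `-f` exits 0 on an HTTP error, so an error body would be written to `/usr/bin/dind` and marked executable while the build still succeeds. In the tarball pipeline curl's exit status is discarded under the default shell and only `tar` decides the result. The removed lines pinned `hack/dind` to a commit hash through `DIND_COMMIT`; the new URL uses `${BALENA_VERSION}`, which looks like a tag and could be moved upstream. Downloading to a file, checking a recorded SHA-256 before extracting, and keeping a commit pin for the script would close this; the digest and commit values below are placeholders to be filled in.

```dockerfile
# Placeholders (constructed): record the real digest and commit for ${BALENA_VERSION}.
ENV BALENA_SHA256 REPLACE_WITH_TARBALL_SHA256
ENV DIND_COMMIT REPLACE_WITH_BALENA_COMMIT_SHA
RUN curl -fsSL -o /tmp/balena.tar.gz "https://github.com/resin-os/balena/releases/download/${BALENA_VERSION}/balena-${BALENA_VERSION}-x86_64.tar.gz" \
	&& echo "${BALENA_SHA256}  /tmp/balena.tar.gz" | sha256sum -c - \
	&& tar xzf /tmp/balena.tar.gz -C /usr/bin --strip-components=1 \
	&& rm /tmp/balena.tar.gz

RUN curl -fsSL -o /usr/bin/dind "https://raw.githubusercontent.com/resin-os/balena/${DIND_COMMIT}/hack/dind" \
	&& chmod +x /usr/bin/dind
# … unchanged: RUN passwd -d root …
```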
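Review bot: `RUN groupadd docker` in the `@@ -43,6 +39,8 @@` hunk has no comment saying why the group is created, and it creates an ordinary rather than a system group. It appears to exist for `SocketGroup=docker` in the new docker.socket unit, where membership gives full control of the engine through `/var/run/docker.sock`. I would write `RUN groupadd --system docker` and put `# owns /var/run/docker.sock (config/services/docker.socket); members control the engine` above it.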
@@ -0,0 +1,19 @@
+[Unit]
+Description=Balena Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target docker.socket
+Requires=docker.socket
+
+[Service]
+Type=notify
+Restart=always
+ExecStart=/usr/bin/dind /usr/bin/balenad --storage-driver aufs --host=fd:// -g /var/lib/docker
+#Adjust OOMscore to -900 to make killing balena unlikely
+OOMScoreAdjust=-900
+MountFlags=slave
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/dind/config/services/docker.service.d/aufs.conf b/tools/dind/config/services/docker.service.d/aufs.conf
deleted file mode 100644
index 96276c82..00000000
--- a/tools/dind/config/services/docker.service.d/aufs.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/dind /usr/bin/docker daemon --storage-driver aufs --host=fd://
diff --git a/tools/dind/config/services/docker.socket b/tools/dind/config/services/docker.socket
new file mode 100644
index 00000000..7dd95098
--- /dev/null
+++ b/tools/dind/config/services/docker.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
diff --git a/tools/dind/config/services/resin-supervisor-dind.service b/tools/dind/config/services/resin-supervisor-dind.service
index e95a6955..5c726976 100644
--- a/tools/dind/config/services/resin-supervisor-dind.service
+++ b/tools/dind/config/services/resin-supervisor-dind.service
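Review bot: `LimitCORE=infinity` in the new docker.service carries no comment, unlike `OOMScoreAdjust` just above it, so it is unclear whether unlimited core dumps are wanted in this image. A core file of the engine is a copy of its process memory and may include credentials or container environment values it was handling at the time. If dumps are not needed I would set `LimitCORE=0`; otherwise add a line such as `# core dumps kept on purpose for debugging the dind engine`.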
@@ -6,15 +6,16 @@ Before=openvpn-resin.service [Service] WorkingDirectory=/usr/src/app +Environment=DOCKER_HOST=unix:///var/run/docker.sock EnvironmentFile=/usr/src/app/config/env EnvironmentFile=/usr/src/app/config/localenv -ExecStartPre=/bin/bash -c 'if [ "${PRELOADED_IMAGE}" == "true" ]; then /usr/bin/docker pull $(jq --raw-output ".[0].imageId" ${APPS_PATH}); fi' -ExecStartPre=/usr/bin/docker load --input /usr/src/supervisor-image.tar -ExecStartPre=-/usr/bin/docker kill resin_supervisor -ExecStartPre=-/usr/bin/docker rm resin_supervisor +ExecStartPre=/bin/bash -c 'if [ "${PRELOADED_IMAGE}" == "true" ]; then /usr/bin/balena pull $(jq --raw-output ".[0].imageId" ${APPS_PATH}); fi' +ExecStartPre=/usr/bin/balena load --input /usr/src/supervisor-image.tar +ExecStartPre=-/usr/bin/balena kill resin_supervisor +ExecStartPre=-/usr/bin/balena rm resin_supervisor ExecStartPre=-/bin/touch /etc/resolv.conf ExecStart=/bin/bash -c 'source /usr/src/app/resin-vars && \ - /usr/bin/docker run --rm --privileged --name resin_supervisor \ + /usr/bin/balena run --rm --privileged --name resin_supervisor \ --net=host \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "${CONFIG_PATH}:/boot/config.json" \
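Review bot: The `balena pull` pre-start line passes `$(jq --raw-output ".[0].imageId" ${APPS_PATH})` unquoted, so the value read from the apps file is word-split by bash and a value beginning with `-` would be parsed as an option. Quoting both expansions and ending option parsing keeps it a single image argument: `/usr/bin/balena pull -- "$(jq --raw-output ".[0].imageId" "${APPS_PATH}")"`. The quoting predates this commit, which only swaps the binary name, but the line is rewritten here and is a convenient place to fix it. The `ExecStart` command continues past the end of the hunk, so its remaining arguments are not covered by this note.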