diff --git a/Dockerfile b/Dockerfile
index 4b3cb30a02..0b79732941 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,6 @@ ARG SYSTEMD="false"
 ARG GO_VERSION=1.18.2
 ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_VERSION=0.5.0
-ARG DOCKER_BUILDTAGS="apparmor seccomp"
 ARG BASE_DEBIAN_DISTRO="bullseye"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
diff --git a/daemon/seccomp_disabled.go b/daemon/seccomp_disabled.go
deleted file mode 100644
index 5cfe585e16..0000000000
--- a/daemon/seccomp_disabled.go
+++ /dev/null
@@ -1,26 +0,0 @@
-//go:build linux && !seccomp
-// +build linux,!seccomp
-
-package daemon // import "github.com/docker/docker/daemon"
-
-import (
- "context"
- "fmt"
-
- "github.com/containerd/containerd/containers"
- coci "github.com/containerd/containerd/oci"
- "github.com/docker/docker/container"
- dconfig "github.com/docker/docker/daemon/config"
-)
-
-const supportsSeccomp = false
-
-// WithSeccomp sets the seccomp profile
-func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
- return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
- if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
- return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
- }
- return nil
- }
-}
diff --git a/daemon/seccomp_linux.go b/daemon/seccomp_linux.go
index 860635e2c1..8336b00392 100644
--- a/daemon/seccomp_linux.go
+++ b/daemon/seccomp_linux.go
@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 import (
diff --git a/daemon/seccomp_linux_test.go b/daemon/seccomp_linux_test.go
index 93b29e1c12..c44af03446 100644
--- a/daemon/seccomp_linux_test.go
+++ b/daemon/seccomp_linux_test.go
@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 import (
diff --git a/hack/test/unit b/hack/test/unit
index 7c8ff53adc..454e99291f 100755
--- a/hack/test/unit
+++ b/hack/test/unit
@@ -12,7 +12,7 @@
 #
 set -eux -o pipefail
-BUILDFLAGS=(-tags 'netgo seccomp libdm_no_deferred_remove')
+BUILDFLAGS=(-tags 'netgo libdm_no_deferred_remove')
 TESTFLAGS+=" -test.timeout=${TIMEOUT:-5m}"
 TESTDIRS="${TESTDIRS:-./...}"
 exclude_paths='/vendor/|/integration'
diff --git a/integration-cli/requirements_unix_test.go b/integration-cli/requirements_unix_test.go
index b0cc0e8f11..cc7c911662 100644
--- a/integration-cli/requirements_unix_test.go
+++ b/integration-cli/requirements_unix_test.go
@@ -62,7 +62,7 @@ func cgroupCpuset() bool {
 }
 func seccompEnabled() bool {
- return supportsSeccomp && SysInfo.Seccomp
+ return SysInfo.Seccomp
 }
 func bridgeNfIptables() bool {
diff --git a/integration-cli/test_vars_noseccomp_test.go b/integration-cli/test_vars_noseccomp_test.go
deleted file mode 100644
index 79c7f3bb6e..0000000000
--- a/integration-cli/test_vars_noseccomp_test.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build !seccomp
-// +build !seccomp
-
-package main
-
-const (
- // indicates docker daemon built with seccomp support
- supportsSeccomp = false
-)
diff --git a/integration-cli/test_vars_seccomp_test.go b/integration-cli/test_vars_seccomp_test.go
deleted file mode 100644
index 0c16cf4ae8..0000000000
--- a/integration-cli/test_vars_seccomp_test.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build seccomp
-// +build seccomp
-
-package main
-
-const (
- // indicates docker daemon built with seccomp support
- supportsSeccomp = true
-)
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index e51f1018aa..7c06e728b7 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -1,6 +1,3 @@
-//go:build seccomp
-// +build seccomp
-
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 import (
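Review bot: `seccompEnabled()` in integration-cli/requirements_unix_test.go now rests on `SysInfo.Seccomp` alone, and nothing at the function says what that field measures. With the compile-time `supportsSeccomp` constant gone, I would add a doc comment such as `// seccompEnabled reports whether SysInfo detected seccomp support; it no longer depends on a build tag.` Where `SysInfo` is populated is not visible in this hunk; if it describes the machine running the test binary rather than the daemon under test, the comment should say so, since tests gated on this helper would presumably be skipped when it returns false and a skipped seccomp test is easy to miss.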
diff --git a/profiles/seccomp/seccomp_unsupported.go b/profiles/seccomp/seccomp_unsupported.go
deleted file mode 100644
index d337695e10..0000000000
--- a/profiles/seccomp/seccomp_unsupported.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build linux && !seccomp
-// +build linux,!seccomp
-
-package seccomp // import "github.com/docker/docker/profiles/seccomp"
-
-// DefaultProfile returns a nil pointer on unsupported systems.
-func DefaultProfile() *Seccomp {
- return nil
-}
diff --git a/project/PACKAGERS.md b/project/PACKAGERS.md
index 502a3808b1..62b7ed50d3 100644
--- a/project/PACKAGERS.md
+++ b/project/PACKAGERS.md
@@ -81,14 +81,8 @@ Please use our build script ("./hack/make.sh") for compilation.
 ### `DOCKER_BUILDTAGS`
-If you're building a binary that might be used on platforms that include
-seccomp, you will need to use the `seccomp` build tag:
-```bash
-export DOCKER_BUILDTAGS='seccomp'
-```
-
-There are build tags for disabling graphdrivers as well. By default, support
-for all graphdrivers are built in.
+There are build tags for disabling graphdrivers, if necessary. By default,
+support for all graphdrivers are built in.
 To disable btrfs:
 ```bash
@@ -107,7 +101,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'
 NOTE: if you need to set more than one build tag, space separate them:
 ```bash
-export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs'
+export DOCKER_BUILDTAGS='exclude_graphdriver_aufs exclude_graphdriver_btrfs'
 ```
 ## System Dependencies