
Merge pull request #42501 from tianon/always-seccomp

Remove "seccomp" build tag
Brian Goff hace 3 años
padre
commit
f32b304a8f

+ 0 - 1
Dockerfile

@@ -5,7 +5,6 @@ ARG SYSTEMD="false"
 ARG GO_VERSION=1.18.2
 ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_VERSION=0.5.0
-ARG DOCKER_BUILDTAGS="apparmor seccomp"
 
 ARG BASE_DEBIAN_DISTRO="bullseye"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"

+ 0 - 26
daemon/seccomp_disabled.go

@@ -1,26 +0,0 @@
-//go:build linux && !seccomp
-// +build linux,!seccomp
-
-package daemon // import "github.com/docker/docker/daemon"
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/containerd/containerd/containers"
-	coci "github.com/containerd/containerd/oci"
-	"github.com/docker/docker/container"
-	dconfig "github.com/docker/docker/daemon/config"
-)
-
-const supportsSeccomp = false
-
-// WithSeccomp sets the seccomp profile
-func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
-	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
-		if c.SeccompProfile != "" && c.SeccompProfile != dconfig.SeccompProfileUnconfined {
-			return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
-		}
-		return nil
-	}
-}

+ 0 - 3
daemon/seccomp_linux.go

@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 
 import (

+ 0 - 3
daemon/seccomp_linux_test.go

@@ -1,6 +1,3 @@
-//go:build linux && seccomp
-// +build linux,seccomp
-
 package daemon // import "github.com/docker/docker/daemon"
 
 import (

+ 1 - 1
hack/test/unit

@@ -12,7 +12,7 @@
 #
 set -eux -o pipefail
 
-BUILDFLAGS=(-tags 'netgo seccomp libdm_no_deferred_remove')
+BUILDFLAGS=(-tags 'netgo libdm_no_deferred_remove')
 TESTFLAGS+=" -test.timeout=${TIMEOUT:-5m}"
 TESTDIRS="${TESTDIRS:-./...}"
 exclude_paths='/vendor/|/integration'

+ 1 - 1
integration-cli/requirements_unix_test.go

@@ -62,7 +62,7 @@ func cgroupCpuset() bool {
 }
 
 func seccompEnabled() bool {
-	return supportsSeccomp && SysInfo.Seccomp
+	return SysInfo.Seccomp
 }
 
 func bridgeNfIptables() bool {
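Review bot: `seccompEnabled()` now depends only on `SysInfo.Seccomp`, and nothing at the function says that this value describes kernel support rather than how the daemon was built. Tests gated on this requirement are presumably skipped when it returns false, so a host without seccomp could pass the suite without running any seccomp test. I would add a doc comment such as `// seccompEnabled reports whether the host kernel supports seccomp; daemon-side support is always compiled in.` If `SysInfo` is collected on the machine running the tests rather than from the daemon under test (not visible in this hunk), the comment should say so, because the two can differ when the daemon is remote.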

+ 0 - 9
integration-cli/test_vars_noseccomp_test.go

@@ -1,9 +0,0 @@
-//go:build !seccomp
-// +build !seccomp
-
-package main
-
-const (
-	// indicates docker daemon built with seccomp support
-	supportsSeccomp = false
-)

+ 0 - 9
integration-cli/test_vars_seccomp_test.go

@@ -1,9 +0,0 @@
-//go:build seccomp
-// +build seccomp
-
-package main
-
-const (
-	// indicates docker daemon built with seccomp support
-	supportsSeccomp = true
-)

+ 0 - 3
profiles/seccomp/default_linux.go

@@ -1,6 +1,3 @@
-//go:build seccomp
-// +build seccomp
-
 package seccomp // import "github.com/docker/docker/profiles/seccomp"
 
 import (

+ 0 - 9
profiles/seccomp/seccomp_unsupported.go

@@ -1,9 +0,0 @@
-//go:build linux && !seccomp
-// +build linux,!seccomp
-
-package seccomp // import "github.com/docker/docker/profiles/seccomp"
-
-// DefaultProfile returns a nil pointer on unsupported systems.
-func DefaultProfile() *Seccomp {
-	return nil
-}

+ 3 - 9
project/PACKAGERS.md

@@ -81,14 +81,8 @@ Please use our build script ("./hack/make.sh") for compilation.
 
 ### `DOCKER_BUILDTAGS`
 
-If you're building a binary that might be used on platforms that include
-seccomp, you will need to use the `seccomp` build tag:
-```bash
-export DOCKER_BUILDTAGS='seccomp'
-```
-
-There are build tags for disabling graphdrivers as well. By default, support
-for all graphdrivers are built in.
+There are build tags for disabling graphdrivers, if necessary. By default,
+support for all graphdrivers are built in.
 
 To disable btrfs:
 ```bash
@@ -107,7 +101,7 @@ export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'
 
 NOTE: if you need to set more than one build tag, space separate them:
 ```bash
-export DOCKER_BUILDTAGS='apparmor exclude_graphdriver_aufs'
+export DOCKER_BUILDTAGS='exclude_graphdriver_aufs exclude_graphdriver_btrfs'
 ```
 
 ## System Dependencies