[tor-commits] [tor-browser-build/master] Bug 21824: use runc instead of docker

boklm at torproject.org boklm at torproject.org
Fri May 5 15:22:04 UTC 2017


commit 2d98c063010fc5b0f8da3e386587a501e27507b9
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Tue Apr 25 22:06:10 2017 +0200

    Bug 21824: use runc instead of docker
---
 README                            |  25 ++----
 keyring/ubuntu.gpg                | Bin 0 -> 32904 bytes
 projects/binutils/config          |   5 +-
 projects/cmake/config             |   6 +-
 projects/common/runc-config.json  | 179 ++++++++++++++++++++++++++++++++++++++
 projects/container-image/build    |   3 +
 projects/container-image/config   |  86 ++++++++++++++++++
 projects/debootstrap-image/build  |   3 +
 projects/debootstrap-image/config |  52 +++++++++++
 projects/docker-image/build       |   4 -
 projects/docker-image/config      |  51 -----------
 projects/ed25519/config           |   5 +-
 projects/firefox/config           |   5 +-
 projects/fonts/config             |   5 +-
 projects/gcc/config               |   5 +-
 projects/gmp/config               |   7 +-
 projects/go-webrtc/config         |   5 +-
 projects/go/config                |   5 +-
 projects/goerrors/config          |   5 +-
 projects/gogb/config              |   5 +-
 projects/goptlib/config           |   5 +-
 projects/goxcrypto/config         |   5 +-
 projects/goxnet/config            |   5 +-
 projects/https-everywhere/config  |   9 +-
 projects/libdmg-hfsplus/config    |   5 +-
 projects/libevent/config          |   7 +-
 projects/llvm/config              |   7 +-
 projects/macosx-toolchain/config  |   5 +-
 projects/meek/config              |   6 +-
 projects/mingw-w64/config         |   5 +-
 projects/nsis/config              |   5 +-
 projects/obfs4/config             |   7 +-
 projects/openssl/config           |   7 +-
 projects/sandbox/config           |   8 +-
 projects/siphash/config           |   5 +-
 projects/snowflake/config         |   7 +-
 projects/tor-browser/config       |   8 +-
 projects/tor-launcher/config      |   6 +-
 projects/tor/config               |   5 +-
 projects/torbutton/config         |   6 +-
 projects/uniuri/config            |   5 +-
 projects/webrtc/config            |  10 ++-
 projects/yasm/config              |   6 +-
 projects/zlib/config              |   7 +-
 rbm                               |   2 +-
 rbm.conf                          |  93 ++++++++++++++++++--
 rbm.local.conf.example            |   6 --
 tools/clean-old                   |  21 -----
 48 files changed, 549 insertions(+), 185 deletions(-)

diff --git a/README b/README
index 08904fb..fa968ff 100644
--- a/README
+++ b/README
@@ -5,13 +5,12 @@ Installing build dependencies
 -----------------------------
 
 To build Tor Browser, you need a Linux distribution that has support
-for Docker (such as Debian jessie, Ubuntu 14.04, Fedora 20, etc ...).
-The Docker package is usually named docker.io or docker-io.
-On Debian jessie, the docker.io package is available in backports.
+for runC (such as Debian jessie, Ubuntu 14.04, Fedora 20, etc ...).
+On Debian jessie, the runc package is available in backports.
 
-Your user account should have access to the docker command without using
-sudo, so it should be in the docker group. The docker daemon should
-also be running.
+Your user account should have access sudo access, which is required to
+be able to extract container file systems, start containers and copy
+files to and from containers.
 
 The sources of most components are downloaded using git, which needs to
 be installed. The sources of webrtc are downloaded using gclient, which
@@ -41,7 +40,7 @@ If you are running Debian or Ubuntu, you can install them with:
                   libio-captureoutput-perl libfile-slurp-perl \
                   libstring-shellquote-perl libsort-versions-perl \
                   libdigest-sha-perl libdata-uuid-perl libdata-dump-perl \
-                  libfile-copy-recursive-perl git libgtk2.0-dev curl
+                  libfile-copy-recursive-perl git libgtk2.0-dev curl runc
 
 
 Starting a build
@@ -184,18 +183,6 @@ of files and containers that would be removed without doing it, you can
 use 'make clean-dry-run'.
 
 
-Multiple build directories on the same host
--------------------------------------------
-
-You can do multiple builds of Tor Browser in different directories on
-the same host. However the docker images namespace is global, so you
-may have some conflicts with the same image names used by the
-different builds. By default, the docker images are prefixed with
-tor-browser_$USER. You can change this prefix by defining the
-docker_image_prefix option in rbm.local.conf, using a different prefix
-for each of your build directories.
-
-
 Common Build Errors
 -------------------
 
diff --git a/keyring/ubuntu.gpg b/keyring/ubuntu.gpg
new file mode 100644
index 0000000..8b77bf0
Binary files /dev/null and b/keyring/ubuntu.gpg differ
diff --git a/projects/binutils/config b/projects/binutils/config
index 2975f14..0cb2088 100644
--- a/projects/binutils/config
+++ b/projects/binutils/config
@@ -1,9 +1,10 @@
 # vim: filetype=yaml sw=2
 version: 2.24
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 var:
   configure_opt: '--disable-multilib --enable-gold --enable-deterministic-archives --enable-plugins'
+  container:
+    use_container: 1
 
 targets:
   windows-i686:
@@ -15,7 +16,7 @@ input_files:
     sig_ext: sig
     file_gpg_id: 1
     gpg_keyring: binutils.gpg
-  - project: docker-image
+  - project: container-image
   - filename: enable-reloc-section-ld.patch
     enable: '[% c("var/windows") %]'
   - filename: peXXigen.patch
diff --git a/projects/cmake/config b/projects/cmake/config
index 837d9e1..357370d 100644
--- a/projects/cmake/config
+++ b/projects/cmake/config
@@ -5,7 +5,9 @@ git_hash: 'v[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: cmake.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+var:
+  container:
+    use_container: 1
 
 input_files:
-  - project: docker-image
+  - project: container-image
diff --git a/projects/common/runc-config.json b/projects/common/runc-config.json
new file mode 100644
index 0000000..4c231cd
--- /dev/null
+++ b/projects/common/runc-config.json
@@ -0,0 +1,179 @@
+{
+	"ociVersion": "1.0.0-rc1",
+	"platform": {
+		"os": "linux",
+		"arch": "amd64"
+	},
+	"process": {
+		"terminal": true,
+		"user": {
+			"uid": 0,
+			"gid": 0
+		},
+		"args": [
+			"/rbm/run"
+		],
+		"env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"TERM=xterm"
+		],
+		"cwd": "/",
+		"capabilities": [
+			"CAP_AUDIT_WRITE",
+			"CAP_KILL",
+			"CAP_NET_BIND_SERVICE",
+			"CAP_SETGID",
+			"CAP_SETUID",
+			"CAP_MKNOD",
+			"CAP_SYS_CHROOT",
+[% IF c("var/container/CAP_SYS_ADMIN") -%]
+			"CAP_SYS_ADMIN",
+[% END -%]
+			"CAP_FSETID",
+			"CAP_FOWNER",
+			"CAP_DAC_OVERRIDE",
+			"CAP_CHOWN"
+		],
+		"rlimits": [
+			{
+				"type": "RLIMIT_NOFILE",
+				"hard": 1024,
+				"soft": 1024
+			}
+		],
+		"noNewPrivileges": true
+	},
+	"root": {
+		"path": "rootfs",
+		"readonly": false
+	},
+	"hostname": "runc",
+	"mounts": [
+		{
+			"destination": "/proc",
+			"type": "proc",
+			"source": "proc"
+		},
+		{
+			"type": "bind",
+			"source": "/etc/resolv.conf",
+			"destination": "/etc/resolv.conf",
+			"options": [
+				"rbind",
+				"ro"
+			]
+		},
+		{
+			"destination": "/dev",
+			"type": "tmpfs",
+			"source": "tmpfs",
+			"options": [
+				"nosuid",
+				"strictatime",
+				"mode=755",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/pts",
+			"type": "devpts",
+			"source": "devpts",
+			"options": [
+				"nosuid",
+				"noexec",
+				"newinstance",
+				"ptmxmode=0666",
+				"mode=0620",
+				"gid=5"
+			]
+		},
+		{
+			"destination": "/dev/shm",
+			"type": "tmpfs",
+			"source": "shm",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"mode=1777",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/mqueue",
+			"type": "mqueue",
+			"source": "mqueue",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev"
+			]
+		},
+		{
+			"destination": "/sys",
+			"type": "sysfs",
+			"source": "sysfs",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"ro"
+			]
+		},
+		{
+			"destination": "/sys/fs/cgroup",
+			"type": "cgroup",
+			"source": "cgroup",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"relatime",
+				"ro"
+			]
+		}
+	],
+	"hooks": {},
+	"linux": {
+		"resources": {
+			"devices": [
+				{
+					"allow": false,
+					"access": "rwm"
+				}
+			]
+		},
+		"namespaces": [
+			{
+				"type": "pid"
+			},
+			{
+				"type": "ipc"
+			},
+			{
+				"type": "uts"
+			},
+			{
+				"type": "mount"
+			}
+		],
+		"maskedPaths": [
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
+			"/proc/sched_debug"
+		],
+		"readonlyPaths": [
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger"
+		]
+	},
+	"solaris": {
+		"cappedCPU": {},
+		"cappedMemory": {}
+	}
+}
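Review bot: The `namespaces` list holds only pid, ipc, uts and mount, so `/rbm/run` runs as uid 0 with no user namespace and on the host's network stack. Containment then rests on the capability list, `noNewPrivileges` and the device cgroup deny rule. For steps that have no need to download anything, an extra `{ "type": "network" }` entry behind a template switch, gated the same way `CAP_SYS_ADMIN` is gated by `var/container/CAP_SYS_ADMIN`, would keep the compile phase off the network. `CAP_NET_BIND_SERVICE` and `CAP_AUDIT_WRITE` look inherited from a generic default and could probably be dropped, once it is confirmed that the package-install step does not need them. Since JSON has no comment syntax, a template comment such as `[%# CAP_SYS_ADMIN without a user namespace is close to host root; enable only where debootstrap needs it -%]` beside the conditional would record why the switch exists.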
diff --git a/projects/container-image/build b/projects/container-image/build
new file mode 100644
index 0000000..c7d1c46
--- /dev/null
+++ b/projects/container-image/build
@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+# Doing nothing
diff --git a/projects/container-image/config b/projects/container-image/config
new file mode 100644
index 0000000..c9f377f
--- /dev/null
+++ b/projects/container-image/config
@@ -0,0 +1,86 @@
+# vim: filetype=yaml sw=2
+filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %]-[% sha256(c("pre")).substr(0, 12) %].tar.gz'
+pkg_type: build
+
+var:
+  container:
+    use_container: 1
+    suite: '[% pc(c("origin_project"), "var/container/suite") %]'
+    arch: '[% pc(c("origin_project"), "var/container/arch") %]'
+
+lsb_release:
+  id: Debian
+  codename: wheezy
+  release: 7.11
+
+pre: |
+  #!/bin/sh
+  # [% c('var/container/suite') %]
+  set -e
+  [% IF pc(c('origin_project'), 'var/pre_pkginst') -%]
+  [% pc(c('origin_project'), 'var/pre_pkginst') %]
+  [% END -%]
+  [% IF c("var/container/suite") == "precise" -%]
+  export INITRD=no
+  mkdir -p /etc/container_environment
+  echo -n no > /etc/container_environment/INITRD
+  dpkg-divert --local --rename --add /sbin/initctl
+  ln -s /bin/true /sbin/initctl
+  dpkg-divert --local --rename --add /usr/bin/ischroot
+  ln -sf /bin/true /usr/bin/ischroot
+  cat >> /etc/apt/sources.list << EOF
+  deb http://archive.ubuntu.com/ubuntu/ precise-updates main
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-updates main
+
+  deb http://archive.ubuntu.com/ubuntu/ precise universe
+  deb-src http://archive.ubuntu.com/ubuntu/ precise universe
+  deb http://archive.ubuntu.com/ubuntu/ precise-updates universe
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-updates universe
+
+  deb http://archive.ubuntu.com/ubuntu/ precise-security main
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-security main
+  deb http://archive.ubuntu.com/ubuntu/ precise-security universe
+  deb-src http://archive.ubuntu.com/ubuntu/ precise-security universe
+  EOF
+  [% END -%]
+  apt-get update -y
+  apt-get upgrade -y
+  [%
+     deps = [];
+     IF pc(c('origin_project'), 'var/deps');
+       CALL deps.import(pc(c('origin_project'), 'var/deps'));
+     END;
+     IF pc(c('origin_project'), 'var/arch_deps');
+       CALL deps.import(pc(c('origin_project'), 'var/arch_deps'));
+     END;
+     IF deps.size;
+       IF pc(c('origin_project'), 'var/sort_deps');
+         deps = deps.sort;
+       END;
+       FOREACH pkg IN deps;
+         SET p = tmpl(pkg);
+         IF p;
+           GET c('install_package', { pkg_name => p });
+           GET "\n";
+         END;
+       END;
+     END;
+  -%]
+  [% IF pc(c('origin_project'), 'var/post_pkginst') -%]
+  [% pc(c('origin_project'), 'var/post_pkginst') %]
+  [% END -%]
+
+remote_get: |
+  #!/bin/sh
+  set -e
+  [%
+    SET src = shell_quote(c('get_src', { error_if_undef => 1 }));
+    SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
+  -%]
+  mkdir -p "[% dst %]"
+  sudo tar -C "[% c("var/container/dir") %]/rootfs" -czf "[% dst %]/[% c("filename") %]" .
+
+input_files:
+  - project: debootstrap-image
+    target:
+      - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
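Review bot: In `remote_get`, `dst` has already been through `shell_quote` and is then wrapped in double quotes again, while `c("var/container/dir")` and `c("filename")` are interpolated into double-quoted strings with no quoting at all. If `shell_quote` emits its own single quotes, a path containing a space or metacharacter ends up with literal quote characters in it, and a `$`, backtick or `"` in the other two values would be interpreted by the shell on a line that runs under `sudo`. Quoting each full path once and dropping the outer double quotes avoids both: `mkdir -p [% dst %]` and `sudo tar -C [% shell_quote(c("var/container/dir") _ "/rootfs") %] -czf [% shell_quote(c('get_dst', { error_if_undef => 1 }) _ "/" _ c("filename")) %] .`. `src` is assigned but never used in this script, so either remove it or add a comment saying why `get_src` must be defined.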
diff --git a/projects/debootstrap-image/build b/projects/debootstrap-image/build
new file mode 100644
index 0000000..c7d1c46
--- /dev/null
+++ b/projects/debootstrap-image/build
@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+# Doing nothing
diff --git a/projects/debootstrap-image/config b/projects/debootstrap-image/config
new file mode 100644
index 0000000..bd204f5
--- /dev/null
+++ b/projects/debootstrap-image/config
@@ -0,0 +1,52 @@
+# vim: filetype=yaml sw=2
+filename: 'container-image_[% c("var/container/suite") %]-[% c("var/container/arch") %].tar.gz'
+pkg_type: build
+
+var:
+  ubuntu_version: 17.04
+
+  container_dir: '[% c("tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]'
+  container_user: rbm
+
+  container:
+    use_container: 1
+    # We need CAP_SYS_ADMIN for debootstrap to work
+    CAP_SYS_ADMIN: 1
+
+pre: |
+  #!/bin/sh
+  set -e
+  apt-get update -y
+  apt-get install -y debian-archive-keyring ubuntu-keyring debootstrap
+  debootstrap --arch=[% c("var/container/arch") %] [% c("var/container/debootstrap_opt") %] [% c("var/container/suite") %] base-image [% c("var/container/debootstrap_mirror") %]
+  tar -C ./base-image -czf [% dest_dir %]/[% c("filename") %] .
+
+targets:
+  wheezy-amd64:
+    var:
+      container:
+        suite: wheezy
+        arch: amd64
+  jessie-amd64:
+    var:
+      container:
+        suite: jessie
+        arch: amd64
+  precise-amd64:
+    var:
+      container:
+        suite: precise
+        arch: amd64
+        debootstrap_opt: --keyring=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
+  utopic-amd64:
+    var:
+      container:
+        suite: utopic
+        arch: amd64
+        debootstrap_mirror: http://old-releases.ubuntu.com/ubuntu/
+
+input_files:
+  - URL: 'http://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+    filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
+    sha256sum: df2c8fd540e474b8e1e29c0db8ed6b43a932918f1b9a8149bb82104a7c07ba2a
+
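Review bot: Only `precise-amd64` passes an explicit `--keyring=` to `debootstrap`; `wheezy-amd64`, `jessie-amd64` and `utopic-amd64` (which pulls from `http://old-releases.ubuntu.com/ubuntu/` over plain HTTP) rely on debootstrap's default keyring lookup. Some debootstrap versions continue with only a warning when the expected keyring is not found, so whether the Release signature is checked is implicit here; this depends on the debootstrap shipped in the base image and should be confirmed. Setting `debootstrap_opt: --keyring=<path to the suite's archive keyring>` on every target would make verification a stated requirement rather than a side effect of which keyring packages are installed. Separately, the `debootstrap` line in `pre` interpolates `suite`, `arch`, `debootstrap_opt` and `debootstrap_mirror` unquoted into a command that runs with `CAP_SYS_ADMIN`, so a short comment noting that these values must come only from this file's `targets` would help future editors.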
diff --git a/projects/docker-image/build b/projects/docker-image/build
deleted file mode 100644
index ced6ad3..0000000
--- a/projects/docker-image/build
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-set -e
-echo 1 > [% dest_dir %]/[% c('filename') %]
-echo Creating [% dest_dir %]/[% c('filename') %]
diff --git a/projects/docker-image/config b/projects/docker-image/config
deleted file mode 100644
index 1968b77..0000000
--- a/projects/docker-image/config
+++ /dev/null
@@ -1,51 +0,0 @@
-# vim: filetype=yaml sw=2
-filename: '[% sha256(c("pre")).substr(0, 12) %]'
-remote_docker: 1
-docker_save_image: '[% c("docker_image_prefix") %]:[% c("filename") %]'
-pkg_type: build
-
-docker_image: '[% c("lsb_release/id").lower %]:[% c("lsb_release/release") %]'
-
-lsb_release:
-  id: '[% pc(c("origin_project", { no_distro => 1 }), "lsb_release/id", { no_distro => 1 }) %]'
-  release: '[% pc(c("origin_project", { no_distro => 1 }), "lsb_release/release", { no_distro => 1 }) %]'
-  codename: '[% pc(c("origin_project", { no_distro => 1 }), "lsb_release/codename", { no_distro => 1 }) %]'
-
-pre: |
-  #!/bin/sh
-  # [% c('docker_image') %]
-  set -e
-  [% IF c('lsb_release/release') == '14.10' -%]
-  sed -i 's/archive\.ubuntu\.com/old-releases.ubuntu.com/' /etc/apt/sources.list
-  [% END -%]
-  [% IF pc(c('origin_project'), 'var/pre_pkginst') -%]
-  [% pc(c('origin_project'), 'var/pre_pkginst') %]
-  [% END -%]
-  [% IF c('lsb_release/id') == 'Ubuntu' || c('lsb_release/id') == 'Debian' %]
-  apt-get update -y
-  apt-get upgrade -y
-  [% END %]
-  [%
-     deps = [];
-     IF pc(c('origin_project'), 'var/deps');
-       CALL deps.import(pc(c('origin_project'), 'var/deps'));
-     END;
-     IF pc(c('origin_project'), 'var/arch_deps');
-       CALL deps.import(pc(c('origin_project'), 'var/arch_deps'));
-     END;
-     IF deps.size;
-       IF pc(c('origin_project'), 'var/sort_deps');
-         deps = deps.sort;
-       END;
-       FOREACH pkg IN deps;
-         SET p = tmpl(pkg);
-         IF p;
-           GET c('install_package', { pkg_name => p });
-           GET "\n";
-         END;
-       END;
-     END;
-  -%]
-  [% IF pc(c('origin_project'), 'var/post_pkginst') -%]
-  [% pc(c('origin_project'), 'var/post_pkginst') %]
-  [% END -%]
diff --git a/projects/ed25519/config b/projects/ed25519/config
index 5bab68b..c6790b8 100644
--- a/projects/ed25519/config
+++ b/projects/ed25519/config
@@ -3,16 +3,17 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/agl/ed25519.git
 git_hash: c4161f4c7483313562781c61b9a20aba73daf9de
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: github.com/agl/ed25519
   go_lib_install:
     - github.com/agl/ed25519/extra25519
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/firefox/config b/projects/firefox/config
index 2c74e4b..d6a68fe 100644
--- a/projects/firefox/config
+++ b/projects/firefox/config
@@ -5,7 +5,6 @@ git_hash: 'tor-browser-[% c("var/firefox_version") %]-[% c("var/torbrowser_branc
 tag_gpg_id: 1
 git_url: https://git.torproject.org/tor-browser.git
 gpg_keyring: torbutton.gpg
-remote_docker: 1
 
 var:
   firefox_version: 52.1.0esr
@@ -19,6 +18,8 @@ var:
     - autoconf2.13
     - yasm
     - python
+  container:
+    use_container: 1
 
 targets:
   nightly:
@@ -74,7 +75,7 @@ targets:
       martools_filename: mar-tools-win32.zip
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
   - filename: get-moz-build-date
diff --git a/projects/fonts/config b/projects/fonts/config
index 69e16b3..382804d 100644
--- a/projects/fonts/config
+++ b/projects/fonts/config
@@ -3,8 +3,9 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/googlei18n/noto-fonts.git
 git_hash: 720e34851382ee3c1ef024d8dffb68ffbfb234c2
 filename: "[% project %]-[% c('version') %]-[% c('var/build_id') %].tar.gz"
-remote_docker: 1
 var:
+  container:
+    use_container: 1
   noto_fonts_hinted:
     - Arimo-Regular.ttf
     - Arimo-Bold.ttf
@@ -85,7 +86,7 @@ targets:
         - NotoSansYi-Regular.ttf
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - URL: https://github.com/googlei18n/noto-emoji/raw/2f1ffdd6fbbd05d6f382138a3d3adcd89c5ce800/fonts/NotoEmoji-Regular.ttf
     sha256sum: 415dc6290378574135b64c808dc640c1df7531973290c4970c51fdeb849cb0c5
     enable: '[% c("var/linux") %]'
diff --git a/projects/gcc/config b/projects/gcc/config
index 391e453..1acf30a 100644
--- a/projects/gcc/config
+++ b/projects/gcc/config
@@ -1,8 +1,9 @@
 # vim: filetype=yaml sw=2
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 version: 5.1.0
-remote_docker: 1
 var:
+  container:
+    use_container: 1
   configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
   deps:
     - build-essential
@@ -42,6 +43,6 @@ targets:
     var:
       configure_opt: --disable-multilib --enable-languages=c,c++
 input_files:
+  - project: container-image
   - URL: 'https://ftp.gnu.org/gnu/gcc/gcc-[% c("version") %]/gcc-[% c("version") %].tar.bz2'
     sha256sum: b7dafdf89cbb0e20333dbf5b5349319ae06e3d1a30bf3515b5488f7e89dca5ad
-  - project: docker-image
diff --git a/projects/gmp/config b/projects/gmp/config
index 913f181..41eb630 100644
--- a/projects/gmp/config
+++ b/projects/gmp/config
@@ -1,7 +1,10 @@
 # vim: filetype=yaml sw=2
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
 version: 5.1.3
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 targets:
   linux:
@@ -9,9 +12,9 @@ targets:
       configure_opt_gmp: --enable-fat
 
 input_files:
+  - project: container-image
   - name: gmp
     URL: 'https://ftp.gnu.org/gnu/gmp/gmp-[% c("version") %].tar.bz2'
     sha256sum: 752079520b4690531171d0f4532e40f08600215feefede70b24fabdc6f1ab160
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
-  - project: docker-image
diff --git a/projects/go-webrtc/config b/projects/go-webrtc/config
index 3a1a9d4..d7c31d6 100644
--- a/projects/go-webrtc/config
+++ b/projects/go-webrtc/config
@@ -3,11 +3,12 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/keroserene/go-webrtc.git
 git_hash: ab1b64862e0c4b4182010699911c2c5818f0a101
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: github.com/keroserene/go-webrtc
   build_go_lib_pre: |
     [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
@@ -43,7 +44,7 @@ targets:
         - lib32stdc++6
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
   - name: webrtc
diff --git a/projects/go/config b/projects/go/config
index 89b4b45..ef9c411 100644
--- a/projects/go/config
+++ b/projects/go/config
@@ -1,10 +1,11 @@
 # vim: filetype=yaml sw=2
 version: 1.7.5
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 var:
   go14_version: 1.4.3
+  container:
+    use_container: 1
 
   setup: |
     mkdir -p /var/tmp/dist
@@ -69,7 +70,7 @@ targets:
       GOARCH: 386
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
     enable: '[% c("var/windows") || c("var/osx") %]'
diff --git a/projects/goerrors/config b/projects/goerrors/config
index 4451f7b..3c11fab 100644
--- a/projects/goerrors/config
+++ b/projects/goerrors/config
@@ -3,14 +3,15 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/pkg/errors
 git_hash: 248dadf4e9068a0b3e79f02ed0a610d935de5302
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: github.com/pkg/errors
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/gogb/config b/projects/gogb/config
index a358819..dcf30f6 100644
--- a/projects/gogb/config
+++ b/projects/gogb/config
@@ -3,18 +3,19 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/constabulary/gb
 git_hash: 06cc925cce6592e922dcc4839a8b44feb384e71e
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: github.com/constabulary/gb
   go_lib_install: github.com/constabulary/gb/cmd/gb
   go_lib_deps:
     - goerrors
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
   - name: goerrors
diff --git a/projects/goptlib/config b/projects/goptlib/config
index dd520ec..c083763 100644
--- a/projects/goptlib/config
+++ b/projects/goptlib/config
@@ -5,14 +5,15 @@ git_hash: '[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: goptlib.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: git.torproject.org/pluggable-transports/goptlib.git
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/goxcrypto/config b/projects/goxcrypto/config
index 8362f28..b51b578 100644
--- a/projects/goxcrypto/config
+++ b/projects/goxcrypto/config
@@ -3,11 +3,12 @@ version: '[% c("abbrev") %]'
 git_url: https://go.googlesource.com/crypto
 git_hash: 4ed45ec682102c643324fae5dff8dab085b6c300
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: golang.org/x/crypto
   go_lib_install:
     - golang.org/x/crypto/curve25519
@@ -19,6 +20,6 @@ targets:
     git_hash: master
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/goxnet/config b/projects/goxnet/config
index 507f997..ec368a2 100644
--- a/projects/goxnet/config
+++ b/projects/goxnet/config
@@ -3,11 +3,12 @@ version: '[% c("abbrev") %]'
 git_url: https://go.googlesource.com/net
 git_hash: 7dbad50ab5b31073856416cdcfeb2796d682f844
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: golang.org/x/net
   go_lib_install:
     - golang.org/x/net/proxy
@@ -17,6 +18,6 @@ targets:
     git_hash: master
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/https-everywhere/config b/projects/https-everywhere/config
index 3e5100e..f149cac 100644
--- a/projects/https-everywhere/config
+++ b/projects/https-everywhere/config
@@ -6,9 +6,11 @@ git_submodule: 1
 gpg_keyring: https-everywhere.gpg
 tag_gpg_id: 1
 filename: "[% project %]-[% c('version') %]-[% c('var/build_id') %].xpi"
-remote_docker: 1
-distribution: Debian-7.11
 var:
+  container:
+    use_container: 1
+    suite: wheezy
+    arch: amd64
   deps:
     - git
     - python
@@ -19,8 +21,9 @@ var:
     - rsync
     - zip
     - unzip
+
 input_files:
-  - project: docker-image
+  - project: container-image
 
 targets:
   nightly:
diff --git a/projects/libdmg-hfsplus/config b/projects/libdmg-hfsplus/config
index 9071078..67e8287 100644
--- a/projects/libdmg-hfsplus/config
+++ b/projects/libdmg-hfsplus/config
@@ -3,13 +3,14 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/vasi/libdmg-hfsplus
 git_hash: dfd5e5cc3dc1191e37d3c3a6118975afdd1d7014
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 var:
+  container:
+    use_container: 1
   deps:
     - build-essential
     - cmake
     - zlib1g-dev
     - libbz2-dev
 input_files:
+  - project: container-image
   - filename: libdmg.patch
-  - project: docker-image
diff --git a/projects/libevent/config b/projects/libevent/config
index 15ada11..46cbb7e 100644
--- a/projects/libevent/config
+++ b/projects/libevent/config
@@ -5,7 +5,10 @@ git_hash: 'release-[% c("version") %]-stable'
 tag_gpg_id: 1
 gpg_keyring: libevent.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 targets:
   osx-x86_64:
@@ -14,6 +17,6 @@ targets:
         - faketime
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
diff --git a/projects/llvm/config b/projects/llvm/config
index 81f7aaa..f0a803b 100644
--- a/projects/llvm/config
+++ b/projects/llvm/config
@@ -1,10 +1,13 @@
 # vim: filetype=yaml sw=2
 version: 3.8.0
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - project: cmake
     name: cmake
   - URL: 'http://releases.llvm.org/[% c("version") %]/llvm-[% c("version") %].src.tar.xz'
diff --git a/projects/macosx-toolchain/config b/projects/macosx-toolchain/config
index b237e4d..55fb554 100644
--- a/projects/macosx-toolchain/config
+++ b/projects/macosx-toolchain/config
@@ -1,8 +1,9 @@
 # vim: filetype=yaml sw=2
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 version: 10.7-1
-remote_docker: 1
 var:
+  container:
+    use_container: 1
   setup: |
     mkdir -p /var/tmp/dist
     tar -C /var/tmp/dist -xf [% c("compiler_tarfile") %]
@@ -15,6 +16,7 @@ var:
     export LDFLAGS="[% c('var/LDFLAGS') %]"
 
 input_files:
+  - project: container-image
   - name: llvm
     project: llvm
   - name: cctools
@@ -23,4 +25,3 @@ input_files:
   - name: SDK
     URL: https://people.torproject.org/~mikeperry/mirrors/sources/MacOSX10.7.sdk.tar.gz
     sha256sum: da77bb0003fcca5ea8c4e8cb2da8828ded750c54afdcac29ec6f3b46ad5e3adf
-  - project: docker-image
diff --git a/projects/meek/config b/projects/meek/config
index 84ed2bd..46f4ec9 100644
--- a/projects/meek/config
+++ b/projects/meek/config
@@ -5,10 +5,12 @@ git_hash: '[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: meek.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+var:
+  container:
+    use_container: 1
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
   - name: goptlib
diff --git a/projects/mingw-w64/config b/projects/mingw-w64/config
index 060857c..21d498a 100644
--- a/projects/mingw-w64/config
+++ b/projects/mingw-w64/config
@@ -3,8 +3,9 @@ filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
 git_url: http://git.code.sf.net/p/mingw-w64/mingw-w64
 git_hash: 98e5b4930a717eafddd8ca0f0dfeb7c57c6b026a
 version: '[% c("abbrev") %]'
-remote_docker: 1
 var:
+  container:
+    use_container: 1
   gcc_version: 5.1.0
   deps:
     - automake
@@ -17,6 +18,7 @@ var:
     export PATH="/var/tmp/dist/mingw-w64/helpers:/var/tmp/dist/mingw-w64/bin:$PATH"
     export gcclibs=/var/tmp/dist/mingw-w64/gcclibs
 input_files:
+  - project: container-image
   - URL: 'https://ftp.gnu.org/gnu/gcc/gcc-[% c("var/gcc_version") %]/gcc-[% c("var/gcc_version") %].tar.bz2'
     sha256sum: b7dafdf89cbb0e20333dbf5b5349319ae06e3d1a30bf3515b5488f7e89dca5ad
   - name: binutils
@@ -24,4 +26,3 @@ input_files:
   - filename: i686-w64-mingw32-g++
   - filename: i686-w64-mingw32-gcc
   - filename: i686-w64-mingw32-ld
-  - project: docker-image
diff --git a/projects/nsis/config b/projects/nsis/config
index 6729101..2812a22 100644
--- a/projects/nsis/config
+++ b/projects/nsis/config
@@ -1,8 +1,9 @@
 # vim: filetype=yaml sw=2
 version: 2.51
 filename: 'nsis-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 var:
+  container:
+    use_container: 1
   deps:
     - build-essential
     - libmpc-dev
@@ -12,6 +13,7 @@ var:
     - xsltproc
 
 input_files:
+  - project: container-image
   - filename: 'nsis-[% c("version") %].tar.bz2'
     URL: 'http://downloads.sourceforge.net/nsis/nsis-[% c("version") %]-src.tar.bz2'
     sha256sum: 43d4c9209847e35eb6e2c7cd5a7586e1445374c056c2c7899e40a080e17a1be7
@@ -21,4 +23,3 @@ input_files:
   - filename: nsis-missing-unistd-include.patch
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
-  - project: docker-image
diff --git a/projects/obfs4/config b/projects/obfs4/config
index 952b054..44db79d 100644
--- a/projects/obfs4/config
+++ b/projects/obfs4/config
@@ -5,7 +5,10 @@ git_hash: 'obfs4proxy-[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: obfs4.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 targets:
   nightly:
@@ -13,7 +16,7 @@ targets:
     tag_gpg_id: 0
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
   - name: goptlib
diff --git a/projects/openssl/config b/projects/openssl/config
index 1a2e4dd..8b4ea4f 100644
--- a/projects/openssl/config
+++ b/projects/openssl/config
@@ -1,7 +1,10 @@
 # vim: filetype=yaml sw=2
 version: 1.0.2k
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 targets:
   linux-x86_64:
@@ -18,7 +21,7 @@ targets:
       configure_opts: --cross-compile-prefix=x86_64-apple-darwin10- darwin64-x86_64-cc enable-ec_nistp_64_gcc_128
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
   - URL: 'https://www.openssl.org/source/openssl-[% c("version") %].tar.gz'
diff --git a/projects/sandbox/config b/projects/sandbox/config
index 218a276..3970322 100644
--- a/projects/sandbox/config
+++ b/projects/sandbox/config
@@ -5,10 +5,12 @@ git_hash: 'sandboxed-tor-browser-[% c("version") %]'
 tag_gpg_id: 1
 gpg_keyring: obfs4.gpg
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
-distribution: Debian-8.7
 
 var:
+  container:
+    use_container: 1
+    suite: jessie
+    arch: amd64
   deps:
     - libx11-dev
     - pkg-config
@@ -22,7 +24,7 @@ targets:
     tag_gpg_id: 0
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
   - name: gogb
diff --git a/projects/siphash/config b/projects/siphash/config
index 0f3f4b5..b2cb2a9 100644
--- a/projects/siphash/config
+++ b/projects/siphash/config
@@ -3,14 +3,15 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/dchest/siphash.git
 git_hash: 42ba037e748c9062a75e0924705c43b893edefcd
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: github.com/dchest/siphash
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/snowflake/config b/projects/snowflake/config
index 3233ba4..212e86c 100644
--- a/projects/snowflake/config
+++ b/projects/snowflake/config
@@ -3,7 +3,10 @@ version: '[% c("abbrev") %]'
 git_url: https://git.torproject.org/pluggable-transports/snowflake.git
 git_hash: 9f2e9a6ecb696149708716ca06ce842df03cf492
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 targets:
   linux-i686:
@@ -19,7 +22,7 @@ targets:
         - libx11-dev
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
   - name: '[% c("var/compiler") %]'
diff --git a/projects/tor-browser/config b/projects/tor-browser/config
index 87cc6b2..c4c2521 100644
--- a/projects/tor-browser/config
+++ b/projects/tor-browser/config
@@ -1,9 +1,10 @@
 # vim: filetype=yaml sw=2
 version: '[% c("var/torbrowser_version") %]'
 filename: 'tor-browser-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %]'
-remote_docker: 1
 
 var:
+  container:
+    use_container: 1
   ddmg: '[% INCLUDE ddmg.sh %]'
 
 targets:
@@ -24,12 +25,13 @@ targets:
         - bzip2
         - faketime
   windows-i686:
-    distribution: Ubuntu-14.10
     var:
       mar_osname: win32
+      container:
+        suite: utopic
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - project: firefox
     name: firefox
   - project: tor
diff --git a/projects/tor-launcher/config b/projects/tor-launcher/config
index 70f8acd..9211844 100644
--- a/projects/tor-launcher/config
+++ b/projects/tor-launcher/config
@@ -5,9 +5,11 @@ git_hash: '[% c("version") %]'
 gpg_keyring: torbutton.gpg
 tag_gpg_id: 1
 filename: "[% project %]-[% c('version') %]-[% c('var/build_id') %].xpi"
-remote_docker: 1
+var:
+  container:
+    use_container: 1
 input_files:
-  - project: docker-image
+  - project: container-image
 
 targets:
   nightly:
diff --git a/projects/tor/config b/projects/tor/config
index c8940dd..a9da811 100644
--- a/projects/tor/config
+++ b/projects/tor/config
@@ -5,9 +5,10 @@ git_hash: 'tor-[% c("version") %]'
 git_url: https://git.torproject.org/tor.git
 gpg_keyring: tor.gpg
 tag_gpg_id: 1
-remote_docker: 1
 
 var:
+  container:
+    use_container: 1
   deps:
     - build-essential
     - automake
@@ -50,6 +51,7 @@ targets:
       flag_mwindows: ''
 
 input_files:
+  - project: container-image
   - name: openssl
     project: openssl
   - name: libevent
@@ -59,4 +61,3 @@ input_files:
     enable: '[% c("var/windows") %]'
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
-  - project: docker-image
diff --git a/projects/torbutton/config b/projects/torbutton/config
index b60e217..41d4d69 100644
--- a/projects/torbutton/config
+++ b/projects/torbutton/config
@@ -5,9 +5,11 @@ git_hash: '[% c("version") %]'
 gpg_keyring: torbutton.gpg
 tag_gpg_id: 1
 filename: "[% project %]-[% c('version') %]-[% c('var/build_id') %].xpi"
-remote_docker: 1
+var:
+  container:
+    use_container: 1
 input_files:
-  - project: docker-image
+  - project: container-image
 
 targets:
   nightly:
diff --git a/projects/uniuri/config b/projects/uniuri/config
index 62fa8ef..e4c7294 100644
--- a/projects/uniuri/config
+++ b/projects/uniuri/config
@@ -3,11 +3,12 @@ version: '[% c("abbrev") %]'
 git_url: https://github.com/dchest/uniuri
 git_hash: 8902c56451e9b58ff940bbe5fec35d5f9c04584a
 filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
 
 build: '[% c("projects/go/var/build_go_lib") %]'
 
 var:
+  container:
+    use_container: 1
   go_lib: github.com/dchest/uniuri
 
 targets:
@@ -15,6 +16,6 @@ targets:
     git_hash: master
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - name: go
     project: go
diff --git a/projects/webrtc/config b/projects/webrtc/config
index bfd38c9..d46d821 100644
--- a/projects/webrtc/config
+++ b/projects/webrtc/config
@@ -1,13 +1,14 @@
 # vim: filetype=yaml sw=2
 version: '[% c("var/webrtc_tag") %]'
-remote_docker: 1
 filename: 'webrtc-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
 
 var:
+  container:
+    use_container: 1
   webrtc_tag: c279861207c5b15fc51069e96595782350e0ac12
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - project: webrtc
     pkg_type: fetch_sources
   - project: depot_tools
@@ -27,7 +28,6 @@ targets:
         os: linux
   linux-i686:
     var:
-      dockerbuild: "[% pc('docker-image', 'pre') %]"
       sort_deps: 0
       arch_deps:
         - lib32asound2-dev
@@ -65,7 +65,9 @@ targets:
 
 steps:
   fetch_sources:
-    remote_docker: 0
+    var:
+      container:
+        use_container: 0
     filename: 'webrtc-sources-[% c("var/webrtc_tag") %].tar.gz'
     fetch_sources: |
       #!/bin/bash
diff --git a/projects/yasm/config b/projects/yasm/config
index 3d8a28a..12d009b 100644
--- a/projects/yasm/config
+++ b/projects/yasm/config
@@ -1,10 +1,12 @@
 # vim: filetype=yaml sw=2
 version: 1.2.0
 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-remote_docker: 1
+var:
+  container:
+    use_container: 1
 
 input_files:
-  - project: docker-image
+  - project: container-image
   - URL: 'https://www.tortall.net/projects/yasm/releases/yasm-[% c("version") %].tar.gz'
     name: yasm
     sha256sum: 768ffab457b90a20a6d895c39749adb547c1b7cb5c108e84b151a838a23ccf31
diff --git a/projects/zlib/config b/projects/zlib/config
index 5219559..3ad562c 100644
--- a/projects/zlib/config
+++ b/projects/zlib/config
@@ -5,9 +5,12 @@ git_hash: 'v[% c("version") %]'
 git_url: https://github.com/madler/zlib.git
 gpg_keyring: zlib.gpg
 tag_gpg_id: 1
-remote_docker: 1
+
+var:
+  container:
+    use_container: 1
 
 input_files:
+  - project: container-image
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
-  - project: docker-image
diff --git a/rbm b/rbm
index 3f3886e..106e9b0 160000
--- a/rbm
+++ b/rbm
@@ -1 +1 @@
-Subproject commit 3f3886e1f210ad2853209c5aecd0951350a6f758
+Subproject commit 106e9b05aeff6309e241a3c9bae1781e0d551e7a
diff --git a/rbm.conf b/rbm.conf
index 651acfa..722c85a 100644
--- a/rbm.conf
+++ b/rbm.conf
@@ -20,12 +20,16 @@ var:
   build_id_txt: |
     [% c("version") %]
     [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %]
-    [% IF c("remote_docker") -%]
-    [% c("distribution") %]
+    [% IF c("var/container/use_container") -%]
+    [% c("var/container/suite") %]
+    [% c("var/container/arch") %]
     [% END -%]
     input_files: [% c("input_files_id") %]
     build:
     [% c("build", { filename => 'f', output_dir => '/out' }) %]
+  container:
+    dir: '[% c("tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]'
+    user: rbm
   input_files_list: |
     [% FOREACH file IN c("input_files_by_name").keys.sort -%]
     [% c("input_files_by_name/" _ file) %]
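Review bot: The `dir:` value added under `var/container` is a predictable path below `tmp_dir` (it depends only on `build_id`), and the `runc/remote_start` script later in this patch creates it with `mkdir -p` and then unpacks the image into it with `sudo tar`. If `tmp_dir` can point at a directory that other local users can write to, an already existing path would be accepted and populated as root; two builds with the same `build_id` on one host would also share the directory. I would document the requirement next to the setting, for example `# tmp_dir must be private to the build user: the container rootfs is unpacked here as root`. The `var:` block this hunk edits starts before the hunk and continues after it.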
@@ -136,19 +140,23 @@ targets:
         - zip
         - unzip
   linux:
-    distribution: Debian-7.11
     var:
       linux: 1
       compiler: gcc
+      container:
+        suite: wheezy
+        arch: amd64
 
   torbrowser-windows-i686:
     - windows-i686
   windows-i686:
-    distribution: Ubuntu-12.04
     arch: i686
     var:
       windows: 1
       osname: windows-i686
+      container:
+        suite: precise
+        arch: amd64
       configure_opt: '--host=i686-w64-mingw32 CFLAGS="[% c("var/CFLAGS") %]" LDFLAGS="[% c("var/LDFLAGS") %]"'
       CFLAGS: '[% c("var/flag_mwindows") %] -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security'
       LDFLAGS: '[% c("var/flag_mwindows") %] -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$gcclibs'
@@ -167,11 +175,13 @@ targets:
   torbrowser-osx-x86_64:
     - osx-x86_64
   osx-x86_64:
-    distribution: Debian-8.7
     arch: x86_64
     var:
       osx: 1
       osname: osx-x86_64
+      container:
+        suite: jessie
+        arch: amd64
       compiler: 'macosx-toolchain'
       configure_opt: '--host=x86_64-apple-darwin10 CC="x86_64-apple-darwin10-clang [% c("var/FLAGS") %]" CXX="x86_64-apple-darwin10-clang++ [% c("var/FLAGS") %]"'
       FLAGS: "-target x86_64-apple-darwin10 -mlinker-version=136 -B $cctoolsdir -isysroot $sysrootdir"
@@ -195,9 +205,6 @@ targets:
       build_id: 1
 
 
-docker_image: '[% pc("docker-image", "docker_save_image") %]'
-docker_image_prefix: '[% GET c("var/project_name") ? c("var/project_name") : "rbm-build" %]_[% GET ENV.RBM_BUILDNAME ? ENV.RBM_BUILDNAME : ENV.USER ? ENV.USER : c("uid") %]'
-
 # change the default gpg_wrapper to allow git tag signed using an
 # expired key.
 # https://bugs.torproject.org/19737
@@ -218,6 +225,76 @@ gpg_wrapper: |
         exec [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@"
   fi
 
+remote_start: '[% IF c("var/container/use_container") %][% c("runc/remote_start") %][% END %]'
+remote_exec: '[% IF c("var/container/use_container") %][% c("runc/remote_exec") %][% END %]'
+remote_put: '[% IF c("var/container/use_container") %][% c("runc/remote_put") %][% END %]'
+remote_get: '[% IF c("var/container/use_container") %][% c("runc/remote_get") %][% END %]'
+remote_finish: '[% IF c("var/container/use_container") %][% c("runc/remote_finish") %][% END %]'
+
+runc:
+  remote_start: |
+    #!/bin/sh
+    set -e
+    if [ $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'* | wc -l) -ne 1 ]
+    then
+      echo "Can't find container image in input files" >&2
+      ls -l '[% c("remote_srcdir") %]' >&2
+      exit 1
+    fi
+    mkdir -p '[% c("var/container/dir") %]'/rootfs/rbm
+    sudo tar -C '[% c("var/container/dir") %]'/rootfs -xf $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*)
+    cat > '[% c("var/container/dir") %]'/config.json << EOF
+    [% INCLUDE 'runc-config.json' %]
+    EOF
+    [% SET user = c("var/container/user") -%]
+    [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'id ' _ user
+        _ ' >/dev/null 2>&1 || adduser -m ' _ user _ ' || useradd -m ' _ user }) %]
+
+  remote_exec: |
+    #!/bin/sh
+    set -e
+    mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/rbm
+    echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/cmd
+    echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rootfs/rbm/cmd
+    echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/run
+    [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %]
+    echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rootfs/rbm/run
+    chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/cmd
+    chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/run
+    sudo runc start -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]
+
+  remote_put: |
+    #!/bin/sh
+    set -e
+    [%
+      SET src = shell_quote(c('put_src', { error_if_undef => 1 }));
+      SET dst = shell_quote(c('put_dst', { error_if_undef => 1 }));
+    -%]
+    sudo mkdir -p '[% c("var/container/dir") %]'/rootfs/[% dst %]
+    sudo cp -aP [% src %] '[% c("var/container/dir") %]'/rootfs/[% dst %]
+    [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'chown -R ' _ c("var/container/user") _ ' ' _ dst }) %]
+
+  remote_get: |
+    #!/bin/sh
+    set -e
+    [%
+      SET src = shell_quote(c('get_src', { error_if_undef => 1 }));
+      SET dst = shell_quote(c('get_dst', { error_if_undef => 1 }));
+    -%]
+    mkdir -p [% dst %]
+    srcdir='[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/[% src %]
+    if [ $(ls -1 "$srcdir"/* 2> /dev/null | wc -l) -gt 0 ]
+    then
+      sudo chown $(whoami) "$srcdir"/*
+      sudo mv -f "$srcdir"/* [% dst %]/
+    fi
+
+  remote_finish: |
+    #!/bin/sh
+    set -e
+    sudo rm -Rf '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs '[% c("var/container/dir", { error_if_undef => 1 }) %]'/config.json
+    rmdir '[% c("var/container/dir") %]'
+
 ENV:
   TZ: UTC
   LC_ALL: C
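Review bot: In `runc/remote_get`, `sudo chown $(whoami) "$srcdir"/*` runs as root on the host over names written by the build inside the container, and `chown` follows symbolic links unless told otherwise, so a link in that directory would change ownership of its target rather than of the link. `sudo chown -h $(whoami) "$srcdir"/*` limits it to the entries themselves. `remote_put` deserves the same look, since `sudo mkdir -p` and `sudo cp -aP` resolve `rootfs/[% dst %]` from the host side. In `remote_exec`, `echo [% shell_quote(c('exec_cmd')) %]` leaves backslash handling to whichever `/bin/sh` runs the script; `printf '%s\n' [% shell_quote(c('exec_cmd')) %]` writes the command unchanged.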
diff --git a/rbm.local.conf.example b/rbm.local.conf.example
index 78de08f..203ce5f 100644
--- a/rbm.local.conf.example
+++ b/rbm.local.conf.example
@@ -16,12 +16,6 @@
 ### this.
 #debug: 0
 
-### If you are doing multiple builds in different directories on the
-### same host, you should define docker_image_prefix with a different
-### value for each build directory, so that the different builds don't
-### use the same docker image names.
-#docker_image_prefix: tor-browser_XXXXX
-
 ### The build_log option defines in which file the build logs of each
 ### component are stored. If you set it to '-' the logs are output on
 ### stdout and stderr.
diff --git a/tools/clean-old b/tools/clean-old
index 4d603fc..c7d9e0c 100755
--- a/tools/clean-old
+++ b/tools/clean-old
@@ -27,24 +27,6 @@ sub clean_file {
     }
 }
 
-sub clean_docker_images {
-    my ($dockerdir, $used_files) = @_;
-    my $imgprefix = RBM::project_config('docker-image', 'docker_image_prefix');
-    my @imgs = read_dir($dockerdir);
-    foreach my $dockerimage (@imgs) {
-        next if $used_files->{"$dockerdir/$dockerimage"};
-        my $img = "$imgprefix:$dockerimage";
-        print "Cleaning docker image $img\n";
-        next if $options{'dry-run'};
-        my ($out, $err, $success) = capture_exec('docker', 'rmi', '-f', $img);
-        if (!$success) {
-            print STDERR "Error removing docker image $img:\n$err\n";
-            exit 1;
-        }
-        unlink "$dockerdir/$dockerimage";
-    }
-}
-
 sub get_project_input_files {
     my ($project, @targets) = @_;
     print "Getting input files for $project ", join(' ', @targets), "\n";
@@ -108,7 +90,4 @@ foreach my $branch (keys %$clean) {
 }
 my %used_files = map { $_ => 1 } @files;
 my $outdir = $RBM::config->{basedir} . '/out';
-# Don't clean docker-image files yet
-$used_files{"$outdir/docker-image"} = 1;
 clean_file($outdir, \%used_files);
-clean_docker_images("$outdir/docker-image", \%used_files);


