@@ -96,8 +96,7 @@ RUN set -x \

 ENV PATH /osxcross/target/bin:$PATH

 # install seccomp

-# this can be changed to the ubuntu package libseccomp-dev if dockerinit is removed,

-# we need libseccomp.a (which the package does not provide) for dockerinit

+# TODO: switch to libseccomp-dev since dockerinit is gone

 ENV SECCOMP_VERSION 2.2.3

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

@@ -114,7 +113,7 @@ RUN set -x \

 # Install Go

 # IMPORTANT: If the version of Go is updated, the Windows to Linux CI machines

-#            will need updating, to avoid errors. Ping #docker-maintainers on IRC 

+#            will need updating, to avoid errors. Ping #docker-maintainers on IRC

 #            with a heads-up.

 ENV GO_VERSION 1.5.3

 RUN curl -fsSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" \

@@ -111,8 +111,7 @@ RUN git clone https://github.com/golang/lint.git /go/src/github.com/golang/lint

 	&& go install -v github.com/golang/lint/golint

 # install seccomp

-# this can be changed to the ubuntu package libseccomp-dev if dockerinit is removed,

-# we need libseccomp.a (which the package does not provide) for dockerinit

+# TODO: switch to libseccomp-dev since dockerinit is gone

 ENV SECCOMP_VERSION 2.2.3

 RUN set -x \

 	&& export SECCOMP_PATH="$(mktemp -d)" \

@@ -42,8 +42,7 @@ RUN cd /usr/local/lvm2 \

 # see https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL

 # install seccomp

-# this can be changed to the ubuntu package libseccomp-dev if dockerinit is removed,

-# we need libseccomp.a (which the package does not provide) for dockerinit

+# TODO: switch to libseccomp-dev since dockerinit is gone

 ENV SECCOMP_VERSION v2.2.3

 RUN set -x \

     && export SECCOMP_PATH=$(mktemp -d) \

@@ -74,8 +74,6 @@ func (cli *DockerCli) CmdInfo(args ...string) error {

 		fmt.Fprintf(cli.out, " Goroutines: %d\n", info.NGoroutines)

 		fmt.Fprintf(cli.out, " System Time: %s\n", info.SystemTime)

 		fmt.Fprintf(cli.out, " EventsListeners: %d\n", info.NEventsListener)

-		fmt.Fprintf(cli.out, " Init SHA1: %s\n", info.InitSha1)

-		fmt.Fprintf(cli.out, " Init Path: %s\n", info.InitPath)

 		fmt.Fprintf(cli.out, " Docker Root Dir: %s\n", info.DockerRootDir)

 	}

@@ -63,10 +63,6 @@ func (container *Container) CreateDaemonEnvironment(linkedEnv []string) []string

 	env := []string{

 		"PATH=" + system.DefaultPathEnv,

 		"HOSTNAME=" + fullHostname,

-		// Note: we don't set HOME here because it'll get autoset intelligently

-		// based on the value of USER inside dockerinit, but only if it isn't

-		// set already (ie, that can be overridden by setting HOME via -e or ENV

-		// in a Dockerfile).

 	}

 	if container.Config.Tty {

 		env = append(env, "TERM=xterm")

@@ -118,9 +118,7 @@ for version in "${versions[@]}"; do

 	echo >> "$version/Dockerfile"

-	# fedora does not have a libseccomp.a for compiling static dockerinit

-	# ONLY install libseccomp.a from source, this can be removed once dockerinit is removed

-	# TODO remove this manual seccomp compilation once dockerinit is gone or no longer needs to be statically compiled

+	# TODO remove this since dockerinit is finally gone

 	case "$from" in

 		fedora:*)

 			awk '$1 == "ENV" && $2 == "SECCOMP_VERSION" { print; exit }' ../../../Dockerfile >> "$version/Dockerfile"

@@ -254,7 +254,6 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro

 	c.Command = &execdriver.Command{

 		CommonCommand: execdriver.CommonCommand{

 			ID:            c.ID,

-			InitPath:      "/.dockerinit",

 			MountLabel:    c.GetMountLabel(),

 			Network:       en,

 			ProcessConfig: processConfig,

@@ -124,7 +124,6 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro

 		CommonCommand: execdriver.CommonCommand{

 			ID:            c.ID,

 			Rootfs:        c.BaseFS,

-			InitPath:      "/.dockerinit",

 			WorkingDir:    c.Config.WorkingDir,

 			Network:       en,

 			MountLabel:    c.GetMountLabel(),

@@ -688,8 +688,7 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e

 }

 // setupInitLayer populates a directory with mountpoints suitable

-// for bind-mounting dockerinit into the container. The mountpoint is simply an

-// empty file at /.dockerinit

+// for bind-mounting things into the container.

 //

 // This extra layer is used by all containers as the top-most ro layer. It protects

 // the container from unwanted side-effects on the rw layer.

@@ -699,7 +698,6 @@ func setupInitLayer(initLayer string, rootUID, rootGID int) error {

 		"/dev/shm":         "dir",

 		"/proc":            "dir",

 		"/sys":             "dir",

-		"/.dockerinit":     "file",

 		"/.dockerenv":      "file",

 		"/etc/resolv.conf": "file",

 		"/etc/hosts":       "file",

@@ -131,7 +131,6 @@ type CommonProcessConfig struct {

 type CommonCommand struct {

 	ContainerPid  int           `json:"container_pid"` // the pid for the process inside a container

 	ID            string        `json:"id"`

-	InitPath      string        `json:"initpath"`    // dockerinit

 	MountLabel    string        `json:"mount_label"` // TODO Windows. More involved, but can be factored out

 	Mounts        []Mount       `json:"mounts"`

 	Network       *Network      `json:"network"`

@@ -49,11 +49,6 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) {

 		logrus.Errorf("Could not read system memory info: %v", err)

 	}

-	// if we still have the original dockerinit binary from before

-	// we copied it locally, let's return the path to that, since

-	// that's more intuitive (the copied path is trivial to derive

-	// by hand given VERSION)

-	initPath := utils.DockerInitPath("")

 	sysInfo := sysinfo.New(true)

 	var cRunning, cPaused, cStopped int32

@@ -94,8 +89,6 @@ func (daemon *Daemon) SystemInfo() (*types.Info, error) {

 		OSType:             platform.OSType,

 		Architecture:       platform.Architecture,

 		RegistryConfig:     daemon.RegistryService.Config,

-		InitSha1:           dockerversion.InitSHA1,

-		InitPath:           initPath,

 		NCPU:               runtime.NumCPU(),

 		MemTotal:           meminfo.MemTotal,

 		DockerRootDir:      daemon.configStore.Root,

deleted file mode 100644

@@ -1,11 +0,0 @@

-package main

-

-import (

-	_ "github.com/docker/docker/daemon/execdriver/native"

-	"github.com/docker/docker/pkg/reexec"

-)

-

-func main() {

-	// Running in init mode

-	reexec.Init()

-}

@@ -9,8 +9,5 @@ const (

 	GitCommit string = "library-import"

 	Version   string = "library-import"

 	BuildTime string = "library-import"

-

 	IAmStatic string = "library-import"

-	InitSHA1  string = "library-import"

-	InitPath  string = "library-import"

 )

@@ -76,7 +76,6 @@ _dockerfile_env() {

 clean() {

 	local packages=(

 		"${PROJECT}/docker" # package main

-		"${PROJECT}/dockerinit" # package main

 		"${PROJECT}/integration-cli" # external tests

 	)

 	local dockerPlatforms=( ${DOCKER_ENGINE_OSARCH:="linux/amd64"} $(_dockerfile_env DOCKER_CROSSPLATFORMS) )

@@ -237,7 +237,6 @@ test_env() {

 		HOME="$ABS_DEST/fake-HOME" \

 		PATH="$PATH" \

 		TEMP="$TEMP" \

-		TEST_DOCKERINIT_PATH="$TEST_DOCKERINIT_PATH" \

 		"$@"

 }

@@ -17,14 +17,12 @@ override_dh_auto_test:

 	./bundles/$(VERSION)/dynbinary/docker -v

 override_dh_strip:

-	# the SHA1 of dockerinit is important: don't strip it

-	# also, Go has lots of problems with stripping, so just don't

+	# Go has lots of problems with stripping, so just don't

 override_dh_auto_install:

 	mkdir -p debian/docker-engine/usr/bin

 	cp -aT "$$(readlink -f bundles/$(VERSION)/dynbinary/docker)" debian/docker-engine/usr/bin/docker

 	mkdir -p debian/docker-engine/usr/lib/docker

-	cp -aT "$$(readlink -f bundles/$(VERSION)/dynbinary/dockerinit)" debian/docker-engine/usr/lib/docker/dockerinit

 override_dh_installinit:

 	# use "docker" as our service name, not "docker-engine"

@@ -11,11 +11,6 @@ URL: https://dockerproject.org

 Vendor: Docker

 Packager: Docker <support@docker.com>

-# docker builds in a checksum of dockerinit into docker,

-# # so stripping the binaries breaks docker

-%global __os_install_post %{_rpmconfigdir}/brp-compress

-%global debug_package %{nil}

-

 # is_systemd conditional

 %if 0%{?fedora} >= 21 || 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?suse_version} >= 1300

 %global is_systemd 1

@@ -124,10 +119,6 @@ export DOCKER_GITCOMMIT=%{_gitcommit}

 install -d $RPM_BUILD_ROOT/%{_bindir}

 install -p -m 755 bundles/%{_origversion}/dynbinary/docker-%{_origversion} $RPM_BUILD_ROOT/%{_bindir}/docker

-# install dockerinit

-install -d $RPM_BUILD_ROOT/%{_libexecdir}/docker

-install -p -m 755 bundles/%{_origversion}/dynbinary/dockerinit-%{_origversion} $RPM_BUILD_ROOT/%{_libexecdir}/docker/dockerinit

-

 # install udev rules

 install -d $RPM_BUILD_ROOT/%{_sysconfdir}/udev/rules.d

 install -p -m 644 contrib/udev/80-docker.rules $RPM_BUILD_ROOT/%{_sysconfdir}/udev/rules.d/80-docker.rules

@@ -175,7 +166,6 @@ install -p -m 644 contrib/syntax/nano/Dockerfile.nanorc $RPM_BUILD_ROOT/usr/shar

 %files

 %doc AUTHORS CHANGELOG.md CONTRIBUTING.md LICENSE MAINTAINERS NOTICE README.md

 /%{_bindir}/docker

-/%{_libexecdir}/docker/dockerinit

 /%{_sysconfdir}/udev/rules.d/80-docker.rules

 %if 0%{?is_systemd}

 /%{_unitdir}/docker.service

deleted file mode 100644

@@ -1,33 +0,0 @@

-#!/bin/bash

-set -e

-

-IAMSTATIC="true"

-source "${MAKEDIR}/.go-autogen"

-

-# dockerinit still needs to be a static binary, even if docker is dynamic

-go build \

-	-o "$DEST/dockerinit-$VERSION" \

-	"${BUILDFLAGS[@]}" \

-	-ldflags "

-		$LDFLAGS

-		$LDFLAGS_STATIC

-		-extldflags \"$EXTLDFLAGS_STATIC\"

-	" \

-	./dockerinit

-

-echo "Created binary: $DEST/dockerinit-$VERSION"

-ln -sf "dockerinit-$VERSION" "$DEST/dockerinit"

-

-sha1sum=

-if command -v sha1sum &> /dev/null; then

-	sha1sum=sha1sum

-elif command -v shasum &> /dev/null; then

-	# Mac OS X - why couldn't they just use the same command name and be happy?

-	sha1sum=shasum

-else

-	echo >&2 'error: cannot find sha1sum command or equivalent'

-	exit 1

-fi

-

-# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another

-export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)

deleted file mode 100644

@@ -1,31 +0,0 @@

-#!/bin/bash

-set -e

-

-IAMSTATIC="true"

-source "${MAKEDIR}/.go-autogen"

-

-# dockerinit still needs to be a static binary, even if docker is dynamic

-go build --compiler=gccgo \

-	-o "$DEST/dockerinit-$VERSION" \

-	"${BUILDFLAGS[@]}" \

-	--gccgoflags "

-		-g

-		-Wl,--no-export-dynamic

-		$EXTLDFLAGS_STATIC

-		-lnetgo

-	" \

-	./dockerinit

-

-echo "Created binary: $DEST/dockerinit-$VERSION"

-ln -sf "dockerinit-$VERSION" "$DEST/dockerinit"

-

-sha1sum=

-if command -v sha1sum &> /dev/null; then

-	sha1sum=sha1sum

-else

-	echo >&2 'error: cannot find sha1sum command or equivalent'

-	exit 1

-fi

-

-# sha1 our new dockerinit to ensure separate docker and dockerinit always run in a perfect pair compiled for one another

-export DOCKER_INITSHA1=$($sha1sum "$DEST/dockerinit-$VERSION" | cut -d' ' -f1)

@@ -14,10 +14,7 @@ const (

 	GitCommit string = "$GITCOMMIT"

 	Version   string = "$VERSION"

 	BuildTime string = "$BUILDTIME"

-

 	IAmStatic string = "${IAMSTATIC:-true}"

-	InitSHA1  string = "$DOCKER_INITSHA1"

-	InitPath  string = "$DOCKER_INITPATH"

 )

 // AUTOGENERATED FILE; see $BASH_SOURCE

 DVEOF

@@ -44,9 +41,9 @@ When make binary is run, the Dockerfile prepares the build environment by:

 make.sh invokes hack/make/.go-autogen to:

- - Run rsrc to create a binary file (autogen/winresources/rsrc.syso) that 

-   contains the manifest and icon. This file is automatically picked up by 

-   'go build', so no post-processing steps are required. The sources for 

+ - Run rsrc to create a binary file (autogen/winresources/rsrc.syso) that

+   contains the manifest and icon. This file is automatically picked up by

+   'go build', so no post-processing steps are required. The sources for

    rsrc.syso are under hack/make/.resources-windows.

 */

@@ -1,16 +1,6 @@

 #!/bin/bash

 set -e

-if [ -z "$DOCKER_CLIENTONLY" ]; then

-	source "${MAKEDIR}/.dockerinit"

-

-	hash_files "$DEST/dockerinit-$VERSION"

-else

-	# DOCKER_CLIENTONLY must be truthy, so we don't need to bother with dockerinit :)

-	export DOCKER_INITSHA1=""

-fi

-# DOCKER_INITSHA1 is exported so that other bundlescripts can easily access it later without recalculating it

-

 (

 	export IAMSTATIC="false"

 	export LDFLAGS_STATIC_DOCKER=''

@@ -1,16 +1,6 @@

 #!/bin/bash

 set -e

-if [ -z "$DOCKER_CLIENTONLY" ]; then

-	source "${MAKEDIR}/.dockerinit-gccgo"

-

-	hash_files "$DEST/dockerinit-$VERSION"

-else

-	# DOCKER_CLIENTONLY must be truthy, so we don't need to bother with dockerinit :)

-	export DOCKER_INITSHA1=""

-fi

-# DOCKER_INITSHA1 is exported so that other bundlescripts can easily access it later without recalculating it

-

 (

 	export IAMSTATIC="false"

 	export EXTLDFLAGS_STATIC=''

@@ -27,10 +27,10 @@ func (s *DockerSuite) TestDiffFilenameShownInOutput(c *check.C) {

 }

 // test to ensure GH #3840 doesn't occur any more

-func (s *DockerSuite) TestDiffEnsureDockerinitFilesAreIgnored(c *check.C) {

+func (s *DockerSuite) TestDiffEnsureInitLayerFilesAreIgnored(c *check.C) {

 	testRequires(c, DaemonIsLinux)

 	// this is a list of files which shouldn't show up in `docker diff`

-	dockerinitFiles := []string{"/etc/resolv.conf", "/etc/hostname", "/etc/hosts", "/.dockerinit", "/.dockerenv"}

+	initLayerFiles := []string{"/etc/resolv.conf", "/etc/hostname", "/etc/hosts", "/.dockerenv"}

 	containerCount := 5

 	// we might not run into this problem from the first run, so start a few containers

@@ -41,7 +41,7 @@ func (s *DockerSuite) TestDiffEnsureDockerinitFilesAreIgnored(c *check.C) {

 		cleanCID := strings.TrimSpace(out)

 		out, _ = dockerCmd(c, "diff", cleanCID)

-		for _, filename := range dockerinitFiles {

+		for _, filename := range initLayerFiles {

 			c.Assert(out, checker.Not(checker.Contains), filename)

 		}

 	}

@@ -224,7 +224,6 @@ const (

 43 16 0:34 / /proc/fs/nfsd rw,nosuid,nodev,noexec,relatime - nfsd nfsd rw

 44 15 0:35 / /home/tianon/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=1000,group_id=1000

 68 15 0:3336 / /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd rw,relatime - aufs none rw,si=9b4a7640128db39c

-85 68 8:6 /var/lib/docker/init/dockerinit-0.7.2-dev//deleted /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/.dockerinit rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered

 86 68 8:6 /var/lib/docker/containers/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/config.env /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/.dockerenv rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered

 87 68 8:6 /etc/resolv.conf /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/etc/resolv.conf rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered

 88 68 8:6 /var/lib/docker/containers/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/hostname /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/etc/hostname rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered

@@ -1,124 +1,17 @@

 package utils

 import (

-	"crypto/sha1"

-	"encoding/hex"

 	"fmt"

-	"io"

 	"io/ioutil"

 	"os"

-	"os/exec"

-	"path/filepath"

 	"runtime"

 	"strings"

 	"github.com/docker/distribution/registry/api/errcode"

-	"github.com/docker/docker/dockerversion"

 	"github.com/docker/docker/pkg/archive"

 	"github.com/docker/docker/pkg/stringid"

 )

-// SelfPath figures out the absolute path of our own binary (if it's still around).

-func SelfPath() string {

-	path, err := exec.LookPath(os.Args[0])

-	if err != nil {

-		if os.IsNotExist(err) {

-			return ""

-		}

-		if execErr, ok := err.(*exec.Error); ok && os.IsNotExist(execErr.Err) {

-			return ""

-		}

-		panic(err)

-	}

-	path, err = filepath.Abs(path)

-	if err != nil {

-		if os.IsNotExist(err) {

-			return ""

-		}

-		panic(err)

-	}

-	return path

-}

-

-func dockerInitSha1(target string) string {

-	f, err := os.Open(target)

-	if err != nil {

-		return ""

-	}

-	defer f.Close()

-	h := sha1.New()

-	_, err = io.Copy(h, f)

-	if err != nil {

-		return ""

-	}

-	return hex.EncodeToString(h.Sum(nil))

-}

-

-func isValidDockerInitPath(target string, selfPath string) bool { // target and selfPath should be absolute (InitPath and SelfPath already do this)

-	if target == "" {

-		return false

-	}

-	if dockerversion.IAmStatic == "true" {

-		if selfPath == "" {

-			return false

-		}

-		if target == selfPath {

-			return true

-		}

-		targetFileInfo, err := os.Lstat(target)

-		if err != nil {

-			return false

-		}

-		selfPathFileInfo, err := os.Lstat(selfPath)

-		if err != nil {

-			return false

-		}

-		return os.SameFile(targetFileInfo, selfPathFileInfo)

-	}

-	return dockerversion.InitSHA1 != "" && dockerInitSha1(target) == dockerversion.InitSHA1

-}

-

-// DockerInitPath figures out the path of our dockerinit (which may be SelfPath())

-func DockerInitPath(localCopy string) string {

-	selfPath := SelfPath()

-	if isValidDockerInitPath(selfPath, selfPath) {

-		// if we're valid, don't bother checking anything else

-		return selfPath

-	}

-	var possibleInits = []string{

-		localCopy,

-		dockerversion.InitPath,

-		filepath.Join(filepath.Dir(selfPath), "dockerinit"),

-

-		// FHS 3.0 Draft: "/usr/libexec includes internal binaries that are not intended to be executed directly by users or shell scripts. Applications may use a single subdirectory under /usr/libexec."

-		// https://www.linuxbase.org/betaspecs/fhs/fhs.html#usrlibexec

-		"/usr/libexec/docker/dockerinit",

-		"/usr/local/libexec/docker/dockerinit",

-

-		// FHS 2.3: "/usr/lib includes object files, libraries, and internal binaries that are not intended to be executed directly by users or shell scripts."

-		// https://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#USRLIBLIBRARIESFORPROGRAMMINGANDPA

-		"/usr/lib/docker/dockerinit",

-		"/usr/local/lib/docker/dockerinit",

-	}

-	for _, dockerInit := range possibleInits {

-		if dockerInit == "" {

-			continue

-		}

-		path, err := exec.LookPath(dockerInit)

-		if err == nil {

-			path, err = filepath.Abs(path)

-			if err != nil {

-				// LookPath already validated that this file exists and is executable (following symlinks), so how could Abs fail?

-				panic(err)

-			}

-			if isValidDockerInitPath(path, selfPath) {

-				return path

-			}

-		}

-	}

-	return ""

-}

-

 var globalTestID string

 // TestDirectory creates a new temporary directory and returns its path.