Merge pull request #2951 from justincormack/mobyup

Update moby tool

src/cmd/linuxkit/vendor.conf

@@ -26,7 +26,7 @@ github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86
 github.com/moby/hyperkit a285521725f44f3d10ca1042c2c07d3a6e24bed8
 # When updating also:
 # curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/«hash»/cmd/moby/build.go
-github.com/moby/tool bd556c86f7b1ea3667990468ab28789e61e6f2f1
+github.com/moby/tool c9d52b57874b36a474206a867d9bc3ea7bacaffe
 github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 github.com/opencontainers/image-spec v1.0.0
@@ -40,7 +40,7 @@ github.com/rn/iso9660wrap baf8d62ad3155152b488d5ff9d4f2b9bb0d6986a
 github.com/sirupsen/logrus v1.0.3
 github.com/stretchr/testify v1.1.4
 github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495
-github.com/theupdateframework/notary c3574cbdf09c9b52ffd364451d1c793b129edb0a
+github.com/theupdateframework/notary v0.6.0
 github.com/vmware/govmomi 6f8ebd89d521d9f9af7a6c2219c4deee511020dd
 github.com/xeipuuv/gojsonpointer 6fe8760cad3569743d51ddbb243b26f8456742dc
 github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45

src/cmd/linuxkit/vendor/github.com/moby/tool/README.md

@@ -0,0 +1,18 @@
+# Moby
+
+[Moby Project](https://mobyproject.org)
+
+The Moby Project is an open framework to assemble specialized container systems without reinventing the wheel.
+
+Moby is an open framework created by Docker to assemble specialized container systems without reinventing the wheel. It provides a “lego set” of dozens of standard components and a framework for assembling them into custom platforms. At the core of Moby is a framework to assemble specialized container systems which provides:
+
+* Components
+* Tools
+* Assemblies
+
+For more information, please visit the [Moby Project home page](https://mobyproject.org).
+
+## Documentation
+
+* [Format of moby input yml](./docs/yaml.md)
+* [Using private images](./docs/privateimages.md)

src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go

@@ -17,7 +17,7 @@ kernel:
   image: linuxkit/kernel:4.9.39
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:b212cfeb4bb6330e0a7547d8010fe2e8489b677a
+  - linuxkit/init:00ab58c9681a0bf42b2e35134c1ccf1591ebb64d
   - linuxkit/runc:f5960b83a8766ae083efc744fa63dbf877450e4f
 onboot:
   - name: mkimage

src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go

@@ -23,6 +23,7 @@ const (
 	vmdk       = "linuxkit/mkimage-vmdk:deb9018d06dbb9da29464a4320187ce7e4ae1856"
 	dynamicvhd = "linuxkit/mkimage-dynamic-vhd:172fb196713a4aff677b88422026512600b1ca55"
 	rpi3       = "linuxkit/mkimage-rpi3:553c6c2d13b7d54f6b73b3b0c1c15f2e47ffb0df"
+	qcow2Efi   = "linuxkit/mkimage-qcow2-efi:9bc3de981188da099eaf44cc467f5bbb29c13033"
 )
 
 var outFuns = map[string]func(string, io.Reader, int) error{
@@ -108,6 +109,17 @@ var outFuns = map[string]func(string, io.Reader, int) error{
 		}
 		return nil
 	},
+	"qcow2-efi": func(base string, image io.Reader, size int) error {
+		kernel, initrd, cmdline, _, err := tarToInitrd(image)
+		if err != nil {
+			return fmt.Errorf("Error converting to initrd: %v", err)
+		}
+		err = outputImg(qcow2Efi, base+"-efi.qcow2", kernel, initrd, cmdline)
+		if err != nil {
+			return fmt.Errorf("Error writing qcow2 EFI output: %v", err)
+		}
+		return nil
+	},
 	"qcow2-bios": func(base string, image io.Reader, size int) error {
 		filename := base + ".qcow2"
 		log.Infof("  %s", filename)

src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf

@@ -13,7 +13,7 @@ github.com/opencontainers/runtime-spec v1.0.0
 github.com/pkg/errors v0.8.0
 github.com/sirupsen/logrus v1.0.3
 github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495
-github.com/theupdateframework/notary c3574cbdf09c9b52ffd364451d1c793b129edb0a
+github.com/theupdateframework/notary v0.6.0
 github.com/xeipuuv/gojsonpointer 6fe8760cad3569743d51ddbb243b26f8456742dc
 github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45
 github.com/xeipuuv/gojsonschema 702b404897d4364af44dc8dcabc9815947942325

src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/README.md

@@ -1,5 +1,6 @@
 <img src="docs/images/notary-blk.svg" alt="Notary" width="400px"/>
 
+[![GoDoc](https://godoc.org/github.com/theupdateframework/notary?status.svg)](https://godoc.org/github.com/theupdateframework/notary)
 [![Circle CI](https://circleci.com/gh/theupdateframework/notary/tree/master.svg?style=shield)](https://circleci.com/gh/theupdateframework/notary/tree/master) [![CodeCov](https://codecov.io/github/theupdateframework/notary/coverage.svg?branch=master)](https://codecov.io/github/theupdateframework/notary) [![GoReportCard](https://goreportcard.com/badge/theupdateframework/notary)](https://goreportcard.com/report/github.com/theupdateframework/notary)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_shield)
 
@@ -15,7 +16,7 @@ location via GitHub's redirect.
 # Overview
 
 The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting
-with trusted collections.  Please see the [service architecture](docs/service_architecture.md) documentation
+with trusted collections. See the [service architecture](docs/service_architecture.md) documentation
 for more information.
 
 Notary aims to make the internet more secure by making it easy for people to
@@ -45,26 +46,26 @@ Notary is based on [The Update Framework](https://www.theupdateframework.com/),
 
 ## Security
 
-Please see our [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
+See Notary's [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
 
-Our last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).
+Notary's last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).
 
 Any security vulnerabilities can be reported to security@docker.com.
 
 # Getting started with the Notary CLI
 
-Please get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary).
+Get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary).
 The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
 
-To use the Notary CLI with Docker hub images, please have a look at our
+To use the Notary CLI with Docker hub images, have a look at Notary's
 [getting started docs](docs/getting_started.md).
 
-For more advanced usage, please see the
+For more advanced usage, see the
 [advanced usage docs](docs/advanced_usage.md).
 
 To use the CLI against a local Notary server rather than against Docker Hub:
 
-1. Please ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.
+1. Ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.
 1. `git clone https://github.com/theupdateframework/notary.git` and from the cloned repository path,
     start up a local Notary server and signer and copy the config file and testing certs to your
     local notary config directory:
@@ -90,31 +91,30 @@ to use `notary` with Docker images.
 
 ## Building Notary
 
-Note that our [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the
+Note that Notary's [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the
 [releases branch](https://github.com/theupdateframework/notary/tree/releases).  The master branch is the development
 branch and contains features for the next release.
 
 Prerequisites:
 
 - Go >= 1.7.1
-- [godep](https://github.com/tools/godep) installed
+    - Fedora: `dnf install golang`
 - libtool development headers installed
     - Ubuntu: `apt-get install libltdl-dev`
     - CentOS/RedHat: `yum install libtool-ltdl-devel`
+    - Fedora: `dnf install libtool-ltdl-devel`
     - Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool`
 
-Run `make client`, which creates the Notary Client CLI binary at `bin/notary`.
+Set [```GOPATH```](https://golang.org/doc/code.html#GOPATH). Then, run:
-Note that `make client` assumes a standard Go directory structure, in which
+
-Notary is checked out to the `src` directory in your `GOPATH`. For example:
+```bash
-```
+$ go get github.com/theupdateframework/notary
-$GOPATH/
+# build with pcks11 support by default to support yubikey
-    src/
+$ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary
-        github.com/
+$ notary
-            docker/
-                notary/
 ```
 
-To build the server and signer, please run `docker-compose build`.
+To build the server and signer, run `docker-compose build`.
 
 
 ## License

src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/client/client.go

@@ -1,88 +1,4 @@
-/*
+//Package client implements everything required for interacting with a Notary repository.
-Package client implements everything required for interacting with a Notary repository.
-
-Usage
-
-Use this package by creating a new repository object and calling methods on it.
-
-	package main
-
-	import (
-		"encoding/hex"
-		"fmt"
-		"net/http"
-		"os"
-		"time"
-
-		"github.com/docker/distribution/registry/client/auth"
-		"github.com/docker/distribution/registry/client/auth/challenge"
-		"github.com/docker/distribution/registry/client/transport"
-		notary "github.com/theupdateframework/notary/client"
-		"github.com/theupdateframework/notary/trustpinning"
-		"github.com/theupdateframework/notary/tuf/data"
-	)
-
-	func main() {
-		rootDir := ".trust"
-		if err := os.MkdirAll(rootDir, 0700); err != nil {
-			panic(err)
-		}
-
-		server := "https://notary.docker.io"
-		image := "docker.io/library/alpine"
-		repo, err := notary.NewFileCachedNotaryRepository(
-			rootDir,
-			data.GUN(image),
-			server,
-			makeHubTransport(server, image),
-			nil,
-			trustpinning.TrustPinConfig{},
-		)
-
-		targets, err := repo.ListTargets()
-		if err != nil {
-			panic(err)
-		}
-
-		for _, tgt := range targets {
-			fmt.Printf("%s\t%s\n", tgt.Name, hex.EncodeToString(tgt.Hashes["sha256"]))
-		}
-	}
-
-	func makeHubTransport(server, image string) http.RoundTripper {
-		base := http.DefaultTransport
-		modifiers := []transport.RequestModifier{
-			transport.NewHeaderRequestModifier(http.Header{
-				"User-Agent": []string{"my-client"},
-			}),
-		}
-
-		authTransport := transport.NewTransport(base, modifiers...)
-		pingClient := &http.Client{
-			Transport: authTransport,
-			Timeout:   5 * time.Second,
-		}
-		req, err := http.NewRequest("GET", server+"/v2/", nil)
-		if err != nil {
-			panic(err)
-		}
-
-		challengeManager := challenge.NewSimpleManager()
-		resp, err := pingClient.Do(req)
-		if err != nil {
-			panic(err)
-		}
-		defer resp.Body.Close()
-		if err := challengeManager.AddResponse(resp); err != nil {
-			panic(err)
-		}
-		tokenHandler := auth.NewTokenHandler(base, nil, image, "pull")
-		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, auth.NewBasicHandler(nil)))
-
-		return transport.NewTransport(base, modifiers...)
-	}
-
-*/
 package client
 
 import (

src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/keys.go

@@ -3,6 +3,7 @@ package trustmanager
 import (
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"path/filepath"
@@ -100,8 +101,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
 		return err
 	}
 	var (
-		writeTo string
+		writeTo   string
-		toWrite []byte
+		toWrite   []byte
+		errBlocks []string
 	)
 	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
 		handleLegacyPath(block)
@@ -110,6 +112,7 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
 		loc, err := checkValidity(block)
 		if err != nil {
 			// already logged in checkValidity
+			errBlocks = append(errBlocks, err.Error())
 			continue
 		}
 
@@ -157,6 +160,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
 	if toWrite != nil { // close out final iteration if there's data left
 		return importToStores(to, writeTo, toWrite)
 	}
+	if len(errBlocks) > 0 {
+		return fmt.Errorf("failed to import all keys: %s", strings.Join(errBlocks, ", "))
+	}
 	return nil
 }
 

src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go

@@ -4,7 +4,9 @@ package yubikey
 
 var possiblePkcs11Libs = []string{
 	"/usr/lib/libykcs11.so",
+	"/usr/lib/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
 	"/usr/lib64/libykcs11.so",
+	"/usr/lib64/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
 	"/usr/lib/x86_64-linux-gnu/libykcs11.so",
 	"/usr/local/lib/libykcs11.so",
 }

src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/tuf/tuf.go

@@ -248,17 +248,14 @@ func (tr *Repo) GetDelegationRole(name data.RoleName) (data.DelegationRole, erro
 				}
 				// Check all public key certificates in the role for expiry
 				// Currently we do not reject expired delegation keys but warn if they might expire soon or have already
-				for keyID, pubKey := range delgRole.Keys {
+				for _, pubKey := range delgRole.Keys {
 					certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
 					if err != nil {
 						continue
 					}
-					if err := utils.ValidateCertificate(certFromKey, true); err != nil {
+					//Don't check the delegation certificate expiry once added, use the TUF role expiry instead
-						if _, ok := err.(data.ErrCertExpired); !ok {
+					if err := utils.ValidateCertificate(certFromKey, false); err != nil {
-							// do not allow other invalid cert errors
+						return err
-							return err
-						}
-						logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
 					}
 				}
 				foundRole = &delgRole

src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/vendor.conf

@@ -6,7 +6,7 @@ github.com/bugsnag/panicwrap	    e2c28503fcd0675329da73bf48b33404db873782
 github.com/bugsnag/osext	    0dd3f918b21bec95ace9dc86c7e70266cfc5c702
 github.com/docker/distribution      edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c
 github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
-github.com/docker/go-connections    3ede32e2033de7505e6500d6c868c2b9ed9f169d
+github.com/docker/go-connections    7395e3f8aa162843a74ed6d48e79627d9792ac55
 github.com/docker/go                d30aec9fd63c35133f8f79c3412ad91a3b08be06
 github.com/dvsekhvalnov/jose2go     6387d3c1f5abd8443b223577d5a7e0f4e0e5731f   # v1.2
 github.com/go-sql-driver/mysql      a0583e0143b1624142adab07e0e97fe106d99561   # v1.3
@@ -15,22 +15,22 @@ github.com/jinzhu/gorm              5409931a1bb87e484d68d649af9367c207713ea2
 github.com/jinzhu/inflection        1c35d901db3da928c72a72d8458480cc9ade058f
 github.com/lib/pq                   0dad96c0b94f8dee039aa40467f767467392a0af
 github.com/mattn/go-sqlite3         b4142c444a8941d0d92b0b7103a24df9cd815e42   # v1.0.0
-github.com/miekg/pkcs11             ba39b9c6300b7e0be41b115330145ef8afdff7d6
+github.com/miekg/pkcs11             5f6e0d0dad6f472df908c8e968a98ef00c9224bb
 github.com/mitchellh/go-homedir     df55a15e5ce646808815381b3db47a8c66ea62f4
 github.com/prometheus/client_golang 449ccefff16c8e2b7229f6be1921ba22f62461fe
 github.com/prometheus/client_model  fa8ad6fec33561be4280a8f0514318c79d7f6cb6   # model-0.0.2-12-gfa8ad6f
 github.com/prometheus/procfs	    b1afdc266f54247f5dc725544f5d351a8661f502
 github.com/prometheus/common	    4fdc91a58c9d3696b982e8a680f4997403132d44
 github.com/golang/protobuf          c3cefd437628a0b7d31b34fe44b3a7a540e98527
-github.com/spf13/cobra              f368244301305f414206f889b1735a54cfc8bde8
+github.com/spf13/cobra              7b2c5ac9fc04fc5efafb60700713d4fa609b777b   # v0.0.1
 github.com/spf13/viper              be5ff3e4840cf692388bde7a057595a474ef379e
 golang.org/x/crypto                 76eec36fa14229c4b25bb894c2d0e591527af429
 golang.org/x/net                    6a513affb38dc9788b449d59ffed099b8de18fa0
-golang.org/x/sys                    739734461d1c916b6c72a63d7efda2b27edb369f
+golang.org/x/sys                    314a259e304ff91bd6985da2a7149bbf91237993
 google.golang.org/grpc              708a7f9f3283aa2d4f6132d287d78683babe55c8   # v1.0.5
 github.com/pkg/errors 		    839d9e913e063e28dfd0e6c7b7512793e0a48be9
 
-github.com/spf13/pflag		    cb88ea77998c3f024757528e3305022ab50b43be
+github.com/spf13/pflag		    e57e3eeb33f795204c1ca35f56c44f83227c6e66  # v1.0.0
 github.com/spf13/cast		    4d07383ffe94b5e5a6fa3af9211374a4507a0184
 gopkg.in/yaml.v2 		    bef53efd0c76e49e6de55ead051f886bea7e9420
 gopkg.in/fatih/pool.v2		    cba550ebf9bce999a02e963296d4bc7a486cb715