Merge pull request #4065 from deitch/volumes

Volumes

docs/yaml.md

@@ -3,7 +3,7 @@
 The `linuxkit build` command assembles a set of containerised components into in image. The simplest
 type of image is just a `tar` file of the contents (useful for debugging) but more useful
 outputs add a `Dockerfile` to build a container, or build a full disk image that can be
-booted as a linuxKit VM. The main use case is to build an assembly that includes
+booted as a linuxkit VM. The main use case is to build an assembly that includes
 `containerd` to run a set of containers, but the tooling is very generic.
 
 The yaml configuration specifies the components used to build up an image . All components
@@ -16,8 +16,10 @@ The Docker images are optionally verified with Docker Content Trust.
 For private registries or private repositories on a registry credentials provided via
 `docker login` are re-used.
 
+## Sections
+
 The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`,
-`services`, `files`. Each section adds files to the root file system. Sections may be omitted.
+`services`, `files`, `volumes`. Each section adds files to the root file system. Sections may be omitted.
 
 Each container that is specified is allocated a unique `uid` and `gid` that it may use if it
 wishes to run as an isolated user (or user namespace). Anywhere you specify a `uid` or `gid`
@@ -40,7 +42,7 @@ files:
     mode: "0600"
 ```
 
-## `kernel`
+### `kernel`
 
 The `kernel` section is only required if booting a VM. The files will be put into the `boot/`
 directory, where they are used to build bootable images.
@@ -57,7 +59,7 @@ Kernel packages may also contain a cpio archive containing CPU microcode which n
 the initrd. To select this option, recommended when booting on bare metal, add `ucode: intel-ucode.cpio`
 to the kernel section.
 
-## `init`
+### `init`
 
 The `init` section is a list of images that are used for the `init` system and are unpacked directly
 into the root filesystem. This should bring up `containerd`, start the system and daemon containers,
@@ -65,14 +67,14 @@ and set up basic filesystem mounts. in the case of a LinuxKit system. For ease o
 modification `runc` and `containerd` images, which just contain these programs are added here
 rather than bundled into the `init` container.
 
-## `onboot`
+### `onboot`
 
 The `onboot` section is a list of images. These images are run before any other
 images. They are run sequentially and each must exit before the next one is run.
 These images can be used to configure one shot settings. See [Image
 specification](#image-specification) for a list of supported fields.
 
-## `onshutdown`
+### `onshutdown`
 
 This is a list of images to run on a clean shutdown. Note that you must not rely on these
 being run at all, as machines may be be powered off or shut down without having time to run
@@ -81,18 +83,67 @@ run and when they are not. Most systems are likely to be "crash only" and not ha
 but you can attempt to deregister cleanly from a network service here, rather than relying
 on timeouts, for example.
 
-## `services`
+### `services`
 
 The `services` section is a list of images for long running services which are
 run with `containerd`.  Startup order is undefined, so containers should wait
 on any resources, such as networking, that they need.  See [Image
 specification](#image-specification) for a list of supported fields.
 
-## `files`
+### `volumes`
+
+The volumes section is a list of named volumes that can be used by other containers,
+including those in `services`, `onboot` and `onshutdown`. The volumes are created in a directory
+chosen by linuxkit at build-time. The volumes then can be referenced by other containers and
+mounted into them.
+
+Volumes normally are blank directories. If an image is provided, the contents of that image
+will be used to populate the volume.
+
+The `volumes` section can declare a volume to be read-write or read-only. If the volume is read-write,
+a volume that is mounted into a container can be mounted read-only or read-write. If the volume is read-only,
+it can be mounted into a container read-only; attempting to do so read-write will generate a build-time error.
+By default, volumes are created read-write, and are mounted read-write.
+
+Volume names **must** be unique, and must contain only lower-case alphanumeric characters, hyphens, and
+underscores.
+
+Sample `volumes` section:
+
+```yml
+volumes:
+- name: vola
+  image: alpine:latest
+  readonly: true
+- name: volb
+  image: alpine:latest
+  readonly: false
+- name: volc
+  readonly: false
+```
+
+In the above example:
+
+* `vola` is populated by the contents of `alpine:latest` and is read-only.
+* `volb` is populated by the contents of `alpine:latest` and is read-write.
+* `volc` is an empty volume and is read-write.
+
+Sample usage of volumes in `services` section:
+
+```yml
+services:
+- name: myservice
+  image: alpine:latest
+  binds:
+  - volA:/mnt/volA:ro
+  - volB:/mnt/volB
+```
+
+### `files`
 
 The files section can be used to add files inline in the config, or from an external file.
 
-```
+```yml
 files:
   - path: dir
     directory: true
@@ -118,7 +169,8 @@ user's home directory.
 In addition there is a `metadata` option that will generate the file. Currently the only value
 supported here is `"yaml"` which will output the yaml used to generate the image into the specified
 file:
-```
+
+```yml
   - path: etc/linuxkit.yml
     metadata: yaml
 ```
@@ -130,7 +182,7 @@ Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tm
 
 ## Image specification
 
-Entries in the `onboot` and `services` sections specify an OCI image and
+Entries in the `onboot`, `onshutdown`, `volumes` and `services` sections specify an OCI image and
 options. Default values may be specified using the `org.mobyproject.config` image label.
 For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md).
 
@@ -205,7 +257,8 @@ which specifies some actions to take place when the container is being started.
 - `namespace` overrides the LinuxKit default containerd namespace to put the container in; only applicable to services.
 
 An example of using the `runtime` config to configure a network namespace with `wireguard` and then run `nginx` in that namespace is shown below:
-```
+
+```yml
 onboot:
   - name: dhcpcd
     image: linuxkit/dhcpcd:<hash>

examples/addbinds.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/cadvisor.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/containerd-debug.yml

@@ -3,7 +3,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/dm-crypt-loop.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/dm-crypt.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/docker-for-mac.yml

@@ -4,7 +4,7 @@ kernel:
   cmdline: "console=ttyS0 page_poison=1"
 init:
   - linuxkit/vpnkit-expose-port:77e45e4681c78d59f1d8a48818260948d55f9d05 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/docker.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/getty.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/hostmount-writeable-overlay.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/influxdb-os.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/logging.yml

@@ -3,7 +3,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/minimal.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

examples/node_exporter.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 services:

examples/openstack.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-aws.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-azure.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-equinixmetal.yml

@@ -3,7 +3,7 @@ kernel:
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-gcp.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-hetzner.yml

@@ -3,7 +3,7 @@ kernel:
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-rt-for-vmware.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13-rt
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-scaleway.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-vmware.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-vultr.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/redis-os.yml

@@ -4,7 +4,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

examples/sshd.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/static-ip.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

examples/swap.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/tpm.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/volumes.yml

@@ -0,0 +1,45 @@
+# example with volumes, both blank and populated
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+onshutdown:
+  - name: shutdown
+    image: busybox:latest
+    command: ["/bin/echo", "so long and thanks for all the fish"]
+services:
+  - name: getty
+    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+  - name: nginx
+    image: nginx:1.19.5-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf
+     - blank:/blank
+     - alpine:/alpine
+volumes:
+- name: blank   # blank volume
+- name: alpine  # populated volume
+  image: alpine:3.19
+files:
+  - path: etc/linuxkit-config
+    metadata: yaml

examples/vpnkit-forwarder.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

examples/vsudd-containerd.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

examples/wireguard.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

linuxkit.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

pkg/init/Dockerfile

@@ -24,6 +24,9 @@ COPY --from=containerd-dev /go/src/github.com/containerd/containerd $GOPATH/src/
 RUN cd /go/src/cmd/service && ./skanky-vendor.sh $GOPATH/src/github.com/containerd/containerd
 RUN go-compile.sh /go/src/cmd/service
 
+# volumes link to start
+RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/005-volumes
+
 FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out alpine-baselayout busybox musl
@@ -34,6 +37,7 @@ RUN mkdir -p /out/etc/ssl/certs
 # Remove cache residuals. We retain apk for SBOM tools
 RUN rm -rf /out/var/cache
 
+
 FROM scratch
 ENTRYPOINT []
 CMD []
@@ -42,5 +46,6 @@ COPY --from=build /go/bin/init /
 COPY --from=build /tmp/bin /bin/
 COPY --from=build /go/bin/service /usr/bin/
 COPY --from=build usermode-helper /sbin/
+COPY --from=build /etc/init.d/ /etc/init.d/
 COPY --from=mirror /out/ /
 COPY etc etc/

pkg/init/cmd/service/cmd.go

@@ -25,7 +25,7 @@ func parseCmd(ctx context.Context, command string, args []string) (*log.Entry, s
 	}
 
 	sock := flags.String("sock", defaultSocket, "Path to containerd socket")
-	path := flags.String("path", defaultPath, "Path to service configs")
+	path := flags.String("path", defaultServicesPath, "Path to service configs")
 
 	dumpSpec := flags.String("dump-spec", "", "Dump container spec to file before start")
 

pkg/init/cmd/service/main.go

@@ -14,7 +14,8 @@ import (
 
 const (
 	defaultSocket              = "/run/containerd/containerd.sock"
-	defaultPath                = "/containers/services"
+	defaultServicesPath        = "/containers/services"
+	defaultVolumesPath         = "/containers/volumes"
 	defaultContainerd          = "/usr/bin/containerd"
 	installPath                = "/usr/bin/service"
 	onbootPath                 = "/containers/onboot"
@@ -84,6 +85,8 @@ func main() {
 		// check if called form startup scripts
 		command := os.Args[0]
 		switch {
+		case strings.Contains(command, "volumes"):
+			os.Exit(volumeInitCmd(ctx))
 		case strings.Contains(command, "onboot"):
 			os.Exit(runcInit(onbootPath, "onboot"))
 		case strings.Contains(command, "onshutdown"):

pkg/init/cmd/service/system_init.go

@@ -67,7 +67,7 @@ func systemInitCmd(ctx context.Context, args []string) {
 	}
 
 	sock := flags.String("sock", defaultSocket, "Path to containerd socket")
-	path := flags.String("path", defaultPath, "Path to service configs")
+	path := flags.String("path", defaultServicesPath, "Path to service configs")
 	binary := flags.String("containerd", defaultContainerd, "Path to containerd")
 
 	if err := flags.Parse(args); err != nil {

pkg/init/cmd/service/volumeinit.go

@@ -0,0 +1,95 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func volumeInitCmd(ctx context.Context) int {
+	invoked := filepath.Base(os.Args[0])
+	flags := flag.NewFlagSet("volume", flag.ExitOnError)
+	flags.Usage = func() {
+		fmt.Printf("USAGE: %s volume\n\n", invoked)
+		fmt.Printf("Options:\n")
+		flags.PrintDefaults()
+	}
+
+	path := flags.String("path", defaultVolumesPath, "Path to volume configs")
+
+	// Set up volumes
+	vols, err := os.ReadDir(*path)
+	// just skip if there is an error, eg no such path
+	if err != nil {
+		return 1
+	}
+	// go through each volume, ensure that the volPath/merged exists as a directory,
+	// and is one of:
+	// - read-only: i.e. no tmp exists, merged bindmounted to lower
+	// - read-write: i.e. tmp exists, overlayfs lower/upper/merged
+	for _, vol := range vols {
+		subs, err := os.ReadDir(filepath.Join(*path, vol.Name()))
+		if err != nil {
+			log.WithError(err).Errorf("Error reading volume %s", vol.Name())
+			return 1
+		}
+		var hasLower, hasMerged, readWrite bool
+		for _, sub := range subs {
+			switch sub.Name() {
+			case "lower":
+				hasLower = true
+			case "tmp":
+				readWrite = true
+			case "merged":
+				hasMerged = true
+			}
+		}
+		if !hasMerged {
+			log.Errorf("Volume %s does not have a merged directory", vol.Name())
+			return 1
+		}
+		if !hasLower {
+			log.Errorf("Volume %s does not have a lower directory", vol.Name())
+			return 1
+		}
+		lowerDir := filepath.Join(*path, vol.Name(), "lower")
+		mergedDir := filepath.Join(*path, vol.Name(), "merged")
+		if !readWrite {
+			log.Infof("Volume %s is read-only, bind-mounting read-only", vol.Name())
+			if err := unix.Mount(lowerDir, mergedDir, "bind", unix.MS_RDONLY, ""); err != nil {
+				log.WithError(err).Errorf("Error bind-mounting volume %s", vol.Name())
+				return 1
+			}
+		} else {
+			log.Infof("Volume %s is read-write, overlay mounting", vol.Name())
+			// need a tmpfs to create the workdir and upper
+			tmpDir := filepath.Join(*path, vol.Name(), "tmp")
+			if err := unix.Mount("tmpfs", tmpDir, "tmpfs", unix.MS_RELATIME, ""); err != nil {
+				log.WithError(err).Errorf("Error creating tmpDir for volume %s", vol.Name())
+				return 1
+			}
+			workDir := filepath.Join(tmpDir, "work")
+			upperDir := filepath.Join(tmpDir, "upper")
+			if err := os.Mkdir(upperDir, 0755); err != nil {
+				log.WithError(err).Errorf("Error creating upper dir for volume %s", vol.Name())
+				return 1
+			}
+			if err := os.Mkdir(workDir, 0755); err != nil {
+				log.WithError(err).Errorf("Error creating work dir for volume %s", vol.Name())
+				return 1
+			}
+			// and let's mount the actual dir
+			data := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerDir, upperDir, workDir)
+			if err := unix.Mount("overlay", mergedDir, "overlay", unix.MS_RELATIME, data); err != nil {
+				log.WithError(err).Errorf("Error overlay-mounting volume %s", vol.Name())
+				return 1
+			}
+		}
+	}
+	return 0
+}

projects/clear-containers/clear-containers.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel-clear-containers:4.9.x
   cmdline: "root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k panic=1 console=hvc0 console=hvc1 initcall_debug iommu=off quiet  cryptomgr.notests page_poison=on"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
 onboot:
   - name: sysctl
     image: mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c

projects/compose/compose-dynamic.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/compose/compose-static.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/ima-namespace/ima-namespace.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel-ima:4.11.1-186dd3605ee7b23214850142f8f02b4679dbd148
   cmdline: "console=ttyS0 console=tty0 page_poison=1 ima_appraise=enforce_ns"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/landlock/landlock.yml

@@ -2,7 +2,7 @@ kernel:
   image: mobylinux/kernel-landlock:4.9.x
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
   - mobylinux/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
   - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935

projects/memorizer/memorizer.yml

@@ -2,7 +2,7 @@ kernel:
   image: "linuxkitprojects/kernel-memorizer:4.10_dbg"
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

projects/miragesdk/examples/fdd.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/miragesdk/examples/mirage-dhcp.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

projects/okernel/examples/okernel_simple.yaml

@@ -2,7 +2,7 @@ kernel:
   image: okernel:latest
   cmdline: "console=tty0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/shiftfs/shiftfs.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkitprojects/kernel-shiftfs:4.11.4-881a041fc14bd95814cf140b5e98d97dd65160b5
   cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

src/cmd/linuxkit/moby/build/build.go

@@ -99,7 +99,13 @@ func outputImage(image *moby.Image, section string, index int, prefix string, m
 	if err != nil {
 		return fmt.Errorf("failed to retrieve config for %s: %v", image.Image, err)
 	}
-	oci, runtime, err := moby.ConfigToOCI(image, configRaw, idMap)
+	// use a modified version of onboot which replaces volume names with paths
+	imageWithVolPaths, err := updateMountsAndBindsFromVolumes(image, m)
+	if err != nil {
+		return fmt.Errorf("failed update image %s from volumes: %w", image.Image, err)
+	}
+
+	oci, runtime, err := moby.ConfigToOCI(imageWithVolPaths, configRaw, idMap)
 	if err != nil {
 		return fmt.Errorf("failed to create OCI spec for %s: %v", image.Image, err)
 	}
@@ -256,6 +262,65 @@ func Build(m moby.Moby, w io.Writer, opts BuildOpts) error {
 		return err
 	}
 
+	if len(m.Volumes) != 0 {
+		log.Infof("Add volumes:")
+	}
+
+	for i, vol := range m.Volumes {
+		log.Infof("Process volume image: %s", vol.Name)
+		// there is an Image, so we need to extract it, either from inputTar or from the image
+		if oldConfig != nil && len(oldConfig.Volumes) > i && oldConfig.Volumes[i].Image == vol.Image {
+			if err := extractPackageFilesFromTar(in, iw, vol.Image, fmt.Sprintf("volumes[%d]", i)); err != nil {
+				return err
+			}
+			continue
+		}
+		location := fmt.Sprintf("volume[%d]", i)
+		lower, tmpDir, merged := vol.LowerDir(), vol.TmpDir(), vol.MergedDir()
+		lowerPath := strings.TrimPrefix(lower, "/") + "/"
+
+		// get volume tarball from container
+		if err := ImageTar(location, vol.ImageRef(), lowerPath, apkTar, resolvconfSymlink, opts); err != nil {
+			return fmt.Errorf("failed to build volume tarball from %s: %v", vol.Name, err)
+		}
+		// make upper and merged dirs which will be used for mounting
+		// no need to make lower dir, as it is made automatically by ImageTar()
+		// the existence of an upper dir indicates that it is read-write and should be overlayfs.
+		if !vol.ReadOnly {
+			// need the tmp dir where work gets done, since the whole thing fs is read-only
+			tmpPath := strings.TrimPrefix(tmpDir, "/") + "/"
+			tmphdr := &tar.Header{
+				Name:     tmpPath,
+				Mode:     0755,
+				Typeflag: tar.TypeDir,
+				ModTime:  defaultModTime,
+				Format:   tar.FormatPAX,
+				PAXRecords: map[string]string{
+					moby.PaxRecordLinuxkitSource:   "linuxkit.volumes",
+					moby.PaxRecordLinuxkitLocation: location,
+				},
+			}
+			if err := apkTar.WriteHeader(tmphdr); err != nil {
+				return err
+			}
+		}
+		mergedPath := strings.TrimPrefix(merged, "/") + "/"
+		mhdr := &tar.Header{
+			Name:     mergedPath,
+			Mode:     0755,
+			Typeflag: tar.TypeDir,
+			ModTime:  defaultModTime,
+			Format:   tar.FormatPAX,
+			PAXRecords: map[string]string{
+				moby.PaxRecordLinuxkitSource:   "linuxkit.volumes",
+				moby.PaxRecordLinuxkitLocation: location,
+			},
+		}
+		if err := apkTar.WriteHeader(mhdr); err != nil {
+			return err
+		}
+	}
+
 	if len(m.Onboot) != 0 {
 		log.Infof("Add onboot containers:")
 	}

src/cmd/linuxkit/moby/build/image.go

@@ -142,7 +142,7 @@ var touch = map[string]tar.Header{
 
 // tarPrefix creates the leading directories for a path
 // path is the path to prefix, location is where this appears in the linuxkit.yaml file
-func tarPrefix(path, location string, ref *reference.Spec, tw tarWriter) error {
+func tarPrefix(path, location, refName string, tw tarWriter) error {
 	if path == "" {
 		return nil
 	}
@@ -163,7 +163,7 @@ func tarPrefix(path, location string, ref *reference.Spec, tw tarWriter) error {
 			Typeflag: tar.TypeDir,
 			Format:   tar.FormatPAX,
 			PAXRecords: map[string]string{
-				moby.PaxRecordLinuxkitSource:   ref.String(),
+				moby.PaxRecordLinuxkitSource:   refName,
 				moby.PaxRecordLinuxkitLocation: location,
 			},
 		}
@@ -178,16 +178,25 @@ func tarPrefix(path, location string, ref *reference.Spec, tw tarWriter) error {
 // ImageTar takes a Docker image and outputs it to a tar stream
 // location is where it is in the linuxkit.yaml file
 func ImageTar(location string, ref *reference.Spec, prefix string, tw tarWriter, resolv string, opts BuildOpts) (e error) {
-	log.Debugf("image tar: %s %s", ref, prefix)
+	refName := "empty"
+	if ref != nil {
+		refName = ref.String()
+	}
+	log.Debugf("image tar: %s %s", refName, prefix)
 	if prefix != "" && prefix[len(prefix)-1] != '/' {
 		return fmt.Errorf("prefix does not end with /: %s", prefix)
 	}
 
-	err := tarPrefix(prefix, location, ref, tw)
+	err := tarPrefix(prefix, location, refName, tw)
 	if err != nil {
 		return err
 	}
 
+	// if the image is blank, we do not need to do any more
+	if ref == nil {
+		return nil
+	}
+
 	// pullImage first checks in the cache, then pulls the image.
 	// If pull==true, then it always tries to pull from registry.
 	src, err := imagePull(ref, opts.Pull, opts.CacheDir, opts.DockerCache, opts.Arch)
@@ -364,7 +373,7 @@ func ImageBundle(prefix, location string, ref *reference.Spec, config []byte, ru
 		}
 		dupMap[ref.String()] = root
 	} else {
-		if err := tarPrefix(prefix+"/", location, ref, tw); err != nil {
+		if err := tarPrefix(prefix+"/", location, ref.String(), tw); err != nil {
 			return err
 		}
 		root = dupMap[ref.String()]

src/cmd/linuxkit/moby/build/mkimage.yaml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: mkimage

src/cmd/linuxkit/moby/build/volume.go

@@ -0,0 +1,102 @@
+package build
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby"
+)
+
+func updateMountsAndBindsFromVolumes(image *moby.Image, m moby.Moby) (*moby.Image, error) {
+	// clean image to send back
+	img := *image
+	if img.Mounts != nil {
+		for i, mount := range *img.Mounts {
+			// only care about type bind
+			if mount.Type != "bind" {
+				continue
+			}
+			// starts with / = not a volume
+			if strings.HasPrefix(mount.Source, "/") {
+				continue
+			}
+			vol := m.VolByName(mount.Source)
+			if vol == nil {
+				return nil, fmt.Errorf("volume %s not found in onboot image mount %d", mount.Source, i)
+			}
+			merged := vol.MergedDir()
+			// make sure it is not read-write if the underlying volume is read-only
+			if vol.ReadOnly {
+				var foundReadOnly bool
+				for _, opt := range mount.Options {
+					if opt == "rw" {
+						foundReadOnly = false
+						break
+					}
+					if opt == "ro" {
+						foundReadOnly = true
+						break
+					}
+				}
+				if !foundReadOnly {
+					return nil, fmt.Errorf("volume %s is read-only, but attempting to write into container read-write", mount.Source)
+				}
+			}
+			mount.Source = merged
+		}
+	}
+	if img.Binds != nil {
+		var newBinds []string
+		for i, bind := range *img.Binds {
+			parts := strings.Split(bind, ":")
+			// starts with / = not a volume
+			if strings.HasPrefix(parts[0], "/") {
+				newBinds = append(newBinds, bind)
+				continue
+			}
+			source := parts[0]
+			// split
+			vol := m.VolByName(source)
+			if vol == nil {
+				return nil, fmt.Errorf("volume %s not found in onboot image bin %d", source, i)
+			}
+			merged := vol.MergedDir()
+			if vol.ReadOnly {
+				if len(parts) < 3 || parts[2] != "ro" {
+					return nil, fmt.Errorf("volume %s is read-only, but attempting to write into container read-write", source)
+				}
+			}
+			parts[0] = merged
+			newBinds = append(newBinds, strings.Join(parts, ":"))
+		}
+		img.Binds = &newBinds
+	}
+	if img.BindsAdd != nil {
+		var newBinds []string
+		for i, bind := range *img.BindsAdd {
+			parts := strings.Split(bind, ":")
+			// starts with / = not a volume
+			if strings.HasPrefix(parts[0], "/") {
+				newBinds = append(newBinds, bind)
+				continue
+			}
+			source := parts[0]
+			vol := m.VolByName(source)
+			// split
+			if vol == nil {
+				return nil, fmt.Errorf("volume %s not found in onboot image bin %d", parts[0], i)
+			}
+			merged := vol.MergedDir()
+			if vol.ReadOnly {
+				if len(parts) < 3 || parts[2] != "ro" {
+					return nil, fmt.Errorf("volume %s is read-only, but attempting to write into container read-write", source)
+				}
+			}
+			parts[0] = merged
+			newBinds = append(newBinds, strings.Join(parts, ":"))
+		}
+		img.BindsAdd = &newBinds
+	}
+
+	return &img, nil
+}

src/cmd/linuxkit/moby/config.go

@@ -4,6 +4,8 @@ import (
 	"bytes"
 	"fmt"
 	"os"
+	"path"
+	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -19,6 +21,8 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+var nameRE = regexp.MustCompile(`^[a-z0-9_-]*$`)
+
 // Moby is the type of a Moby config file
 type Moby struct {
 	Kernel     KernelConfig `kernel:"cmdline,omitempty" json:"kernel,omitempty"`
@@ -27,14 +31,20 @@ type Moby struct {
 	Onshutdown []*Image     `yaml:"onshutdown" json:"onshutdown"`
 	Services   []*Image     `yaml:"services" json:"services"`
 	Files      []File       `yaml:"files" json:"files"`
+	Volumes    []*Volume    `yaml:"volumes" json:"volumes"`
 
 	initRefs []*reference.Spec
+	vols     map[string]*Volume
 }
 
 func (m Moby) InitRefs() []*reference.Spec {
 	return m.initRefs
 }
 
+func (m Moby) VolByName(name string) *Volume {
+	return m.vols[name]
+}
+
 // KernelConfig is the type of the config for a kernel
 type KernelConfig struct {
 	Image   string  `yaml:"image" json:"image"`
@@ -64,6 +74,34 @@ type File struct {
 	GID       interface{} `yaml:"gid,omitempty" json:"gid,omitempty"`
 }
 
+// Volume is the type of a volume specification
+type Volume struct {
+	Name     string `yaml:"name" json:"name"`
+	Image    string `yaml:"image,omitempty" json:"image,omitempty"`
+	ReadOnly bool   `yaml:"readonly,omitempty" json:"readonly,omitempty"`
+	ref      *reference.Spec
+}
+
+func (v Volume) ImageRef() *reference.Spec {
+	return v.ref
+}
+
+func (v Volume) BaseDir() string {
+	return volumeBaseDir(v.Name)
+}
+
+func (v Volume) LowerDir() string {
+	return volumeLowerDir(v.Name)
+}
+
+func (v Volume) TmpDir() string {
+	return volumeTmpDir(v.Name)
+}
+
+func (v Volume) MergedDir() string {
+	return volumeMergedDir(v.Name)
+}
+
 // Image is the type of an image config
 type Image struct {
 	Name        string `yaml:"name" json:"name"`
@@ -210,6 +248,37 @@ func uniqueServices(m Moby) error {
 	return nil
 }
 
+func uniqueVolumes(m *Moby) error {
+	// volume names must be unique
+	m.vols = map[string]*Volume{}
+	for _, v := range m.Volumes {
+		if !nameRE.MatchString(v.Name) {
+			return fmt.Errorf("invalid volume name: %s", v.Name)
+		}
+		if _, ok := m.vols[v.Name]; ok {
+			return fmt.Errorf("duplicate volume name: %s", v.Name)
+		}
+		m.vols[v.Name] = v
+	}
+	return nil
+}
+
+func volumeBaseDir(name string) string {
+	return path.Join(allVolumesBaseDir, name)
+}
+
+func volumeLowerDir(name string) string {
+	return path.Join(volumeBaseDir(name), "lower")
+}
+
+func volumeTmpDir(name string) string {
+	return path.Join(volumeBaseDir(name), "tmp")
+}
+
+func volumeMergedDir(name string) string {
+	return path.Join(volumeBaseDir(name), "merged")
+}
+
 func extractReferences(m *Moby) error {
 	if m.Kernel.Image != "" {
 		r, err := reference.Parse(util.ReferenceExpand(m.Kernel.Image))
@@ -246,6 +315,16 @@ func extractReferences(m *Moby) error {
 		}
 		image.ref = &r
 	}
+	for _, image := range m.Volumes {
+		if image.Image == "" {
+			continue
+		}
+		r, err := reference.Parse(util.ReferenceExpand(image.Image))
+		if err != nil {
+			return fmt.Errorf("extract volume image reference: %v", err)
+		}
+		image.ref = &r
+	}
 	return nil
 }
 
@@ -318,6 +397,10 @@ func NewConfig(config []byte, packageFinder spec.PackageResolver) (Moby, error)
 		return m, err
 	}
 
+	if err := uniqueVolumes(&m); err != nil {
+		return m, err
+	}
+
 	if err := extractReferences(&m); err != nil {
 		return m, err
 	}
@@ -352,6 +435,11 @@ func AppendConfig(m0, m1 Moby) (Moby, error) {
 	moby.Services = append(moby.Services, m1.Services...)
 	moby.Files = append(moby.Files, m1.Files...)
 	moby.initRefs = append(moby.initRefs, m1.initRefs...)
+	moby.Volumes = append(moby.Volumes, m1.Volumes...)
+	moby.vols = map[string]*Volume{}
+	for k, v := range m1.vols {
+		moby.vols[k] = v
+	}
 
 	return moby, uniqueServices(moby)
 }

src/cmd/linuxkit/moby/const.go

@@ -6,4 +6,5 @@ const (
 	// PaxRecordLinuxkitLocation report the location of the file in the linuxkit.yaml
 	// that led to this file being in this location
 	PaxRecordLinuxkitLocation = "LINUXKIT.location"
+	allVolumesBaseDir         = "/containers/volumes"
 )

src/cmd/linuxkit/moby/schema.go

@@ -37,6 +37,19 @@ var schema = `
         "type": "array",
         "items": { "$ref": "#/definitions/file" }
     },
+    "volume": {
+      "type": "object",
+      "additionalProperties": false,
+        "properties": {
+          "name": {"type": "string"},
+          "image": {"type": "string"},
+          "readonly": {"type": "boolean"}
+        }
+    },
+    "volumes": {
+        "type": "array",
+        "items": { "$ref": "#/definitions/volume" }
+    },
     "trust": {
       "type": "object",
       "additionalProperties": false,
@@ -333,7 +346,8 @@ var schema = `
     "onshutdown": { "$ref": "#/definitions/images" },
     "services": { "$ref": "#/definitions/images" },
     "trust": { "$ref": "#/definitions/trust" },
-    "files": { "$ref": "#/definitions/files" }
+    "files": { "$ref": "#/definitions/files" },
+    "volumes": { "$ref": "#/definitions/volumes" }
   }
 }
 `

test/cases/000_build/000_formats/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: dhcpcd

test/cases/000_build/001_tarheaders/test.yml

@@ -3,7 +3,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 

test/cases/000_build/010_reproducible/test.yml

@@ -3,7 +3,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 

test/cases/000_build/020_binds/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: mount

test/cases/000_build/050_sbom/test.yml

@@ -3,7 +3,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 

test/cases/000_build/060_input_tar/000_build/test1.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

test/cases/000_build/060_input_tar/000_build/test2.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

test/cases/000_build/060_input_tar/010_same_filename/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 onboot:

test/cases/000_build/070_volumes/000_rw_on_rw/check.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "rw_on_rw test suite FAILED\n" >&1
+	exit 1
+}
+
+# check that the files we created are there and have the contents
+
+[ -d /vola ] || failed
+[ -e /vola/mytestfile ] || failed
+[ "$(cat /vola/mytestfile)" == "file" ] || failed
+printf "rw_on_rw test suite PASSED\n" >&1

test/cases/000_build/070_volumes/000_rw_on_rw/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_rw_on_rw
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+RESULT="$(linuxkit run ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/000_build/070_volumes/000_rw_on_rw/test.yml

@@ -0,0 +1,31 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: test1
+    image: alpine:3.20
+    binds:
+      - /write.sh:/write.sh
+      - vola:/vola
+    command: ["sh", "-c", "/write.sh"]
+  - name: test2
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"
+  - path: write.sh
+    source: ./write.sh
+    mode: "0700"

test/cases/000_build/070_volumes/000_rw_on_rw/write.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -x
+
+echo -n "file" > /vola/mytestfile

test/cases/000_build/070_volumes/001_ro_on_ro/check.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "ro_on_ro test suite FAILED\n" >&1
+	exit 1
+}
+
+# this should fail as it is read-only
+echo -n "file" > /vola/mytestfile || true
+
+[ -e /vola/mytestfile ] && failed
+
+printf "ro_on_ro test suite PASSED\n" >&1

test/cases/000_build/070_volumes/001_ro_on_ro/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_ro_on_ro
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+RESULT="$(linuxkit run ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/000_build/070_volumes/001_ro_on_ro/test.yml

@@ -0,0 +1,23 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: test
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola:ro
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+    readonly: true
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"

test/cases/000_build/070_volumes/002_rw_on_ro/check.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "rw_on_ro test suite FAILED\n" >&1
+	exit 1
+}
+
+# this should fail as it is read-only
+echo -n "file" > /vola/mytestfile || true
+
+[ -e /vola/mytestfile ] && failed
+
+printf "rw_on_ro test suite PASSED\n" >&1

test/cases/000_build/070_volumes/002_rw_on_ro/test.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_rw_on_r0
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+set +e
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+retcode=$?
+set -e
+
+# the build should fail, as we have are mounting a read-only volume as read-write in a container
+if [ $retcode -eq 0 ]; then
+	exit 1
+fi

test/cases/000_build/070_volumes/002_rw_on_ro/test.yml

@@ -0,0 +1,23 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: test
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+    readonly: true
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"

test/cases/000_build/070_volumes/003_ro_on_rw/check.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "ro_on_rw test suite FAILED\n" >&1
+	exit 1
+}
+
+# the file should not exist, as it was mounted read-only
+
+[ -d /vola ] || failed
+[ -e /vola/mytestfile ] && failed
+printf "ro_on_rw test suite PASSED\n" >&1

test/cases/000_build/070_volumes/003_ro_on_rw/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_ro_on_rw
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+RESULT="$(linuxkit run ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/000_build/070_volumes/003_ro_on_rw/test.yml

@@ -0,0 +1,28 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: test1
+    image: alpine:3.20
+    binds:
+      - /write.sh:/write.sh
+      - vola:/vola:ro
+    command: ["sh", "-c", "/write.sh"]
+  - name: test2
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola:ro
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"

test/cases/000_build/070_volumes/003_ro_on_rw/write.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "ro_on_ro test suite FAILED\n" >&1
+	exit 1
+}
+
+# this should fail as it is read-only
+echo -n "file" > /vola/mytestfile || true
+
+[ -e /vola/mytestfile ] && failed
+
+printf "ro_on_ro test suite PASSED\n" >&1

test/cases/000_build/070_volumes/004_blank/check.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "blank volume test suite FAILED\n" >&1
+	exit 1
+}
+
+# check that no files exist
+
+[ -d /vola ] || failed
+
+contents=$(ls -A /vola)
+[ -z "$contents" ] || failed
+printf "blank volume test suite PASSED\n" >&1

test/cases/000_build/070_volumes/004_blank/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_blank
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+RESULT="$(linuxkit run ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/000_build/070_volumes/004_blank/test.yml

@@ -0,0 +1,22 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: test
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"

test/cases/000_build/070_volumes/005_image/check.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "blank volume test suite FAILED\n" >&1
+	exit 1
+}
+
+# check that no files exist
+
+[ -d /vola ] || failed
+
+contents=$(ls -A /vola)
+[ -n "$contents" ] || failed
+[ -e "/vola/bin/busybox" ] || failed
+printf "blank volume test suite PASSED\n" >&1

test/cases/000_build/070_volumes/005_image/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_image
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+RESULT="$(linuxkit run ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/000_build/070_volumes/005_image/test.yml

@@ -0,0 +1,23 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: test
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+    image: alpine:3.19
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"

test/cases/000_build/070_volumes/006_mount_types/check.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -x
+
+function failed {
+	printf "blank volume test suite FAILED\n" >&1
+	exit 1
+}
+
+# check that no files exist
+
+[ -d /vola ] || failed
+
+contents=$(ls -A /vola)
+[ -n "$contents" ] || failed
+[ -e "/vola/bin/busybox" ] || failed
+printf "blank volume test suite PASSED\n" >&1

test/cases/000_build/070_volumes/006_mount_types/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that writing to a volume makes it visible
+# LABELS:
+# REPEAT:
+
+set -ex
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=volume_mount_types
+
+clean_up() {
+	rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+
+linuxkit build --format kernel+initrd --name ${NAME} test.yml
+RESULT="$(linuxkit run ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/000_build/070_volumes/006_mount_types/test.yml

@@ -0,0 +1,38 @@
+kernel:
+  image: linuxkit/kernel:6.6.13
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
+  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
+onboot:
+  - name: testbinds
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+      - vola:/vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: testmounts
+    image: alpine:3.20
+    binds:
+      - /check.sh:/check.sh
+    mounts:
+      - type: bind
+        source: vola
+        destination: /vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: testbindadds
+    image: alpine:3.20
+    binds.add:
+      - /check.sh:/check.sh
+      - vola:/vola
+    command: ["sh", "-c", "/check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:401dc53c604c0b2179ed0369a6968fd4179cc176
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+volumes:
+  - name: vola
+    image: alpine:3.19
+files:
+  - path: check.sh
+    source: ./check.sh
+    mode: "0700"

test/cases/010_platforms/000_qemu/000_run_kernel+initrd/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/005_run_kernel+squashfs/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/010_run_iso/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/020_run_efi/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/030_run_qcow_bios/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/040_run_raw_bios/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/050_run_aws/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/000_qemu/100_container/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/010_hyperkit/000_run_kernel+initrd/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/010_hyperkit/005_run_kernel+squashfs/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/010_platforms/010_hyperkit/010_acpi/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
 services:

test/cases/010_platforms/110_gcp/000_run/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: poweroff

test/cases/020_kernel/011_config_5.4.x/test.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:5.4.172-9005a97e2b2cba68b4374092167b079a2874f66b
   cmdline: "console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:59b5282b07b782091de8915ac30b512a227f72f9
+  - linuxkit/init:872d2e1be745f1acb948762562cf31c367303a3b
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
 onboot:
   - name: check-kernel-config