github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-21 10:09:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #985 from justincormack/riddler-config

Browse Source 
Use riddler to generate config.json
This commit is contained in:
Justin Cormack 2017-01-10 23:32:57 +00:00 committed by GitHub
commit 19798c5468
10 changed files with 102 additions and 338 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
alpine/base/riddler/Dockerfile Normal file
View File

@ -0,0 +1,23 @@
FROM golang:1.7-alpine
RUN \
apk update && apk upgrade && \
apk add \
docker \
gcc \
git \
jq \
linux-headers \
musl-dev \
&& true
COPY Dockerfile /
COPY riddler.sh /usr/bin/
RUN git clone https://github.com/jessfraz/riddler.git /go/src/github.com/jessfraz/riddler
WORKDIR /go/src/github.com/jessfraz/riddler
RUN git checkout 23befa0b232877b5b502b828e24161d801bd67f6
RUN go build -o /usr/bin/riddler .
ENTRYPOINT ["/usr/bin/riddler.sh"]

29
alpine/base/riddler/Makefile Normal file
View File

@ -0,0 +1,29 @@
.PHONY: tag push
BASE=golang:1.7-alpine
IMAGE=riddler
default: push
hash: Dockerfile riddler.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):latest && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

28
alpine/base/riddler/riddler.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/sh
set -e
# riddler always adds the apparmor options if this is not present
EXTRA_OPTIONS="--security-opt apparmor=unconfined"
ARGS="$@"
CONTAINER=$(docker create $EXTRA_OPTIONS $ARGS)
riddler $CONTAINER > /dev/null
docker rm $CONTAINER > /dev/null
# unfixed known issues
# noNewPrivileges is always set by riddler, but that is fine for our use cases
# These fixes should be removed when riddler is fixed
# process.rlimits, just a constant at present, not useful
# memory swappiness is too big by default
# remove user namespaces
# --read-only sets /dev ro
# /sysfs ro unless privileged - cannot detect so will do if grant all caps
#
cat config.json | \
jq 'del(.process.rlimits)' | \
jq 'del (.linux.resources.memory.swappiness)' | \
jq 'del(.linux.uidMappings) | del(.linux.gidMappings) | .linux.namespaces = (.linux.namespaces|map(select(.type!="user")))' | \
jq 'if .root.readonly==true then .mounts = (.mounts|map(if .destination=="/dev" then .options |= .+ ["ro"] else . end)) else . end' | \
jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end'

1
alpine/containers/binfmt/.gitignore vendored
View File

@ -1,2 +1,3 @@
rootfs rootfs
config.json
qemu-* qemu-*

13
alpine/containers/binfmt/Makefile
View File

@ -2,7 +2,7 @@
QEMU_IMAGE=mobylinux/qemu-user-static@sha256:cbeba25809c7c3feebc9e20522145e33d8abe5956674afa52814fc57c6644497 QEMU_IMAGE=mobylinux/qemu-user-static@sha256:cbeba25809c7c3feebc9e20522145e33d8abe5956674afa52814fc57c6644497
QEMU_BINARIES=qemu-arm-static qemu-aarch64-static qemu-ppc64le-static QEMU_BINARIES=qemu-arm-static qemu-aarch64-static qemu-ppc64le-static
default: rootfs default: config.json
$(QEMU_BINARIES): $(QEMU_BINARIES):
docker run --rm --net=none $(QEMU_IMAGE) tar cf - -C /usr/bin $@ | tar xf - docker run --rm --net=none $(QEMU_IMAGE) tar cf - -C /usr/bin $@ | tar xf -
@ -11,8 +11,8 @@ EXCLUDE=--exclude .dockerenv --exclude Dockerfile \
--exclude dev/console --exclude dev/pts --exclude dev/shm \ --exclude dev/console --exclude dev/pts --exclude dev/shm \
--exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf --exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf
rootfs: Dockerfile main.go 00_moby.conf $(QEMU_BINARIES) config.json: Dockerfile main.go 00_moby.conf $(QEMU_BINARIES)
mkdir -p $@ mkdir -p rootfs
BUILD=$$( tar cf - $^ | docker build -q - ) && \ BUILD=$$( tar cf - $^ | docker build -q - ) && \
[ -n "$$BUILD" ] && \ [ -n "$$BUILD" ] && \
echo "Built $$BUILD" && \ echo "Built $$BUILD" && \
@ -20,10 +20,11 @@ rootfs: Dockerfile main.go 00_moby.conf $(QEMU_BINARIES)
[ -n "$$IMAGE" ] && \ [ -n "$$IMAGE" ] && \
echo "Built $$IMAGE" && \ echo "Built $$IMAGE" && \
CONTAINER=$$( docker create $$IMAGE /dev/null ) && \ CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
docker export $$CONTAINER | tar -xf - -C $@ $(EXCLUDE) && \ docker export $$CONTAINER | tar -xf - -C rootfs $(EXCLUDE) && \
docker rm $$CONTAINER docker rm $$CONTAINER && \
../riddler.sh --cap-drop all --read-only -v /proc/sys/fs/binfmt_misc:/binfmt_misc $$IMAGE /usr/bin/binfmt -dir /etc/binfmt.d/ -mount /binfmt_misc >$@
clean: clean:
rm -rf rootfs $(QEMU_BINARIES) rm -rf rootfs config.json $(QEMU_BINARIES)
.DELETE_ON_ERROR: .DELETE_ON_ERROR:

168
alpine/containers/binfmt/config.json
View File

@ -1,168 +0,0 @@
{
"ociVersion": "1.0.0-rc2-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": false,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/usr/bin/binfmt",
"-dir",
"/etc/binfmt.d/",
"-mount",
"/binfmt_misc"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"cwd": "/",
"capabilities": [],
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": true
},
"hostname": "elegant_albattani",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
},
{
"destination": "/binfmt_misc",
"type": "bind",
"source": "/proc/sys/fs/binfmt_misc",
"options": [
"rw",
"rbind",
"rprivate"
]
}
],
"hooks": {},
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}

6
alpine/containers/riddler.sh Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
# tag: 801f33408e43e6a22985aa994ab0bcba41659ec6
RIDDLER=mobylinux/riddler@sha256:2dda30eb24ac531a9f2164e9592a21538b5841f2ca8459b0c190da46ea7dfafd
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $RIDDLER "$@"

1
alpine/containers/rng-tools/.gitignore vendored
View File

@ -1,2 +1,3 @@
rootfs rootfs
config.json
tini tini

13
alpine/containers/rng-tools/Makefile
View File

@ -2,7 +2,7 @@
TINI_IMAGE=mobylinux/tini@sha256:7da8c5b371e0d7d3fb1778e96c0bc634e39ace7bf1e7a73bffbf1f8360127fdb TINI_IMAGE=mobylinux/tini@sha256:7da8c5b371e0d7d3fb1778e96c0bc634e39ace7bf1e7a73bffbf1f8360127fdb
TINI_BINARY=tini TINI_BINARY=tini
default: rootfs default: config.json
$(TINI_BINARY): Dockerfile $(TINI_BINARY): Dockerfile
docker run --rm --net=none $(TINI_IMAGE) tar cf - -C /bin $@ | tar xf - docker run --rm --net=none $(TINI_IMAGE) tar cf - -C /bin $@ | tar xf -
@ -11,8 +11,8 @@ EXCLUDE=--exclude .dockerenv --exclude Dockerfile \
--exclude dev/console --exclude dev/pts --exclude dev/shm \ --exclude dev/console --exclude dev/pts --exclude dev/shm \
--exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf --exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf
rootfs: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY) config.json: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY)
mkdir -p $@ mkdir -p rootfs
BUILD=$$( tar cf - $^ | docker build -q - ) && \ BUILD=$$( tar cf - $^ | docker build -q - ) && \
[ -n "$$BUILD" ] && \ [ -n "$$BUILD" ] && \
echo "Built $$BUILD" && \ echo "Built $$BUILD" && \
@ -20,10 +20,11 @@ rootfs: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY)
[ -n "$$IMAGE" ] && \ [ -n "$$IMAGE" ] && \
echo "Built $$IMAGE" && \ echo "Built $$IMAGE" && \
CONTAINER=$$( docker create $$IMAGE /dev/null ) && \ CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
docker export $$CONTAINER | tar -xf - -C $@ $(EXCLUDE) && \ docker export $$CONTAINER | tar -xf - -C rootfs $(EXCLUDE) && \
docker rm $$CONTAINER docker rm $$CONTAINER && \
../riddler.sh --cap-drop all --cap-add SYS_ADMIN --read-only $$IMAGE /bin/tini /usr/sbin/rngd -f >$@
clean: clean:
rm -rf rootfs $(TINI_BINARY) rm -rf rootfs config.json $(TINI_BINARY)
.DELETE_ON_ERROR: .DELETE_ON_ERROR:

158
alpine/containers/rng-tools/config.json
View File

@ -1,158 +0,0 @@
{
"ociVersion": "1.0.0-rc2-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": false,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/bin/tini",
"/usr/sbin/rngd",
"-f"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"cwd": "/",
"capabilities": [
"CAP_SYS_ADMIN"
],
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": true
},
"hostname": "gloomy_saha",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"hooks": {},
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}