From 4a69a575577ebf824cbf28efa5222e7a4c6545fd Mon Sep 17 00:00:00 2001
From: Tycho Andersen
Date: Fri, 26 May 2017 09:23:38 -0600
Subject: [PATCH 1/4] ima namespace project: account for new -output in moby tool
The moby tool requires us to specify outputs on invocation. Let's do that.
Signed-off-by: Tycho Andersen
---
 projects/ima-namespace/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/projects/ima-namespace/Makefile b/projects/ima-namespace/Makefile
index 5819a3c00..fbce8a6d2 100644
--- a/projects/ima-namespace/Makefile
+++ b/projects/ima-namespace/Makefile
@@ -3,7 +3,7 @@ run: ima-namespace-kernel
 ../../bin/linuxkit run ima-namespace
 ima-namespace-kernel: ima-namespace.yml
- ../../bin/moby build ima-namespace
+ ../../bin/moby build -output kernel+initrd ima-namespace
 .PHONY: clean
 clean:
From 06d7157e3cf88d08fd4033ff2119421d27cccab8 Mon Sep 17 00:00:00 2001
From: Tycho Andersen
Date: Fri, 26 May 2017 14:31:38 -0600
Subject: [PATCH 2/4] ima-namespace: only build utils if it doesn't exist
Signed-off-by: Tycho Andersen
---
 projects/ima-namespace/ima-utils/Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/projects/ima-namespace/ima-utils/Makefile b/projects/ima-namespace/ima-utils/Makefile
index 9e9e2f3a6..edac27939 100644
--- a/projects/ima-namespace/ima-utils/Makefile
+++ b/projects/ima-namespace/ima-utils/Makefile
@@ -7,6 +7,7 @@ DEPS=Dockerfile
 HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
 tag: $(DEPS)
+ docker pull linuxkit/$(IMAGE):$(HASH) || \
 docker build --no-cache -t linuxkit/$(IMAGE):$(HASH) .
 push: tag
From 26d0dc20ec28b627e84af6654414973c163ea0ba Mon Sep 17 00:00:00 2001
From: Tycho Andersen
Date: Fri, 26 May 2017 14:48:39 -0600
Subject: [PATCH 3/4] ima-namespace: use images that actually exist
We have a linuxkit/{kernel-ima,ima-utils} now, let's use the images that are uploaded there!
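Review bot: In the `tag` recipe of projects/ima-namespace/ima-utils/Makefile (patch 2/4), the added `docker pull` accepts whatever the registry currently serves under `linuxkit/$(IMAGE):$(HASH)` without verifying it, and every pull failure, not just a missing tag, falls through to the local build. Because HASH is taken from `git ls-tree HEAD`, uncommitted edits to the Dockerfile do not change the tag, so a developer with a dirty tree now gets the published image instead of a build of their changes. If the linuxkit images are signed, verify the pull with `DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(HASH) || \`. A comment above the recipe such as `# reuse the published image for this tree hash; uncommitted changes are not reflected in HASH` would make the short-circuit explicit. Only the target line and the HASH definition are visible as context; the rest of the file is outside the hunk.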
Signed-off-by: Tycho Andersen
---
 projects/ima-namespace/ima-namespace.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml
index 4d2d87513..153e323b5 100644
--- a/projects/ima-namespace/ima-namespace.yml
+++ b/projects/ima-namespace/ima-namespace.yml
@@ -1,12 +1,12 @@
 kernel:
- image: "linuxkit/kernel-ima:4.11.1-"
+ image: "linuxkit/kernel-ima:4.11.1-186dd3605ee7b23214850142f8f02b4679dbd148"
 cmdline: "console=ttyS0 console=tty0 page_poison=1 ima_appraise=enforce_ns"
 init:
 - linuxkit/init:b3740303f3d1e5689a84c87b7dfb48fd2a40a192
 - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
 - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d
- - linuxkit/ima-utils:fe119c7dac08884f4144cd106dc279ddd8b37517
+ - linuxkit/ima-utils:dfeb3896fd29308b80ff9ba7fe5b8b767e40ca29
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1"
From 2b8756ac165aa22bcd48087f5a4b3414b00739bd Mon Sep 17 00:00:00 2001
From: Tycho Andersen
Date: Fri, 26 May 2017 15:43:59 -0600
Subject: [PATCH 4/4] ima-namespacing utils: use ORG pattern as in other makefiles
Signed-off-by: Tycho Andersen
---
 projects/ima-namespace/ima-utils/Makefile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/projects/ima-namespace/ima-utils/Makefile b/projects/ima-namespace/ima-utils/Makefile
index edac27939..7b04aca5c 100644
--- a/projects/ima-namespace/ima-utils/Makefile
+++ b/projects/ima-namespace/ima-utils/Makefile
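Review bot: The two updated references in projects/ima-namespace/ima-namespace.yml (`linuxkit/kernel-ima:4.11.1-186dd…` and `linuxkit/ima-utils:dfeb…`) are pinned by tag only, and a tag is a mutable registry name rather than a content digest. For ima-utils the suffix is the git tree hash computed in ima-utils/Makefile (presumably the same scheme for kernel-ima), so nothing in these lines binds the build to the image bytes that were reviewed. In a configuration that boots with `ima_appraise=enforce_ns`, the kernel and the IMA tooling in `init` are the components whose provenance matters most. If the moby tool accepts digest references, pin them as `linuxkit/ima-utils@sha256:<digest-placeholder>`, or make sure signature verification is enabled for the `linuxkit` org. The file continues past line 12 of the hunk, so such a setting may already be present there.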
@@ -3,13 +3,14 @@ default: push
 IMAGE=ima-utils
 DEPS=Dockerfile
+ORG?=linuxkit
 HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
 tag: $(DEPS)
- docker pull linuxkit/$(IMAGE):$(HASH) || \
- docker build --no-cache -t linuxkit/$(IMAGE):$(HASH) .
+ docker pull $(ORG)/$(IMAGE):$(HASH) || \
+ docker build --no-cache -t $(ORG)/$(IMAGE):$(HASH) .
 push: tag
- docker pull linuxkit/$(IMAGE):$(HASH) || \
- docker push linuxkit/$(IMAGE):$(HASH)
+ docker pull $(ORG)/$(IMAGE):$(HASH) || \
+ docker push $(ORG)/$(IMAGE):$(HASH)
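Review bot: In the `push` recipe, `docker pull $(ORG)/$(IMAGE):$(HASH) || docker push …` treats every pull failure as "tag not published". A transient registry or network error therefore lets a freshly built image be pushed over a tag that ima-namespace.yml already pins; the `tag` recipe has the same fallback and builds with `--no-cache`. With `ORG?=` and `HASH?=` both overridable from the environment and `default: push`, a stray exported `ORG` also changes the push destination silently. Document the override above the new line, e.g. `# ORG may be overridden to publish under another namespace: make ORG=<your-org>`, and consider defining the reference once as `IMG := $(ORG)/$(IMAGE):$(HASH)` so the four uses cannot drift apart. The file's first two lines are outside the hunk, so whether `tag` and `push` are declared `.PHONY` cannot be checked here.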