linuxkit pkg: Add config field to build.yml

This is a `moby.ImageConfig` struct which is marshalled into JSON and added as
the `org.mobyproject.config` label on the built image.

Convert `pkg/sysctl` as PoC.

Signed-off-by: Ian Campbell <ijc@docker.com>

docs/packages.md

@@ -29,6 +29,7 @@ A package source consists of a directory containing at least two files:
 - `network` _(bool)_: Allow network access during the package build (default: no)
 - `disable-content-trust` _(bool)_: Disable Docker content trust for this package (default: no)
 - `disable-cache` _(bool)_: Disable build cache for this package (default: no)
+- `config`: _(struct `github.com/moby/tool/src/moby.ImageConfig`)_: Image configuration, marshalled to JSON and added as `org.mobyproject.config` label on image (default: no label)
 
 ## Building packages
 

pkg/sysctl/Dockerfile

@@ -13,4 +13,3 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
 COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
-LABEL org.mobyproject.config='{"pid": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'

pkg/sysctl/build.yml

@@ -1 +1,6 @@
 image: sysctl
+config:
+  pid: "host"
+  readonly: true
+  capabilities:
+    - CAP_SYS_ADMIN

src/cmd/linuxkit/pkglib/build.go

@@ -1,6 +1,7 @@
 package pkglib
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"runtime"
@@ -122,6 +123,15 @@ func (p Pkg) Build(bos ...BuildOpt) error {
 			args = append(args, "--network=none")
 		}
 
+		if p.config != nil {
+			b, err := json.Marshal(*p.config)
+			if err != nil {
+				return err
+			}
+
+			args = append(args, "--label=org.mobyproject.config="+string(b))
+		}
+
 		if err := d.build(p.Tag()+suffix, p.pkgPath, args...); err != nil {
 			return err
 		}

src/cmd/linuxkit/pkglib/pkglib.go

@@ -8,6 +8,8 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/moby/tool/src/moby"
 )
 
 // Containers fields settable in the build.yml
@@ -19,6 +21,7 @@ type pkgInfo struct {
 	Network             bool              `yaml:"network"`
 	DisableContentTrust bool              `yaml:"disable-content-trust"`
 	DisableCache        bool              `yaml:"disable-cache"`
+	Config              *moby.ImageConfig `yaml:"config"`
 }
 
 // Pkg encapsulates information about a package's source
@@ -31,6 +34,7 @@ type Pkg struct {
 	network bool
 	trust   bool
 	cache   bool
+	config  *moby.ImageConfig
 
 	// Internal state
 	pkgPath    string
@@ -185,6 +189,7 @@ func NewFromCLI(fs *flag.FlagSet, args ...string) (Pkg, error) {
 		network:    pi.Network,
 		trust:      !pi.DisableContentTrust,
 		cache:      !pi.DisableCache,
+		config:     pi.Config,
 		dirty:      dirty,
 		pkgPath:    pkgPath,
 		git:        git,

src/cmd/linuxkit/vendor.conf

@@ -24,7 +24,7 @@ github.com/jmespath/go-jmespath bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d
 github.com/mitchellh/go-ps 4fdf99ab29366514c69ccccddab5dc58b8d84062
 github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86
 github.com/moby/hyperkit a12cd7250bcd8d689078e3e42ae4a7cf6a0cbaf3
-github.com/moby/tool 63a5dedd28a459900eba56dd191edaeb688cfdf4
+github.com/moby/tool 656bd87fd26b4cfc7da735939ce78cc7cb541181
 github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 github.com/opencontainers/image-spec v1.0.0

src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go

@@ -64,6 +64,12 @@ type File struct {
 type Image struct {
 	Name        string `yaml:"name" json:"name"`
 	Image       string `yaml:"image" json:"image"`
+	ImageConfig `yaml:",inline"`
+}
+
+// ImageConfig is the configuration part of Image, it is the subset
+// which is valid in a "org.mobyproject.config" label on an image.
+type ImageConfig struct {
 	Capabilities      *[]string               `yaml:"capabilities" json:"capabilities,omitempty"`
 	Ambient           *[]string               `yaml:"ambient" json:"ambient,omitempty"`
 	Mounts            *[]specs.Mount          `yaml:"mounts" json:"mounts,omitempty"`