diff --git a/.circleci/config.yml b/.circleci/config.yml index 061c92b57..560cfa68c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -3,7 +3,7 @@ jobs: build: working_directory: /go/src/github.com/linuxkit/linuxkit docker: - - image: circleci/golang:1.9-stretch + - image: circleci/golang:1.10-stretch steps: - checkout - run: mkdir -p ./bin diff --git a/README.md b/README.md index 2b77d5f21..00aaa14c7 100644 --- a/README.md +++ b/README.md @@ -58,8 +58,6 @@ linuxkit build linuxkit.yml to build the example configuration. You can also specify different output formats, eg `linuxkit build -format raw-bios linuxkit.yml` to output a raw BIOS bootable disk image, or `linuxkit build -format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information. -Since `linuxkit build` is built around the [Moby tool](https://github.com/moby/tool) the input yml files are described in the [Moby tool documentation](https://github.com/moby/tool/blob/master/docs/yaml.md). - ### Booting and Testing You can use `linuxkit run ` or `linuxkit run .` to @@ -117,7 +115,7 @@ To customise, copy or modify the [`linuxkit.yml`](linuxkit.yml) to your own `fil generate its specified output. You can run the output with `linuxkit run file`. The yaml file specifies a kernel and base init system, a set of containers that are built into the generated image and started at boot time. You can specify the type -of artifact to build with the `moby` tool eg `linuxkit build -format vhd linuxkit.yml`. +of artifact to build eg `linuxkit build -format vhd linuxkit.yml`. If you want to build your own packages, see this [document](docs/packages.md). 
@@ -131,7 +129,7 @@ The yaml format specifies the image to be built: - `services` is the system services, which normally run for the whole time the system is up - `files` are additional files to add to the image -For a more detailed overview of the options see [yaml documentation](https://github.com/moby/tool/blob/master/docs/yaml.md) +For a more detailed overview of the options see [yaml documentation](docs/yaml.md) ## Architecture and security diff --git a/docs/privateimages.md b/docs/privateimages.md new file mode 100644 index 000000000..0f684b594 --- /dev/null +++ b/docs/privateimages.md @@ -0,0 +1,13 @@ +## Private Images +When building, `linuxkit build` downloads, and optionally checks the notary signature, on any OCI images referenced in any section. + +As of this writing, it does **not** have the ability to download these images from registries that require credentials to access. This is equally true for private images on public registries, like https://hub.docker.com, as for private registries. + +We are working on enabling private images with credentials. Until such time as that feature is added, you can follow these steps to build a moby image using OCI images +that require credentials to access: + +1. `docker login` as relevant to authenticate against the desired registry. +2. `docker pull` to download the images to your local machine where you will run `moby build`. +3. Run `moby build` (or `linuxkit build`). + +Additionally, ensure that you do **not** have trust enabled for those images. See the section on [trust](#trust) in this document. Alternately, you can run `linuxkit build` with `--disable-trust`. diff --git a/docs/vendoring.md b/docs/vendoring.md index 7f1c9638c..1e4b499fe 100644 --- a/docs/vendoring.md +++ b/docs/vendoring.md 
@@ -13,12 +13,6 @@ Details of usage of the `vndr` tool and the format of `vendor.conf` can be found Once done, you must run the `vndr` tool to add the necessary files to the `vendor` directory. The easiest way to do this is in a container. -Currently if updating `github.com/moby/tool` it is also necessary to -update `src/cmd/linuxkit/build.go` manually after updating `vendor.conf`: - - hash=$(awk '/^github.com\/moby\/tool/ { print $2 }' src/cmd/linuxkit/vendor.conf) - curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/${hash}/cmd/moby/build.go - ## Updating in a container To update all dependencies: diff --git a/docs/yaml.md b/docs/yaml.md new file mode 100644 index 000000000..71f37020a --- /dev/null +++ b/docs/yaml.md 
@@ -0,0 +1,273 @@ +# Configuration Reference + +The `moby` tool assembles a set of containerised components into in image. The simplest +type of image is just a `tar` file of the contents (useful for debugging) but more useful +outputs add a `Dockerfile` to build a container, or build a full disk image that can be +booted as a linuxKit VM. The main use case is to build an assembly that includes +`containerd` to run a set of containers, but the tooling is very generic. + +The yaml configuration specifies the components used to build up an image . All components +are downloaded at build time to create an image. The image is self-contained and immutable, +so it can be tested reliably for continuous delivery. + +The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`, +`services`, `files`. Each section adds files to the root file system. Sections may be omitted. + +Each container that is specified is allocated a unique `uid` and `gid` that it may use if it +wishes to run as an isolated user (or user namespace). Anywhere you specify a `uid` or `gid` +field you specify either the numeric id, or if you use a name it will refer to the id allocated +to the container with that name. + +``` +services: + - name: redis + image: redis:latest + uid: redis + gid: redis + binds: + - /etc/redis:/etc/redis +files: + - path: /etc/redis/redis.conf + contents: "..." + uid: redis + gid: redis + mode: "0600" +``` + +## `kernel` + +The `kernel` section is only required if booting a VM. The files will be put into the `boot/` +directory, where they are used to build bootable images. + +The `kernel` section defines the kernel configuration. The `image` field specifies the Docker image, +which should contain a `kernel` file that will be booted (eg a `bzImage` for `amd64`) and a file +called `kernel.tar` which is a tarball that is unpacked into the root, which should usually +contain a kernel modules directory. 
`cmdline` specifies the kernel command line options if required. + +To override the names, you can specify the kernel image name with `binary: bzImage` and the tar image +with `tar: kernel.tar` or the empty string or `none` if you do not want to use a tarball at all. + +Kernel packages may also contain a cpio archive containing CPU microcode which needs prepending to +the initrd. To select this option, recommended when booting on bare metal, add `ucode: intel-ucode.cpio` +to the kernel section. + +## `init` + +The `init` section is a list of images that are used for the `init` system and are unpacked directly +into the root filesystem. This should bring up `containerd`, start the system and daemon containers, +and set up basic filesystem mounts. in the case of a LinuxKit system. For ease of +modification `runc` and `containerd` images, which just contain these programs are added here +rather than bundled into the `init` container. + +## `onboot` + +The `onboot` section is a list of images. These images are run before any other +images. They are run sequentially and each must exit before the next one is run. +These images can be used to configure one shot settings. See [Image +specification](#image-specification) for a list of supported fields. + +## `onshutdown` + +This is a list of images to run on a clean shutdown. Note that you must not rely on these +being run at all, as machines may be be powered off or shut down without having time to run +these scripts. If you add anything here you should test both in the case where they are +run and when they are not. Most systems are likely to be "crash only" and not have any setup here, +but you can attempt to deregister cleanly from a network service here, rather than relying +on timeouts, for example. + +## `services` + +The `services` section is a list of images for long running services which are +run with `containerd`. 
Startup order is undefined, so containers should wait +on any resources, such as networking, that they need. See [Image +specification](#image-specification) for a list of supported fields. + +## `files` + +The files section can be used to add files inline in the config, or from an external file. + +``` +files: + - path: dir + directory: true + mode: "0777" + - path: dir/name1 + source: "/some/path/on/local/filesystem" + mode: "0666" + - path: dir/name2 + source: "/some/path/that/it/is/ok/to/omit" + optional: true + mode: "0666" + - path: dir/name3 + contents: "orange" + mode: "0644" + uid: 100 + gid: 100 +``` + +Specifying the `mode` is optional, and will default to `0600`. Leading directories will be +created if not specified. You can use `~/path` in `source` to specify a path in the build +user's home directory. + +In addition there is a `metadata` option that will generate the file. Currently the only value +supported here is `"yaml"` which will output the yaml used to generate the image into the specified +file: +``` + - path: etc/linuxkit.yml + metadata: yaml +``` + +Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tmpfs` mounts will shadow anything specified in `files` section for those directories. + +## `trust` + +The `trust` section specifies which build components are to be cryptographically verified with +[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling. +Trust is a central concern in any build system, and LinuxKit's is no exception: Docker Content Trust provides authenticity, +integrity, and freshness guarantees for the components it verifies. The LinuxKit maintainers are responsible for signing +`linuxkit` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary). + +- `image` lists which individual images to enforce pulling with Docker Content Trust. 
+The image name may include tag or digest, but the matching also succeeds if the base image name is the same. +- `org` lists which organizations for which Docker Content Trust is to be enforced across all images, +for example `linuxkit` is the org for `linuxkit/kernel` + +## Image specification + +Entries in the `onboot` and `services` sections specify an OCI image and +options. Default values may be specified using the `org.mobyproject.config` image label. +For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md). + +If the `org.mobylinux.config` label is set in the image, that specifies default values for these fields if they +are not set in the yaml file. You can override the label by setting the value, or setting it to be empty to remove +the specification for that value in the label. + +If you need an OCI option that is not specified here please open an issue or pull request as the list is not yet +complete. + +By default the containers will be run in the host `net`, `ipc` and `uts` namespaces, as that is the usual requirement; +in many ways they behave like pods in Kubernetes. Mount points must already exist, as must a file or directory being +bind mounted into a container. + +- `name` a unique name for the program being executed, used as the `containerd` id. +- `image` the Docker image to use for the root filesystem. The default command, path and environment are + extracted from this so they need not be filled in. +- `capabilities` the Linux capabilities required, for example `CAP_SYS_ADMIN`. If there is a single + capability `all` then all capabilities are added. +- `ambient` the Linux ambient capabilities (capabilities passed to non root users) that are required. +- `mounts` is the full form for specifying a mount, which requires `type`, `source`, `destination` + and a list of `options`. 
If any fields are omitted, sensible defaults are used if possible, for example + if the `type` is `dev` it is assumed you want to mount at `/dev`. The default mounts and their options + can be replaced by specifying a mount with new options here at the same mount point. +- `binds` is a simpler interface to specify bind mounts, accepting a string like `/src:/dest:opt1,opt2` + similar to the `-v` option for bind mounts in Docker. +- `tmpfs` is a simpler interface to mount a `tmpfs`, like `--tmpfs` in Docker, taking `/dest:opt1,opt2`. +- `command` will override the command and entrypoint in the image with a new list of commands. +- `env` will override the environment in the image with a new environment list. Specify variables as `VAR=value`. +- `cwd` will set the working directory, defaults to `/`. +- `net` sets the network namespace, either to a path, or if `none` or `new` is specified it will use a new namespace. +- `ipc` sets the ipc namespace, either to a path, or if `new` is specified it will use a new namespace. +- `uts` sets the uts namespace, either to a path, or if `new` is specified it will use a new namespace. +- `pid` sets the pid namespace, either to a path, or if `host` is specified it will use the host namespace. +- `readonly` sets the root filesystem to read only, and changes the other default filesystems to read only. +- `maskedPaths` sets paths which should be hidden. +- `readonlyPaths` sets paths to read only. +- `uid` sets the user id of the process. +- `gid` sets the group id of the process. +- `additionalGids` sets a list of additional groups for the process. +- `noNewPrivileges` is `true` means no additional capabilities can be acquired and `suid` binaries do not work. +- `hostname` sets the hostname inside the image. +- `oomScoreAdj` changes the OOM score. +- `rootfsPropagation` sets the rootfs propagation, eg `shared`, `slave` or (default) `private`. +- `cgroupsPath` sets the path for cgroups. 
+- `resources` sets cgroup resource limits as per the OCI spec. +- `sysctl` sets a map of `sysctl` key value pairs that are set inside the container namespace. +- `rmlimits` sets a list of `rlimit` values in the form `name,soft,hard`, eg `nofile,100,200`. You can use `unlimited` as a value too. +- `annotations` sets a map of key value pairs as OCI metadata. + +There are experimental `userns`, `uidMappings` and `gidMappings` options for user namespaces but these are not yet supported, and may have +permissions issues in use. + +In addition to the parts of the specification above used to generate the OCI spec, there is a `runtime` section in the image specification +which specifies some actions to take place when the container is being started. +- `cgroups` takes a list of cgroups that will be created before the container is run. +- `mounts` takes a list of mount specifications (`source`, `destination`, `type`, `options`) and mounts them in the root namespace before the container is created. It will + try to make any missing destination directories. +- `mkdir` takes a list of directories to create at runtime, in the root mount namespace. These are created before the container is started, so they can be used to create + directories for bind mounts, for example in `/tmp` or `/run` which would otherwise be empty. +- `interface` defines a list of actions to perform on a network interface: + - `name` specifies the name of an interface. An existing interface with this name will be moved into the container's network namespace. + - `add` specifies a type of interface to be created in the containers namespace, with the specified name. + - `createInRoot` is a boolean which specifes that the interface being `add`ed should be created in the root namespace first, then moved. This is needed for `wireguard` interfaces. + - `peer` specifies the name of the other end when creating a `veth` interface. This end will remain in the root namespace, where it can be attached to a bridge. 
Specifying this implies `add: veth`. +- `bindNS` specifies a namespace type and a path where the namespace from the container being created will be bound. This allows a namespace to be set up in an `onboot` container, and then + using `net: path` for a `service` container to use that network namespace later. +- `namespace` overrides the LinuxKit default containerd namespace to put the container in; only applicable to services. + +An example of using the `runtime` config to configure a network namespace with `wireguard` and then run `nginx` in that namespace is shown below: +``` +onboot: + - name: dhcpcd + image: linuxkit/dhcpcd: + command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] + - name: wg + image: linuxkit/ip: + net: new + binds: + - /etc/wireguard:/etc/wireguard + command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"] + runtime: + interfaces: + - name: wg0 + add: wireguard + createInRoot: true + bindNS: + net: /run/netns/wg +services: + - name: nginx + image: nginx:alpine + net: /run/netns/wg + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_CHOWN + - CAP_SETUID + - CAP_SETGID + - CAP_DAC_OVERRIDE +``` + + +### Mount Options +When mounting filesystem paths into a container - whether as part of `onboot` or `services` - there are several options of which you need to be aware. Using them properly is necessary for your containers to function properly. + +For most containers - e.g. nginx or even docker - these options are not needed. Simply doing the following will work fine: + +```yml +binds: + - /var:/some/var/path +``` + +Please note that `binds` doesn't **add** the mount points, but **replaces** them. +You can examine the `Dockerfile` of the component (in particular, `binds` value of +`org.mobyproject.config` label) to get the list of the existing binds. + +However, in some circumstances you will need additional options. 
These options are used primarily if you intend to make changes to mount points _from within your container_ that should be visible from outside the container, e.g., if you intend to mount an external disk from inside the container but have it be visible outside. + +In order for new mounts from within a container to be propagated, you must set the following on the container: + +1. `rootfsPropagation: shared` +2. The mount point into the container below which new mounts are to occur must be `rshared,rbind`. In practice, this is `/var` (or some subdir of `/var`), since that is the only true read-write area of the filesystem where you will mount things. + +Thus, if you have a regular container that is only reading and writing, go ahead and do: + +```yml +binds: + - /var:/some/var/path +``` + +On the other hand, if you have a container that will make new mounts that you wish to be visible outside the container, do: + +```yml +binds: + - /var:/var:rshared,rbind +rootfsPropagation: shared +``` diff --git a/pkg/init/cmd/service/prepare.go b/pkg/init/cmd/service/prepare.go index b8c97e9bf..9df68349a 100644 --- a/pkg/init/cmd/service/prepare.go +++ b/pkg/init/cmd/service/prepare.go @@ -14,7 +14,7 @@ import ( "golang.org/x/sys/unix" ) -// Note these definitions are from moby/tool/src/moby/config.go and should be kept in sync +// Note these definitions are from src/moby/config.go and should be kept in sync // Runtime is the type of config processed at runtime, not used to build the OCI spec type Runtime struct { diff --git a/src/cmd/linuxkit/build.go b/src/cmd/linuxkit/build.go index ef8f623e0..6c991a15e 100644 --- a/src/cmd/linuxkit/build.go +++ b/src/cmd/linuxkit/build.go @@ -11,7 +11,7 @@ import ( "path/filepath" "strings" - "github.com/moby/tool/src/moby" + "github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby" log "github.com/sirupsen/logrus" ) 
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/initrd/initrd.go b/src/cmd/linuxkit/initrd/initrd.go similarity index 98% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/initrd/initrd.go rename to src/cmd/linuxkit/initrd/initrd.go index 6575cdf85..bfdeb7d27 100644 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/initrd/initrd.go +++ b/src/cmd/linuxkit/initrd/initrd.go @@ -10,7 +10,7 @@ import ( "path/filepath" "strings" - "github.com/moby/tool/src/pad4" + "github.com/linuxkit/linuxkit/src/cmd/linuxkit/pad4" "github.com/surma/gocpio" ) diff --git a/src/cmd/linuxkit/main.go b/src/cmd/linuxkit/main.go index ed6d95517..88f34455f 100644 --- a/src/cmd/linuxkit/main.go +++ b/src/cmd/linuxkit/main.go 
@@ -8,34 +8,11 @@ import ( "path/filepath" "github.com/linuxkit/linuxkit/src/cmd/linuxkit/version" - "github.com/moby/tool/src/moby" log "github.com/sirupsen/logrus" "gopkg.in/yaml.v2" ) -func init() { - // Register LinuxKit images to build outputs with the vendored moby tool. - // This allows us to overwrite the hashes locally without having - // to re-vendor the 'github.com/moby/tool' when we update 'mkimage-*' - imgs := map[string]string{ - "iso-bios": "linuxkit/mkimage-iso-bios:fd0092700bc19ea36cc8dccccc9799b7847b4909", - "iso-efi": "linuxkit/mkimage-iso-efi:79148c60bbf2a9526d976d708840492d85b0c576", - "raw-bios": "linuxkit/mkimage-raw-bios:0ff04de5d11a88b0712cdc85b2ee5f0b966ffccf", - "raw-efi": "linuxkit/mkimage-raw-efi:084f159cb44dc6c22351a70f1c1a043857be4e12", - "squashfs": "linuxkit/mkimage-squashfs:36f3fa106cfb7f8b818a828d7aebb27f946c9526", - "gcp": "linuxkit/mkimage-gcp:e6cdcf859ab06134c0c37a64ed5f886ec8dae1a1", - "qcow2-efi": "linuxkit/mkimage-qcow2-efi:0eb853459785fad0b518d8edad3b7434add6ad96", - "vhd": "linuxkit/mkimage-vhd:3820219e5c350fe8ab2ec6a217272ae82f4b9242", - "dynamic-vhd": "linuxkit/mkimage-dynamic-vhd:743ac9959fe6d3912ebd78b4fd490b117c53f1a6", - "vmdk": "linuxkit/mkimage-vmdk:cee81a3ed9c44ae446ef7ebff8c42c1e77b3e1b5", - "rpi3": "linuxkit/mkimage-rpi3:be740259f3b49bfe46f5322e22709c3af2111b33", - } - if err := moby.UpdateOutputImages(imgs); err != nil { - log.Fatalf("Failed to register mkimage-*. %v", err) - } -} - // GlobalConfig is the global tool configuration type GlobalConfig struct { Pkg PkgConfig `yaml:"pkg"` diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/build.go b/src/cmd/linuxkit/moby/build.go similarity index 95% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/build.go rename to src/cmd/linuxkit/moby/build.go index bdd8c79ea..ffd99c403 100644 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/build.go +++ b/src/cmd/linuxkit/moby/build.go 
@@ -49,9 +49,10 @@ var additions = map[string]addFun{ "docker": func(tw *tar.Writer) error { log.Infof(" Adding Dockerfile") hdr := &tar.Header{ - Name: "Dockerfile", - Mode: 0644, - Size: int64(len(dockerfile)), + Name: "Dockerfile", + Mode: 0644, + Size: int64(len(dockerfile)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -340,6 +341,7 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error { Name: "boot", Mode: 0755, Typeflag: tar.TypeDir, + Format: tar.FormatPAX, } if err := tw.WriteHeader(whdr); err != nil { return err @@ -347,9 +349,10 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error { } // add the cmdline in /boot/cmdline whdr := &tar.Header{ - Name: "boot/cmdline", - Mode: 0644, - Size: int64(len(k.cmdline)), + Name: "boot/cmdline", + Mode: 0644, + Size: int64(len(k.cmdline)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(whdr); err != nil { return err @@ -360,9 +363,10 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error { return err } whdr = &tar.Header{ - Name: "boot/kernel", - Mode: hdr.Mode, - Size: hdr.Size, + Name: "boot/kernel", + Mode: hdr.Mode, + Size: hdr.Size, + Format: tar.FormatPAX, } if err := tw.WriteHeader(whdr); err != nil { return err @@ -380,15 +384,17 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error { Name: "boot", Mode: 0755, Typeflag: tar.TypeDir, + Format: tar.FormatPAX, } if err := tw.WriteHeader(whdr); err != nil { return err } } whdr := &tar.Header{ - Name: "boot/ucode.cpio", - Mode: hdr.Mode, - Size: hdr.Size, + Name: "boot/ucode.cpio", + Mode: hdr.Mode, + Size: hdr.Size, + Format: tar.FormatPAX, } if err := tw.WriteHeader(whdr); err != nil { return err @@ -544,6 +550,7 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error { Mode: dirMode, Uid: int(uid), Gid: int(gid), + Format: tar.FormatPAX, } err := tw.WriteHeader(hdr) if err != nil { 
@@ -554,10 +561,11 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error { } addedFiles[f.Path] = true hdr := &tar.Header{ - Name: f.Path, - Mode: mode, - Uid: int(uid), - Gid: int(gid), + Name: f.Path, + Mode: mode, + Uid: int(uid), + Gid: int(gid), + Format: tar.FormatPAX, } if f.Directory { if f.Contents != nil { diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go b/src/cmd/linuxkit/moby/config.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go rename to src/cmd/linuxkit/moby/config.go diff --git a/src/cmd/linuxkit/moby/config_test.go b/src/cmd/linuxkit/moby/config_test.go new file mode 100644 index 000000000..12f317b74 --- /dev/null +++ b/src/cmd/linuxkit/moby/config_test.go 
@@ -0,0 +1,113 @@ +package moby + +import ( + "encoding/json" + "reflect" + "testing" + + "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/container" +) + +func setupInspect(t *testing.T, label ImageConfig) types.ImageInspect { + var inspect types.ImageInspect + var config container.Config + + labelJSON, err := json.Marshal(label) + if err != nil { + t.Error(err) + } + config.Labels = map[string]string{"org.mobyproject.config": string(labelJSON)} + + inspect.Config = &config + + return inspect +} + +func TestOverrides(t *testing.T) { + idMap := map[string]uint32{} + + var yamlCaps = []string{"CAP_SYS_ADMIN"} + + var yaml = Image{ + Name: "test", + Image: "testimage", + ImageConfig: ImageConfig{ + Capabilities: &yamlCaps, + }, + } + + var labelCaps = []string{"CAP_SYS_CHROOT"} + + var label = ImageConfig{ + Capabilities: &labelCaps, + Cwd: "/label/directory", + } + + inspect := setupInspect(t, label) + + oci, _, err := ConfigInspectToOCI(&yaml, inspect, idMap) + if err != nil { + t.Error(err) + } + + if !reflect.DeepEqual(oci.Process.Capabilities.Bounding, yamlCaps) { + t.Error("Expected yaml capabilities to override but got", oci.Process.Capabilities.Bounding) + } + if oci.Process.Cwd != label.Cwd { + t.Error("Expected label Cwd to be applied, got", oci.Process.Cwd) + } +} + +func TestInvalidCap(t *testing.T) { + idMap := map[string]uint32{} + + yaml := Image{ + Name: "test", + Image: "testimage", + } + + labelCaps := []string{"NOT_A_CAP"} + var label = ImageConfig{ + Capabilities: &labelCaps, + } + + inspect := setupInspect(t, label) + + _, _, err := ConfigInspectToOCI(&yaml, inspect, idMap) + if err == nil { + t.Error("expected error, got valid OCI config") + } +} + +func TestIdMap(t *testing.T) { + idMap := map[string]uint32{"test": 199} + + var uid interface{} = "test" + var gid interface{} = 76 + + yaml := Image{ + Name: "test", + Image: "testimage", + ImageConfig: ImageConfig{ + UID: &uid, + GID: &gid, + }, + } + + var label = 
ImageConfig{} + + inspect := setupInspect(t, label) + + oci, _, err := ConfigInspectToOCI(&yaml, inspect, idMap) + if err != nil { + t.Error(err) + } + + if oci.Process.User.UID != 199 { + t.Error("Expected named uid to work") + } + if oci.Process.User.GID != 76 { + t.Error("Expected numerical gid to work") + } +} diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/docker.go b/src/cmd/linuxkit/moby/docker.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/docker.go rename to src/cmd/linuxkit/moby/docker.go diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go b/src/cmd/linuxkit/moby/image.go similarity index 95% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go rename to src/cmd/linuxkit/moby/image.go index cb1e23be0..fb881100b 100644 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go +++ b/src/cmd/linuxkit/moby/image.go @@ -72,6 +72,7 @@ func tarPrefix(path string, tw tarWriter) error { Name: mkdir, Mode: 0755, Typeflag: tar.TypeDir, + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -217,9 +218,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt } hdr := &tar.Header{ - Name: path.Join(prefix, "config.json"), - Mode: 0644, - Size: int64(len(config)), + Name: path.Join(prefix, "config.json"), + Mode: 0644, + Size: int64(len(config)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -237,6 +239,7 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt Name: tmp, Mode: 0755, Typeflag: tar.TypeDir, + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err 
@@ -246,6 +249,7 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt Name: path.Join(prefix, "rootfs"), Mode: 0755, Typeflag: tar.TypeDir, + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -264,6 +268,7 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt Name: path.Join(prefix, "rootfs"), Mode: 0755, Typeflag: tar.TypeDir, + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -286,9 +291,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt } hdr = &tar.Header{ - Name: path.Join(prefix, "runtime.json"), - Mode: 0644, - Size: int64(len(runtimeConfig)), + Name: path.Join(prefix, "runtime.json"), + Mode: 0644, + Size: int64(len(runtimeConfig)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go b/src/cmd/linuxkit/moby/linuxkit.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go rename to src/cmd/linuxkit/moby/linuxkit.go diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go b/src/cmd/linuxkit/moby/output.go similarity index 90% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go rename to src/cmd/linuxkit/moby/output.go index a5427c2a7..f64a85ced 100644 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go +++ b/src/cmd/linuxkit/moby/output.go 
@@ -10,23 +10,23 @@ import ( "runtime" "strings" - "github.com/moby/tool/src/initrd" + "github.com/linuxkit/linuxkit/src/cmd/linuxkit/initrd" log "github.com/sirupsen/logrus" ) var ( outputImages = map[string]string{ - "iso-bios": "linuxkit/mkimage-iso-bios:9a51dc64a461f1cc50ba05f30a38f73f5227ac03", - "iso-efi": "linuxkit/mkimage-iso-efi:343cf1a8ac0aba7d8a1f13b7f45fa0b57ab897dc", - "raw-bios": "linuxkit/mkimage-raw-bios:d90713b2dd610cf9a0f5f9d9095f8bf86f40d5c6", - "raw-efi": "linuxkit/mkimage-raw-efi:8938ffb6014543e557b624a40cce1714f30ce4b6", - "squashfs": "linuxkit/mkimage-squashfs:b44d00b0a336fd32c122ff32bd2b39c36a965135", + "iso-bios": "linuxkit/mkimage-iso-bios:fd0092700bc19ea36cc8dccccc9799b7847b4909", + "iso-efi": "linuxkit/mkimage-iso-efi:79148c60bbf2a9526d976d708840492d85b0c576", + "raw-bios": "linuxkit/mkimage-raw-bios:0ff04de5d11a88b0712cdc85b2ee5f0b966ffccf", + "raw-efi": "linuxkit/mkimage-raw-efi:084f159cb44dc6c22351a70f1c1a043857be4e12", + "squashfs": "linuxkit/mkimage-squashfs:36f3fa106cfb7f8b818a828d7aebb27f946c9526", "gcp": "linuxkit/mkimage-gcp:e6cdcf859ab06134c0c37a64ed5f886ec8dae1a1", - "qcow2-efi": "linuxkit/mkimage-qcow2-efi:787b54906e14a56b9f1da35dcc8e46bd58435285", + "qcow2-efi": "linuxkit/mkimage-qcow2-efi:0eb853459785fad0b518d8edad3b7434add6ad96", "vhd": "linuxkit/mkimage-vhd:3820219e5c350fe8ab2ec6a217272ae82f4b9242", "dynamic-vhd": "linuxkit/mkimage-dynamic-vhd:743ac9959fe6d3912ebd78b4fd490b117c53f1a6", "vmdk": "linuxkit/mkimage-vmdk:cee81a3ed9c44ae446ef7ebff8c42c1e77b3e1b5", - "rpi3": "linuxkit/mkimage-rpi3:0f23c4f37cdca99281ca33ac6188e1942fa7a2b8", + "rpi3": "linuxkit/mkimage-rpi3:be740259f3b49bfe46f5322e22709c3af2111b33", } ) 
@@ -273,9 +273,10 @@ func tarInitrdKernel(kernel, initrd []byte, cmdline string) (*bytes.Buffer, erro buf := new(bytes.Buffer) tw := tar.NewWriter(buf) hdr := &tar.Header{ - Name: "kernel", - Mode: 0600, - Size: int64(len(kernel)), + Name: "kernel", + Mode: 0600, + Size: int64(len(kernel)), + Format: tar.FormatPAX, } err := tw.WriteHeader(hdr) if err != nil { @@ -286,9 +287,10 @@ func tarInitrdKernel(kernel, initrd []byte, cmdline string) (*bytes.Buffer, erro return buf, err } hdr = &tar.Header{ - Name: "initrd.img", - Mode: 0600, - Size: int64(len(initrd)), + Name: "initrd.img", + Mode: 0600, + Size: int64(len(initrd)), + Format: tar.FormatPAX, } err = tw.WriteHeader(hdr) if err != nil { @@ -299,9 +301,10 @@ func tarInitrdKernel(kernel, initrd []byte, cmdline string) (*bytes.Buffer, erro return buf, err } hdr = &tar.Header{ - Name: "cmdline", - Mode: 0600, - Size: int64(len(cmdline)), + Name: "cmdline", + Mode: 0600, + Size: int64(len(cmdline)), + Format: tar.FormatPAX, } err = tw.WriteHeader(hdr) if err != nil { @@ -389,9 +392,10 @@ func outputKernelInitrdTarball(base string, kernel []byte, initrd []byte, cmdlin defer f.Close() tw := tar.NewWriter(f) hdr := &tar.Header{ - Name: "kernel", - Mode: 0644, - Size: int64(len(kernel)), + Name: "kernel", + Mode: 0644, + Size: int64(len(kernel)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -400,9 +404,10 @@ func outputKernelInitrdTarball(base string, kernel []byte, initrd []byte, cmdlin return err } hdr = &tar.Header{ - Name: "initrd.img", - Mode: 0644, - Size: int64(len(initrd)), + Name: "initrd.img", + Mode: 0644, + Size: int64(len(initrd)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err 
@@ -411,9 +416,10 @@ func outputKernelInitrdTarball(base string, kernel []byte, initrd []byte, cmdlin return err } hdr = &tar.Header{ - Name: "cmdline", - Mode: 0644, - Size: int64(len(cmdline)), + Name: "cmdline", + Mode: 0644, + Size: int64(len(cmdline)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -423,9 +429,10 @@ func outputKernelInitrdTarball(base string, kernel []byte, initrd []byte, cmdlin } if len(ucode) != 0 { hdr := &tar.Header{ - Name: "ucode.cpio", - Mode: 0644, - Size: int64(len(ucode)), + Name: "ucode.cpio", + Mode: 0644, + Size: int64(len(ucode)), + Format: tar.FormatPAX, } if err := tw.WriteHeader(hdr); err != nil { return err @@ -454,6 +461,7 @@ func outputKernelSquashFS(image, base string, filesystem io.Reader) error { if err != nil { return err } + thdr.Format = tar.FormatPAX switch { case thdr.Name == "boot/kernel": kernel, err := ioutil.ReadAll(tr) diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/schema.go b/src/cmd/linuxkit/moby/schema.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/schema.go rename to src/cmd/linuxkit/moby/schema.go diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/trust.go b/src/cmd/linuxkit/moby/trust.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/trust.go rename to src/cmd/linuxkit/moby/trust.go diff --git a/src/cmd/linuxkit/moby/trust_test.go b/src/cmd/linuxkit/moby/trust_test.go new file mode 100644 index 000000000..e5d8d7693 --- /dev/null +++ b/src/cmd/linuxkit/moby/trust_test.go 
@@ -0,0 +1,58 @@ +package moby + +import "testing" + +func TestEnforceContentTrust(t *testing.T) { + type enforceContentTrustCase struct { + result bool + imageName string + trustConfig *TrustConfig + } + testCases := []enforceContentTrustCase{ + // Simple positive and negative cases for Image subkey + {true, "image", &TrustConfig{Image: []string{"image"}}}, + {true, "image", &TrustConfig{Image: []string{"more", "than", "one", "image"}}}, + {true, "image", &TrustConfig{Image: []string{"more", "than", "one", "image"}, Org: []string{"random", "orgs"}}}, + {false, "image", &TrustConfig{}}, + {false, "image", &TrustConfig{Image: []string{"not", "in", "here!"}}}, + {false, "image", &TrustConfig{Image: []string{"not", "in", "here!"}, Org: []string{""}}}, + + // Tests for Image subkey with tags + {true, "image:tag", &TrustConfig{Image: []string{"image:tag"}}}, + {true, "image:tag", &TrustConfig{Image: []string{"image"}}}, + {false, "image:tag", &TrustConfig{Image: []string{"image:otherTag"}}}, + {false, "image:tag", &TrustConfig{Image: []string{"image@sha256:abc123"}}}, + + // Tests for Image subkey with digests + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}}, + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}}, + + // Tests for Image subkey with digests + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}}, + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}}, + + // Tests for Org subkey + {true, "linuxkit/image", &TrustConfig{Image: []string{"notImage"}, Org: []string{"linuxkit"}}}, + {true, "linuxkit/differentImage", &TrustConfig{Image: 
[]string{}, Org: []string{"linuxkit"}}}, + {true, "linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}}, + {true, "linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}}, + {false, "linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}}, + {false, "linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}}, + {false, "linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}}, + + // Tests for Org with library organization + {true, "nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}}, + {true, "nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}}, + {true, "library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}}, + {false, "nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}}, + } + for _, testCase := range testCases { + if enforceContentTrust(testCase.imageName, testCase.trustConfig) != testCase.result { + t.Errorf("incorrect trust enforcement result for %s against configuration %v, expected: %v", testCase.imageName, testCase.trustConfig, testCase.result) + } + } +} diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/util.go b/src/cmd/linuxkit/moby/util.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/util.go rename to src/cmd/linuxkit/moby/util.go diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/util_unix.go b/src/cmd/linuxkit/moby/util_unix.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/util_unix.go rename to src/cmd/linuxkit/moby/util_unix.go 
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/util_windows.go b/src/cmd/linuxkit/moby/util_windows.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/util_windows.go rename to src/cmd/linuxkit/moby/util_windows.go diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/pad4/pad4.go b/src/cmd/linuxkit/pad4/pad4.go similarity index 100% rename from src/cmd/linuxkit/vendor/github.com/moby/tool/src/pad4/pad4.go rename to src/cmd/linuxkit/pad4/pad4.go diff --git a/src/cmd/linuxkit/pkglib/pkglib.go b/src/cmd/linuxkit/pkglib/pkglib.go index 3581f770f..1954a504e 100644 --- a/src/cmd/linuxkit/pkglib/pkglib.go +++ b/src/cmd/linuxkit/pkglib/pkglib.go @@ -9,7 +9,7 @@ import ( "path/filepath" "strings" - "github.com/moby/tool/src/moby" + "github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby" ) // Contains fields settable in the build.yml diff --git a/src/cmd/linuxkit/vendor.conf b/src/cmd/linuxkit/vendor.conf index 8e87a8bc3..50cb658fd 100644 --- a/src/cmd/linuxkit/vendor.conf +++ b/src/cmd/linuxkit/vendor.conf @@ -24,9 +24,6 @@ github.com/jmespath/go-jmespath bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d github.com/mitchellh/go-ps 4fdf99ab29366514c69ccccddab5dc58b8d84062 github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86 github.com/moby/hyperkit d65b09c1c28a2bfb6a976c86ecd885d2ee4c71d3 -# When updating also: -# curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/«hash»/cmd/moby/build.go -github.com/moby/tool 3dbad3b7daffd631d036493a1e883608206d2e03 github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448 github.com/opencontainers/image-spec v1.0.0 diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/LICENSE b/src/cmd/linuxkit/vendor/github.com/moby/tool/LICENSE deleted file mode 100644 index 2eda16c9c..000000000 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/LICENSE +++ /dev/null 
@@ -1,191 +0,0 @@ - - Apache License - Version 2.0, January 2004 - https://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - Copyright 2015-2017 Docker, Inc. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/NOTICE b/src/cmd/linuxkit/vendor/github.com/moby/tool/NOTICE deleted file mode 100644 index 516c4ccb1..000000000 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/NOTICE +++ /dev/null @@ -1,13 +0,0 @@ -Copyright 2015-2017 Docker, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/README.md b/src/cmd/linuxkit/vendor/github.com/moby/tool/README.md deleted file mode 100644 index 7f2909a9b..000000000 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/README.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# Moby - -[Moby Project](https://mobyproject.org) - -The Moby Project is an open framework created by Docker to assemble specialized container systems without reinventing the wheel. - -At the core of Moby is a framework which provides a “lego set” of dozens of standard components and tools for assembling them into custom platforms. - -For more information, please visit the [Moby Project home page](https://mobyproject.org). - -## Documentation - -* [Format of moby input yml](./docs/yaml.md) -* [Using private images](./docs/privateimages.md) diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf b/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf deleted file mode 100644 index 9c422a88c..000000000 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -github.com/agl/ed25519 278e1ec8e8a6e017cd07577924d6766039146ced -github.com/containerd/containerd v1.0.0 -github.com/docker/distribution 3800056b8832cf6075e78b282ac010131d8687bc -github.com/docker/docker ba99c19b593bdb9e7b90793681fe89b0a91781ed -github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06 -github.com/docker/go-connections v0.3.0 -github.com/docker/go-units v0.3.1 -github.com/gogo/protobuf v0.5 -github.com/gorilla/mux v1.6.1 -github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448 -github.com/opencontainers/image-spec v1.0.0 -github.com/opencontainers/runtime-spec v1.0.0 -github.com/pkg/errors v0.8.0 -github.com/sirupsen/logrus v1.0.3 -github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495 -github.com/theupdateframework/notary v0.6.1 -github.com/xeipuuv/gojsonpointer 6fe8760cad3569743d51ddbb243b26f8456742dc -github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45 -github.com/xeipuuv/gojsonschema 702b404897d4364af44dc8dcabc9815947942325 -golang.org/x/crypto 573951cbe80bb6352881271bb276f48749eab6f4 -golang.org/x/net 7dcfb8076726a3fdd9353b6b8a1f1b6be6811bd6 -golang.org/x/sys 739734461d1c916b6c72a63d7efda2b27edb369f -gopkg.in/yaml.v2 v2.2.1 -github.com/Microsoft/go-winio v0.4.1
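Review bot: In the ImageBundle hunks (linuxkit.go, the three `Format: tar.FormatPAX` additions), the `tar.Header.Format` field only exists in Go 1.10 and later, so the minimum supported Go version for building `src/cmd/linuxkit` should be stated in the build docs and enforced in the Makefile or CI alongside this change; otherwise anyone on 1.9 gets an "unknown field Format" compile error with no hint why. Setting the format explicitly to PAX is the right call here, since it makes long paths and large sizes encode the same way regardless of the writer's defaults.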
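Review bot: In the output.go `outputImages` hunk, the updated mkimage references (`linuxkit/mkimage-iso-bios:fd0092700bc19ea36cc8dccccc9799b7847b4909` and the others) pin by tag, and a tag is mutable even when it looks like a git hash, so a registry-side overwrite would silently change the builder that produces the final disk images. The new trust_test.go shows that `image@sha256:` digest references are accepted by `enforceContentTrust`, so either pin these builder images by digest or confirm that the mkimage pulls go through the same trust enforcement path as the images listed in the YAML; a one-line comment on the map saying which applies would help the next person who bumps these.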
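Review bot: In the `tarInitrdKernel` and `outputKernelInitrdTarball` hunks, the same `&tar.Header{Name:, Mode:, Size:, Format: tar.FormatPAX}` literal now appears seven times, differing only in name, mode and size; a small helper such as `func paxHeader(name string, mode int64, size int64) *tar.Header` would remove the repetition and, more importantly, make it impossible for a future header to miss the `Format` field and come out in a different tar format than its siblings. The `thdr.Format = tar.FormatPAX` line in `outputKernelSquashFS` overrides whatever format the input stream's headers carried, which is fine, but deserves a comment saying that is intentional.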
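Review bot: In the trust_test.go hunk, the block commented `// Tests for Image subkey with digests` appears twice with identical contents (the four cases from `{true, "image@sha256:abc123", ...}` to `{false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}}`); one copy should be dropped so the table stays readable. The remaining cases are a good spread, in particular `Org: []string{""}` being expected to return false, since an empty org string matching every image would be the dangerous failure mode for a prefix-based check; a case with a registry host in the name (for example a `registry.example.com/linuxkit/image` form) would be worth adding so the org matching is pinned for non-Docker-Hub references as well.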
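Review bot: In the `src/cmd/linuxkit/vendor.conf` hunk, the removed comment (`# When updating also:` / `# curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/«hash»/cmd/moby/build.go`) documented a manual sync step for build.go that the moby/tool pin implied; with the moby package now renamed in-tree, confirm that build.go is maintained here rather than copied from upstream, and replace the removed comment with a note on where the moby code now lives so nobody reintroduces the curl step.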
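Review bot: In the LICENSE and NOTICE deletion hunks, the Apache-2.0 text and the `Copyright 2015-2017 Docker, Inc.` notice are removed while the code they covered (linuxkit.go, output.go, schema.go, trust.go, util*.go, pad4.go, renamed with 100% similarity) stays in the tree under the linuxkit paths; section 4(c) and 4(d) of the license text shown in this very hunk require that attribution and NOTICE contents be retained in redistributed Derivative Works, so the NOTICE content should be carried over into the repository's own NOTICE or license file rather than dropped along with the vendor directory.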
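Review bot: In the deleted `vendor/github.com/moby/tool/vendor.conf` hunk, the removed pins (among them `github.com/theupdateframework/notary v0.6.1`, `github.com/xeipuuv/gojsonschema 702b404897d4364af44dc8dcabc9815947942325`, `github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495`) are dependencies of the code that has just moved in-tree, but the visible `src/cmd/linuxkit/vendor.conf` hunk only removes the moby/tool line and shows no corresponding additions; confirm that each of these is already present in the linuxkit vendor.conf at a compatible version, since notary in particular is what backs the trust checks exercised by the new trust_test.go, and a version drift there would change signature verification behaviour without any code in this diff changing.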