From 9ba7fee7e6d7af170d8ee65f9604372588414176 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Wed, 19 Jul 2017 10:37:12 +0100
Subject: [PATCH 1/3] pkg/init-lcow: Use our own init

The sample init script from opengcs is quite basic (and doesn't set up several mounts and symlinks). Use the relevant portion from rc.init from the LinuxKit init package instead.

Signed-off-by: Rolf Neugebauer
---
 pkg/init-lcow/Dockerfile |  3 +-
 pkg/init-lcow/init       | 63 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100755 pkg/init-lcow/init

diff --git a/pkg/init-lcow/Dockerfile b/pkg/init-lcow/Dockerfile
index 2f0a243c6..2f96bc0b3 100644
--- a/pkg/init-lcow/Dockerfile
+++ b/pkg/init-lcow/Dockerfile
@@ -19,8 +19,6 @@ RUN git clone $OPENGCS_REPO /go/src/github.com/Microsoft/opengcs && \
     make
 RUN mkdir /out && \
     cp -r /go/src/github.com/Microsoft/opengcs/service/bin /out/bin && \
-    cp /go/src/github.com/Microsoft/opengcs/kernelconfig/4.11/scripts/init_script /out/init && \
-    chmod ugo+rx /out/init && \
     mkdir /out/sbin && \
     curl -fSL "https://raw.githubusercontent.com/mirror/busybox/38d966943f5288bb1f2e7219f50a92753c730b14/examples/udhcp/simple.script" -o /out/sbin/udhcpc_config.script && \
     chmod ugo+rx /out/sbin/udhcpc_config.script && \
@@ -33,3 +31,4 @@ CMD []
 WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=build /out/ /
+COPY init /
diff --git a/pkg/init-lcow/init b/pkg/init-lcow/init
new file mode 100755
index 000000000..725a12321
--- /dev/null
+++ b/pkg/init-lcow/init
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+export PATH=/sbin:/bin/:/usr/sbin/:/usr/bin/:/usr/local/sbin:/usr/local/bin
+
+# Set up mounts
+mount -n -t proc proc /proc -o nodev,nosuid,noexec,relatime
+
+mount -n -t tmpfs tmpfs /run -o nodev,nosuid,noexec,relatime,size=10%,mode=755
+mount -n -t tmpfs tmpfs /tmp -o nodev,nosuid,noexec,relatime,size=10%,mode=1777
+
+# mount devfs
+mount -n -t devtmpfs dev /dev -o nosuid,noexec,relatime,size=10m,nr_inodes=248418,mode=755
+# devices
+[ -c /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -c /dev/tty1 ] || mknod -m 620 /dev/tty1 c 4 1
+[ -c /dev/tty ] || mknod -m 666 /dev/tty c 5 0
+
+[ -c /dev/null ] || mknod -m 666 /dev/null c 1 3
+[ -c /dev/kmsg ] || mknod -m 660 /dev/kmsg c 1 11
+
+# extra symbolic links not provided by default
+[ -e /dev/fd ] || ln -snf /proc/self/fd /dev/fd
+[ -e /dev/stdin ] || ln -snf /proc/self/fd/0 /dev/stdin
+[ -e /dev/stdout ] || ln -snf /proc/self/fd/1 /dev/stdout
+[ -e /dev/stderr ] || ln -snf /proc/self/fd/2 /dev/stderr
+[ -e /proc/kcore ] && ln -snf /proc/kcore /dev/core
+
+# devfs filesystems
+mkdir -p -m 1777 /dev/mqueue
+mkdir -p -m 1777 /dev/shm
+mkdir -p -m 0755 /dev/pts
+mount -n -t mqueue -o noexec,nosuid,nodev mqueue /dev/mqueue
+mount -n -t tmpfs -o noexec,nosuid,nodev,mode=1777 shm /dev/shm
+mount -n -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts
+
+# mount sysfs
+sysfs_opts=nodev,noexec,nosuid
+mount -n -t sysfs -o ${sysfs_opts} sysfs /sys
+[ -d /sys/kernel/security ] && mount -n -t securityfs -o ${sysfs_opts} securityfs /sys/kernel/security
+[ -d /sys/kernel/debug ] && mount -n -t debugfs -o ${sysfs_opts} debugfs /sys/kernel/debug
+[ -d /sys/kernel/config ] && mount -n -t configfs -o ${sysfs_opts} configfs /sys/kernel/config
+[ -d /sys/fs/fuse/connections ] && mount -n -t fusectl -o ${sysfs_opts} fusectl /sys/fs/fuse/connections
+[ -d /sys/fs/selinux ] && mount -n -t selinuxfs -o nosuid,noexec selinuxfs /sys/fs/selinux
+[ -d /sys/fs/pstore ] && mount -n -t pstore pstore -o ${sysfs_opts} /sys/fs/pstore
+[ -d /sys/firmware/efi/efivars ] && mount -n -t efivarfs -o ro,${sysfs_opts} efivarfs /sys/firmware/efi/efivars
+
+# mount cgroups
+mount -n -t tmpfs -o nodev,noexec,nosuid,mode=755,size=10m cgroup_root /sys/fs/cgroup
+
+while read name hier groups enabled rest
+do
+    case "${enabled}" in
+    1) mkdir -p /sys/fs/cgroup/${name}
+       mount -n -t cgroup -o ${sysfs_opts},${name} ${name} /sys/fs/cgroup/${name}
+       ;;
+    esac
+done < /proc/cgroups
+
+# Run gcs in the background
+/bin/gcs -loglevel=debug -logfile=/tmp/gcs.log &
+
+# Start shell so we can have access for debug
+sh

From 7eb81ba38cf088bc9ef769b63dda9dbf92c7b4d3 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Wed, 19 Jul 2017 12:20:52 +0100
Subject: [PATCH 2/3] pkg/init-lcow: Include fix for rootfs permissions

Update the git commit to point at a branch with the joint networking and rootfs permission fixes at: https://github.com/rn/opengcs/tree/net+rootfs

This is includes the patches from PRs:
https://github.com/Microsoft/opengcs/pull/63
https://github.com/Microsoft/opengcs/pull/70

Signed-off-by: Rolf Neugebauer
---
 pkg/init-lcow/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/init-lcow/Dockerfile b/pkg/init-lcow/Dockerfile
index 2f96bc0b3..4b413c604 100644
--- a/pkg/init-lcow/Dockerfile
+++ b/pkg/init-lcow/Dockerfile
@@ -9,7 +9,7 @@ RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
 
 FROM linuxkit/alpine:3744607156e6b67e3e7d083b15be9e7722215e73 AS build
 ENV OPENGCS_REPO=https://github.com/rn/opengcs
-ENV OPENGCS_COMMIT=d3ba8e211c0df4b0ee663bcfc00b4c2d88abcb9c
+ENV OPENGCS_COMMIT=3a4ca49c445caaf4c6d4f0c1e613bae0c7455fb6
 RUN apk add --no-cache build-base curl git go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin
 RUN git clone $OPENGCS_REPO /go/src/github.com/Microsoft/opengcs && \

From 4e4ab770c77c76c870cf798673538f31fa71146e Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Wed, 19 Jul 2017 14:20:33 +0100
Subject: [PATCH 3/3] blueprint: Update LCOW YAML blueprint

Signed-off-by: Rolf Neugebauer
---
 blueprints/lcow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blueprints/lcow.yml b/blueprints/lcow.yml
index 6270028af..35dce21ea 100644
--- a/blueprints/lcow.yml
+++ b/blueprints/lcow.yml
@@ -3,7 +3,7 @@ kernel:
   cmdline: "console=ttyS0"
   tar: none
 init:
-  - linuxkit/init-lcow:19ef62ccc57d3aa53c3fd9f7467ed4492b55f032
+  - linuxkit/init-lcow:5375fa62bada3faec048b22d41033dcf1e9ba727
   - linuxkit/runc:d5cbeb95bdafedb82ad2cf11cff1a5da7fcae630
 trust:
   org:
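Review bot: The new init ends by handing the console to an interactive root `sh` as PID 1's foreground command (the last two lines of the hunk), so anyone with console access to the utility VM gets an unauthenticated root prompt, and once that shell exits PID 1 is gone and the kernel will panic; gcs, started with `&` just above it, is never waited on or supervised. Since the comment says the shell is for debugging, I would make it an explicit opt-in (for example only when a marker token is present in /proc/cmdline) and otherwise keep PID 1 alive on the daemon: `/bin/gcs -loglevel=debug -logfile=/tmp/gcs.log &` followed by `wait $!`, dropping into `sh` only in the debug case. Related, none of the mount or mknod calls check their status and there is no `set -e`, so a failed /proc or /sys mount is silent and the cgroup loop at the end would simply read nothing; at minimum the proc, sys and dev mounts should report failure to the console, e.g. `mount -n -t proc proc /proc -o nodev,nosuid,noexec,relatime || echo "init: mounting /proc failed" >&2`.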