diff --git a/projects/ima-namespace/Makefile b/projects/ima-namespace/Makefile
index 08770f129..5819a3c00 100644
--- a/projects/ima-namespace/Makefile
+++ b/projects/ima-namespace/Makefile
@@ -2,7 +2,7 @@ run: ima-namespace-kernel ../../bin/linuxkit run ima-namespace -ima-namespace-kernel: +ima-namespace-kernel: ima-namespace.yml ../../bin/moby build ima-namespace .PHONY: clean
diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml
index 93ac38520..a2f1316b9 100644
--- a/projects/ima-namespace/ima-namespace.yml
+++ b/projects/ima-namespace/ima-namespace.yml
@@ -1,26 +1,60 @@ kernel: - image: "linuxkit/kernel-ima:4.11.x" - cmdline: "console=ttyS0 page_poison=1 ima_appraise=enforce_ns" + image: "linuxkit/kernel-ima:4.11.1-" + cmdline: "console=ttyS0 console=tty0 page_poison=1 ima_appraise=enforce_ns" init: - - linuxkit/init-ima:1bf49efd6df8d137813884211860607c58ff383e - - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - - mobylinux/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b - - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 + - linuxkit/init:b3740303f3d1e5689a84c87b7dfb48fd2a40a192 + - linuxkit/runc:47b1c38d63468c0f3078f8b1b055d07965a1895d + - linuxkit/containerd:cf2614f5a96c569a0bd4bd54e054a65ba17d167f + - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288 + - linuxkit/ima-utils:fe119c7dac08884f4144cd106dc279ddd8b37517 onboot: - name: sysctl - image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" + image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" net: host pid: host ipc: host capabilities: - CAP_SYS_ADMIN readonly: true + - name: binfmt + image: "linuxkit/binfmt:131026c0cf6084467316395fed3b358f64bda00c" + binds: + - /proc/sys/fs/binfmt_misc:/binfmt_misc + readonly: true + - name: dhcpcd + image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8" + binds: + - /var:/var + - /tmp/etc:/etc + capabilities: + - CAP_NET_ADMIN + - CAP_NET_BIND_SERVICE + - CAP_NET_RAW + net: host + command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" + image: "linuxkit/rngd:61a07ced77a9747708223ca16a4aec621eacf518" capabilities: - CAP_SYS_ADMIN oomScoreAdj: -800 readonly: true + - name: nginx + image: "nginx:alpine" + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_CHOWN + - CAP_SETUID + - CAP_SETGID + - CAP_DAC_OVERRIDE + net: host +files: + - path: etc/docker/daemon.json + contents: '{"debug": true}' +trust: + image: + - linuxkit/kernel + - 
linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd
diff --git a/projects/ima-namespace/ima-utils/Dockerfile b/projects/ima-namespace/ima-utils/Dockerfile
new file mode 100644
index 000000000..10d744b10
--- /dev/null
+++ b/projects/ima-namespace/ima-utils/Dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:edge as utils
+RUN apk add --no-cache attr openssl
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=utils /usr/bin/openssl /usr/bin/setfattr /usr/bin/
+COPY --from=utils /lib/libattr.so* /lib/libssl.so* /lib/libcrypto.so* /lib/
diff --git a/projects/ima-namespace/init/Makefile b/projects/ima-namespace/ima-utils/Makefile
similarity index 77%
rename from projects/ima-namespace/init/Makefile
rename to projects/ima-namespace/ima-utils/Makefile
index 3f465ad25..9e9e2f3a6 100644
--- a/projects/ima-namespace/init/Makefile
+++ b/projects/ima-namespace/ima-utils/Makefile
@@ -1,8 +1,8 @@ .PHONY: tag push default: push -IMAGE=init-ima -DEPS=Dockerfile init $(wildcard etc/*) $(wildcard etc/init.d/*) +IMAGE=ima-utils +DEPS=Dockerfile HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
diff --git a/projects/ima-namespace/init/Dockerfile b/projects/ima-namespace/init/Dockerfile
deleted file mode 100644
index f6f86d17a..000000000
--- a/projects/ima-namespace/init/Dockerfile
+++ /dev/null
@@ -1,12 +0,0 @@
-# Use sha256 here to get a fixed version
-FROM alpine:edge
-ENTRYPOINT []
-CMD []
-WORKDIR /
-COPY init /
-COPY etc etc/
-
-RUN ip a
-RUN apk update
-RUN apk add --no-cache attr openssl
-RUN rm -rf /mirror /etc/apk/repositories /etc/apk/keys
diff --git a/projects/ima-namespace/init/etc/init.d/containerd b/projects/ima-namespace/init/etc/init.d/containerd
deleted file mode 100755
index f62710d7e..000000000
--- a/projects/ima-namespace/init/etc/init.d/containerd
+++ /dev/null
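Review bot: The new `trust:` block lists `linuxkit/kernel`, `linuxkit/binfmt` and `linuxkit/rngd`, but the kernel this file actually boots is `linuxkit/kernel-ima`, so the image carrying the `ima_appraise=enforce_ns` policy the project demonstrates does not appear in the trust list; `nginx:alpine` is likewise a floating tag with neither a digest nor a trust entry. Add `- linuxkit/kernel-ima` under `trust.image` and pin the nginx service by digest (`nginx:alpine@sha256:<digest>`, placeholder) so the appraisal demo is itself built from verified, reproducible inputs. The kernel tag `4.11.1-` ends in a hyphen, which looks like a truncated `<version>-<hash>` tag; please confirm it resolves before merging. The `etc/docker/daemon.json` entry has no consumer in this file (no docker service is defined), so it reads as leftover from another example and could be dropped.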
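Review bot: The `scratch` stage copies `openssl` and `setfattr` together with `libattr`, `libssl` and `libcrypto`, but not the musl dynamic loader that Alpine's dynamically linked binaries are started through; unless these are statically linked, which the diff does not show, they will fail to execute in the final image. Add `COPY --from=utils /lib/ld-musl-*.so.1 /lib/` next to the other library copy and confirm with `ldd` in the `utils` stage that nothing else is missing. `FROM alpine:edge` is an unpinned, moving tag, so the exact library versions the `utils` stage resolves change from build to build; the Dockerfile this replaces carried a `# Use sha256 here to get a fixed version` reminder that is worth keeping, e.g. `FROM alpine:edge@sha256:<digest>` (placeholder), which matters more than usual for an image whose purpose is to demonstrate measured, appraised content.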
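Review bot: `DEPS=Dockerfile` makes the build track the working-tree Dockerfile, while the `HASH?=$(shell git ls-tree HEAD -- …)` context line tags the image from the committed tree, so an edited-but-uncommitted Dockerfile is built and pushed under the previous hash, presumably the one `ima-namespace.yml` now pins as `linuxkit/ima-utils:fe119c7d…`; the rules consuming `DEPS` and `HASH` are outside the hunk, so this is inferred from the variables alone. `?=` is recursive-flavour, so the `git ls-tree | awk` pipeline is re-run on every expansion of `HASH`; `ifndef HASH` / `HASH := $(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')` / `endif` evaluates it once while still allowing a command-line override.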
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-# bring up containerd
-ulimit -n 1048576
-ulimit -p unlimited
-
-printf "\nStarting containerd\n"
-mkdir -p /var/log
-exec /usr/bin/containerd
diff --git a/projects/ima-namespace/init/etc/init.d/containers b/projects/ima-namespace/init/etc/init.d/containers
deleted file mode 100755
index 982a1bafc..000000000
--- a/projects/ima-namespace/init/etc/init.d/containers
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-# start onboot containers, run to completion
-
-if [ -d /containers/onboot ]
-then
- for f in $(find /containers/onboot -mindepth 1 -maxdepth 1 | sort)
- do
- base="$(basename $f)"
- /bin/mount --bind "$f/rootfs" "$f/rootfs"
- mount -o remount,rw "$f/rootfs"
- /usr/bin/runc run --bundle "$f" "$(basename $f)"
- printf " - $base\n"
- done
-fi
-
-# start service containers
-
-if [ -d /containers/services ]
-then
- for f in $(find /containers/services -mindepth 1 -maxdepth 1 | sort)
- do
- base="$(basename $f)"
- /bin/mount --bind "$f/rootfs" "$f/rootfs"
- mount -o remount,rw "$f/rootfs"
- log="/var/log/$base.log"
- ctr run --runtime-config "$f/config.json" --rootfs "$f/rootfs" --id "$(basename $f)" $log >$log &
- printf " - $base\n"
- done
-fi
-
-wait
diff --git a/projects/ima-namespace/init/etc/init.d/rcS b/projects/ima-namespace/init/etc/init.d/rcS
deleted file mode 100755
index 339a428ba..000000000
--- a/projects/ima-namespace/init/etc/init.d/rcS
+++ /dev/null
@@ -1,112 +0,0 @@ -#!/bin/sh - -# mount filesystems -mount -n -t proc proc /proc -o nodev,nosuid,noexec,relatime - -mount -n -t tmpfs tmpfs /run -o nodev,nosuid,noexec,relatime,size=10%,mode=755 -mount -n -t tmpfs tmpfs /tmp -o nodev,nosuid,noexec,relatime,size=10%,mode=1777 - -# mount devfs -mount -n -t devtmpfs dev /dev -o nosuid,noexec,relatime,size=10m,nr_inodes=248418,mode=755 -# devices -[ -c /dev/console ] || mknod -m 600 /dev/console c 5 1 -[ -c /dev/tty1 ] || mknod -m 620 /dev/tty1 c 4 1 -[ -c /dev/tty ] || mknod -m 666 /dev/tty c 5 0 - -[ -c /dev/null ] || mknod -m 666 /dev/null c 1 3 -[ -c /dev/kmsg ] || mknod -m 660 /dev/kmsg c 1 11 - -# extra symbolic links not provided by default -[ -e /dev/fd ] || ln -snf /proc/self/fd /dev/fd -[ -e /dev/stdin ] || ln -snf /proc/self/fd/0 /dev/stdin -[ -e /dev/stdout ] || ln -snf /proc/self/fd/1 /dev/stdout -[ -e /dev/stderr ] || ln -snf /proc/self/fd/2 /dev/stderr -[ -e /proc/kcore ] && ln -snf /proc/kcore /dev/core - -# devfs filesystems -mkdir -p -m 1777 /dev/mqueue -mkdir -p -m 1777 /dev/shm -mkdir -p -m 0755 /dev/pts -mount -n -t mqueue -o noexec,nosuid,nodev mqueue /dev/mqueue -mount -n -t tmpfs -o noexec,nosuid,nodev,mode=1777 shm /dev/shm -mount -n -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts - -# mount sysfs -sysfs_opts=nodev,noexec,nosuid -mount -n -t sysfs -o ${sysfs_opts} sysfs /sys -[ -d /sys/kernel/security ] && mount -n -t securityfs -o ${sysfs_opts} securityfs /sys/kernel/security -[ -d /sys/kernel/debug ] && mount -n -t debugfs -o ${sysfs_opts} debugfs /sys/kernel/debug -[ -d /sys/kernel/config ] && mount -n -t configfs -o ${sysfs_opts} configfs /sys/kernel/config -[ -d /sys/fs/fuse/connections ] && mount -n -t fusectl -o ${sysfs_opts} fusectl /sys/fs/fuse/connections -[ -d /sys/fs/selinux ] && mount -n -t selinuxfs -o nosuid,noexec selinuxfs /sys/fs/selinux -[ -d /sys/fs/pstore ] && mount -n -t pstore pstore -o ${sysfs_opts} /sys/fs/pstore -[ -d /sys/firmware/efi/efivars ] && mount -n 
-t efivarfs -o ro,${sysfs_opts} efivarfs /sys/firmware/efi/efivars - -# misc /proc mounted fs -[ -d /proc/sys/fs/binfmt_misc ] && mount -t binfmt_misc -o nodev,noexec,nosuid binfmt_misc /proc/sys/fs/binfmt_misc - -# mount cgroups -mount -n -t tmpfs -o nodev,noexec,nosuid,mode=755,size=10m cgroup_root /sys/fs/cgroup - -while read name hier groups enabled rest -do - case "${enabled}" in - 1) mkdir -p /sys/fs/cgroup/${name} - mount -n -t cgroup -o ${sysfs_opts},${name} ${name} /sys/fs/cgroup/${name} - ;; - esac -done < /proc/cgroups - -# use hierarchy for memory -echo 1 > /sys/fs/cgroup/memory/memory.use_hierarchy - -# for compatibility -mkdir -p /sys/fs/cgroup/systemd -mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd - -# start mdev for hotplug -echo "/sbin/mdev" > /proc/sys/kernel/hotplug - -# mdev -s will not create /dev/usb[1-9] devices with recent kernels -# so we trigger hotplug events for usb for now -for i in $(find /sys/devices -name 'usb[0-9]*'); do - [ -e $i/uevent ] && echo add > $i/uevent -done - -mdev -s - -# set hostname -if [ -s /etc/hostname ] -then - hostname -F /etc/hostname -fi - -if [ $(hostname) = "(none)" -a -f /sys/class/net/eth0/address ] -then - mac=$(cat /sys/class/net/eth0/address) - hostname linuxkit-$(echo $mac | sed 's/://g') -fi - -# set system clock from hwclock -hwclock --hctosys --utc - -# bring up loopback interface -ip addr add 127.0.0.1/8 dev lo brd + scope host -ip route add 127.0.0.0/8 dev lo scope host -ip link set lo up - -# for containerising dhcpcd and other containers that need writable etc -mkdir /tmp/etc -mv /etc/resolv.conf /tmp/etc/resolv.conf -ln -snf /tmp/etc/resolv.conf /etc/resolv.conf - -# remount rootfs as readonly -mount -o remount,ro / - -# make /var writeable and shared -mount -o bind /var /var -mount -o remount,rw,nodev,nosuid,noexec,relatime /var /var -mount --make-rshared /var - -# make / rshared -mount --make-rshared / 
diff --git a/projects/ima-namespace/init/etc/inittab b/projects/ima-namespace/init/etc/inittab
deleted file mode 100644
index 8ef3e8565..000000000
--- a/projects/ima-namespace/init/etc/inittab
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/inittab
-
-::sysinit:/etc/init.d/rcS
-::once:/etc/init.d/containerd
-::once:/etc/init.d/containers
-
-# Stuff to do for the 3-finger salute
-::ctrlaltdel:/sbin/reboot
-
-# Stuff to do before rebooting
-::shutdown:/usr/sbin/killall5 -15
-::shutdown:/bin/sleep 5
-::shutdown:/usr/sbin/killall5 -9
-::shutdown:/bin/echo "Unmounting filesystems"
-::shutdown:/bin/umount -a -r
diff --git a/projects/ima-namespace/init/etc/issue b/projects/ima-namespace/init/etc/issue
deleted file mode 100644
index ac3f79e41..000000000
--- a/projects/ima-namespace/init/etc/issue
+++ /dev/null
@@ -1,12 +0,0 @@ - -Welcome to LinuxKit - - ## . - ## ## ## == - ## ## ## ## ## === - /"""""""""""""""""\___/ === - ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~ - \______ o __/ - \ \ __/ - \____\_______/ -
diff --git a/projects/ima-namespace/init/init b/projects/ima-namespace/init/init
deleted file mode 100755
index f27b647b0..000000000
--- a/projects/ima-namespace/init/init
+++ /dev/null
@@ -1,45 +0,0 @@ -#!/bin/sh - -setup_console() { - tty=${1%,*} - speed=${1#*,} - inittab="$2" - securetty="$3" - line= - term="linux" - [ "$speed" = "$1" ] && speed=115200 - - case "$tty" in - ttyS*|ttyAMA*|ttyUSB*|ttyMFD*) - line="-L" - term="vt100" - ;; - tty?) - line="" - speed="38400" - term="" - ;; - esac - # skip consoles already in inittab - grep -q "^$tty:" "$inittab" && return - - echo "$tty::once:cat /etc/issue" >> "$inittab" - echo "$tty::respawn:/sbin/getty -n -l /bin/sh $line $speed $tty $term" >> "$inittab" - if ! grep -q -w "$tty" "$securetty"; then - echo "$tty" >> "$securetty" - fi -} - -/bin/mount -t tmpfs tmpfs /mnt - -/bin/cp -a / /mnt 2>/dev/null - -/bin/mount -t proc -o noexec,nosuid,nodev proc /proc -for opt in $(cat /proc/cmdline); do - case "$opt" in - console=*) - setup_console ${opt#console=} /mnt/etc/inittab /mnt/etc/securetty;; - esac -done - -exec /bin/busybox switch_root /mnt /sbin/init