Merge pull request #827 from justincormack/container-rngd
Run rngd inside a system container
commit
43c531f8f6
@ -1,5 +1,5 @@
|
||||
# Tag: 547930eb50022274934ee70b0fd9c73c75515216
|
||||
FROM mobylinux/alpine-base@sha256:e1ec2779ecbea58c78130aeb29500ad17ada4d34f5822c9436fc7a388ae95c06
|
||||
# Tag: be663b9af6f6ca464dbfec5aeea7ac94274fba34
|
||||
FROM mobylinux/alpine-base@sha256:3cd5f66d3ae6970905bea2a562358dd53b45483c47caba67acb7c0d049a0fb8a
|
||||
|
||||
ENV ARCH=x86_64
|
||||
|
||||
@ -36,7 +36,6 @@ RUN \
|
||||
rc-update add dmesg sysinit && \
|
||||
rc-update add devfs sysinit && \
|
||||
rc-update add hwdrivers sysinit && \
|
||||
rc-update add rngd && \
|
||||
rc-update add sysfs && \
|
||||
rc-update add procfs && \
|
||||
rc-update add sysfsconf && \
|
||||
|
@ -41,7 +41,7 @@ initrd.img: Dockerfile mkinitrd.sh init $(ETCFILES)
|
||||
-C packages/containerd etc -C ../.. \
|
||||
-C packages/aws etc -C ../.. \
|
||||
-C packages/azure etc -C ../.. \
|
||||
containers/binfmt/rootfs containers/binfmt/config.json \
|
||||
containers/*/rootfs containers/*/config.json \
|
||||
| \
|
||||
docker build -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && \
|
||||
docker run --net=none --log-driver=none --rm $$BUILD > $@
|
||||
|
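Review bot: `containers/*/rootfs containers/*/config.json \` hands a shell glob to `tar`, so the initrd silently packages every directory that happens to exist under containers/ at build time — including stale rootfs trees from a container that was removed or whose build stopped half-way — and if nothing matches, tar receives the literal pattern and fails with an unhelpful error. The rule header shown as hunk context lists `Dockerfile mkinitrd.sh init $(ETCFILES)` as prerequisites and none of the container directories, so a rebuilt container does not make initrd.img out of date unless that is declared somewhere outside this hunk. Computing the list in Make, `CONTAINERS := $(wildcard containers/*/config.json)`, and using `$(CONTAINERS) $(CONTAINERS:config.json=rootfs)` both in the prerequisites and in the tar arguments would make the content and the rebuild trigger explicit. The initrd.img recipe starts and ends outside this hunk.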
@ -19,7 +19,6 @@ RUN \
|
||||
jq \
|
||||
openrc \
|
||||
openssh-client \
|
||||
rng-tools@community \
|
||||
sfdisk \
|
||||
strace \
|
||||
sysklogd \
|
||||
|
@ -13,7 +13,7 @@ e2fsprogs-extra 1.43.3-r0
|
||||
e2fsprogs-libs 1.43.3-r0
|
||||
expat 2.2.0-r0
|
||||
fuse 2.9.7-r0
|
||||
git 2.10.2-r0
|
||||
git 2.11.0-r0
|
||||
hvtools 4.4.15-r0
|
||||
iptables 1.6.0-r0
|
||||
jq 1.5-r3
|
||||
@ -40,7 +40,6 @@ oniguruma 6.1.2-r0
|
||||
openrc 0.21.7-r3
|
||||
openssh-client 7.3_p1-r2
|
||||
pcre 8.39-r0
|
||||
rng-tools 5-r3
|
||||
scanelf 1.1.6-r0
|
||||
sfdisk 2.28.2-r0
|
||||
strace 4.14-r0
|
||||
|
@ -1,2 +1 @@
|
||||
http://dl-cdn.alpinelinux.org/alpine/v3.5/main
|
||||
@community http://dl-cdn.alpinelinux.org/alpine/v3.5/community
|
||||
|
@ -3,9 +3,11 @@ RUN \
|
||||
apk update && apk upgrade && \
|
||||
apk add \
|
||||
alpine-sdk \
|
||||
argp-standalone \
|
||||
automake \
|
||||
bash \
|
||||
bc \
|
||||
cmake \
|
||||
curl \
|
||||
gmp-dev \
|
||||
installkernel \
|
||||
|
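--- /dev/null
+++ b/alpine/base/tini/Dockerfile
@@ -0,0 +1,9 @@
+# Tag: 7b94dce736818ca5c9d5367be360b79714687ca5
+FROM mobylinux/alpine-build-c@sha256:9157aa25a781b5c47c563c0b9a5d564d41b32ceac9bf26d1e1249e8849d62c8b
+
+ENV TINI_VERSION=0.13.0
+ADD https://github.com/krallin/tini/archive/v${TINI_VERSION}.tar.gz tini-${TINI_VERSION}.tar.gz
+RUN zcat tini-${TINI_VERSION}.tar.gz | tar xvf -
+WORKDIR tini-${TINI_VERSION}
+RUN cmake . && make
+RUN cp -a tini-static /bin/tini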
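Review bot: The tini source tarball is fetched at build time with `ADD https://github.com/krallin/tini/archive/v${TINI_VERSION}.tar.gz …` and never verified, so whatever that URL serves on a given day becomes /bin/tini, the init that the new rng-tools container wraps around rngd. The sibling alpine/containers/rng-tools/Dockerfile in this same commit checks its upstream tarball with `RUN sha256sum -c sha256sums`; the same pattern fits here: ship a `sha256sums` file holding `<sha256 of tini-0.13.0.tar.gz>  tini-0.13.0.tar.gz` and add `COPY sha256sums .` and `RUN sha256sum -c sha256sums` between the ADD and the `RUN zcat …` line. Note that the `hash:` rule in alpine/base/tini/Makefile sends only `Dockerfile` to the build context (`tar cf - $^` with Dockerfile as its sole prerequisite), so the checksum file would have to be added to that prerequisite list as well.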
27
alpine/base/tini/Makefile
Normal file
27
alpine/base/tini/Makefile
Normal file
@ -0,0 +1,27 @@
|
||||
.PHONY: tag push
|
||||
|
||||
IMAGE=tini
|
||||
|
||||
default: push
|
||||
|
||||
hash: Dockerfile
|
||||
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
|
||||
docker run --entrypoint sh $(IMAGE):build -c 'cat /Dockerfile /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
|
||||
|
||||
push: hash
|
||||
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
|
||||
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
|
||||
docker push mobylinux/$(IMAGE):$(shell cat hash))
|
||||
docker rmi $(IMAGE):build
|
||||
rm -f hash
|
||||
|
||||
tag: hash
|
||||
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
|
||||
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
|
||||
docker rmi $(IMAGE):build
|
||||
rm -f hash
|
||||
|
||||
clean:
|
||||
rm -f hash
|
||||
|
||||
.DELETE_ON_ERROR:
|
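Review bot: `docker run --entrypoint sh $(IMAGE):build -c '…'` in the `hash` rule has no `--rm`, so every `make hash`, `push` or `tag` leaves an exited container behind, while the rng-tools Makefile in this commit runs its one-shot commands as `docker run --rm --net=none …`; change it to `docker run --rm --net=none --entrypoint sh $(IMAGE):build -c '…'`. `.PHONY: tag push` omits `default` and `clean`, both command targets here, so a stray file named `clean` would silently turn `make clean` into a no-op; `.PHONY: default tag push clean`. The hash is taken from `/Dockerfile` inside the image, but nothing in alpine/base/tini/Dockerfile copies the Dockerfile in — if the base image does not provide it, `cat` only complains on stderr and the pipeline still exits 0 through `sha1sum`, so the tag would be derived from the apk database alone; worth confirming against the built image.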
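--- /dev/null
+++ b/alpine/containers/rng-tools/.gitignore
@@ -0,0 +1,2 @@
+rootfs
+tini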
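--- /dev/null
+++ b/alpine/containers/rng-tools/Dockerfile
@@ -0,0 +1,33 @@
+FROM mobylinux/alpine-build-c:701eedf80c332bafcb8dd085b758702ed37dab0e
+
+ENV pkgname=rng-tools pkgver=5
+
+COPY . .
+
+RUN curl -O -sSL http://downloads.sourceforge.net/project/gkernel/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz
+RUN sha256sum -c sha256sums
+RUN zcat $pkgname-$pkgver.tar.gz | tar xf -
+
+WORKDIR $pkgname-$pkgver
+RUN for p in ../*.patch; do cat $p | patch -p1; done
+
+RUN export LIBS="-largp" && \
+LDFLAGS=-static ./configure \
+--prefix=/usr \
+--libexecdir=/usr/lib/rng-tools \
+--sysconfdir=/etc \
+--disable-silent-rules && \
+make && \
+make DESTDIR=/ install && \
+strip /usr/sbin/rngd
+
+WORKDIR /rootfs
+
+RUN mkdir -p dev proc sys usr/sbin bin
+
+RUN cp -a /usr/sbin/rngd usr/sbin/
+RUN cp -a /tini bin/
+
+RUN printf 'FROM scratch\nCOPY . ./\nCMD ["/bin/tini", "/usr/sbin/rngd", "-f"]\n' > Dockerfile
+
+CMD ["tar", "cf", "-", "."]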
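Review bot: `FROM mobylinux/alpine-build-c:701eedf80c332bafcb8dd085b758702ed37dab0e` pins the builder by tag, whereas every other Dockerfile in this commit pins its base by content digest (`FROM …@sha256:…` under a `# Tag:` comment); a tag can be re-pushed, so the toolchain that produces the static rngd is not actually fixed. Pinning the same way — `# Tag: 701eedf80c332bafcb8dd085b758702ed37dab0e` above `FROM mobylinux/alpine-build-c@sha256:<digest of that tag>` — makes the build reproducible and consistent with alpine/base/tini/Dockerfile. The `curl` download is plain HTTP, which is acceptable only because `RUN sha256sum -c sha256sums` on the next line checks the tarball; adding `-f` (`curl -fO -sSL …`) makes an HTTP error fail the build with a clear message instead of letting sha256sum reject an error page later.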
26
alpine/containers/rng-tools/Makefile
Normal file
26
alpine/containers/rng-tools/Makefile
Normal file
@ -0,0 +1,26 @@
|
||||
# Tag 7b94dce736818ca5c9d5367be360b79714687ca5
|
||||
TINI_IMAGE=mobylinux/tini@sha256:5f697e501ce12af1c72fbdf5dd74299bcc8c4f58e6215a7c48627dc6e11d9a29
|
||||
TINI_BINARY=tini
|
||||
|
||||
default: rootfs
|
||||
|
||||
$(TINI_BINARY): Dockerfile
|
||||
docker run --rm --net=none $(TINI_IMAGE) tar cf - -C /bin $@ | tar xf -
|
||||
|
||||
rootfs: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY)
|
||||
mkdir -p $@
|
||||
BUILD=$$( tar cf - $^ | docker build -q - ) && \
|
||||
[ -n "$$BUILD" ] && \
|
||||
echo "Built $$BUILD" && \
|
||||
IMAGE=$$( docker run --rm --net=none $$BUILD | docker build -q - ) && \
|
||||
[ -n "$$IMAGE" ] && \
|
||||
echo "Built $$IMAGE" && \
|
||||
CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
|
||||
docker export $$CONTAINER | tar -xf - -C $@ && \
|
||||
docker rm $$CONTAINER && \
|
||||
( cd $@ && rm -rf .dockerenv Dockerfile dev/* etc/hostname etc/hosts etc/mtab etc/resolv.conf )
|
||||
|
||||
clean:
|
||||
rm -rf rootfs $(TINI_BINARY)
|
||||
|
||||
.DELETE_ON_ERROR:
|
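Review bot: `$(TINI_BINARY): Dockerfile` ties the extracted tini binary to the wrong input: the binary comes from `$(TINI_IMAGE)`, set in this Makefile, so bumping the pinned tini digest will not re-extract `tini` while an unrelated Dockerfile edit will; `$(TINI_BINARY): $(lastword $(MAKEFILE_LIST))` (or simply `Makefile`) states the real dependency. In the `rootfs` rule, `docker rm $$CONTAINER` runs only if `docker export … | tar -xf - -C $@` succeeds, so a failed extraction leaks the created container, and because `mkdir -p $@` runs before the pipeline a failed run leaves a half-populated `rootfs` that `.DELETE_ON_ERROR` cannot remove (make unlinks files, not directories) and that looks up to date on the next run. Extracting into `$@.tmp`, always removing the container, and renaming at the end closes both gaps. A stylistic nit: the header reads `# Tag 7b94…` while the other files in this commit use `# Tag: …`.
```make
rootfs: Dockerfile fix-textrels-on-PIC-x86.patch sha256sums $(TINI_BINARY)
	rm -rf $@.tmp && mkdir -p $@.tmp
	# … unchanged: BUILD= and IMAGE= steps with their [ -n ] checks …
	CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
	{ docker export $$CONTAINER | tar -xf - -C $@.tmp; status=$$?; docker rm $$CONTAINER; [ $$status -eq 0 ]; } && \
	( cd $@.tmp && rm -rf .dockerenv Dockerfile dev/* etc/hostname etc/hosts etc/mtab etc/resolv.conf ) && \
	rm -rf $@ && mv $@.tmp $@
```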
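--- /dev/null
+++ b/alpine/containers/rng-tools/config.json
@@ -0,0 +1,158 @@
+{
+"ociVersion": "1.0.0-rc2-dev",
+"platform": {
+"os": "linux",
+"arch": "amd64"
+},
+"process": {
+"terminal": false,
+"user": {
+"uid": 0,
+"gid": 0
+},
+"args": [
+"/bin/tini",
+"/usr/sbin/rngd",
+"-f"
+],
+"env": [
+"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+],
+"cwd": "/",
+"capabilities": [
+"CAP_SYS_ADMIN"
+],
+"rlimits": [
+{
+"type": "RLIMIT_NOFILE",
+"hard": 1024,
+"soft": 1024
+}
+],
+"noNewPrivileges": true
+},
+"root": {
+"path": "rootfs",
+"readonly": true
+},
+"hostname": "gloomy_saha",
+"mounts": [
+{
+"destination": "/proc",
+"type": "proc",
+"source": "proc"
+},
+{
+"destination": "/dev",
+"type": "tmpfs",
+"source": "tmpfs",
+"options": [
+"nosuid",
+"strictatime",
+"mode=755",
+"size=65536k"
+]
+},
+{
+"destination": "/dev/pts",
+"type": "devpts",
+"source": "devpts",
+"options": [
+"nosuid",
+"noexec",
+"newinstance",
+"ptmxmode=0666",
+"mode=0620",
+"gid=5"
+]
+},
+{
+"destination": "/dev/shm",
+"type": "tmpfs",
+"source": "shm",
+"options": [
+"nosuid",
+"noexec",
+"nodev",
+"mode=1777",
+"size=65536k"
+]
+},
+{
+"destination": "/dev/mqueue",
+"type": "mqueue",
+"source": "mqueue",
+"options": [
+"nosuid",
+"noexec",
+"nodev"
+]
+},
+{
+"destination": "/sys",
+"type": "sysfs",
+"source": "sysfs",
+"options": [
+"nosuid",
+"noexec",
+"nodev"
+]
+},
+{
+"destination": "/sys/fs/cgroup",
+"type": "cgroup",
+"source": "cgroup",
+"options": [
+"nosuid",
+"noexec",
+"nodev",
+"relatime",
+"ro"
+]
+}
+],
+"hooks": {},
+"linux": {
+"resources": {
+"devices": [
+{
+"allow": false,
+"access": "rwm"
+}
+]
+},
+"namespaces": [
+{
+"type": "pid"
+},
+{
+"type": "network"
+},
+{
+"type": "ipc"
+},
+{
+"type": "uts"
+},
+{
+"type": "mount"
+}
+],
+"maskedPaths": [
+"/proc/kcore",
+"/proc/latency_stats",
+"/proc/timer_list",
+"/proc/timer_stats",
+"/proc/sched_debug",
+"/sys/firmware"
+],
+"readonlyPaths": [
+"/proc/asound",
+"/proc/bus",
+"/proc/fs",
+"/proc/irq",
+"/proc/sys",
+"/proc/sysrq-trigger"
+]
+}
+}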
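Review bot: The cgroup device rule `"allow": false, "access": "rwm"` denies every device and `/dev` is mounted as an empty tmpfs, so rngd can reach only whatever device nodes the runtime injects by default; `/dev/hwrng`, the input rngd reads by default, is declared nowhere in this file, and `/dev/random`, the output it feeds through RNDADDENTROPY, is relied on being created by the runtime. If the hardware source is intended, declare it under `linux.devices` (`{"path": "/dev/hwrng", "type": "c", "major": 10, "minor": 183}`) with a matching `"allow": true` read rule in `linux.resources.devices`; if only the RDRAND path is intended (the bundled patch touches rdrand_asm.S), that assumption belongs in the commit message or a README, since JSON cannot carry a comment. `CAP_SYS_ADMIN` is what RNDADDENTROPY requires, so the capability list cannot be narrowed, and `"noNewPrivileges": true` together with the read-only root is what keeps that broad capability contained — worth keeping in mind for anyone later loosening either. `"hostname": "gloomy_saha"` looks like a Docker-generated name that leaked into the config; `"hostname": "rngd"` would be clearer.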
50
alpine/containers/rng-tools/fix-textrels-on-PIC-x86.patch
Normal file
50
alpine/containers/rng-tools/fix-textrels-on-PIC-x86.patch
Normal file
@ -0,0 +1,50 @@
|
||||
--- rng-tools/rdrand_asm.S
|
||||
+++ rng-tools/rdrand_asm.S
|
||||
@@ -49,6 +49,7 @@
|
||||
ret
|
||||
ENDPROC(x86_rdrand_nlong)
|
||||
|
||||
+#define INIT_PIC()
|
||||
#define SETPTR(var,ptr) leaq var(%rip),ptr
|
||||
#define PTR0 %rdi
|
||||
#define PTR1 %rsi
|
||||
@@ -84,7 +85,16 @@
|
||||
ret
|
||||
ENDPROC(x86_rdrand_nlong)
|
||||
|
||||
+#if defined(__PIC__)
|
||||
+#undef __i686 /* gcc builtin define gets in our way */
|
||||
+#define INIT_PIC() \
|
||||
+ call __i686.get_pc_thunk.bx ; \
|
||||
+ addl $_GLOBAL_OFFSET_TABLE_, %ebx
|
||||
+#define SETPTR(var,ptr) leal (var)@GOTOFF(%ebx),ptr
|
||||
+#else
|
||||
+#define INIT_PIC()
|
||||
#define SETPTR(var,ptr) movl $(var),ptr
|
||||
+#endif
|
||||
#define PTR0 %eax
|
||||
#define PTR1 %edx
|
||||
#define PTR2 %ecx
|
||||
@@ -101,6 +111,7 @@
|
||||
movl 8(%ebp), %eax
|
||||
movl 12(%ebp), %edx
|
||||
#endif
|
||||
+ INIT_PIC()
|
||||
|
||||
SETPTR(aes_round_keys, PTR2)
|
||||
|
||||
@@ -166,6 +177,17 @@
|
||||
#endif
|
||||
ret
|
||||
ENDPROC(x86_aes_mangle)
|
||||
+
|
||||
+#if defined(__i386__) && defined(__PIC__)
|
||||
+ .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits
|
||||
+.globl __i686.get_pc_thunk.bx
|
||||
+ .hidden __i686.get_pc_thunk.bx
|
||||
+ .type __i686.get_pc_thunk.bx,@function
|
||||
+__i686.get_pc_thunk.bx:
|
||||
+ movl (%esp), %ebx
|
||||
+ ret
|
||||
+#endif
|
||||
+
|
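--- /dev/null
+++ b/alpine/containers/rng-tools/sha256sums
@@ -0,0 +1 @@
+60a102b6603bbcce2da341470cad42eeaa9564a16b4490e7867026ca11a3078e rng-tools-5.tar.gz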
@ -1 +0,0 @@
|
||||
RNGD_OPTS=""
|
@ -7,3 +7,4 @@ net.ipv4.neigh.default.gc_thresh3 = 32768
|
||||
fs.aio-max-nr = 1048576
|
||||
fs.inotify.max_user_watches = 524288
|
||||
fs.file-max = 524288
|
||||
kernel.random.write_wakeup_threshold = 3072
|
||||
|
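Review bot: `kernel.random.write_wakeup_threshold = 3072` is a bare magic number, and unlike the neighbouring limits it directly controls when the kernel wakes entropy writers such as the rngd this commit moves into a system container, so its rationale belongs next to it. The file accepts `#` comments: `# wake entropy writers (the rngd container) when the pool drops below this many bits`, ideally with a word on why 3072 rather than the kernel default. Since the value only has an effect while rngd is running, the sysctl and the container should be kept in step if either is changed later.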
@ -21,11 +21,16 @@ start()
|
||||
|
||||
ebegin "Running system containers"
|
||||
|
||||
LOG=/var/log/system-containers.log
|
||||
touch $LOG
|
||||
|
||||
for f in /containers/*
|
||||
do
|
||||
# note we attach, so will be synchronous for now
|
||||
containerd-ctr containers start --no-pivot --attach "$(basename $f)" "$f"
|
||||
containerd-ctr containers start --no-pivot --attach "$(basename $f)" "$f" 2>$LOG >$LOG &
|
||||
printf " $(basename $f)"
|
||||
done
|
||||
|
||||
printf "\n"
|
||||
|
||||
eend $? "Failed to start system containers"
|
||||
}
|
||||
|
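Review bot: `containerd-ctr containers start --no-pivot --attach "$(basename $f)" "$f" 2>$LOG >$LOG &` opens the log twice with truncating redirections, so a container's stdout and stderr overwrite each other from offset 0, and every container started by the loop does the same to the one shared file; a single appending redirection, `>>$LOG 2>&1 &`, keeps all output. Because the command is now backgrounded, the comment `# note we attach, so will be synchronous for now` directly above it is stale and should say something like `# attached, but backgrounded so the loop does not block on a long-running container`. `eend $?` after `printf "\n"` reports the status of printf rather than of any container start — that was already true before this change, but with the starts in the background there is now no point at which a failure could be observed at all. `touch $LOG` creates the file under the ambient umask; since container output may carry anything the services print, `chmod 600 $LOG` right after it is a cheap hardening. start() begins before this hunk.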