diff --git a/blueprints/docker-for-mac/base.yml b/blueprints/docker-for-mac/base.yml index 41950218a..b5a3b2edd 100644 --- a/blueprints/docker-for-mac/base.yml +++ b/blueprints/docker-for-mac/base.yml @@ -12,7 +12,7 @@ onboot: - name: metadata image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt diff --git a/examples/aws.yml b/examples/aws.yml index 4f155731b..2bd22ddb8 100644 --- a/examples/aws.yml +++ b/examples/aws.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] @@ -16,7 +16,7 @@ onboot: image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: sshd image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c binds: diff --git a/examples/azure.yml b/examples/azure.yml index 44de5e950..535de8184 100644 --- a/examples/azure.yml +++ b/examples/azure.yml 
@@ -8,10 +8,10 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/examples/docker.yml b/examples/docker.yml index 56d9e186e..0d22bcc1a 100644 --- a/examples/docker.yml +++ b/examples/docker.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt @@ -24,7 +24,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: ntpd diff --git a/examples/gcp.yml b/examples/gcp.yml index ca73dd9d5..f4b8815e0 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] 
@@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: sshd image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c binds: diff --git a/examples/getty.yml b/examples/getty.yml index 5d4743c56..a4f0e660a 100644 --- a/examples/getty.yml +++ b/examples/getty.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] @@ -19,7 +19,7 @@ services: #env: # - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index 10142827f..21adbde9b 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml @@ -11,7 +11,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: node_exporter diff --git a/examples/packet.yml b/examples/packet.yml index f552bbf9c..42c8ab5b9 100644 --- a/examples/packet.yml +++ b/examples/packet.yml 
@@ -8,10 +8,10 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/examples/sshd.yml b/examples/sshd.yml index b4a9b727c..e35723672 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -8,14 +8,17 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 + - name: rngd1 + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf + command: ["/sbin/rngd", "-1"] services: - name: getty image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02 env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/examples/swap.yml b/examples/swap.yml index a02702544..865abcb78 100644 --- a/examples/swap.yml +++ b/examples/swap.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] 
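Review bot: The new `rngd1` onboot entry in examples/sshd.yml carries no comment saying why rngd runs twice in this example or that `-1` is the oneshot flag, and the name `rngd1` does not convey it either; the reader has to open pkg/rngd/cmd/rngd/main.go to find that `-1` sets the epoll timeout to 0 and exits once /dev/random stops accepting writes. Suggest a comment above the entry such as `# oneshot rngd (-1): top up /dev/random during onboot; the rngd service below keeps feeding it afterwards`, hedged as needed if the intent is different. Note also that with the new main.go an `initRand()` failure (no RDRAND/RDSEED, or a non-amd64 build) makes this onboot container exit through log.Fatalf; how init treats a failed onboot container is outside this diff, so confirm it does not abort the boot on such hosts.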
@@ -28,7 +28,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/examples/tpm.yml b/examples/tpm.yml index 35d4706d6..5524435ea 100644 --- a/examples/tpm.yml +++ b/examples/tpm.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:4b7b8bb024cebb1bbb9c8026d44d7cbc8e202c41 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] @@ -20,7 +20,7 @@ services: - name: tss image: linuxkit/tss:51d73be868e12af76965f5682ed59309c19972b6 - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/vmware.yml b/examples/vmware.yml index 81d46fa9c..54bd2ca94 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -8,14 +8,14 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: getty image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02 env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: nginx diff --git a/examples/vultr.yml b/examples/vultr.yml index 377f3002b..0f203dc0d 100644 --- a/examples/vultr.yml +++ b/examples/vultr.yml 
@@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: sshd image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c binds: diff --git a/linuxkit.yml b/linuxkit.yml index 49d482014..5d263b46d 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: binfmt image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628 - name: dhcpcd @@ -24,7 +24,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/pkg/rngd/Dockerfile b/pkg/rngd/Dockerfile index e877bda5a..0ff49e675 100644 --- a/pkg/rngd/Dockerfile +++ b/pkg/rngd/Dockerfile 
@@ -1,46 +1,15 @@ -FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS mirror -RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/ -RUN apk add --no-cache --initdb -p /out \ - tini -RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache -RUN mkdir -p /out/dev /out/proc /out/sys +FROM linuxkit/alpine:c23813875499d85163dc358fc6370c9de650df57 AS mirror -FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS build -RUN apk add \ - argp-standalone \ - automake \ - curl \ - gcc \ - linux-headers \ - make \ - musl-dev \ - patch +RUN apk add --no-cache go gcc musl-dev linux-headers +ENV GOPATH=/go PATH=$PATH:/go/bin -COPY . / - -ENV pkgname=rng-tools pkgver=5 - -RUN curl -fSL "http://downloads.sourceforge.net/project/gkernel/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz" -o "$pkgname-$pkgver.tar.gz" -RUN sha256sum -c sha256sums -RUN zcat $pkgname-$pkgver.tar.gz | tar xf - - -RUN cd $pkgname-$pkgver && for p in ../*.patch; do cat $p | patch -p1; done - -RUN cd $pkgname-$pkgver && \ - export LIBS="-largp" && \ - LDFLAGS=-static ./configure \ - --prefix=/usr \ - --libexecdir=/usr/lib/rng-tools \ - --sysconfdir=/etc \ - --disable-silent-rules && \ - make && \ - make DESTDIR=/ install && \ - strip /usr/sbin/rngd +COPY cmd/rngd/*.go /go/src/rngd/ +RUN REQUIRE_CGO=1 go-compile.sh /go/src/rngd FROM scratch ENTRYPOINT [] +CMD [] WORKDIR / -COPY --from=mirror /out/ / -COPY --from=build usr/sbin/rngd usr/sbin/rngd -CMD ["/sbin/tini", "/usr/sbin/rngd", "-f"] +COPY --from=mirror /go/bin/rngd /sbin/rngd +CMD ["/sbin/rngd"] LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_ADMIN"], "oomScoreAdj": -800, "readonly": true, "net": "new", "ipc": "new"}' diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index c37ede3ef..ed48b44aa 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -1,4 +1,4 @@ IMAGE=rngd -NETWORK=1 +DEPS=$(wildcard cmd/rngd/*.go) include ../package.mk 
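Review bot: The `CMD []` added directly after `ENTRYPOINT []` is dead: only the last CMD in the stage takes effect and `CMD ["/sbin/rngd"]` follows two lines later, so the empty one should be dropped. The single remaining stage is still named `mirror` although it no longer mirrors apk packages but compiles the Go binary; renaming it `build` (with `COPY --from=build /go/bin/rngd /sbin/rngd`) would match what it does. The binary is copied into `FROM scratch`, which has no libc, and the cgo rdrand/rdseed wrappers force cgo on, so this only works if `go-compile.sh` with `REQUIRE_CGO=1` produces a statically linked executable — worth confirming in that script rather than assuming. `CAP_SYS_ADMIN` in the label remains necessary, since the new rngd issues the RNDADDENTROPY ioctl.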
diff --git a/pkg/rngd/cmd/rngd/main.go b/pkg/rngd/cmd/rngd/main.go new file mode 100644 index 000000000..31708e261 --- /dev/null +++ b/pkg/rngd/cmd/rngd/main.go @@ -0,0 +1,66 @@ +package main + +import ( + "log" + "os" + "syscall" +) + +func main() { + oneshot := len(os.Args) > 1 && os.Args[1] == "-1" + + timeout := -1 + if oneshot { + timeout = 0 + } + + supported := initRand() + if !supported { + log.Fatalf("No random source available") + } + + random, err := os.Open("/dev/random") + if err != nil { + log.Fatalf("Cannot open /dev/random: %v", err) + } + defer random.Close() + fd := int(random.Fd()) + + epfd, err := syscall.EpollCreate1(0) + if err != nil { + log.Fatalf("epoll create error: %v", err) + } + defer syscall.Close(epfd) + + var event syscall.EpollEvent + var events [1]syscall.EpollEvent + + event.Events = syscall.EPOLLOUT + event.Fd = int32(fd) + if err := syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); err != nil { + log.Fatalf("epoll add error: %v", err) + } + + count := 0 + + for { + // write some entropy + n, err := writeEntropy(random) + if err != nil { + log.Fatalf("write entropy: %v", err) + } + count += n + // sleep until we can write more + nevents, err := syscall.EpollWait(epfd, events[:], timeout) + if err != nil { + log.Fatalf("epoll wait error: %v", err) + } + if nevents == 1 && events[0].Events&syscall.EPOLLOUT == syscall.EPOLLOUT { + continue + } + if oneshot { + log.Printf("Wrote %d bytes of entropy, exiting as oneshot\n", count) + break + } + } +} diff --git a/pkg/rngd/cmd/rngd/rng_amd64.go b/pkg/rngd/cmd/rngd/rng_amd64.go new file mode 100644 index 000000000..eeddc71a3 --- /dev/null +++ b/pkg/rngd/cmd/rngd/rng_amd64.go 
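Review bot: In the wait loop of `main`, every error from `syscall.EpollWait` is fatal, including `EINTR`; epoll_wait is never restarted after a signal handler regardless of SA_RESTART, so a stray signal takes the daemon down instead of being retried. Check it before the Fatalf, e.g. `if err == syscall.EINTR { continue }` (re-entering the loop writes one more 8-byte chunk first, which is harmless). A smaller point: only `-1` is recognised and any other argument is silently ignored, so a one-line usage message for unknown arguments would make misconfiguration visible in the logs; the two `defer` calls never run on the Fatalf paths, which is acceptable since the process exits, but a short comment saying so would stop the next reader from "fixing" it.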
@@ -0,0 +1,84 @@ +package main + +// #cgo CFLAGS: -mrdrnd -mrdseed +// #include +// #include +// #include +// #include +// #include +// #include +// +// int hasrdrand() { +// unsigned int eax, ebx, ecx, edx; +// __get_cpuid(1, &eax, &ebx, &ecx, &edx); +// +// return ((ecx & bit_RDRND) == bit_RDRND); +// } +// +// int hasrdseed() { +// unsigned int eax, ebx, ecx, edx; +// __get_cpuid(7, &eax, &ebx, &ecx, &edx); +// +// return ((ebx & bit_RDSEED) == bit_RDSEED); +// } +// +// int rdrand(uint64_t *val) { +// return _rdrand64_step((unsigned long long *)val); +// } +// +// int rdseed(uint64_t *val) { +// return _rdseed64_step((unsigned long long *)val); +// } +// +// int rndaddentropy = RNDADDENTROPY; +// +import "C" + +import ( + "errors" + "os" + "syscall" + "unsafe" +) + +var hasRdrand, hasRdseed bool + +type randInfo struct { + entropyCount int + size int + buf uint64 +} + +func initRand() bool { + hasRdrand = C.hasrdrand() == 1 + hasRdseed = C.hasrdseed() == 1 + return hasRdrand || hasRdseed +} + +func rand() (uint64, error) { + var x C.uint64_t + // prefer rdseed as that is correct seed + if hasRdseed && C.rdseed(&x) == 1 { + return uint64(x), nil + } + // failed rdseed, rdrand better than nothing + if hasRdrand && C.rdrand(&x) == 1 { + return uint64(x), nil + } + return 0, errors.New("No randomness available") +} + +func writeEntropy(random *os.File) (int, error) { + r, err := rand() + if err != nil { + // assume can fail occasionally + return 0, nil + } + const entropy = 64 // they are good random numbers, Brent + info := randInfo{entropy, 8, r} + ret, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info))) + if ret == 0 { + return 8, nil + } + return 0, err +} diff --git a/pkg/rngd/cmd/rngd/rng_unsupported.go b/pkg/rngd/cmd/rngd/rng_unsupported.go new file mode 100644 index 000000000..e5bbc79d2 --- /dev/null +++ b/pkg/rngd/cmd/rngd/rng_unsupported.go 
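Review bot: `randInfo` does not match the kernel's `struct rand_pool_info` on amd64: `entropyCount int` and `size int` are 64-bit in Go, whereas the kernel reads two consecutive C `int`s (32-bit) and then the buffer. If I read linux/random.h correctly, the kernel therefore sees entropy_count=64 and buf_size=0 (the upper half of entropyCount), so RNDADDENTROPY credits 64 bits of entropy per call while mixing in no random bytes at all — the opposite of what an rngd must do, and it silently inflates the pool's entropy estimate. Declare the fields as `entropyCount int32` and `size int32` so the struct is 16 bytes with `buf` at offset 8, and consider a test asserting `unsafe.Sizeof(randInfo{}) == 16`. Separately, `hasrdseed()` calls `__get_cpuid(7, …)`, which does not set the ECX subleaf (leaf 7 is subleaf-indexed, 0 is wanted) and leaves the outputs unset when the CPU's maximum basic leaf is below 7, so `hasRdseed` can be derived from garbage; `__get_cpuid_count(7, 0, …)` with its return value checked avoids both.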
@@ -0,0 +1,13 @@ +// +build !amd64 + +package main + +import "errors" + +func initRand() bool { + return false +} + +func rand() (uint64, error) { + return 0, errors.New("No rng available") +} diff --git a/pkg/rngd/fix-textrels-on-PIC-x86.patch b/pkg/rngd/fix-textrels-on-PIC-x86.patch deleted file mode 100644 index 7ea76d6fd..000000000 --- a/pkg/rngd/fix-textrels-on-PIC-x86.patch +++ /dev/null @@ -1,50 +0,0 @@ ---- rng-tools/rdrand_asm.S -+++ rng-tools/rdrand_asm.S -@@ -49,6 +49,7 @@ - ret - ENDPROC(x86_rdrand_nlong) - -+#define INIT_PIC() - #define SETPTR(var,ptr) leaq var(%rip),ptr - #define PTR0 %rdi - #define PTR1 %rsi -@@ -84,7 +85,16 @@ - ret - ENDPROC(x86_rdrand_nlong) - -+#if defined(__PIC__) -+#undef __i686 /* gcc builtin define gets in our way */ -+#define INIT_PIC() \ -+ call __i686.get_pc_thunk.bx ; \ -+ addl $_GLOBAL_OFFSET_TABLE_, %ebx -+#define SETPTR(var,ptr) leal (var)@GOTOFF(%ebx),ptr -+#else -+#define INIT_PIC() - #define SETPTR(var,ptr) movl $(var),ptr -+#endif - #define PTR0 %eax - #define PTR1 %edx - #define PTR2 %ecx -@@ -101,6 +111,7 @@ - movl 8(%ebp), %eax - movl 12(%ebp), %edx - #endif -+ INIT_PIC() - - SETPTR(aes_round_keys, PTR2) - -@@ -166,6 +177,17 @@ - #endif - ret - ENDPROC(x86_aes_mangle) -+ -+#if defined(__i386__) && defined(__PIC__) -+ .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits -+.globl __i686.get_pc_thunk.bx -+ .hidden __i686.get_pc_thunk.bx -+ .type __i686.get_pc_thunk.bx,@function -+__i686.get_pc_thunk.bx: -+ movl (%esp), %ebx -+ ret -+#endif -+ diff --git a/pkg/rngd/sha256sums b/pkg/rngd/sha256sums deleted file mode 100644 index 8416a085c..000000000 --- a/pkg/rngd/sha256sums +++ /dev/null @@ -1 +0,0 @@ -60a102b6603bbcce2da341470cad42eeaa9564a16b4490e7867026ca11a3078e rng-tools-5.tar.gz diff --git a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf index fb4fb4e82..bb59b989c 100644 --- a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf +++ b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf 
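Review bot: This `!amd64` file defines `initRand` and `rand` but not `writeEntropy`, which main.go calls unconditionally, so the package fails to compile on every non-amd64 target (`undefined: writeEntropy`); conversely `rand` is only ever called from the amd64 file, so the stub here is unused. Add the missing stub, e.g. `func writeEntropy(_ *os.File) (int, error) { return 0, errors.New("No rng available") }` with `os` added to the imports, so the build succeeds and the daemon fails cleanly through `initRand()` returning false as main.go already expects.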
@@ -13,6 +13,8 @@ net.ipv4.neigh.default.gc_thresh3 = 32768 fs.aio-max-nr = 1048576 fs.inotify.max_user_watches = 524288 fs.file-max = 524288 +# for rngd +kernel.random.write_wakeup_threshold = 3072 # security restrictions kernel.kptr_restrict = 2 net.ipv4.conf.all.send_redirects = 0 diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml index 429374582..c120151d3 100644 --- a/projects/compose/compose-dynamic.yml +++ b/projects/compose/compose-dynamic.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: dhcpcd @@ -23,7 +23,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: docker diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml index f34bdefc0..5a66148d7 100644 --- a/projects/compose/compose-static.yml +++ b/projects/compose/compose-static.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: dhcpcd 
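Review bot: The `# for rngd` comment does not say what `kernel.random.write_wakeup_threshold` controls or which unit 3072 is in, and the value has to agree with the new rngd, which sleeps in `EpollWait` until /dev/random reports EPOLLOUT. Suggest `# for rngd: /dev/random signals EPOLLOUT (waking rngd) once the input pool drops below 3072 bits of entropy` so the coupling to pkg/rngd/cmd/rngd/main.go is visible from this file. The line is placed in the general block just above the `# security restrictions` header, which reads correctly; only the comment needs the extra detail.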
@@ -23,7 +23,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: docker diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 3a7b995c5..3e18544eb 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: format image: linuxkit/format:efafddf9bc6165b5efaf09c532c15a1100a10e61 - name: mount @@ -21,7 +21,7 @@ onboot: image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: node_exporter diff --git a/projects/etcd/prom-us-central1-f.yml b/projects/etcd/prom-us-central1-f.yml index 7976dd665..8633bc0f2 100644 --- a/projects/etcd/prom-us-central1-f.yml +++ b/projects/etcd/prom-us-central1-f.yml @@ -8,7 +8,7 @@ init: - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index ca596258d..4c33287df 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml 
@@ -9,7 +9,7 @@ init: - linuxkit/ima-utils:dfeb3896fd29308b80ff9ba7fe5b8b767e40ca29 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: binfmt image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628 - name: dhcpcd @@ -17,7 +17,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index 2c5a92a3b..8094fe51d 100644 --- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt @@ -34,7 +34,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: sshd diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml index 4e2d5a4cf..940ef3b63 100644 --- a/projects/kubernetes/kube-node.yml +++ b/projects/kubernetes/kube-node.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt 
@@ -34,7 +34,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: sshd diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml index 1d97052b7..02423a872 100644 --- a/projects/logging/examples/logging.yml +++ b/projects/logging/examples/logging.yml @@ -9,7 +9,7 @@ init: - linuxkit/memlogd:9b5834189f598f43c507f6938077113906f51012 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: binfmt image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628 - name: dhcpcd @@ -17,7 +17,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/projects/miragesdk/examples/fdd.yml b/projects/miragesdk/examples/fdd.yml index c8537c36b..b8c82ab90 100644 --- a/projects/miragesdk/examples/fdd.yml +++ b/projects/miragesdk/examples/fdd.yml @@ -9,14 +9,14 @@ init: - samoht/fdd onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: getty image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02 env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b files: diff --git a/projects/miragesdk/examples/mirage-dhcp.yml b/projects/miragesdk/examples/mirage-dhcp.yml index f4a99ed77..16c88ea48 100644 
--- a/projects/miragesdk/examples/mirage-dhcp.yml +++ b/projects/miragesdk/examples/mirage-dhcp.yml @@ -7,7 +7,7 @@ init: - linuxkit/containerd:1ff17c0908bed91a7bff252fba2e3d360d05a3de onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcp-client image: miragesdk/dhcp-client:22aa9d527820534295a8cd59901c0c5197af6585 net: host diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml index 31cef099c..2c2d7a0d8 100644 --- a/projects/okernel/examples/okernel_simple.yaml +++ b/projects/okernel/examples/okernel_simple.yaml @@ -8,10 +8,10 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/projects/shiftfs/shiftfs.yml b/projects/shiftfs/shiftfs.yml index 61df54bc8..1364bd63c 100644 --- a/projects/shiftfs/shiftfs.yml +++ b/projects/shiftfs/shiftfs.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: binfmt image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628 - name: dhcpcd @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: 
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index 2c4df8fc0..d76542184 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 binds: - /etc/sysctl.d/01-swarmd.conf:/etc/sysctl.d/01-swarmd.conf - name: dhcpcd @@ -31,7 +31,7 @@ services: binds: - /dev/vport0p1:/dev/vport0p1 - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: weave diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml index 79d148bb3..351478160 100644 --- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml +++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt @@ -20,7 +20,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: docker diff --git a/test/cases/040_packages/003_containerd/test-containerd.yml b/test/cases/040_packages/003_containerd/test-containerd.yml index 1168b5d46..faf73fc8c 100644 --- a/test/cases/040_packages/003_containerd/test-containerd.yml 
+++ b/test/cases/040_packages/003_containerd/test-containerd.yml @@ -11,7 +11,7 @@ onboot: image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: format image: linuxkit/format:efafddf9bc6165b5efaf09c532c15a1100a10e61 - name: mount diff --git a/test/cases/040_packages/019_sysctl/test-sysctl.yml b/test/cases/040_packages/019_sysctl/test-sysctl.yml index d66670855..50001f035 100644 --- a/test/cases/040_packages/019_sysctl/test-sysctl.yml +++ b/test/cases/040_packages/019_sysctl/test-sysctl.yml @@ -6,7 +6,7 @@ init: - linuxkit/runc:842318b6ab524783554428c89a27d95af7bd2844 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: test image: alpine:3.6 net: host