From e0bc13451f295059f4d34b1aca042250ca61e695 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Mon, 31 Jul 2017 19:53:32 +0100 Subject: [PATCH 1/4] Replace rngd with a Go version Only supports the use cases we currently need, currently support for using Intel hardware rng to initialise and add entropy. Supports oneshot and service mode. Call as `rngd -1` for one shot mode. Signed-off-by: Justin Cormack --- pkg/rngd/Dockerfile | 47 +++----------- pkg/rngd/Makefile | 2 +- pkg/rngd/cmd/rngd/main.go | 66 ++++++++++++++++++++ pkg/rngd/cmd/rngd/rng_amd64.go | 84 ++++++++++++++++++++++++++ pkg/rngd/cmd/rngd/rng_unsupported.go | 13 ++++ pkg/rngd/fix-textrels-on-PIC-x86.patch | 50 --------------- pkg/rngd/sha256sums | 1 - 7 files changed, 172 insertions(+), 91 deletions(-) create mode 100644 pkg/rngd/cmd/rngd/main.go create mode 100644 pkg/rngd/cmd/rngd/rng_amd64.go create mode 100644 pkg/rngd/cmd/rngd/rng_unsupported.go delete mode 100644 pkg/rngd/fix-textrels-on-PIC-x86.patch delete mode 100644 pkg/rngd/sha256sums diff --git a/pkg/rngd/Dockerfile b/pkg/rngd/Dockerfile index e877bda5a..0ff49e675 100644 --- a/pkg/rngd/Dockerfile +++ b/pkg/rngd/Dockerfile 
@@ -1,46 +1,15 @@ -FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS mirror -RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/ -RUN apk add --no-cache --initdb -p /out \ - tini -RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache -RUN mkdir -p /out/dev /out/proc /out/sys +FROM linuxkit/alpine:c23813875499d85163dc358fc6370c9de650df57 AS mirror -FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS build -RUN apk add \ - argp-standalone \ - automake \ - curl \ - gcc \ - linux-headers \ - make \ - musl-dev \ - patch +RUN apk add --no-cache go gcc musl-dev linux-headers +ENV GOPATH=/go PATH=$PATH:/go/bin -COPY . / - -ENV pkgname=rng-tools pkgver=5 - -RUN curl -fSL "http://downloads.sourceforge.net/project/gkernel/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz" -o "$pkgname-$pkgver.tar.gz" -RUN sha256sum -c sha256sums -RUN zcat $pkgname-$pkgver.tar.gz | tar xf - - -RUN cd $pkgname-$pkgver && for p in ../*.patch; do cat $p | patch -p1; done - -RUN cd $pkgname-$pkgver && \ - export LIBS="-largp" && \ - LDFLAGS=-static ./configure \ - --prefix=/usr \ - --libexecdir=/usr/lib/rng-tools \ - --sysconfdir=/etc \ - --disable-silent-rules && \ - make && \ - make DESTDIR=/ install && \ - strip /usr/sbin/rngd +COPY cmd/rngd/*.go /go/src/rngd/ +RUN REQUIRE_CGO=1 go-compile.sh /go/src/rngd FROM scratch ENTRYPOINT [] +CMD [] WORKDIR / -COPY --from=mirror /out/ / -COPY --from=build usr/sbin/rngd usr/sbin/rngd -CMD ["/sbin/tini", "/usr/sbin/rngd", "-f"] +COPY --from=mirror /go/bin/rngd /sbin/rngd +CMD ["/sbin/rngd"] LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_ADMIN"], "oomScoreAdj": -800, "readonly": true, "net": "new", "ipc": "new"}' diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index c37ede3ef..ed48b44aa 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -1,4 +1,4 @@ IMAGE=rngd -NETWORK=1 +DEPS=$(wildcard cmd/rngd/*.go) include ../package.mk 
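Review bot: The added `CMD []` in the final stage is dead, because `CMD ["/sbin/rngd"]` a few lines later overrides it; only the last `CMD` takes effect, so the first should be dropped. The build stage also keeps the name `mirror` although it now compiles the Go program rather than mirroring packages; `AS build` would describe it. Since the final image is `FROM scratch` and the binary is built with `REQUIRE_CGO=1`, it has to be fully statically linked to start at all. `go-compile.sh` is not part of this diff, so that is worth confirming.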
diff --git a/pkg/rngd/cmd/rngd/main.go b/pkg/rngd/cmd/rngd/main.go
new file mode 100644
index 000000000..31708e261
--- /dev/null
+++ b/pkg/rngd/cmd/rngd/main.go
@@ -0,0 +1,66 @@
+package main
+
+import (
+ "log"
+ "os"
+ "syscall"
+)
+
+func main() {
+ oneshot := len(os.Args) > 1 && os.Args[1] == "-1"
+
+ timeout := -1
+ if oneshot {
+ timeout = 0
+ }
+
+ supported := initRand()
+ if !supported {
+ log.Fatalf("No random source available")
+ }
+
+ random, err := os.Open("/dev/random")
+ if err != nil {
+ log.Fatalf("Cannot open /dev/random: %v", err)
+ }
+ defer random.Close()
+ fd := int(random.Fd())
+
+ epfd, err := syscall.EpollCreate1(0)
+ if err != nil {
+ log.Fatalf("epoll create error: %v", err)
+ }
+ defer syscall.Close(epfd)
+
+ var event syscall.EpollEvent
+ var events [1]syscall.EpollEvent
+
+ event.Events = syscall.EPOLLOUT
+ event.Fd = int32(fd)
+ if err := syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); err != nil {
+ log.Fatalf("epoll add error: %v", err)
+ }
+
+ count := 0
+
+ for {
+ // write some entropy
+ n, err := writeEntropy(random)
+ if err != nil {
+ log.Fatalf("write entropy: %v", err)
+ }
+ count += n
+ // sleep until we can write more
+ nevents, err := syscall.EpollWait(epfd, events[:], timeout)
+ if err != nil {
+ log.Fatalf("epoll wait error: %v", err)
+ }
+ if nevents == 1 && events[0].Events&syscall.EPOLLOUT == syscall.EPOLLOUT {
+ continue
+ }
+ if oneshot {
+ log.Printf("Wrote %d bytes of entropy, exiting as oneshot\n", count)
+ break
+ }
+ }
+}
diff --git a/pkg/rngd/cmd/rngd/rng_amd64.go b/pkg/rngd/cmd/rngd/rng_amd64.go
new file mode 100644
index 000000000..eeddc71a3
--- /dev/null
+++ b/pkg/rngd/cmd/rngd/rng_amd64.go
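Review bot: In the service loop of `main` (main.go), every error from `syscall.EpollWait` is fatal, including `EINTR`, so a signal delivered while the daemon is blocked with `timeout = -1` terminates rngd and the host stops being fed entropy until something restarts it. Retrying is enough: put `if err == syscall.EINTR { continue }` ahead of the `log.Fatalf("epoll wait error: %v", err)`. Separately, `writeEntropy` can return `0, nil` when the hardware read fails (see rng_amd64.go), and the loop never looks at `n`. While the pool stays writable that becomes a silent busy loop, so logging or backing off when `n == 0` would make a failing RNG visible.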
@@ -0,0 +1,84 @@
+package main
+
+// #cgo CFLAGS: -mrdrnd -mrdseed
+// #include
+// #include
+// #include
+// #include
+// #include
+// #include
+//
+// int hasrdrand() {
+// unsigned int eax, ebx, ecx, edx;
+// __get_cpuid(1, &eax, &ebx, &ecx, &edx);
+//
+// return ((ecx & bit_RDRND) == bit_RDRND);
+// }
+//
+// int hasrdseed() {
+// unsigned int eax, ebx, ecx, edx;
+// __get_cpuid(7, &eax, &ebx, &ecx, &edx);
+//
+// return ((ebx & bit_RDSEED) == bit_RDSEED);
+// }
+//
+// int rdrand(uint64_t *val) {
+// return _rdrand64_step((unsigned long long *)val);
+// }
+//
+// int rdseed(uint64_t *val) {
+// return _rdseed64_step((unsigned long long *)val);
+// }
+//
+// int rndaddentropy = RNDADDENTROPY;
+//
+import "C"
+
+import (
+ "errors"
+ "os"
+ "syscall"
+ "unsafe"
+)
+
+var hasRdrand, hasRdseed bool
+
+type randInfo struct {
+ entropyCount int
+ size int
+ buf uint64
+}
+
+func initRand() bool {
+ hasRdrand = C.hasrdrand() == 1
+ hasRdseed = C.hasrdseed() == 1
+ return hasRdrand || hasRdseed
+}
+
+func rand() (uint64, error) {
+ var x C.uint64_t
+ // prefer rdseed as that is correct seed
+ if hasRdseed && C.rdseed(&x) == 1 {
+ return uint64(x), nil
+ }
+ // failed rdseed, rdrand better than nothing
+ if hasRdrand && C.rdrand(&x) == 1 {
+ return uint64(x), nil
+ }
+ return 0, errors.New("No randomness available")
+}
+
+func writeEntropy(random *os.File) (int, error) {
+ r, err := rand()
+ if err != nil {
+ // assume can fail occasionally
+ return 0, nil
+ }
+ const entropy = 64 // they are good random numbers, Brent
+ info := randInfo{entropy, 8, r}
+ ret, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info)))
+ if ret == 0 {
+ return 8, nil
+ }
+ return 0, err
+}
diff --git a/pkg/rngd/cmd/rngd/rng_unsupported.go b/pkg/rngd/cmd/rngd/rng_unsupported.go
new file mode 100644
index 000000000..e5bbc79d2
--- /dev/null
+++ b/pkg/rngd/cmd/rngd/rng_unsupported.go
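Review bot: `randInfo` in rng_amd64.go does not match the kernel's `struct rand_pool_info`, whose `entropy_count` and `buf_size` are 32-bit C `int`s, while Go's `int` is 64 bits on amd64. With the layout as written the kernel reads `entropy_count = 64` from the low half of `entropyCount` and `buf_size = 0` from its high half. `RNDADDENTROPY` would therefore credit 64 bits to the pool while mixing in no data at all, and `writeEntropy` would still report 8 bytes written. Declaring the fields as `entropyCount int32` and `size int32` puts `buf` at offset 8, where the kernel expects the payload. In the cgo preamble, `hasrdrand` and `hasrdseed` also ignore the return value of `__get_cpuid`, which leaves the registers uninitialised when the leaf is unsupported, and leaf 7 needs sub-leaf 0 selected explicitly, e.g. `__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)` where the toolchain provides it.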
@@ -0,0 +1,13 @@ +// +build !amd64 + +package main + +import "errors" + +func initRand() bool { + return false +} + +func rand() (uint64, error) { + return 0, errors.New("No rng available") +} diff --git a/pkg/rngd/fix-textrels-on-PIC-x86.patch b/pkg/rngd/fix-textrels-on-PIC-x86.patch deleted file mode 100644 index 7ea76d6fd..000000000 --- a/pkg/rngd/fix-textrels-on-PIC-x86.patch +++ /dev/null @@ -1,50 +0,0 @@ ---- rng-tools/rdrand_asm.S -+++ rng-tools/rdrand_asm.S -@@ -49,6 +49,7 @@ - ret - ENDPROC(x86_rdrand_nlong) - -+#define INIT_PIC() - #define SETPTR(var,ptr) leaq var(%rip),ptr - #define PTR0 %rdi - #define PTR1 %rsi -@@ -84,7 +85,16 @@ - ret - ENDPROC(x86_rdrand_nlong) - -+#if defined(__PIC__) -+#undef __i686 /* gcc builtin define gets in our way */ -+#define INIT_PIC() \ -+ call __i686.get_pc_thunk.bx ; \ -+ addl $_GLOBAL_OFFSET_TABLE_, %ebx -+#define SETPTR(var,ptr) leal (var)@GOTOFF(%ebx),ptr -+#else -+#define INIT_PIC() - #define SETPTR(var,ptr) movl $(var),ptr -+#endif - #define PTR0 %eax - #define PTR1 %edx - #define PTR2 %ecx -@@ -101,6 +111,7 @@ - movl 8(%ebp), %eax - movl 12(%ebp), %edx - #endif -+ INIT_PIC() - - SETPTR(aes_round_keys, PTR2) - -@@ -166,6 +177,17 @@ - #endif - ret - ENDPROC(x86_aes_mangle) -+ -+#if defined(__i386__) && defined(__PIC__) -+ .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits -+.globl __i686.get_pc_thunk.bx -+ .hidden __i686.get_pc_thunk.bx -+ .type __i686.get_pc_thunk.bx,@function -+__i686.get_pc_thunk.bx: -+ movl (%esp), %ebx -+ ret -+#endif -+ diff --git a/pkg/rngd/sha256sums b/pkg/rngd/sha256sums deleted file mode 100644 index 8416a085c..000000000 --- a/pkg/rngd/sha256sums +++ /dev/null @@ -1 +0,0 @@ -60a102b6603bbcce2da341470cad42eeaa9564a16b4490e7867026ca11a3078e rng-tools-5.tar.gz From 0a3d78e47fc1d5edb56f2bbd3ccda21c9187f10c Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Mon, 31 Jul 2017 20:18:20 +0100 Subject: [PATCH 2/4] Update hashes for rngd and add a one shot example in sshd 
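Review bot: rng_unsupported.go stubs `initRand` and `rand` for `!amd64` but not `writeEntropy`, which main.go calls unconditionally, so the package will not compile on any other architecture instead of exiting with "No random source available". Add a matching stub, `func writeEntropy(random *os.File) (int, error) { return 0, errors.New("No rng available") }`, and import `"os"` alongside `"errors"`. rng_amd64.go relies only on its filename for the architecture constraint. It also needs the Linux `RNDADDENTROPY` definition through cgo, so a `// +build linux` line there would make the platform requirement explicit.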
Signed-off-by: Justin Cormack --- examples/aws.yml | 2 +- examples/azure.yml | 2 +- examples/docker.yml | 2 +- examples/gcp.yml | 2 +- examples/getty.yml | 2 +- examples/node_exporter.yml | 2 +- examples/packet.yml | 2 +- examples/sshd.yml | 5 ++++- examples/swap.yml | 2 +- examples/tpm.yml | 2 +- examples/vmware.yml | 2 +- examples/vultr.yml | 2 +- linuxkit.yml | 2 +- projects/compose/compose-dynamic.yml | 2 +- projects/compose/compose-static.yml | 2 +- projects/etcd/etcd.yml | 2 +- projects/ima-namespace/ima-namespace.yml | 2 +- projects/kubernetes/kube-master.yml | 2 +- projects/kubernetes/kube-node.yml | 2 +- projects/logging/examples/logging.yml | 2 +- projects/miragesdk/examples/fdd.yml | 2 +- projects/okernel/examples/okernel_simple.yaml | 2 +- projects/shiftfs/shiftfs.yml | 2 +- projects/swarmd/swarmd.yml | 2 +- .../030_security/000_docker-bench/test-docker-bench.yml | 2 +- 25 files changed, 28 insertions(+), 25 deletions(-) diff --git a/examples/aws.yml b/examples/aws.yml index 2ec17b5a7..e72598d75 100644 --- a/examples/aws.yml +++ b/examples/aws.yml @@ -16,7 +16,7 @@ onboot: image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: sshd image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c binds: diff --git a/examples/azure.yml b/examples/azure.yml index 69069b8a2..d4983ba6e 100644 --- a/examples/azure.yml +++ b/examples/azure.yml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/examples/docker.yml b/examples/docker.yml index 8efc9027c..4bfc4bbb7 100644 --- a/examples/docker.yml 
+++ b/examples/docker.yml @@ -24,7 +24,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: ntpd diff --git a/examples/gcp.yml b/examples/gcp.yml index 7bb30bd71..15b6ddfd3 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: sshd image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c binds: diff --git a/examples/getty.yml b/examples/getty.yml index 5599db970..6f80cd87a 100644 --- a/examples/getty.yml +++ b/examples/getty.yml @@ -19,7 +19,7 @@ services: #env: # - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index 74d1b5fac..21f2fb5e4 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml @@ -11,7 +11,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: node_exporter diff --git a/examples/packet.yml b/examples/packet.yml index 9785d9715..a0e693353 100644 --- a/examples/packet.yml +++ b/examples/packet.yml 
@@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/examples/sshd.yml b/examples/sshd.yml index 555347cba..7d8cf8dac 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -9,13 +9,16 @@ init: onboot: - name: sysctl image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + - name: rngd1 + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf + command: ["/sbin/rngd", "-1"] services: - name: getty image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02 env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/examples/swap.yml b/examples/swap.yml index 067044dbe..e229cbf59 100644 --- a/examples/swap.yml +++ b/examples/swap.yml @@ -28,7 +28,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/examples/tpm.yml b/examples/tpm.yml index 35d4706d6..41a4a2fea 100644 --- a/examples/tpm.yml +++ b/examples/tpm.yml @@ -20,7 +20,7 @@ services: - name: tss image: linuxkit/tss:51d73be868e12af76965f5682ed59309c19972b6 - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf files: - path: etc/getty.shadow # sample sets password for root to "abcdefgh" (without quotes) diff --git a/examples/vmware.yml b/examples/vmware.yml index 90c293d5a..8d6c74029 100644 --- a/examples/vmware.yml 
+++ b/examples/vmware.yml @@ -15,7 +15,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: nginx diff --git a/examples/vultr.yml b/examples/vultr.yml index 0cddf7cfd..aa8e5ce8c 100644 --- a/examples/vultr.yml +++ b/examples/vultr.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: sshd image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c binds: diff --git a/linuxkit.yml b/linuxkit.yml index 299b7b1e9..1bebb820e 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -24,7 +24,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml index a372ce646..f24a19466 100644 --- a/projects/compose/compose-dynamic.yml +++ b/projects/compose/compose-dynamic.yml @@ -23,7 +23,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: docker diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml index fa3753191..9eb67c58c 100644 --- a/projects/compose/compose-static.yml +++ b/projects/compose/compose-static.yml 
@@ -23,7 +23,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: docker diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 8a1e47772..21824d5d4 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml @@ -21,7 +21,7 @@ onboot: image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: node_exporter diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index a60bf55a1..2c39fdac4 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml @@ -17,7 +17,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index fb2e35959..6b643f4ae 100644 --- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml @@ -34,7 +34,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: sshd diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml index ed33a9b19..1bbd545e0 100644 --- a/projects/kubernetes/kube-node.yml 
+++ b/projects/kubernetes/kube-node.yml @@ -34,7 +34,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: sshd diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml index 1d97052b7..05814eee8 100644 --- a/projects/logging/examples/logging.yml +++ b/projects/logging/examples/logging.yml @@ -17,7 +17,7 @@ onboot: command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/projects/miragesdk/examples/fdd.yml b/projects/miragesdk/examples/fdd.yml index 20ca6e153..f91ca1868 100644 --- a/projects/miragesdk/examples/fdd.yml +++ b/projects/miragesdk/examples/fdd.yml @@ -16,7 +16,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b files: diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml index 6a699838e..448fcd831 100644 --- a/projects/okernel/examples/okernel_simple.yaml +++ b/projects/okernel/examples/okernel_simple.yaml @@ -11,7 +11,7 @@ onboot: image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: sshd diff --git a/projects/shiftfs/shiftfs.yml b/projects/shiftfs/shiftfs.yml index 68c82be4a..1a2a317bf 100644 
--- a/projects/shiftfs/shiftfs.yml +++ b/projects/shiftfs/shiftfs.yml @@ -20,7 +20,7 @@ services: env: - INSECURE=true - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: nginx image: nginx:alpine capabilities: diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index b851dd941..4fa85dac7 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -31,7 +31,7 @@ services: binds: - /dev/vport0p1:/dev/vport0p1 - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: ntpd image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a - name: weave diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml index 635e28a9c..c9040b0bd 100644 --- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml +++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml @@ -20,7 +20,7 @@ onboot: command: ["/usr/bin/mountie", "/var/lib/docker"] services: - name: rngd - image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b + image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b - name: docker From b1c80b54b3307ff3031fa7406f11ef4006188104 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Mon, 31 Jul 2017 23:05:46 +0100 Subject: [PATCH 3/4] Revert #2317 remove kernel.random.write_wakeup_threshold from sysctl Signed-off-by: Justin Cormack --- pkg/sysctl/etc/sysctl.d/00-linuxkit.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf index fb4fb4e82..bb59b989c 100644 --- a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf +++ b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf 
@@ -13,6 +13,8 @@ net.ipv4.neigh.default.gc_thresh3 = 32768 fs.aio-max-nr = 1048576 fs.inotify.max_user_watches = 524288 fs.file-max = 524288 +# for rngd +kernel.random.write_wakeup_threshold = 3072 # security restrictions kernel.kptr_restrict = 2 net.ipv4.conf.all.send_redirects = 0 From 3bcd6b5113155df81185d5745892ce42b02c6706 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Mon, 31 Jul 2017 23:10:25 +0100 Subject: [PATCH 4/4] update sysctl hashes Signed-off-by: Justin Cormack --- blueprints/docker-for-mac/base.yml | 2 +- examples/aws.yml | 2 +- examples/azure.yml | 2 +- examples/docker.yml | 2 +- examples/gcp.yml | 2 +- examples/getty.yml | 2 +- examples/packet.yml | 2 +- examples/sshd.yml | 2 +- examples/swap.yml | 2 +- examples/tpm.yml | 2 +- examples/vmware.yml | 2 +- examples/vultr.yml | 2 +- linuxkit.yml | 2 +- projects/compose/compose-dynamic.yml | 2 +- projects/compose/compose-static.yml | 2 +- projects/etcd/etcd.yml | 2 +- projects/etcd/prom-us-central1-f.yml | 2 +- projects/ima-namespace/ima-namespace.yml | 2 +- projects/kubernetes/kube-master.yml | 2 +- projects/kubernetes/kube-node.yml | 2 +- projects/logging/examples/logging.yml | 2 +- projects/miragesdk/examples/fdd.yml | 2 +- projects/miragesdk/examples/mirage-dhcp.yml | 2 +- projects/okernel/examples/okernel_simple.yaml | 2 +- projects/shiftfs/shiftfs.yml | 2 +- projects/swarmd/swarmd.yml | 2 +- test/cases/030_security/000_docker-bench/test-docker-bench.yml | 2 +- test/cases/040_packages/003_containerd/test-containerd.yml | 2 +- test/cases/040_packages/019_sysctl/test-sysctl.yml | 2 +- 29 files changed, 29 insertions(+), 29 deletions(-) diff --git a/blueprints/docker-for-mac/base.yml b/blueprints/docker-for-mac/base.yml index 929fe85c8..bc718f172 100644 --- a/blueprints/docker-for-mac/base.yml +++ b/blueprints/docker-for-mac/base.yml 
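Review bot: The new comment `# for rngd` in 00-linuxkit.conf does not say what the setting does or why 3072 was chosen. `kernel.random.write_wakeup_threshold` is expressed in bits and is the level below which processes polling /dev/random for write are woken, which is what the `EPOLLOUT` wait in rngd's main.go depends on. A comment such as `# rngd: wake writers on /dev/random once the pool drops below 3072 bits` would let a later reader judge whether the value is still appropriate.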
@@ -12,7 +12,7 @@ onboot: - name: metadata image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt diff --git a/examples/aws.yml b/examples/aws.yml index e72598d75..8231030b9 100644 --- a/examples/aws.yml +++ b/examples/aws.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/examples/azure.yml b/examples/azure.yml index d4983ba6e..e64a8845d 100644 --- a/examples/azure.yml +++ b/examples/azure.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: rngd image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf diff --git a/examples/docker.yml b/examples/docker.yml index 4bfc4bbb7..be74436c7 100644 --- a/examples/docker.yml +++ b/examples/docker.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: binfmt diff --git a/examples/gcp.yml b/examples/gcp.yml index 15b6ddfd3..89aa33ae9 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml 
@@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/examples/getty.yml b/examples/getty.yml index 6f80cd87a..9b83e1853 100644 --- a/examples/getty.yml +++ b/examples/getty.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/examples/packet.yml b/examples/packet.yml index a0e693353..1735c258e 100644 --- a/examples/packet.yml +++ b/examples/packet.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: rngd image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf diff --git a/examples/sshd.yml b/examples/sshd.yml index 7d8cf8dac..f8c49bb11 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: rngd1 image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf command: ["/sbin/rngd", "-1"] diff --git a/examples/swap.yml b/examples/swap.yml index e229cbf59..4fde9d4bd 100644 --- a/examples/swap.yml 
+++ b/examples/swap.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/examples/tpm.yml b/examples/tpm.yml index 41a4a2fea..5524435ea 100644 --- a/examples/tpm.yml +++ b/examples/tpm.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:4b7b8bb024cebb1bbb9c8026d44d7cbc8e202c41 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/examples/vmware.yml b/examples/vmware.yml index 8d6c74029..f4d7c90d0 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 services: - name: getty image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02 diff --git a/examples/vultr.yml b/examples/vultr.yml index aa8e5ce8c..d802864eb 100644 --- a/examples/vultr.yml +++ b/examples/vultr.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] 
diff --git a/linuxkit.yml b/linuxkit.yml index 1bebb820e..1b262b939 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: binfmt image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628 - name: dhcpcd diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml index f24a19466..200ceae0c 100644 --- a/projects/compose/compose-dynamic.yml +++ b/projects/compose/compose-dynamic.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: dhcpcd diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml index 9eb67c58c..cb0dc8baf 100644 --- a/projects/compose/compose-static.yml +++ b/projects/compose/compose-static.yml @@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: sysfs image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc - name: dhcpcd diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 21824d5d4..67cab7e71 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml 
@@ -8,7 +8,7 @@ init: - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: format image: linuxkit/format:efafddf9bc6165b5efaf09c532c15a1100a10e61 - name: mount diff --git a/projects/etcd/prom-us-central1-f.yml b/projects/etcd/prom-us-central1-f.yml index 7976dd665..8633bc0f2 100644 --- a/projects/etcd/prom-us-central1-f.yml +++ b/projects/etcd/prom-us-central1-f.yml @@ -8,7 +8,7 @@ init: - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: dhcpcd image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index 2c39fdac4..afb602bbb 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml @@ -9,7 +9,7 @@ init: - linuxkit/ima-utils:dfeb3896fd29308b80ff9ba7fe5b8b767e40ca29 onboot: - name: sysctl - image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb + image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0 - name: binfmt image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628 - name: dhcpcd diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index 6b643f4ae..ef6c24f64 100644 --- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml 
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: sysfs
 image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
 - name: binfmt
diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml
index 1bbd545e0..3181503ce 100644
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: sysfs
 image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
 - name: binfmt
diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml
index 05814eee8..02423a872 100644
--- a/projects/logging/examples/logging.yml
+++ b/projects/logging/examples/logging.yml
@@ -9,7 +9,7 @@ init:
 - linuxkit/memlogd:9b5834189f598f43c507f6938077113906f51012
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: binfmt
 image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628
 - name: dhcpcd
diff --git a/projects/miragesdk/examples/fdd.yml b/projects/miragesdk/examples/fdd.yml
index f91ca1868..033d3320d 100644
--- a/projects/miragesdk/examples/fdd.yml
+++ b/projects/miragesdk/examples/fdd.yml
@@ -9,7 +9,7 @@ init:
 - samoht/fdd
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
 - name: getty
 image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02
diff --git a/projects/miragesdk/examples/mirage-dhcp.yml b/projects/miragesdk/examples/mirage-dhcp.yml
index 50af2c8e8..fba001002 100644
--- a/projects/miragesdk/examples/mirage-dhcp.yml
+++ b/projects/miragesdk/examples/mirage-dhcp.yml
@@ -7,7 +7,7 @@ init:
 - linuxkit/containerd:1ff17c0908bed91a7bff252fba2e3d360d05a3de
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: dhcp-client
 image: miragesdk/dhcp-client:22aa9d527820534295a8cd59901c0c5197af6585
 net: host
diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml
index 448fcd831..005550fd2 100644
--- a/projects/okernel/examples/okernel_simple.yaml
+++ b/projects/okernel/examples/okernel_simple.yaml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
 - name: rngd
 image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
diff --git a/projects/shiftfs/shiftfs.yml b/projects/shiftfs/shiftfs.yml
index 1a2a317bf..a6bb410fd 100644
--- a/projects/shiftfs/shiftfs.yml
+++ b/projects/shiftfs/shiftfs.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: binfmt
 image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628
 - name: dhcpcd
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml
index 4fa85dac7..c0975d940 100644
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 binds:
 - /etc/sysctl.d/01-swarmd.conf:/etc/sysctl.d/01-swarmd.conf
 - name: dhcpcd
diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
index c9040b0bd..ea598c163 100644
--- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml
+++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: sysfs
 image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
 - name: binfmt
diff --git a/test/cases/040_packages/003_containerd/test-containerd.yml b/test/cases/040_packages/003_containerd/test-containerd.yml
index 760ebe4af..48c80efed 100644
--- a/test/cases/040_packages/003_containerd/test-containerd.yml
+++ b/test/cases/040_packages/003_containerd/test-containerd.yml
@@ -11,7 +11,7 @@ onboot:
 image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: format
 image: linuxkit/format:efafddf9bc6165b5efaf09c532c15a1100a10e61
 - name: mount
diff --git a/test/cases/040_packages/019_sysctl/test-sysctl.yml b/test/cases/040_packages/019_sysctl/test-sysctl.yml
index 2b875b655..846e1c4fc 100644
--- a/test/cases/040_packages/019_sysctl/test-sysctl.yml
+++ b/test/cases/040_packages/019_sysctl/test-sysctl.yml
@@ -6,7 +6,7 @@ init:
 - linuxkit/runc:842318b6ab524783554428c89a27d95af7bd2844
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+ image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 - name: test
 image: alpine:3.6
 net: host