Merge pull request #2331 from justincormack/rng-golang

Replace rngd with a Go version

blueprints/docker-for-mac/base.yml

@@ -12,7 +12,7 @@ onboot:
   - name: metadata
     image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: binfmt

examples/aws.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -16,7 +16,7 @@ onboot:
     image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: sshd
     image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c
     binds:

examples/azure.yml

@@ -8,10 +8,10 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: sshd

examples/docker.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: binfmt
@@ -24,7 +24,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: ntpd

examples/gcp.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -20,7 +20,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: sshd
     image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c
     binds:

examples/getty.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -19,7 +19,7 @@ services:
     #env:
     # - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/node_exporter.yml

@@ -11,7 +11,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: node_exporter

examples/packet.yml

@@ -8,10 +8,10 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: sshd

examples/sshd.yml

@@ -8,14 +8,17 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
+  - name: rngd1
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
+    command: ["/sbin/rngd", "-1"]
 services:
   - name: getty
     image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: sshd

examples/swap.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -28,7 +28,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: nginx
     image: nginx:alpine
     capabilities:

examples/tpm.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:4b7b8bb024cebb1bbb9c8026d44d7cbc8e202c41
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -20,7 +20,7 @@ services:
   - name: tss
     image: linuxkit/tss:51d73be868e12af76965f5682ed59309c19972b6
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/vmware.yml

@@ -8,14 +8,14 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
   - name: getty
     image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: nginx

examples/vultr.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -20,7 +20,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: sshd
     image: linuxkit/sshd:5dc5c3c4470c85f6c89f0e26b9d477ae4ff85a3c
     binds:

linuxkit.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: binfmt
     image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628
   - name: dhcpcd
@@ -24,7 +24,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: nginx
     image: nginx:alpine
     capabilities:

pkg/rngd/Dockerfile

@@ -1,46 +1,15 @@
-FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS mirror
+FROM linuxkit/alpine:c23813875499d85163dc358fc6370c9de650df57 AS mirror
-RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
-RUN apk add --no-cache --initdb -p /out \
-    tini
-RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
-RUN mkdir -p /out/dev /out/proc /out/sys
 
-FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS build
+RUN apk add --no-cache go gcc musl-dev linux-headers
-RUN apk add \
+ENV GOPATH=/go PATH=$PATH:/go/bin
-    argp-standalone \
-    automake \
-    curl \
-    gcc \
-    linux-headers \
-    make \
-    musl-dev \
-    patch    
 
-COPY . /
+COPY cmd/rngd/*.go /go/src/rngd/
-
+RUN REQUIRE_CGO=1 go-compile.sh /go/src/rngd
-ENV pkgname=rng-tools pkgver=5
-
-RUN curl -fSL "http://downloads.sourceforge.net/project/gkernel/$pkgname/$pkgver/$pkgname-$pkgver.tar.gz" -o "$pkgname-$pkgver.tar.gz"
-RUN sha256sum -c sha256sums
-RUN zcat $pkgname-$pkgver.tar.gz | tar xf -
-
-RUN cd $pkgname-$pkgver && for p in ../*.patch; do cat $p | patch -p1; done
-
-RUN cd $pkgname-$pkgver && \
-  export LIBS="-largp" && \
-  LDFLAGS=-static ./configure \
-    --prefix=/usr \
-    --libexecdir=/usr/lib/rng-tools \
-    --sysconfdir=/etc \
-    --disable-silent-rules && \
-  make && \
-  make DESTDIR=/ install && \
-  strip /usr/sbin/rngd
 
 FROM scratch
 ENTRYPOINT []
+CMD []
 WORKDIR /
-COPY --from=mirror /out/ /
+COPY --from=mirror /go/bin/rngd /sbin/rngd
-COPY --from=build usr/sbin/rngd usr/sbin/rngd
+CMD ["/sbin/rngd"]
-CMD ["/sbin/tini", "/usr/sbin/rngd", "-f"]
 LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_ADMIN"], "oomScoreAdj": -800, "readonly": true, "net": "new", "ipc": "new"}'

pkg/rngd/Makefile

@@ -1,4 +1,4 @@
 IMAGE=rngd
-NETWORK=1
+DEPS=$(wildcard cmd/rngd/*.go)
 
 include ../package.mk

pkg/rngd/cmd/rngd/main.go

@@ -0,0 +1,66 @@
+package main
+
+import (
+	"log"
+	"os"
+	"syscall"
+)
+
+func main() {
+	oneshot := len(os.Args) > 1 && os.Args[1] == "-1"
+
+	timeout := -1
+	if oneshot {
+		timeout = 0
+	}
+
+	supported := initRand()
+	if !supported {
+		log.Fatalf("No random source available")
+	}
+
+	random, err := os.Open("/dev/random")
+	if err != nil {
+		log.Fatalf("Cannot open /dev/random: %v", err)
+	}
+	defer random.Close()
+	fd := int(random.Fd())
+
+	epfd, err := syscall.EpollCreate1(0)
+	if err != nil {
+		log.Fatalf("epoll create error: %v", err)
+	}
+	defer syscall.Close(epfd)
+
+	var event syscall.EpollEvent
+	var events [1]syscall.EpollEvent
+
+	event.Events = syscall.EPOLLOUT
+	event.Fd = int32(fd)
+	if err := syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); err != nil {
+		log.Fatalf("epoll add error: %v", err)
+	}
+
+	count := 0
+
+	for {
+		// write some entropy
+		n, err := writeEntropy(random)
+		if err != nil {
+			log.Fatalf("write entropy: %v", err)
+		}
+		count += n
+		// sleep until we can write more
+		nevents, err := syscall.EpollWait(epfd, events[:], timeout)
+		if err != nil {
+			log.Fatalf("epoll wait error: %v", err)
+		}
+		if nevents == 1 && events[0].Events&syscall.EPOLLOUT == syscall.EPOLLOUT {
+			continue
+		}
+		if oneshot {
+			log.Printf("Wrote %d bytes of entropy, exiting as oneshot\n", count)
+			break
+		}
+	}
+}

pkg/rngd/cmd/rngd/rng_amd64.go

@@ -0,0 +1,84 @@
+package main
+
+// #cgo CFLAGS: -mrdrnd -mrdseed
+// #include <immintrin.h>
+// #include <x86intrin.h>
+// #include <stdint.h>
+// #include <cpuid.h>
+// #include <linux/random.h>
+// #include <sys/ioctl.h>
+//
+// int hasrdrand() {
+//   unsigned int eax, ebx, ecx, edx;
+//   __get_cpuid(1, &eax, &ebx, &ecx, &edx);
+//
+//   return ((ecx & bit_RDRND) == bit_RDRND);
+// }
+//
+// int hasrdseed() {
+//   unsigned int eax, ebx, ecx, edx;
+//   __get_cpuid(7, &eax, &ebx, &ecx, &edx);
+//
+//   return ((ebx & bit_RDSEED) == bit_RDSEED);
+// }
+//
+// int rdrand(uint64_t *val) {
+//   return _rdrand64_step((unsigned long long *)val);
+// }
+//
+// int rdseed(uint64_t *val) {
+//   return _rdseed64_step((unsigned long long *)val);
+// }
+//
+// int rndaddentropy = RNDADDENTROPY;
+//
+import "C"
+
+import (
+	"errors"
+	"os"
+	"syscall"
+	"unsafe"
+)
+
+var hasRdrand, hasRdseed bool
+
+type randInfo struct {
+	entropyCount int
+	size         int
+	buf          uint64
+}
+
+func initRand() bool {
+	hasRdrand = C.hasrdrand() == 1
+	hasRdseed = C.hasrdseed() == 1
+	return hasRdrand || hasRdseed
+}
+
+func rand() (uint64, error) {
+	var x C.uint64_t
+	// prefer rdseed as that is correct seed
+	if hasRdseed && C.rdseed(&x) == 1 {
+		return uint64(x), nil
+	}
+	// failed rdseed, rdrand better than nothing
+	if hasRdrand && C.rdrand(&x) == 1 {
+		return uint64(x), nil
+	}
+	return 0, errors.New("No randomness available")
+}
+
+func writeEntropy(random *os.File) (int, error) {
+	r, err := rand()
+	if err != nil {
+		// assume can fail occasionally
+		return 0, nil
+	}
+	const entropy = 64 // they are good random numbers, Brent
+	info := randInfo{entropy, 8, r}
+	ret, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(random.Fd()), uintptr(C.rndaddentropy), uintptr(unsafe.Pointer(&info)))
+	if ret == 0 {
+		return 8, nil
+	}
+	return 0, err
+}

pkg/rngd/cmd/rngd/rng_unsupported.go

@@ -0,0 +1,13 @@
+// +build !amd64
+
+package main
+
+import "errors"
+
+func initRand() bool {
+	return false
+}
+
+func rand() (uint64, error) {
+	return 0, errors.New("No rng available")
+}

pkg/rngd/fix-textrels-on-PIC-x86.patch

@@ -1,50 +0,0 @@
---- rng-tools/rdrand_asm.S
-+++ rng-tools/rdrand_asm.S
-@@ -49,6 +49,7 @@
-	ret
- ENDPROC(x86_rdrand_nlong)
-
-+#define INIT_PIC()
- #define SETPTR(var,ptr)	leaq var(%rip),ptr
- #define PTR0	%rdi
- #define PTR1	%rsi
-@@ -84,7 +85,16 @@
-	ret
- ENDPROC(x86_rdrand_nlong)
-
-+#if defined(__PIC__)
-+#undef __i686 /* gcc builtin define gets in our way */
-+#define INIT_PIC() \
-+	call __i686.get_pc_thunk.bx ; \
-+	addl $_GLOBAL_OFFSET_TABLE_, %ebx
-+#define SETPTR(var,ptr)	leal (var)@GOTOFF(%ebx),ptr
-+#else
-+#define INIT_PIC()
- #define SETPTR(var,ptr)	movl $(var),ptr
-+#endif
- #define PTR0	%eax
- #define PTR1	%edx
- #define PTR2	%ecx
-@@ -101,6 +111,7 @@
-	movl	8(%ebp), %eax
-	movl	12(%ebp), %edx
- #endif
-+	INIT_PIC()
-
-	SETPTR(aes_round_keys, PTR2)
-
-@@ -166,6 +177,17 @@
- #endif
-	ret
- ENDPROC(x86_aes_mangle)
-+
-+#if defined(__i386__) && defined(__PIC__)
-+	.section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits
-+.globl __i686.get_pc_thunk.bx
-+	.hidden  __i686.get_pc_thunk.bx
-+	.type    __i686.get_pc_thunk.bx,@function
-+__i686.get_pc_thunk.bx:
-+	movl (%esp), %ebx
-+	ret
-+#endif
-+

pkg/rngd/sha256sums

@@ -1 +0,0 @@
-60a102b6603bbcce2da341470cad42eeaa9564a16b4490e7867026ca11a3078e  rng-tools-5.tar.gz

pkg/sysctl/etc/sysctl.d/00-linuxkit.conf

@@ -13,6 +13,8 @@ net.ipv4.neigh.default.gc_thresh3 = 32768
 fs.aio-max-nr = 1048576
 fs.inotify.max_user_watches = 524288
 fs.file-max = 524288
+# for rngd
+kernel.random.write_wakeup_threshold = 3072
 # security restrictions
 kernel.kptr_restrict = 2
 net.ipv4.conf.all.send_redirects = 0

projects/compose/compose-dynamic.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: dhcpcd
@@ -23,7 +23,7 @@ onboot:
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: ntpd
     image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a
   - name: docker

projects/compose/compose-static.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: dhcpcd
@@ -23,7 +23,7 @@ onboot:
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: ntpd
     image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a
   - name: docker

projects/etcd/etcd.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: format
     image: linuxkit/format:efafddf9bc6165b5efaf09c532c15a1100a10e61
   - name: mount
@@ -21,7 +21,7 @@ onboot:
     image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: ntpd
     image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a
   - name: node_exporter

projects/etcd/prom-us-central1-f.yml

@@ -8,7 +8,7 @@ init:
   - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]

projects/ima-namespace/ima-namespace.yml

@@ -9,7 +9,7 @@ init:
   - linuxkit/ima-utils:dfeb3896fd29308b80ff9ba7fe5b8b767e40ca29
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: binfmt
     image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628
   - name: dhcpcd
@@ -17,7 +17,7 @@ onboot:
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: nginx
     image: nginx:alpine
     capabilities:

projects/kubernetes/kube-master.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: binfmt
@@ -34,7 +34,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: ntpd
     image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a
   - name: sshd

projects/kubernetes/kube-node.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: binfmt
@@ -34,7 +34,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: ntpd
     image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a
   - name: sshd

projects/logging/examples/logging.yml

@@ -9,7 +9,7 @@ init:
   - linuxkit/memlogd:9b5834189f598f43c507f6938077113906f51012
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: binfmt
     image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628
   - name: dhcpcd
@@ -17,7 +17,7 @@ onboot:
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: nginx
     image: nginx:alpine
     capabilities:

projects/miragesdk/examples/fdd.yml

@@ -9,14 +9,14 @@ init:
   - samoht/fdd
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
   - name: getty
     image: linuxkit/getty:58620cff1b0bf8b5d144d087602115e996f18a02
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
 files:

projects/miragesdk/examples/mirage-dhcp.yml

@@ -7,7 +7,7 @@ init:
   - linuxkit/containerd:1ff17c0908bed91a7bff252fba2e3d360d05a3de
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: dhcp-client
     image: miragesdk/dhcp-client:22aa9d527820534295a8cd59901c0c5197af6585
     net: host

projects/okernel/examples/okernel_simple.yaml

@@ -8,10 +8,10 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: sshd

projects/shiftfs/shiftfs.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: binfmt
     image: linuxkit/binfmt:257b5174a8e33bc62d5448cc026d72cae3713628
   - name: dhcpcd
@@ -20,7 +20,7 @@ services:
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: nginx
     image: nginx:alpine
     capabilities:

projects/swarmd/swarmd.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
     binds:
      - /etc/sysctl.d/01-swarmd.conf:/etc/sysctl.d/01-swarmd.conf
   - name: dhcpcd
@@ -31,7 +31,7 @@ services:
     binds:
       - /dev/vport0p1:/dev/vport0p1
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: ntpd
     image: linuxkit/openntpd:2874b66c9fa51fa5b4d11c8b50441eb94ee22a5a
   - name: weave

test/cases/030_security/000_docker-bench/test-docker-bench.yml

@@ -8,7 +8,7 @@ init:
   - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: sysfs
     image: linuxkit/sysfs:006a65b30cfdd9d751d7ab042fde7eca2c3bc9dc
   - name: binfmt
@@ -20,7 +20,7 @@ onboot:
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
+    image: linuxkit/rngd:6565ae49f6be29d4e64614a4df3978b972956ebf
   - name: dhcpcd
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
   - name: docker

test/cases/040_packages/003_containerd/test-containerd.yml

@@ -11,7 +11,7 @@ onboot:
     image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: format
     image: linuxkit/format:efafddf9bc6165b5efaf09c532c15a1100a10e61
   - name: mount

test/cases/040_packages/019_sysctl/test-sysctl.yml

@@ -6,7 +6,7 @@ init:
   - linuxkit/runc:842318b6ab524783554428c89a27d95af7bd2844
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:3f7a3f6f9e7e1d3f245c766fcf5c2b9e97382cfb
+    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
   - name: test
     image: alpine:3.6
     net: host