Add an ip package

This contans the upstream (non busybox) version of `ip` and also the
Wireguard tools as these aere not yet integrated into `ip`. It is designed
to be used for network configuration.

For example a Wireguard interface can be setup with something like:
```
  - name: wg
    image: linuxkit/ip
    net: new
    binds:
      - /etc/wireguard:/etc/wireguard
    command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"]
    runtime:
      interfaces:
        - name: wg0
          add: wireguard
          createInRoot: true
      bindNS:
          net: /run/netns/wg
```

This binds the net namespace so other containers can use it later.

Note that `ip` supports batch scripts with `ip -b file` which is quite convenient for
this use case.

Alas `wg-quick` requires `bash` so this is currently a bit bloated, maybe @zx2c4
might be persuaded to rewrite it without bashisms...

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

pkg/ip/Dockerfile

@@ -0,0 +1,19 @@
+FROM linuxkit/alpine:87a0cd10449d72f374f950004467737dbf440630 AS mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    alpine-baselayout \
+    bash \
+    busybox \
+    iproute2 \
+    musl \
+    wireguard-tools
+
+# Remove apk residuals
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=mirror /out/ /
+LABEL org.mobyproject.config='{"capabilities": ["CAP_NET_ADMIN", "CAP_NET_RAW"]}'

pkg/ip/Makefile

@@ -0,0 +1,3 @@
+IMAGE=ip
+
+include ../package.mk