diff --git a/base/binfmt/Makefile b/base/binfmt/Makefile
index 90b4f3a3f..200297090 100644
--- a/base/binfmt/Makefile
+++ b/base/binfmt/Makefile
@@ -2,7 +2,7 @@ QEMU_IMAGE=mobylinux/qemu-user-static:da39a3ee5e6b4b0d3255bfef95601890afd80709@s
 QEMU_FILES=qemu-arm qemu-aarch64 qemu-ppc64le
 QEMU_BINARIES=$(addprefix usr/bin/,$(QEMU_FILES))
-GO_COMPILE=mobylinux/go-compile:d2d25ac665b5148ad356d0eab3ff3762a68c633d@sha256:aab55d0c317460850e66a07dd94139cc11ea9e1c0bee88716a6a8c768740885f
+GO_COMPILE=mobylinux/go-compile:236629d9fc0779db9e7573ceb8b0e92f08f553be@sha256:16020c2d90cecb1f1d2d731187e947535c23f38b62319dd386ae642b4b32e1fb
 BINFMT_BINARY=usr/bin/binfmt
diff --git a/base/sysctl/.gitignore b/base/sysctl/.gitignore
new file mode 100644
index 000000000..db2b4ca32
--- /dev/null
+++ b/base/sysctl/.gitignore
@@ -0,0 +1,4 @@
+dev
+proc
+sys
+usr
diff --git a/base/sysctl/Dockerfile b/base/sysctl/Dockerfile
new file mode 100644
index 000000000..2f131268e
--- /dev/null
+++ b/base/sysctl/Dockerfile
@@ -0,0 +1,3 @@
+FROM scratch
+COPY . ./
+CMD ["/usr/bin/sysctl"]
diff --git a/base/sysctl/Makefile b/base/sysctl/Makefile
new file mode 100644
index 000000000..57b44f693
--- /dev/null
+++ b/base/sysctl/Makefile
@@ -0,0 +1,44 @@
+GO_COMPILE=mobylinux/go-compile:236629d9fc0779db9e7573ceb8b0e92f08f553be@sha256:16020c2d90cecb1f1d2d731187e947535c23f38b62319dd386ae642b4b32e1fb
+
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+
+SYSCTL_BINARY=usr/bin/sysctl
+
+IMAGE=sysctl
+
+.PHONY: tag push clean container
+default: push
+
+$(SYSCTL_BINARY): main.go
+ mkdir -p $(dir $@)
+ tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(GO_COMPILE) -o $@ | tar xf -
+
+DIRS=dev proc sys
+$(DIRS):
+ mkdir -p $@
+
+DEPS=$(DIRS) $(SYSCTL_BINARY) etc/sysctl.d/00-moby.conf
+
+container: Dockerfile $(DEPS)
+ tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+
+hash: Dockerfile $(DEPS)
+ find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
+
+push: hash container
+ docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+ (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+ docker push mobylinux/$(IMAGE):$(shell cat hash))
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+tag: hash container
+ docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+ docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+clean:
+ rm -rf hash $(DIRS) usr
+
+.DELETE_ON_ERROR:
diff --git a/base/sysctl/etc/sysctl.d/00-moby.conf b/base/sysctl/etc/sysctl.d/00-moby.conf
new file mode 100644
index 000000000..49ffed8ad
--- /dev/null
+++ b/base/sysctl/etc/sysctl.d/00-moby.conf
@@ -0,0 +1,22 @@
+# general limits
+vm.max_map_count = 262144
+vm.overcommit_memory = 1
+net.core.somaxconn = 1024
+net.ipv4.neigh.default.gc_thresh1 = 30000
+net.ipv4.neigh.default.gc_thresh2 = 32000
+net.ipv4.neigh.default.gc_thresh3 = 32768
+fs.aio-max-nr = 1048576
+fs.inotify.max_user_watches = 524288
+fs.file-max = 524288
+# for rngd
+kernel.random.write_wakeup_threshold = 3072
+# security restrictions
+kernel.kptr_restrict = 2
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+kernel.perf_event_paranoid = 3
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
diff --git a/base/sysctl/main.go b/base/sysctl/main.go
new file mode 100644
index 000000000..bcb2967b8
--- /dev/null
+++ b/base/sysctl/main.go
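Review bot: The IPv4 hardening lines set `net.ipv4.conf.default.accept_redirects` and `net.ipv4.conf.default.accept_source_route` but not the matching `net.ipv4.conf.all.*` keys, while the IPv6 lines right below set both `all` and `default`. The `default.*` entries only seed interfaces created after the write, and the kernel combines each interface's own flag with `conf/all`, so interfaces that already exist when this container runs keep their current setting. Adding `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0` makes the IPv4 block consistent with the IPv6 one. Because main.go applies keys in file order and exits on the first failure, the security keys at the end of this file are the ones most likely to be skipped if an earlier key is absent on the running kernel; placing them first, or making the applier continue past errors, would reduce that risk.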
@@ -0,0 +1,72 @@
+package main
+
+import (
+ "bytes"
+ "flag"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "os"
+ "path/filepath"
+ "strings"
+)
+
+var (
+ configDir string
+ sysctlDir string
+)
+
+func init() {
+ flag.StringVar(&configDir, "configDir", "/etc/sysctl.d", "directory with config files")
+ flag.StringVar(&sysctlDir, "sysctlDir", "/proc/sys", "mount point for sysctls")
+}
+
+func sysctl(line []byte) error {
+ // parse line into a string of expected form X.Y.Z=VALUE
+ sysctlLineKV := strings.Split(string(line[:]), "=")
+ if len(sysctlLineKV) != 2 {
+ if len(sysctlLineKV) >= 1 && len(sysctlLineKV[0]) >= 1 && strings.Trim(sysctlLineKV[0], " ")[:1] == "#" {
+ return nil
+ }
+ return fmt.Errorf("Cannot parse %s", string(line))
+ }
+ // trim any extra whitespace
+ sysctlSetting, sysctlValue := strings.Trim(sysctlLineKV[0], " "), strings.Trim(sysctlLineKV[1], " ")
+ sysctlFile := filepath.Join(sysctlDir, filepath.Join(strings.Split(sysctlSetting, ".")...))
+ file, err := os.OpenFile(sysctlFile, os.O_WRONLY, 0)
+ if err != nil {
+ return fmt.Errorf("Cannot open %s: %s", sysctlFile, err)
+ }
+ defer file.Close()
+ _, err = file.Write([]byte(sysctlValue))
+ if err != nil {
+ return fmt.Errorf("Cannot write to %s: %s", sysctlFile, err)
+ }
+ return nil
+}
+
+func main() {
+ flag.Parse()
+
+ files, err := ioutil.ReadDir(configDir)
+ if err != nil {
+ log.Fatalf("Cannot read directory %s: %s", configDir, err)
+ }
+
+ for _, file := range files {
+ contents, err := ioutil.ReadFile(filepath.Join(configDir, file.Name()))
+ if err != nil {
+ log.Fatalf("Cannot read file %s: %s", file.Name(), err)
+ }
+ lines := bytes.Split(contents, []byte("\n"))
+ for _, line := range lines {
+ if len(line) == 0 {
+ continue
+ }
+ err = sysctl(line)
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
+ }
+}
diff --git a/config.go b/config.go
index b4d2096fa..37a2bc345 100644
--- a/config.go
+++ b/config.go
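Review bot: In sysctl the comment check only runs when the line does not split into exactly two `=` parts, so a comment such as `# limit = 1` is treated as a setting and aborts the run with an open error, and a legitimate value containing `=` is rejected as unparseable. Test for comments before splitting and split only once: `if strings.HasPrefix(strings.TrimSpace(string(line)), "#") { return nil }` followed by `sysctlLineKV := strings.SplitN(string(line), "=", 2)`; `strings.TrimSpace` also strips tabs and `\r`, which `strings.Trim(…, " ")` does not, so the same function fits the key/value trimming. In main, `log.Fatal` on the first failing key stops every later key in that file and all remaining files, so one key that the running kernel lacks prevents the rest from being applied; either log and continue, or document the fail-fast choice in a comment on the loop. The key is joined into a path under sysctlDir without rejecting a `/` in the key, so after `filepath.Join` cleans the path it can point outside sysctlDir; the config directory ships in the image, so this is a robustness concern, but a `strings.Contains(sysctlSetting, "/")` rejection keeps the parser self-contained.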
@@ -37,6 +37,7 @@ type MobyImage struct {
 Command []string
 NetworkMode string `yaml:"network_mode"`
 Pid string
+ Ipc string
 }
 const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72"
@@ -77,6 +78,10 @@ func ConfigToRun(order int, path string, image *MobyImage) []string {
 // TODO only "host" supported
 args = append(args, "--pid="+image.Pid)
 }
+ if image.Ipc != "" {
+ // TODO only "host" supported
+ args = append(args, "--ipc="+image.Pid)
+ }
 for _, bind := range image.Binds {
 args = append(args, "-v", bind)
 }
diff --git a/moby.yaml b/moby.yaml
index 751930448..cc993cd8e 100644
--- a/moby.yaml
+++ b/moby.yaml
@@ -1,6 +1,13 @@
 kernel: "mobylinux/kernel:598481c08deafa37dccb33c88ad69fdecda57909"
 init: "mobylinux/init:2f1b5c1be1157cb17e5b1e6dee171dccdebb5277"
 system:
+ - name: sysctl
+ image: "mobylinux/sysctl:9bef9130afb8023ed1b2cecb4d961ba34a0f6628"
+ network_mode: host
+ pid: host
+ ipc: host
+ capabilities:
+ - CAP_SYS_ADMIN
 - name: binfmt
 image: "mobylinux/binfmt:a94e0587b702edaa95cc6f303464959d0eb2311c@sha256:432732b90cbe0498f5ca148d75b90bb1eabd8fbfe8c872df8b23906c225091b1"
 binds:
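Review bot: The new `--ipc=` argument in the second config.go hunk is built from `image.Pid` rather than `image.Ipc`, so the Ipc field added in the first hunk is only ever tested for emptiness; this goes unnoticed in moby.yaml only because both keys are `host`, and a config with `pid: host` and any other ipc value would silently get `--ipc=host`. The line should read `args = append(args, "--ipc="+image.Ipc)`. Both the pid and ipc branches carry a TODO saying only `host` is supported yet pass the value straight through; returning an error for any value other than `"host"` at this point would turn the TODO into an enforced check. ConfigToRun begins before this hunk.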
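Review bot: The new sysctl entry pins its image by tag only, `mobylinux/sysctl:9bef9130afb8023ed1b2cecb4d961ba34a0f6628`, whereas the binfmt entry directly below pins `tag@sha256:…`; a tag can be re-pushed while a digest cannot, so this file no longer fixes the content of every system container. Append the digest of the pushed image after the tag, in the same form as binfmt (placeholder: `@sha256:<digest-of-pushed-sysctl-image>`). It is also worth confirming that `CAP_SYS_ADMIN` is what this container actually needs: the binary in base/sysctl/main.go only opens and writes files under /proc/sys, for which a writable /proc/sys mount and, for `net.*` keys, CAP_NET_ADMIN in the target network namespace are the relevant requirements, so a narrower capability set may be sufficient.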