Merge pull request #1269 from justincormack/sysctl

Add in sysctl container
Justin Cormack 2017-03-09 14:55:49 +00:00 committed by GitHub
commit 5aa5852eb0
8 changed files with 158 additions and 1 deletions


@ -2,7 +2,7 @@ QEMU_IMAGE=mobylinux/qemu-user-static:da39a3ee5e6b4b0d3255bfef95601890afd80709@s
QEMU_FILES=qemu-arm qemu-aarch64 qemu-ppc64le
QEMU_BINARIES=$(addprefix usr/bin/,$(QEMU_FILES))
GO_COMPILE=mobylinux/go-compile:d2d25ac665b5148ad356d0eab3ff3762a68c633d@sha256:aab55d0c317460850e66a07dd94139cc11ea9e1c0bee88716a6a8c768740885f
GO_COMPILE=mobylinux/go-compile:236629d9fc0779db9e7573ceb8b0e92f08f553be@sha256:16020c2d90cecb1f1d2d731187e947535c23f38b62319dd386ae642b4b32e1fb
BINFMT_BINARY=usr/bin/binfmt

4
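--- /dev/null
+++ b/base/sysctl/.gitignore
@@ -0,0 +1,4 @@
+dev
+proc
+sys
+usr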

3
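--- /dev/null
+++ b/base/sysctl/Dockerfile
@@ -0,0 +1,3 @@
+FROM scratch
+COPY . ./
+CMD ["/usr/bin/sysctl"]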

44
base/sysctl/Makefile Normal file

@ -0,0 +1,44 @@
GO_COMPILE=mobylinux/go-compile:236629d9fc0779db9e7573ceb8b0e92f08f553be@sha256:16020c2d90cecb1f1d2d731187e947535c23f38b62319dd386ae642b4b32e1fb
SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
SYSCTL_BINARY=usr/bin/sysctl
IMAGE=sysctl
.PHONY: tag push clean container
default: push
$(SYSCTL_BINARY): main.go
mkdir -p $(dir $@)
tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(GO_COMPILE) -o $@ | tar xf -
DIRS=dev proc sys
$(DIRS):
mkdir -p $@
DEPS=$(DIRS) $(SYSCTL_BINARY) etc/sysctl.d/00-moby.conf
container: Dockerfile $(DEPS)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
hash: Dockerfile $(DEPS)
find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
push: hash container
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash container
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -rf hash $(DIRS) usr
.DELETE_ON_ERROR:
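Review bot: The `hash` recipe feeds `find $^ -type f` straight into `xargs cat`, and find's output order is filesystem-dependent, so the sha1 that becomes the image tag can differ between two machines building identical inputs. Since the tag is what `push` and `tag` pull and publish under, a non-deterministic digest weakens the content-addressing this Makefile is relying on; inserting a sort fixes it: `find $^ -type f | sort | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash`. The recipe indentation is not visible on this rendered page, so the tabs are presumably intact in the actual file.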


@ -0,0 +1,22 @@
# general limits
vm.max_map_count = 262144
vm.overcommit_memory = 1
net.core.somaxconn = 1024
net.ipv4.neigh.default.gc_thresh1 = 30000
net.ipv4.neigh.default.gc_thresh2 = 32000
net.ipv4.neigh.default.gc_thresh3 = 32768
fs.aio-max-nr = 1048576
fs.inotify.max_user_watches = 524288
fs.file-max = 524288
# for rngd
kernel.random.write_wakeup_threshold = 3072
# security restrictions
kernel.kptr_restrict = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
kernel.perf_event_paranoid = 3
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
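Review bot: The "security restrictions" block is asymmetric between the `all` and `default` trees: `accept_redirects` and `accept_source_route` are disabled only under `net.ipv4.conf.default`, and `send_redirects` only under `net.ipv4.conf.all`, so interfaces that already exist when this runs keep the kernel defaults for the unset keys. If the intent is to apply these restrictions on every interface, add `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.accept_source_route = 0` and `net.ipv4.conf.default.send_redirects = 0` next to their counterparts. `kernel.dmesg_restrict = 1` would also be a natural companion to the `kernel.kptr_restrict = 2` setting here, though that is a policy choice rather than a defect.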

72
base/sysctl/main.go Normal file

@ -0,0 +1,72 @@
package main
import (
"bytes"
"flag"
"fmt"
"io/ioutil"
"log"
"os"
"path/filepath"
"strings"
)
var (
configDir string
sysctlDir string
)
func init() {
flag.StringVar(&configDir, "configDir", "/etc/sysctl.d", "directory with config files")
flag.StringVar(&sysctlDir, "sysctlDir", "/proc/sys", "mount point for sysctls")
}
func sysctl(line []byte) error {
// parse line into a string of expected form X.Y.Z=VALUE
sysctlLineKV := strings.Split(string(line[:]), "=")
if len(sysctlLineKV) != 2 {
if len(sysctlLineKV) >= 1 && len(sysctlLineKV[0]) >= 1 && strings.Trim(sysctlLineKV[0], " ")[:1] == "#" {
return nil
}
return fmt.Errorf("Cannot parse %s", string(line))
}
// trim any extra whitespace
sysctlSetting, sysctlValue := strings.Trim(sysctlLineKV[0], " "), strings.Trim(sysctlLineKV[1], " ")
sysctlFile := filepath.Join(sysctlDir, filepath.Join(strings.Split(sysctlSetting, ".")...))
file, err := os.OpenFile(sysctlFile, os.O_WRONLY, 0)
if err != nil {
return fmt.Errorf("Cannot open %s: %s", sysctlFile, err)
}
defer file.Close()
_, err = file.Write([]byte(sysctlValue))
if err != nil {
return fmt.Errorf("Cannot write to %s: %s", sysctlFile, err)
}
return nil
}
func main() {
flag.Parse()
files, err := ioutil.ReadDir(configDir)
if err != nil {
log.Fatalf("Cannot read directory %s: %s", configDir, err)
}
for _, file := range files {
contents, err := ioutil.ReadFile(filepath.Join(configDir, file.Name()))
if err != nil {
log.Fatalf("Cannot read file %s: %s", file.Name(), err)
}
lines := bytes.Split(contents, []byte("\n"))
for _, line := range lines {
if len(line) == 0 {
continue
}
err = sysctl(line)
if err != nil {
log.Fatal(err)
}
}
}
}
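Review bot: The comment check in `sysctl` can panic: a whitespace-only line passes `len(sysctlLineKV[0]) >= 1`, but `strings.Trim(..., " ")` then yields "" and `[:1]` slices out of range, aborting the whole run through `log.Fatal`. The same code path also misclassifies a comment that contains "=" (it is split into two parts and treated as a key), and a value containing "=" fails to parse because `strings.Split` is unbounded. Trimming and checking for "#" before splitting, and using `strings.SplitN` with a limit of 2, addresses all three; the rest of the function (path construction, open, write) can stay as is. Separately, `main` stops at the first failing key via `log.Fatal`, so one unknown sysctl (for example from a module that is not loaded) prevents every later setting from being applied — logging and continuing is presumably the intended behaviour, but that is a design choice for the author.
```go
func sysctl(line []byte) error {
	// Normalise and classify the line before splitting, so a
	// whitespace-only line never reaches a [:1] slice and a comment
	// containing '=' is not mistaken for a setting.
	text := strings.TrimSpace(string(line))
	if text == "" || strings.HasPrefix(text, "#") {
		return nil
	}
	// SplitN keeps any '=' inside the value intact.
	sysctlLineKV := strings.SplitN(text, "=", 2)
	if len(sysctlLineKV) != 2 {
		return fmt.Errorf("Cannot parse %s", string(line))
	}
	// … unchanged: trim key/value, build sysctlFile, open and write …
```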


@ -37,6 +37,7 @@ type MobyImage struct {
Command []string
NetworkMode string `yaml:"network_mode"`
Pid string
Ipc string
}
const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72"
@ -77,6 +78,10 @@ func ConfigToRun(order int, path string, image *MobyImage) []string {
// TODO only "host" supported
args = append(args, "--pid="+image.Pid)
}
if image.Ipc != "" {
// TODO only "host" supported
args = append(args, "--ipc="+image.Pid)
}
for _, bind := range image.Binds {
args = append(args, "-v", bind)
}
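Review bot: The new `ipc` branch in `ConfigToRun` appends `"--ipc="+image.Pid` instead of the `Ipc` field it is guarding on, so the IPC mode is silently taken from the pid setting. It only works in this PR because moby.yml sets both to `host`; any config with differing values would get the wrong namespace, or an empty `--ipc=` when `pid` is unset. The fix is the one line `args = append(args, "--ipc="+image.Ipc)`. `ConfigToRun` begins and ends outside this hunk.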


@ -1,6 +1,13 @@
kernel: "mobylinux/kernel:598481c08deafa37dccb33c88ad69fdecda57909"
init: "mobylinux/init:2f1b5c1be1157cb17e5b1e6dee171dccdebb5277"
system:
- name: sysctl
image: "mobylinux/sysctl:9bef9130afb8023ed1b2cecb4d961ba34a0f6628"
network_mode: host
pid: host
ipc: host
capabilities:
- CAP_SYS_ADMIN
- name: binfmt
image: "mobylinux/binfmt:a94e0587b702edaa95cc6f303464959d0eb2311c@sha256:432732b90cbe0498f5ca148d75b90bb1eabd8fbfe8c872df8b23906c225091b1"
binds:
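Review bot: The new `sysctl` entry grants `pid: host` and `ipc: host` in addition to `network_mode: host` and `CAP_SYS_ADMIN`, but nothing in the accompanying `00-moby.conf` touches a PID- or IPC-namespaced key; the host network namespace is what the `net.*` keys need, and the capability plus a writable `/proc/sys` is presumably what the write itself needs. Unless the runtime requires the extra namespaces to reach `/proc/sys` (that is outside this page), dropping `pid: host` and `ipc: host` would keep the container at the minimum privilege for what it actually does. Worth a one-line comment above the entry stating why each of the retained settings is required, so the next person does not have to rediscover it.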