Merge pull request #1934 from justincormack/default-ns-change

Default ns change

pkg/binfmt/Dockerfile

@@ -19,4 +19,4 @@ COPY --from=qemu usr/bin/qemu-* usr/bin/
 COPY --from=mirror /go/bin/binfmt usr/bin/binfmt
 COPY etc/binfmt.d/00_linuxkit.conf etc/binfmt.d/00_linuxkit.conf
 CMD ["/usr/bin/binfmt", "-dir", "/etc/binfmt.d/", "-mount", "/binfmt_misc"]
-LABEL org.mobyproject.config='{"binds": ["/proc/sys/fs/binfmt_misc:/binfmt_misc"], "readonly": true}'
+LABEL org.mobyproject.config='{"binds": ["/proc/sys/fs/binfmt_misc:/binfmt_misc"], "readonly": true, "net": "new", "ipc": "new"}'

pkg/dhcpcd/Dockerfile

@@ -16,4 +16,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY /dhcpcd.conf /usr/ /
 CMD ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]
-LABEL org.mobyproject.config='{"binds": ["/var:/var", "/tmp/etc:/etc"], "net": "host", "capabilities": ["CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW"]}'
+LABEL org.mobyproject.config='{"binds": ["/var:/var", "/tmp/etc:/etc"], "capabilities": ["CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW"]}'

pkg/format/Dockerfile

@@ -19,4 +19,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY format.sh /
 CMD ["/bin/sh", "/format.sh"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"]}'
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "net": "new", "ipc": "new"}'

pkg/metadata/Dockerfile

@@ -12,4 +12,4 @@ CMD []
 WORKDIR /
 COPY --from=mirror /go/bin/metadata /usr/bin/metadata
 CMD ["/usr/bin/metadata"]
-LABEL org.mobyproject.config='{"net": "host", "binds": ["/dev:/dev", "/var:/var", "/tmp/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["CAP_SYS_ADMIN"]}'
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var", "/tmp/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["CAP_SYS_ADMIN"]}'

pkg/mount/Dockerfile

@@ -17,4 +17,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY mount.sh /
 CMD ["/bin/sh", "/mount.sh"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var:rshared,rbind"], "capabilities": ["CAP_SYS_ADMIN"], "rootfsPropagation": "shared"}'
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var:rshared,rbind"], "capabilities": ["CAP_SYS_ADMIN"], "rootfsPropagation": "shared", "net": "new", "ipc": "new"}'

pkg/node_exporter/Dockerfile

@@ -4,4 +4,4 @@ ENTRYPOINT ["/bin/node_exporter", "-collector.procfs",  "/host/proc", \
             "-collector.sysfs",  "/host/sys", \
             "-collector.filesystem.ignored-mount-points", \
             "^/(sys|proc|dev|host|etc)($|/)"]
-LABEL org.mobyproject.config='{"net": "host", "pid": "host", "binds": ["/proc:/host/proc", "/sys:/host/sys", "/:/rootfs"], "capabilities": ["all"]}'
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/proc:/host/proc", "/sys:/host/sys", "/:/rootfs"], "capabilities": ["all"]}'

pkg/open-vm-tools/Dockerfile

@@ -14,4 +14,3 @@ CMD []
 WORKDIR /
 COPY --from=mirror /out/ /
 CMD ["/usr/bin/vmtoolsd"]
-LABEL org.mobyproject.config='{"net": "host"}'

pkg/openntpd/Dockerfile

@@ -16,4 +16,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY etc/ /etc/
 CMD ["/usr/sbin/ntpd", "-d", "-s"]
-LABEL org.mobyproject.config='{"net": "host", "capabilities": ["CAP_SYS_TIME", "CAP_SYS_NICE", "CAP_SYS_CHROOT", "CAP_SETUID", "CAP_SETGID"]}'
+LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_TIME", "CAP_SYS_NICE", "CAP_SYS_CHROOT", "CAP_SETUID", "CAP_SETGID"]}'

pkg/rngd/Dockerfile

@@ -42,4 +42,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=build usr/sbin/rngd usr/sbin/rngd
 CMD ["/sbin/tini", "/usr/sbin/rngd", "-f"]
-LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_ADMIN"], "oomScoreAdj": -800, "readonly": true}'
+LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_ADMIN"], "oomScoreAdj": -800, "readonly": true, "net": "new", "ipc": "new"}'

pkg/sshd/Dockerfile

@@ -19,4 +19,4 @@ COPY etc/ /etc/
 COPY usr/ /usr/
 RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
-LABEL org.mobyproject.config='{"net": "host", "pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["all"]}'
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["all"]}'

pkg/swap/Dockerfile

@@ -16,4 +16,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY /swap.sh .
 ENTRYPOINT ["swap.sh"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"]}'
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "net": "new", "ipc": "new"}'

pkg/swap/README.md

@@ -8,7 +8,7 @@ Normally, unless you are running explicitly in a desktop version, LinuxKit image
 ```
 onboot:
   - name: swap
-    image: "linuxkit/swap:085f0088dd1ef2f994e707e438218ea4d41bad13"
+    image: "linuxkit/swap:e36b5e794256c2a56c000035f73a4d46f7ffb3e6"
     command: ["swap.sh","--path","/var/external/swap","--size","2G"]
 ```
 

pkg/sysctl/Dockerfile

@@ -13,4 +13,4 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
 COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
-LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'
+LABEL org.mobyproject.config='{"pid": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'

pkg/sysfs/Dockerfile

@@ -13,3 +13,4 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysfs /usr/bin/sysfs
 COPY etc/ /etc/
 CMD ["/usr/bin/sysfs"]
+LABEL org.mobyproject.config='{"net": "new", "ipc": "new"}'