diff --git a/Makefile b/Makefile index 7a8da284a..d38ac68e2 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ all: default VERSION="0.0" # dummy for now GIT_COMMIT=$(shell git rev-list -1 HEAD) -GO_COMPILE=linuxkit/go-compile:5bf17af781df44f07906099402680b9a661f999b@sha256:0bf523bcebb96ccc525f983a118f1fd8cb5e17dbf90e83044ca71bb983000e70 +GO_COMPILE=linuxkit/go-compile:5bf17af781df44f07906099402680b9a661f999b MOBY?=bin/moby LINUXKIT?=bin/linuxkit diff --git a/examples/docker.yml b/examples/docker.yml index fefde6a2d..9080f383d 100644 --- a/examples/docker.yml +++ b/examples/docker.yml @@ -82,5 +82,7 @@ files: trust: image: - linuxkit/kernel + - linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd diff --git a/examples/gcp.yml b/examples/gcp.yml index 666a13917..c86a3351d 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -63,6 +63,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: kernel+initrd - format: gcp-img diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index 763b47708..43716a747 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml @@ -35,5 +35,6 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: kernel+initrd diff --git a/examples/packet.yml b/examples/packet.yml index ecf6a6db8..efa09183e 100644 --- a/examples/packet.yml +++ b/examples/packet.yml @@ -43,6 +43,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' diff --git a/examples/sshd.yml b/examples/sshd.yml index 3fad65d10..18a2c5223 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -43,6 +43,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' diff --git a/examples/vmware.yml b/examples/vmware.yml index eadf07913..d100b7a92 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml 
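Review bot: Dropping the `@sha256:` digest from `GO_COMPILE` removes the content pin, and nothing in this hunk shows the tag being resolved under Docker Content Trust where `$(GO_COMPILE)` is used (those recipes are outside the hunk), so until that is confirmed the reference is a mutable tag with no verification at all, weaker than before. `pkg/init/Makefile` in the same commit pairs its digest removal with `DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE)`; either keep the digest here or add the same explicit trusted pull before the `docker run` that uses `$(GO_COMPILE)`, e.g. `DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE)`. A comment on the assignment saying why the digest went away, e.g. `# tag only (no @sha256): verified through Docker Content Trust on pull`, would stop the next reader from re-adding it.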
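Review bot: The two names added under `trust.image` are only as strong as the tags this file references for them elsewhere (outside the hunk): as I understand the `trust` section, moby verifies each listed image against Notary at build time, so the build now fails unless the `linuxkit/binfmt` and `linuxkit/rngd` tags in use have been published through the new `sign` target rather than plain `push`. Every other image in the file stays outside the list and is still fetched unverified, so the list reads as complete coverage when it is not; a short comment above it, e.g. `# images verified via Docker Content Trust at build time; all others are not`, would make that explicit. The same applies to the trust hunks in gcp.yml, node_exporter.yml, packet.yml, sshd.yml, vmware.yml, linuxkit.yml, test-docker-bench.yml and test-virtsock-server.yml.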
@@ -45,5 +45,6 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: vmdk diff --git a/linuxkit.yml b/linuxkit.yml index b18aa1756..b521580c0 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -53,6 +53,8 @@ files: trust: image: - linuxkit/kernel + - linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd - format: iso-bios diff --git a/pkg/binfmt/Makefile b/pkg/binfmt/Makefile index c306d5e93..cc7f9a65c 100644 --- a/pkg/binfmt/Makefile +++ b/pkg/binfmt/Makefile @@ -2,6 +2,7 @@ default: push IMAGE=binfmt +BASE=alpine:edge SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile main.go $(wildcard etc/binmft.d/*) @@ -14,7 +15,8 @@ hash: $(DEPS) tag: hash docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ - (docker build --no-cache -t $(IMAGE):build . && \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) push: tag @@ -23,6 +25,18 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true diff --git a/pkg/init/Makefile b/pkg/init/Makefile index 6cf6e7495..912ae1817 100644 --- a/pkg/init/Makefile +++ b/pkg/init/Makefile 
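Review bot: `BASE=alpine:edge` is a rolling tag, so what the trusted pull fetches changes over time, while the `hash` target (its recipe is outside the hunk) hashes only `$(DEPS)`: a changed base image never changes the hash, so `tag` finds the existing `linuxkit/binfmt:<hash>` in the registry and never rebuilds on the newer base. Pin a release tag as `SHA_IMAGE` already does with `alpine:3.5`, or if `edge` is required for a package the Dockerfile needs, say so in a comment, e.g. `# edge needed for <package>; rebuild is not triggered by base image changes`. `BASE` is only pre-pulled here, so it must also stay in step with the Dockerfile's `FROM` line, which is what `docker build` actually uses.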
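Review bot: Only the pre-pull of `$(BASE)` runs under `DOCKER_CONTENT_TRUST=1`; the `docker build` on the next recipe line does not, so the base image is verified only if the Dockerfile's `FROM` (outside the hunk) names exactly `$(BASE)`, and is otherwise pulled unverified by the build itself. Setting the variable on the build, `DOCKER_CONTENT_TRUST=1 docker build --no-cache -t $(IMAGE):build . && \`, makes Docker verify the `FROM` image directly and removes the coupling between `BASE` and the Dockerfile. The same pattern appears in the `signed-tag` hunk below and in the corresponding hunks of pkg/rngd, tools/c-compile, tools/go-compile, tools/tini and tools/toybox-media.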
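Review bot: `signed-tag` and `sign` are a verbatim copy of `tag`/`push` with `DOCKER_CONTENT_TRUST=1` prefixed, and the identical twelve lines are pasted into five more Makefiles in this commit (pkg/rngd, tools/c-compile, tools/go-compile, tools/tini, tools/toybox-media), so a fix in one will drift from the others. A shared fragment included by each package Makefile, or at least a single `DCT=DOCKER_CONTENT_TRUST=1` variable in place of the repeated literal, would keep them aligned. The new targets are not files; if the file declares `.PHONY: tag push` (not visible in this hunk), extend it to `.PHONY: tag push signed-tag sign`. The trusted pull at the top of `sign` is a guard against re-pushing an already signed tag and deserves a comment saying so, e.g. `# already signed and published: nothing to push`.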
@@ -1,11 +1,12 @@ -C_COMPILE=linuxkit/c-compile:63b085bbaec1aa7c42a7bd22a4b1c350d900617d@sha256:286e3a729c7a0b1a605ae150235416190f9f430c29b00e65fa50ff73158998e5 +C_COMPILE=linuxkit/c-compile:63b085bbaec1aa7c42a7bd22a4b1c350d900617d START_STOP_DAEMON=sbin/start-stop-daemon default: push $(START_STOP_DAEMON): start-stop-daemon.c mkdir -p $(dir $@) - tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf - + DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE) + tar cf - $^ | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf - .PHONY: tag push diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index f6d908d83..8a155f312 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -2,6 +2,7 @@ default: push IMAGE=rngd +BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile @@ -9,8 +10,10 @@ hash: $(DEPS) find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash tag: hash + DOCKER_CONTENT_TRUST=1 docker pull $(BASE) docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ - (docker build --no-cache -t $(IMAGE):build . && \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) push: tag 
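Review bot: The separate `DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE)` line is what makes a failed trust check abort this recipe: in the pipeline on the next line, `docker run`'s exit status is hidden behind `tar xf -` unless make's shell runs with pipefail, which this file does not show. That reasoning is not obvious from the two lines and deserves a comment, e.g. `# pull separately: a trust failure inside the pipeline would be masked by tar's exit status`. With the `@sha256:` digest gone, the only pin on `C_COMPILE` is the Notary signature, whose root key a build host accepts on first use, so `$(C_COMPILE)` is no longer content-addressed; a comment on the assignment should state that trade-off as well.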
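Review bot: `BASE` pins `linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d` while `pkg/init/Makefile` in the same commit builds with `linuxkit/c-compile:63b085bbaec1aa7c42a7bd22a4b1c350d900617d`, so two versions of the compiler image are trusted side by side. If the difference is deliberate (the rngd Dockerfile's `FROM`, outside this hunk, presumably fixes which one is valid), a comment on the assignment such as `# must match FROM in Dockerfile` would prevent someone harmonising them by mistake. The same `BASE` value is added in tools/tini and tools/toybox-media.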
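Review bot: The `DOCKER_CONTENT_TRUST=1 docker pull $(BASE)` added as the first recipe line of `tag` is repeated inside the `||` fallback two lines later, so the base image is fetched and verified twice on every build path, including the one where `linuxkit/rngd:<hash>` already exists in the registry and no build happens. The copy inside the parentheses is the right one since it runs only when a build is needed; delete the unconditional first line. The `tag` hunk in pkg/binfmt has only the conditional pull, which is the shape this should match.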
@@ -19,6 +22,18 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true diff --git a/test/docker-bench/test-docker-bench.yml b/test/docker-bench/test-docker-bench.yml index a8b63ba8f..06d1547ec 100644 --- a/test/docker-bench/test-docker-bench.yml +++ b/test/docker-bench/test-docker-bench.yml @@ -80,5 +80,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd diff --git a/test/virtsock/test-virtsock-server.yml b/test/virtsock/test-virtsock-server.yml index 40ff99063..c257084d6 100644 --- a/test/virtsock/test-virtsock-server.yml +++ b/test/virtsock/test-virtsock-server.yml @@ -43,6 +43,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: kernel+initrd - format: iso-bios diff --git a/tools/c-compile/Makefile b/tools/c-compile/Makefile index 2a143821f..864506bd8 100644 --- a/tools/c-compile/Makefile +++ b/tools/c-compile/Makefile 
@@ -23,6 +23,18 @@ tag: hash docker rmi $(IMAGE):build rm -f hash +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash diff --git a/tools/go-compile/Makefile b/tools/go-compile/Makefile index 3ca4406fb..cdd98dca5 100644 --- a/tools/go-compile/Makefile +++ b/tools/go-compile/Makefile @@ -23,6 +23,18 @@ tag: hash docker rmi $(IMAGE):build rm -f hash +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash diff --git a/tools/tini/Makefile b/tools/tini/Makefile index adacde647..bdda245b5 100644 --- a/tools/tini/Makefile +++ b/tools/tini/Makefile @@ -2,10 +2,12 @@ default: push IMAGE=tini +BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile hash: $(DEPS) + DOCKER_CONTENT_TRUST=1 docker pull $(BASE) find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash tag: hash 
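Review bot: The `signed-tag` fallback pulls `$(BASE)`, but the commit adds no `BASE` assignment to this file and none is visible in the hunk; unless it is defined earlier in the file, the fallback expands to a bare `DOCKER_CONTENT_TRUST=1 docker pull` and the trusted build path fails at the first `&&`. Add `BASE=<base image tag>` next to `IMAGE`, as pkg/binfmt, pkg/rngd, tools/tini and tools/toybox-media do in this commit, or drop the pull and rely on `DOCKER_CONTENT_TRUST=1 docker build` verifying `FROM`. tools/go-compile/Makefile has the identical hunk and the same question.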
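Review bot: The trusted pull of `$(BASE)` is added to the `hash` recipe, whose job is to compute a content hash of `$(DEPS)`; a network fetch there runs whenever `hash` is remade, including the path where `tag` finds the image already in the registry and never builds, and a registry outage or trust failure now breaks hash computation itself. Move the line into the build fallback of `tag` (outside this hunk), as the pkg/binfmt `tag` hunk does, so it runs only right before `docker build`. The tools/toybox-media `hash` hunk has the same placement.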
@@ -19,6 +21,18 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true diff --git a/tools/toybox-media/Makefile b/tools/toybox-media/Makefile index c50f62ee4..115c793bc 100644 --- a/tools/toybox-media/Makefile +++ b/tools/toybox-media/Makefile @@ -2,10 +2,12 @@ default: push IMAGE=toybox-media +BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile hash: $(DEPS) + DOCKER_CONTENT_TRUST=1 docker pull $(BASE) find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash tag: hash @@ -19,6 +21,18 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true