Merge pull request #1862 from justincormack/label-support

Label support
2025-07-19 17:26:28 +00:00 · 2017-05-20 10:31:48 +01:00 · 2017-05-20 10:31:48 +01:00 · a81a48629b
commit a81a48629b
parent ac31862c42 56121a774b
38 changed files with 232 additions and 201 deletions
--- a/2
+++ b/2
@ -17,7 +17,7 @@ endif

 PREFIX?=/usr/local/

-MOBY_COMMIT=a9a00fae6204a89baeed6903c7e2901412c1ede0
+MOBY_COMMIT=339aa5ec863c0cdabbe8331c7f530f6459a8fe92
 bin/moby: | bin
 	docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --commit $(MOBY_COMMIT) --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar
 	tar xf tmp_moby_bin.tar > $@
--- a/examples/docker.yml
+++ b/examples/docker.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: sysfs
    image: linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c
  - name: binfmt
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: dhcpcd
    image: "linuxkit/dhcpcd:cb96c09a33c166eca6530f166f0f79927c3e83b0"
    binds:
--- a/examples/packet.yml
+++ b/examples/packet.yml
@ -8,12 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
 services:
  - name: rngd
    image: "linuxkit/rngd:c97ef16be340884a985d8b025983505a9bcc51f0"
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@ -8,12 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
 services:
  - name: rngd
    image: "linuxkit/rngd:c97ef16be340884a985d8b025983505a9bcc51f0"
--- a/examples/swap.yml
+++ b/examples/swap.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: binfmt
    image: "linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07"
    binds:
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
 services:
  - name: rngd
    image: "linuxkit/rngd:c97ef16be340884a985d8b025983505a9bcc51f0"
--- a/linuxkit.yml
+++ b/linuxkit.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: binfmt
    image: "linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07"
    binds:
--- a/pkg/sysctl/Dockerfile
+++ b/pkg/sysctl/Dockerfile
@ -1,3 +1,16 @@
+FROM linuxkit/alpine:6fd232518678407a5ce4b31f7e21e07a883b4ba4@sha256:f5084a6b1716dd931749d1308529ee904f87fa74a5a9523f23046c4a1215424e AS mirror
+
+RUN apk add --no-cache go musl-dev
+ENV GOPATH=/go PATH=$PATH:/go/bin
+
+COPY main.go /go/src/sysctl/
+RUN go-compile.sh /go/src/sysctl
+
 FROM scratch
-COPY . ./
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
+COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
+LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'
--- a/pkg/sysctl/Makefile
+++ b/pkg/sysctl/Makefile
@ -1,45 +1,15 @@
-GO_COMPILE=linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5
-
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
-SYSCTL_BINARY=usr/bin/sysctl
+.PHONY: tag push
+default: push

 ORG?=linuxkit
 IMAGE=sysctl
+DEPS=Dockerfile Makefile main.go

-.PHONY: tag push clean container
-default: push
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')

-$(SYSCTL_BINARY): main.go
-	mkdir -p $(dir $@)
-	tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(GO_COMPILE) -o $@ | tar xf -
+tag: $(DEPS)
+	docker build --squash --no-cache --network=none -t $(ORG)/$(IMAGE):$(HASH) .

-DIRS=dev proc sys
-$(DIRS):
-	mkdir -p $@
-
-DEPS=$(DIRS) $(SYSCTL_BINARY) etc/sysctl.d/00-moby.conf
-
-container: Dockerfile $(DEPS)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-
-hash: Dockerfile $(DEPS)
-	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
-
-push: hash container
-	docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build $(ORG)/$(IMAGE):$(shell cat hash) && \
-		 docker push $(ORG)/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: hash container
-	docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build $(ORG)/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-clean:
-	rm -rf hash $(DIRS) usr
-
-.DELETE_ON_ERROR:
+push: tag
+	docker pull $(ORG)/$(IMAGE):$(HASH) || \
+	docker push $(ORG)/$(IMAGE):$(HASH)
--- a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
+++ b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
--- a/projects/etcd/etcd.yml
+++ b/projects/etcd/etcd.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: format
    image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551"
    binds:
--- a/projects/etcd/prom-us-central1-f.yml
+++ b/projects/etcd/prom-us-central1-f.yml
@ -8,13 +8,7 @@ init:
  - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: dhcpcd
    image: "linuxkit/dhcpcd:cb96c09a33c166eca6530f166f0f79927c3e83b0"
    binds:
--- a/projects/ima-namespace/ima-namespace.yml
+++ b/projects/ima-namespace/ima-namespace.yml
@ -9,13 +9,7 @@ init:
  - linuxkit/ima-utils:fe119c7dac08884f4144cd106dc279ddd8b37517
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: binfmt
    image: "linuxkit/binfmt:131026c0cf6084467316395fed3b358f64bda00c"
    binds:
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: sysfs
    image: linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c
  - name: binfmt
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: sysfs
    image: linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c
  - name: binfmt
--- a/projects/logging/examples/logging.yml
+++ b/projects/logging/examples/logging.yml
@ -9,13 +9,7 @@ init:
  - linuxkit/memlogd:9b5834189f598f43c507f6938077113906f51012
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: binfmt
    image: "linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07"
    binds:
--- a/projects/miragesdk/examples/mirage-dhcp.yml
+++ b/projects/miragesdk/examples/mirage-dhcp.yml
@ -8,13 +8,7 @@ init:
  - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: binfmt
    image: linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07
    binds:
--- a/projects/okernel/examples/okernel_simple.yaml
+++ b/projects/okernel/examples/okernel_simple.yaml
@ -8,12 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
 services:
  - name: rngd
    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: dhcpcd
    image: "linuxkit/dhcpcd:cb96c09a33c166eca6530f166f0f79927c3e83b0"
    binds:
--- a/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml
+++ b/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml
@ -7,12 +7,8 @@ init:
  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
 onboot:
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
    command: ["/bin/sh", "/poweroff.sh", "10"]
-    capabilities:
-     - CAP_SYS_BOOT
-    readonly: true
 trust:
  image:
    - linuxkit/kernel
--- a/test/cases/010_platforms/000_qemu/010_run_iso/test.yml
+++ b/test/cases/010_platforms/000_qemu/010_run_iso/test.yml
@ -7,12 +7,8 @@ init:
  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
 onboot:
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
    command: ["/bin/sh", "/poweroff.sh", "10"]
-    capabilities:
-     - CAP_SYS_BOOT
-    readonly: true
 trust:
  image:
    - linuxkit/kernel
--- a/test/cases/010_platforms/000_qemu/020_run_efi/test.yml
+++ b/test/cases/010_platforms/000_qemu/020_run_efi/test.yml
@ -7,12 +7,8 @@ init:
  - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed
 onboot:
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
    command: ["/bin/sh", "/poweroff.sh", "10"]
-    capabilities:
-     - CAP_SYS_BOOT
-    readonly: true
 trust:
  image:
    - linuxkit/kernel
--- a/test/cases/020_kernel/000_config/test-kernel-config.yml
+++ b/test/cases/020_kernel/000_config/test-kernel-config.yml
@ -22,11 +22,7 @@ onboot:
    image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
    readonly: true
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
    command: ["/bin/sh", "/poweroff.sh", "3"]
-    capabilities:
-     - CAP_SYS_BOOT
-    readonly: true
 outputs:
  - format: kernel+initrd
--- a/test/cases/020_kernel/010_kmod/kmod.yml
+++ b/test/cases/020_kernel/010_kmod/kmod.yml
@ -14,11 +14,7 @@ onboot:
    capabilities:
     - all
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
    command: ["/bin/sh", "/poweroff.sh", "3"]
-    capabilities:
-     - CAP_SYS_BOOT
-    readonly: true
 outputs:
  - format: kernel+initrd
--- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml
+++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
@ -8,13 +8,7 @@ init:
  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
 onboot:
  - name: sysctl
-    image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a"
-    net: host
-    pid: host
-    ipc: host
-    capabilities:
-     - CAP_SYS_ADMIN
-    readonly: true
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
  - name: sysfs
    image: "linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c"
  - name: binfmt
--- a/test/cases/040_packages/000_sysctl/test-sysctl.yml
+++ b/test/cases/040_packages/000_sysctl/test-sysctl.yml
@ -0,0 +1,22 @@
+kernel:
+  image: "linuxkit/kernel:4.9.x"
+  cmdline: "console=ttyS0 page_poison=1"
+init:
+  - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
+  - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
+  - linuxkit/containerd:1c71f95fa36040ea7e987deb98a7a2a363853f01
+  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+onboot:
+  - name: sysctl
+    image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c"
+  - name: test
+    image: "linuxkit/test-sysctl:c4df4c4d692904d6245dcdef1f4a79389bd3d894"
+  - name: poweroff
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
+trust:
+  image:
+    - linuxkit/kernel
+    - linuxkit/binfmt
+    - linuxkit/rngd
+outputs:
+  - format: kernel+initrd
--- a/test/cases/040_packages/000_sysctl/test.sh
+++ b/test/cases/040_packages/000_sysctl/test.sh
@ -0,0 +1,23 @@
+#!/bin/sh
+# SUMMARY: Check that the sysctl config works
+# LABELS:
+# REPEAT:
+# AUTHOR: Justin Cormack <justin.cormack@docker.com>
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+clean_up() {
+	find . -iname "test-sysctl*" -not -iname "*.yml" -exec rm -rf {} \;
+}
+trap clean_up EXIT
+
+# Test code goes here
+moby build test-sysctl
+RESULT="$(linuxkit run qemu test-sysctl)"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0
--- a/test/cases/040_packages/group.sh
+++ b/test/cases/040_packages/group.sh
@ -0,0 +1,36 @@
+#!/bin/sh
+# SUMMARY: LinuxKit package tests
+# LABELS:
+# For the top level group.sh also specify a 'NAME:' comment
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+#. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+
+group_init() {
+    # Group initialisation code goes here
+    return 0
+}
+
+group_deinit() {
+    # Group de-initialisation code goes here
+    return 0
+}
+
+CMD=$1
+case $CMD in
+init)
+    group_init
+    res=$?
+    ;;
+deinit)
+    group_deinit
+    res=$?
+    ;;
+*)
+    res=1
+    ;;
+esac
+
+exit $res
--- a/test/hack/test-ltp.yml
+++ b/test/hack/test-ltp.yml
@ -16,11 +16,7 @@ onboot:
    capabilities:
     - all
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
-    capabilities:
-      - CAP_SYS_BOOT
-    readonly: true
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 files:
  - path: /etc/ltp/baseline
    contents: "100"
--- a/test/hack/test.yml
+++ b/test/hack/test.yml
@ -24,11 +24,7 @@ onboot:
    image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
    readonly: true
  - name: poweroff
-    image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
-    pid: host
+    image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
    command: ["/bin/sh", "/poweroff.sh", "3"]
-    capabilities:
-     - CAP_SYS_BOOT
-    readonly: true
 outputs:
    - format: gcp-img
--- a/test/pkg/poweroff/Dockerfile
+++ b/test/pkg/poweroff/Dockerfile
@ -1,3 +1,4 @@
 FROM alpine:3.5
 ADD . ./
 ENTRYPOINT ["/bin/sh", "/poweroff.sh"]
+LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true, "capabilities": ["CAP_SYS_BOOT"]}'
--- a/test/pkg/sysctl/Dockerfile
+++ b/test/pkg/sysctl/Dockerfile
@ -0,0 +1,4 @@
+FROM alpine:edge
+ADD . ./
+ENTRYPOINT ["/bin/sh", "/check.sh"]
+LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true}'
--- a/test/pkg/sysctl/Makefile
+++ b/test/pkg/sysctl/Makefile
@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=test-sysctl
+
+default: push
+
+hash: Dockerfile check.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > hash
+
+push: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+		 docker push linuxkit/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:
--- a/test/pkg/sysctl/check.sh
+++ b/test/pkg/sysctl/check.sh
@ -0,0 +1,11 @@
+#!/bin/sh
+
+function failed {
+	printf "sysctl test suite FAILED\n" >&1
+	exit 1
+}
+
+# this is a non default value, so will fail if sysctl failed
+[ "$(sysctl -n fs.inotify.max_user_watches)" -eq 524288 ] || failed
+
+printf "Sysctl test suite PASSED\n" >&1
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@ -25,10 +25,19 @@ RUN abuild-sign /mirror/$(uname -m)/APKINDEX.tar.gz
 # set this as our repo
 RUN echo "/mirror" > /etc/apk/repositories && apk update

+# add Go validation tools
+COPY go-compile.sh /go/bin/
+RUN apk add --no-cache build-base git go
+ENV GOPATH=/go PATH=$PATH:/go/bin
+RUN go get -u github.com/golang/lint/golint
+RUN go get -u github.com/gordonklaus/ineffassign
+RUN go get -u github.com/LK4D4/vndr
+
 FROM alpine:edge

 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
 COPY --from=mirror /etc/apk/keys /etc/apk/keys/
 COPY --from=mirror /mirror /mirror/
+COPY --from=mirror /go/bin /go/bin/

 RUN apk update && apk upgrade -a
--- a/tools/alpine/Makefile
+++ b/tools/alpine/Makefile
@ -6,14 +6,10 @@ BASE=alpine:edge

 default: push

-define NEWLINE
-
-endef
-
-hash: Dockerfile packages
+hash:
 	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm $(IMAGE):build sh -c 'find /mirror -name '*.apk' -type f | xargs cat | cat /lib/apk/db/installed - | sha1sum' | sed 's/ .*//' > $@
+	docker build --no-cache -t $(IMAGE):build .
+	docker run --rm $(IMAGE):build sh -c 'echo /lib/apk/db/installed $$(find /mirror -name '*.apk' -type f) $$(find /go/bin -type f) | xargs cat | sha1sum' | sed 's/ .*//' > $@

 push: hash
 	docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
@ -31,5 +27,3 @@ tag: hash

 clean:
 	rm -f hash
-
-.DELETE_ON_ERROR:
--- a/tools/alpine/go-compile.sh
+++ b/tools/alpine/go-compile.sh
@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+	echo "Usage: dir"
+	exit 1
+}
+
+[ $# = 0 ] && usage
+
+dir="$1"
+
+cd "$dir"
+
+# lint before building
+>&2 echo "gofmt..."
+test -z $(gofmt -s -l .| grep -v .pb. | grep -v vendor/ | tee /dev/stderr)
+
+>&2 echo "govet..."
+test -z $(GOOS=linux go tool vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)
+
+>&2 echo "golint..."
+test -z $(find . -type f -name "*.go" -not -path "*/vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)
+
+>&2 echo "ineffassign..."
+test -z $(find . -type f -name "*.go" -not -path "*/vendor/*" -not -name "*.pb.*" -exec ineffassign {} \; | tee /dev/stderr)
+
+>&2 echo "go test..."
+go test
+
+>&2 echo "go build..."
+
+export CGO_ENABLED=0
+
+if [ "$GOOS" = "darwin" -o "$GOOS" = "windows" ]
+then
+	if [ -z "$ldflags" ]
+	then
+		go install
+	else
+		go install -ldflags "${ldflags}"
+	fi
+else
+	go install -buildmode pie -ldflags "-s -w ${ldflags} -extldflags \"-fno-PIC -static\""
+fi