From 78728c281df3cb44f846416daa4f2e4a22d02418 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Fri, 19 May 2017 14:22:12 +0100
Subject: [PATCH 1/8] Add go-compile script to linuxkit/alpine
This means Go code can use the same base image, which now includes Go tooling.
Signed-off-by: Justin Cormack
---
 tools/alpine/Dockerfile | 9 ++++++++
 tools/alpine/Makefile | 12 +++-------
 tools/alpine/go-compile.sh | 46 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 9 deletions(-)
 create mode 100755 tools/alpine/go-compile.sh
diff --git a/tools/alpine/Dockerfile b/tools/alpine/Dockerfile
index 06645d186..b4f947728 100644
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@@ -25,10 +25,19 @@ RUN abuild-sign /mirror/$(uname -m)/APKINDEX.tar.gz
 # set this as our repo
 RUN echo "/mirror" > /etc/apk/repositories && apk update
+# add Go validation tools
+COPY go-compile.sh /go/bin/
+RUN apk add --no-cache build-base git go
+ENV GOPATH=/go PATH=$PATH:/go/bin
+RUN go get -u github.com/golang/lint/golint
+RUN go get -u github.com/gordonklaus/ineffassign
+RUN go get -u github.com/LK4D4/vndr
+
 FROM alpine:edge
 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
 COPY --from=mirror /etc/apk/keys /etc/apk/keys/
 COPY --from=mirror /mirror /mirror/
+COPY --from=mirror /go/bin /go/bin/
 RUN apk update && apk upgrade -a
diff --git a/tools/alpine/Makefile b/tools/alpine/Makefile
index 06671198c..d5447d99b 100644
--- a/tools/alpine/Makefile
+++ b/tools/alpine/Makefile
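Review bot: The three `RUN go get -u …` lines fetch golint, ineffassign and vndr from the tip of their upstream default branches at build time, with no commit pin or checksum, so the base image that every Go package in the tree is built and linted from changes whenever any of those repositories does, and a compromised or broken upstream revision propagates into all downstream builds without a reviewable diff here. The content hash the Makefile derives from /go/bin records which binaries ended up in the image but does not tie them to a reviewed revision. A pinned form is `RUN go get -d github.com/golang/lint/golint && git -C /go/src/github.com/golang/lint checkout <PINNED_COMMIT> && go install github.com/golang/lint/golint`, repeated for the other two tools, with a comment naming the pinned commits so bumps are visible in review. By contrast `apk add --no-cache build-base git go` is served from the local mirror built earlier in this stage, so that step is reproducible.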
@@ -6,14 +6,10 @@ BASE=alpine:edge
 default: push
-define NEWLINE
-
-endef
-
-hash: Dockerfile packages
+hash:
 DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
- tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
- docker run --rm $(IMAGE):build sh -c 'find /mirror -name '*.apk' -type f | xargs cat | cat /lib/apk/db/installed - | sha1sum' | sed 's/ .*//' > $@
+ docker build --no-cache -t $(IMAGE):build .
+ docker run --rm $(IMAGE):build sh -c 'echo /lib/apk/db/installed $$(find /mirror -name '*.apk' -type f) $$(find /go/bin -type f) | xargs cat | sha1sum' | sed 's/ .*//' > $@
 push: hash
 docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
@@ -31,5 +27,3 @@ tag: hash
 clean:
 rm -f hash
-
-.DELETE_ON_ERROR:
diff --git a/tools/alpine/go-compile.sh b/tools/alpine/go-compile.sh
new file mode 100755
index 000000000..abe1f2909
--- /dev/null
+++ b/tools/alpine/go-compile.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+ echo "Usage: dir"
+ exit 1
+}
+
+[ $# = 0 ] && usage
+
+dir="$1"
+
+cd "$dir"
+
+# lint before building
+>&2 echo "gofmt..."
+test -z $(gofmt -s -l .| grep -v .pb. | grep -v vendor/ | tee /dev/stderr)
+
+>&2 echo "govet..."
+test -z $(GOOS=linux go tool vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)
+
+>&2 echo "golint..."
+test -z $(find . -type f -name "*.go" -not -path "*/vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)
+
+>&2 echo "ineffassign..."
+test -z $(find . -type f -name "*.go" -not -path "*/vendor/*" -not -name "*.pb.*" -exec ineffassign {} \; | tee /dev/stderr)
+
+>&2 echo "go test..."
+go test
+
+>&2 echo "go build..."
+
+export CGO_ENABLED=0
+
+if [ "$GOOS" = "darwin" -o "$GOOS" = "windows" ]
+then
+ if [ -z "$ldflags" ]
+ then
+ go install
+ else
+ go install -ldflags "${ldflags}"
+ fi
+else
+ go install -buildmode pie -ldflags "-s -w ${ldflags} -extldflags \"-fno-PIC -static\""
+fi
From e12b5a36ba6df3ff9bb735604e04b27d5f266d25 Mon Sep 17 00:00:00 2001
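Review bot: The rewritten hash recipe feeds `$$(find /mirror -name '*.apk' -type f) $$(find /go/bin -type f)` straight into `xargs cat | sha1sum` without sorting, so the resulting tag depends on directory-entry order rather than on content alone, and two builds of byte-identical content can be tagged differently; piping each `find` through `| sort` makes the hash a function of content only. The `'*.apk'` inside the single-quoted `sh -c '…'` string also closes and reopens the outer quotes, so the pattern appears to survive only because neither the Makefile's shell nor the container's working directory happens to contain a matching file; writing it as `-name "*.apk"` inside the outer single quotes makes the quoting explicit. Both points predate this commit, but the line is rewritten here.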
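Review bot: All four lint checks use an unquoted `test -z $(…)`, so when a linter reports more than one path the substitution splits into several words and `test` aborts with "too many arguments" instead of producing a clean non-zero check result; quoting the substitution, `test -z "$(gofmt -s -l . | grep -v .pb. | grep -v vendor/ | tee /dev/stderr)"`, fixes the gofmt line and the same change applies to the govet, golint and ineffassign lines. The script also takes `GOOS` and `ldflags` from the caller's environment, which becomes the interface every package build relies on, so a header comment such as `# usage: go-compile.sh <package dir>; honours GOOS and ldflags from the environment; on Linux builds a static, stripped PIE binary into $GOPATH/bin` would document the contract. Finally `grep -v .pb.` is an unanchored regex in which `.` matches any character, so it silently excludes more than generated protobuf files; `grep -v '\.pb\.'` matches what the comment intends.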
From: Justin Cormack
Date: Fri, 19 May 2017 14:22:45 +0100
Subject: [PATCH 2/8] Convert sysctl to using linuxkit/alpine and nested build
Signed-off-by: Justin Cormack
---
 pkg/sysctl/Dockerfile | 14 +++++-
 pkg/sysctl/Makefile | 48 ++++---------------
 .../{00-moby.conf => 00-linuxkit.conf} | 0
 3 files changed, 22 insertions(+), 40 deletions(-)
 rename pkg/sysctl/etc/sysctl.d/{00-moby.conf => 00-linuxkit.conf} (100%)
diff --git a/pkg/sysctl/Dockerfile b/pkg/sysctl/Dockerfile
index 2f131268e..c3887e206 100644
--- a/pkg/sysctl/Dockerfile
+++ b/pkg/sysctl/Dockerfile
@@ -1,3 +1,15 @@
+FROM linuxkit/alpine:6fd232518678407a5ce4b31f7e21e07a883b4ba4@sha256:f5084a6b1716dd931749d1308529ee904f87fa74a5a9523f23046c4a1215424e AS mirror
+
+RUN apk add --no-cache go musl-dev
+ENV GOPATH=/go PATH=$PATH:/go/bin
+
+COPY main.go /go/src/sysctl/
+RUN go-compile.sh /go/src/sysctl
+
 FROM scratch
-COPY . ./
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
+COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
diff --git a/pkg/sysctl/Makefile b/pkg/sysctl/Makefile
index 058a30c12..de7ae2bba 100644
--- a/pkg/sysctl/Makefile
+++ b/pkg/sysctl/Makefile
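Review bot: `CMD []` is superseded four lines later by `CMD ["/usr/bin/sysctl"]`, and `ENTRYPOINT []` clears a value that a `FROM scratch` stage never inherits, so both resets are dead instructions unless the moby tool treats an explicit empty array as a marker when it reads the image config. If that is the intent a comment such as `# explicit empty ENTRYPOINT so the moby tool does not inherit one` above them would record it; otherwise drop `CMD []`. The rest of the stage is in good shape: the build base is pinned by digest, compilation happens in the `mirror` stage, and only `/usr/bin/sysctl` and `/etc/` reach the runtime layer.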
@@ -1,45 +1,15 @@
-GO_COMPILE=linuxkit/go-compile:4513068d9a7e919e4ec42e2d7ee879ff5b95b7f5@sha256:bdfadbe3e4ec699ca45b67453662321ec270f2d1a1dbdbf09625776d3ebd68c5
-
-SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
-
-SYSCTL_BINARY=usr/bin/sysctl
+.PHONY: tag push
+default: push
 ORG?=linuxkit
 IMAGE=sysctl
+DEPS=Dockerfile Makefile main.go
-.PHONY: tag push clean container
-default: push
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
-$(SYSCTL_BINARY): main.go
- mkdir -p $(dir $@)
- tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(GO_COMPILE) -o $@ | tar xf -
+tag: $(DEPS)
+ docker build --squash --no-cache --network=none -t $(ORG)/$(IMAGE):$(HASH) .
-DIRS=dev proc sys
-$(DIRS):
- mkdir -p $@
-
-DEPS=$(DIRS) $(SYSCTL_BINARY) etc/sysctl.d/00-moby.conf
-
-container: Dockerfile $(DEPS)
- tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-
-hash: Dockerfile $(DEPS)
- find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
-
-push: hash container
- docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
- (docker tag $(IMAGE):build $(ORG)/$(IMAGE):$(shell cat hash) && \
- docker push $(ORG)/$(IMAGE):$(shell cat hash))
- docker rmi $(IMAGE):build
- rm -f hash
-
-tag: hash container
- docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
- docker tag $(IMAGE):build $(ORG)/$(IMAGE):$(shell cat hash)
- docker rmi $(IMAGE):build
- rm -f hash
-
-clean:
- rm -rf hash $(DIRS) usr
-
-.DELETE_ON_ERROR:
+push: tag
+ docker pull $(ORG)/$(IMAGE):$(HASH) || \
+ docker push $(ORG)/$(IMAGE):$(HASH)
diff --git a/pkg/sysctl/etc/sysctl.d/00-moby.conf b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
similarity index 100%
rename from pkg/sysctl/etc/sysctl.d/00-moby.conf
rename to pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
From 345a294b5e88a538fc5f893dbbd7bec0e0cd1ac6 Mon Sep 17 00:00:00 2001
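Review bot: `HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')` derives the image tag from the tree object committed at HEAD, so a build from a working tree with uncommitted edits to Dockerfile, main.go or etc/ is tagged with a hash that does not describe its contents, and `push: tag` then runs `docker pull … || docker push …`, which keeps whatever already exists in the registry under that tag and silently discards the image just built. A guard at the top of the `tag` recipe, `@test -z "$$(git status --porcelain -- .)" || { echo "uncommitted changes in $(CURDIR); commit before building"; exit 1; }`, or at minimum a comment `# HASH is the git tree hash of this directory at HEAD, so the image only matches committed content` above the variable, would make the contract explicit. `--network=none` on the build is a good reproducibility control here, since the only inputs are the digest-pinned base and the build context.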
From: Justin Cormack
Date: Fri, 19 May 2017 15:41:13 +0100
Subject: [PATCH 3/8] Add a test case for the sysctl package
Signed-off-by: Justin Cormack
---
 .../040_packages/000_sysctl/test-sysctl.yml | 36 +++++++++++++++++++
 test/cases/040_packages/000_sysctl/test.sh | 23 ++++++++++++
 test/cases/040_packages/group.sh | 36 +++++++++++++++++++
 test/pkg/sysctl/Dockerfile | 3 ++
 test/pkg/sysctl/Makefile | 29 +++++++++++++++
 test/pkg/sysctl/check.sh | 11 ++++++
 6 files changed, 138 insertions(+)
 create mode 100644 test/cases/040_packages/000_sysctl/test-sysctl.yml
 create mode 100644 test/cases/040_packages/000_sysctl/test.sh
 create mode 100644 test/cases/040_packages/group.sh
 create mode 100644 test/pkg/sysctl/Dockerfile
 create mode 100644 test/pkg/sysctl/Makefile
 create mode 100755 test/pkg/sysctl/check.sh
diff --git a/test/cases/040_packages/000_sysctl/test-sysctl.yml b/test/cases/040_packages/000_sysctl/test-sysctl.yml
new file mode 100644
index 000000000..10d20fc44
--- /dev/null
+++ b/test/cases/040_packages/000_sysctl/test-sysctl.yml
@@ -0,0 +1,36 @@
+kernel:
+ image: "linuxkit/kernel:4.9.x"
+ cmdline: "console=ttyS0 page_poison=1"
+init:
+ - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
+ - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
+ - linuxkit/containerd:1c71f95fa36040ea7e987deb98a7a2a363853f01
+ - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+onboot:
+ - name: sysctl
+ image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
+ net: host
+ pid: host
+ ipc: host
+ capabilities:
+ - CAP_SYS_ADMIN
+ readonly: true
+ - name: test
+ image: "linuxkit/test-sysctl:37315a58ec0c18a28be7e2770feb3bf38384492d"
+ net: host
+ pid: host
+ - name: poweroff
+ image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084"
+ net: host
+ pid: host
+ command: ["/bin/sh", "/poweroff.sh", "3"]
+ capabilities:
+ - CAP_SYS_BOOT
+ readonly: true
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/binfmt
+ - linuxkit/rngd
+outputs:
+ - format: kernel+initrd
diff --git a/test/cases/040_packages/000_sysctl/test.sh b/test/cases/040_packages/000_sysctl/test.sh
new file mode 100644
index 000000000..30d0ed43a
--- /dev/null
+++ b/test/cases/040_packages/000_sysctl/test.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# SUMMARY: Check that the sysctl config works
+# LABELS:
+# REPEAT:
+# AUTHOR: Justin Cormack
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+clean_up() {
+ find . -iname "test-sysctl*" -not -iname "*.yml" -exec rm -rf {} \;
+}
+trap clean_up EXIT
+
+# Test code goes here
+moby build test-sysctl
+RESULT="$(linuxkit run qemu test-sysctl)"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0
diff --git a/test/cases/040_packages/group.sh b/test/cases/040_packages/group.sh
new file mode 100644
index 000000000..542439da7
--- /dev/null
+++ b/test/cases/040_packages/group.sh
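Review bot: The `trust:` section lists `linuxkit/binfmt` and `linuxkit/rngd`, neither of which is referenced anywhere in this configuration, while the three hash-pinned `onboot` images are not listed and the only image pulled by a floating tag, `linuxkit/kernel:4.9.x`, is. The list looks carried over from another example; trimming it to the images this test actually uses (`linuxkit/kernel` here) keeps the trust policy honest about what the build verifies. The test container (`name: test`) also shares `net: host` and `pid: host` but, unlike its two neighbours, has no `readonly: true`; adding it would keep the three stanzas consistent.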
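Review bot: `clean_up` runs `find . -iname "test-sysctl*" -not -iname "*.yml" -exec rm -rf {} \;` without `-depth`, so after `rm -rf` removes a matching directory find still tries to descend into it and reports a "No such file or directory" error on every run; `find . -depth -iname "test-sysctl*" -not -iname "*.yml" -exec rm -rf {} \;` processes children first and avoids that. It is also worth a comment above `trap clean_up EXIT`, `# remove moby build outputs (initrd, kernel, cmdline) but keep the source yml`, since the pattern is the only thing preventing the test's own `test-sysctl.yml` from being deleted.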
@@ -0,0 +1,36 @@
+#!/bin/sh
+# SUMMARY: LinuxKit package tests
+# LABELS:
+# For the top level group.sh also specify a 'NAME:' comment
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+#. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+
+group_init() {
+ # Group initialisation code goes here
+ return 0
+}
+
+group_deinit() {
+ # Group de-initialisation code goes here
+ return 0
+}
+
+CMD=$1
+case $CMD in
+init)
+ group_init
+ res=$?
+ ;;
+deinit)
+ group_deinit
+ res=$?
+ ;;
+*)
+ res=1
+ ;;
+esac
+
+exit $res
diff --git a/test/pkg/sysctl/Dockerfile b/test/pkg/sysctl/Dockerfile
new file mode 100644
index 000000000..a95ccd109
--- /dev/null
+++ b/test/pkg/sysctl/Dockerfile
@@ -0,0 +1,3 @@
+FROM alpine:edge
+ADD . ./
+ENTRYPOINT ["/bin/sh", "/check.sh"]
diff --git a/test/pkg/sysctl/Makefile b/test/pkg/sysctl/Makefile
new file mode 100644
index 000000000..aa7e8aa90
--- /dev/null
+++ b/test/pkg/sysctl/Makefile
@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=test-sysctl
+
+default: push
+
+hash: Dockerfile check.sh
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+ tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+ docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > hash
+
+push: hash
+ docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+ (docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
+ docker push linuxkit/$(IMAGE):$(shell cat hash))
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+tag: hash
+ docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
+ docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+clean:
+ rm -f hash
+
+.DELETE_ON_ERROR:
diff --git a/test/pkg/sysctl/check.sh b/test/pkg/sysctl/check.sh
new file mode 100755
index 000000000..28704978f
--- /dev/null
+++ b/test/pkg/sysctl/check.sh
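Review bot: `FROM alpine:edge` does not match the image the accompanying Makefile verifies: its `hash:` recipe runs `DOCKER_CONTENT_TRUST=1 docker pull $(BASE)` with `BASE=alpine:3.5`, so the content-trust check is performed on an image the build never consumes and the test image is actually built from a floating, unverified tag. Making the two agree, preferably `FROM alpine:3.5` here so the trust-pulled image is the one used (or pinning by digest), closes that gap. `ADD . ./` should also be `COPY . ./`; the archive-extraction and URL behaviour of ADD is not wanted for two plain files.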
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+function failed {
+ printf "sysctl test suite FAILED\n" >&1
+ exit 1
+}
+
+# this is a non default value, so will fail if sysctl failed
+[ "$(sysctl -n fs.inotify.max_user_watches)" -eq 524288 ] || failed
+
+printf "Sysctl test suite PASSED\n" >&1
From 4b30328c74a0a8eda4f529f528b664b571adb718 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Fri, 19 May 2017 15:54:11 +0100
Subject: [PATCH 4/8] Add label to sysctl image
Signed-off-by: Justin Cormack
---
 pkg/sysctl/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/sysctl/Dockerfile b/pkg/sysctl/Dockerfile
index c3887e206..31b43ac11 100644
--- a/pkg/sysctl/Dockerfile
+++ b/pkg/sysctl/Dockerfile
@@ -13,3 +13,4 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
 COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
+LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'
From 07a8ceb9c95e4905ce56f6e108ae243720cfea41 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Fri, 19 May 2017 15:58:46 +0100
Subject: [PATCH 5/8] Update moby tool to support config in labels
Signed-off-by: Justin Cormack
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index f57e08deb..b5e32c1e0 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ endif
 PREFIX?=/usr/local/
-MOBY_COMMIT=a9a00fae6204a89baeed6903c7e2901412c1ede0
+MOBY_COMMIT=339aa5ec863c0cdabbe8331c7f530f6459a8fe92
 bin/moby: | bin
 docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --commit $(MOBY_COMMIT) --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar
 tar xf tmp_moby_bin.tar > $@
From 702ad5d9d9646826a158774c9bd2cde259723856 Mon Sep 17 00:00:00 2001
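Review bot: `function failed {` is a bash/ksh keyword in a script whose shebang is `#!/bin/sh`; the image is Alpine so this runs under BusyBox ash, which may well accept it, but the portable form `failed() {` costs nothing and is what ShellCheck expects for `sh`. The `>&1` on both `printf` lines redirects stdout to itself and can be dropped; if the intent was to send the failure message to stderr, `>&2` is what does that. The two messages also differ in capitalisation ("sysctl test suite FAILED" versus "Sysctl test suite PASSED"), which is harmless for the `grep -q "suite PASSED"` in test.sh but worth aligning so future greps on the prefix behave predictably.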
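Review bot: Moving `"net": "host"`, `"pid": "host"`, `"ipc": "host"` and `"capabilities": ["CAP_SYS_ADMIN"]` into `LABEL org.mobyproject.config` makes the privilege grant a property of the image rather than of the YAML a reviewer reads; the later hunks in this series (examples/*.yml, linuxkit.yml, projects/**/*.yml, the test configs) delete the explicit `capabilities:` blocks, so no configuration file any longer shows that sysctl runs with CAP_SYS_ADMIN in the host namespaces. Presumably the moby tool merges the label with the YAML and a per-config override is still possible — if so, a comment above the label, `# runtime defaults read by the moby tool; settings in the yml override these`, would record that and point reviewers at where the privileges now live. Keeping `"readonly": true` in the label, as done here, is the right default.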
From: Justin Cormack Date: Fri, 19 May 2017 16:05:17 +0100 Subject: [PATCH 6/8] Update git hashes for sysctl And remove all the config options as they are now in the label. Signed-off-by: Justin Cormack --- examples/docker.yml | 8 +------- examples/gcp.yml | 8 +------- examples/packet.yml | 7 +------ examples/sshd.yml | 7 +------ examples/swap.yml | 8 +------- examples/vmware.yml | 8 +------- linuxkit.yml | 8 +------- projects/etcd/etcd.yml | 8 +------- projects/etcd/prom-us-central1-f.yml | 8 +------- projects/ima-namespace/ima-namespace.yml | 8 +------- projects/kubernetes/kube-master.yml | 8 +------- projects/kubernetes/kube-node.yml | 8 +------- projects/logging/examples/logging.yml | 8 +------- projects/miragesdk/examples/mirage-dhcp.yml | 8 +------- projects/okernel/examples/okernel_simple.yaml | 7 +------ projects/swarmd/swarmd.yml | 8 +------- .../030_security/000_docker-bench/test-docker-bench.yml | 8 +------- test/cases/040_packages/000_sysctl/test-sysctl.yml | 8 +------- 18 files changed, 18 insertions(+), 123 deletions(-) diff --git a/examples/docker.yml b/examples/docker.yml index cf8b9244e..541e93f97 100644 --- a/examples/docker.yml +++ b/examples/docker.yml @@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: sysfs image: linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c - name: binfmt diff --git a/examples/gcp.yml b/examples/gcp.yml index 97c8109c8..9ad411d8b 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml 
@@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: dhcpcd image: "linuxkit/dhcpcd:cb96c09a33c166eca6530f166f0f79927c3e83b0" binds: diff --git a/examples/packet.yml b/examples/packet.yml index 66c6f81a7..99b0bbd3e 100644 --- a/examples/packet.yml +++ b/examples/packet.yml @@ -8,12 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" services: - name: rngd image: "linuxkit/rngd:c97ef16be340884a985d8b025983505a9bcc51f0" diff --git a/examples/sshd.yml b/examples/sshd.yml index b641eb083..b0c16588a 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -8,12 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" services: - name: rngd image: "linuxkit/rngd:c97ef16be340884a985d8b025983505a9bcc51f0" diff --git a/examples/swap.yml b/examples/swap.yml index 710bd03ee..758ff305a 100644 --- a/examples/swap.yml +++ b/examples/swap.yml 
@@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: binfmt image: "linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07" binds: diff --git a/examples/vmware.yml b/examples/vmware.yml index 652c9c095..62eedfa63 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" services: - name: rngd image: "linuxkit/rngd:c97ef16be340884a985d8b025983505a9bcc51f0" diff --git a/linuxkit.yml b/linuxkit.yml index 244c12223..86db4873b 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: binfmt image: "linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07" binds: diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 51ca8b8dd..2ad45e794 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml 
@@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: format image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" binds: diff --git a/projects/etcd/prom-us-central1-f.yml b/projects/etcd/prom-us-central1-f.yml index bf1334769..7df7b10f5 100644 --- a/projects/etcd/prom-us-central1-f.yml +++ b/projects/etcd/prom-us-central1-f.yml @@ -8,13 +8,7 @@ init: - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: dhcpcd image: "linuxkit/dhcpcd:cb96c09a33c166eca6530f166f0f79927c3e83b0" binds: diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index a2f1316b9..30e8f9d52 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml @@ -9,13 +9,7 @@ init: - linuxkit/ima-utils:fe119c7dac08884f4144cd106dc279ddd8b37517 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: binfmt image: "linuxkit/binfmt:131026c0cf6084467316395fed3b358f64bda00c" binds: diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index 6bc7d2808..2aff03805 100644 --- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml 
@@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: sysfs image: linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c - name: binfmt diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml index 116ad1cf6..72a9752fe 100644 --- a/projects/kubernetes/kube-node.yml +++ b/projects/kubernetes/kube-node.yml @@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: sysfs image: linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c - name: binfmt diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml index 1a7627ba9..5a00b7ce7 100644 --- a/projects/logging/examples/logging.yml +++ b/projects/logging/examples/logging.yml @@ -9,13 +9,7 @@ init: - linuxkit/memlogd:9b5834189f598f43c507f6938077113906f51012 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: binfmt image: "linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07" binds: diff --git a/projects/miragesdk/examples/mirage-dhcp.yml b/projects/miragesdk/examples/mirage-dhcp.yml index 8b629ebc4..f21ae92d1 100644 --- a/projects/miragesdk/examples/mirage-dhcp.yml +++ b/projects/miragesdk/examples/mirage-dhcp.yml 
@@ -8,13 +8,7 @@ init: - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: binfmt image: linuxkit/binfmt:548f7f044f5411a8938913527c5ce55d9876bb07 binds: diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml index 29e11fb66..499d69aa7 100644 --- a/projects/okernel/examples/okernel_simple.yaml +++ b/projects/okernel/examples/okernel_simple.yaml @@ -8,12 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" services: - name: rngd image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index 303055c71..d4af90dfb 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: dhcpcd image: "linuxkit/dhcpcd:cb96c09a33c166eca6530f166f0f79927c3e83b0" binds: diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml index 91f533a4b..996b692d2 100644 --- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml +++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml 
@@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:1f5ec5d5e6f7a7a1b3d2ff9dd9e36fd6fb14756a" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: sysfs image: "linuxkit/sysfs:6c1d06f28ddd9681799d3950cddf044b930b221c" - name: binfmt diff --git a/test/cases/040_packages/000_sysctl/test-sysctl.yml b/test/cases/040_packages/000_sysctl/test-sysctl.yml index 10d20fc44..2d098e446 100644 --- a/test/cases/040_packages/000_sysctl/test-sysctl.yml +++ b/test/cases/040_packages/000_sysctl/test-sysctl.yml @@ -8,13 +8,7 @@ init: - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 onboot: - name: sysctl - image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true + image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: test image: "linuxkit/test-sysctl:37315a58ec0c18a28be7e2770feb3bf38384492d" net: host From 4d4598e78447b8d337cc035ac91ef3d557967660 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Fri, 19 May 2017 16:45:41 +0100 Subject: [PATCH 7/8] Use labels for the test-sysctl image Signed-off-by: Justin Cormack --- test/cases/040_packages/000_sysctl/test-sysctl.yml | 4 +--- test/pkg/sysctl/Dockerfile | 1 + 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/test/cases/040_packages/000_sysctl/test-sysctl.yml b/test/cases/040_packages/000_sysctl/test-sysctl.yml index 2d098e446..ab50f8cc7 100644 --- a/test/cases/040_packages/000_sysctl/test-sysctl.yml +++ b/test/cases/040_packages/000_sysctl/test-sysctl.yml 
@@ -10,9 +10,7 @@ onboot: - name: sysctl image: "linuxkit/sysctl:13a37b8d38fbec34d8c7d3bd4dadb57c9f92c94c" - name: test - image: "linuxkit/test-sysctl:37315a58ec0c18a28be7e2770feb3bf38384492d" - net: host - pid: host + image: "linuxkit/test-sysctl:c4df4c4d692904d6245dcdef1f4a79389bd3d894" - name: poweroff image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" net: host diff --git a/test/pkg/sysctl/Dockerfile b/test/pkg/sysctl/Dockerfile index a95ccd109..99cf97e6d 100644 --- a/test/pkg/sysctl/Dockerfile +++ b/test/pkg/sysctl/Dockerfile @@ -1,3 +1,4 @@ FROM alpine:edge ADD . ./ ENTRYPOINT ["/bin/sh", "/check.sh"] +LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true}' From 56121a774b8745ac149d2e4d15f572540a6b65a0 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Fri, 19 May 2017 17:04:45 +0100 Subject: [PATCH 8/8] Add label for poweroff container to simplify tests Signed-off-by: Justin Cormack --- test/cases/010_platforms/000_qemu/000_run_kernel/test.yml | 6 +----- test/cases/010_platforms/000_qemu/010_run_iso/test.yml | 6 +----- test/cases/010_platforms/000_qemu/020_run_efi/test.yml | 6 +----- test/cases/020_kernel/000_config/test-kernel-config.yml | 6 +----- test/cases/020_kernel/010_kmod/kmod.yml | 6 +----- test/cases/040_packages/000_sysctl/test-sysctl.yml | 8 +------- test/hack/test-ltp.yml | 6 +----- test/hack/test.yml | 6 +----- test/pkg/poweroff/Dockerfile | 1 + 9 files changed, 9 insertions(+), 42 deletions(-) diff --git a/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml b/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml index 6f9b52459..a372778b5 100644 --- a/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml +++ b/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml 
@@ -7,12 +7,8 @@ init: - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed onboot: - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" command: ["/bin/sh", "/poweroff.sh", "10"] - capabilities: - - CAP_SYS_BOOT - readonly: true trust: image: - linuxkit/kernel diff --git a/test/cases/010_platforms/000_qemu/010_run_iso/test.yml b/test/cases/010_platforms/000_qemu/010_run_iso/test.yml index 87c762462..938e911de 100644 --- a/test/cases/010_platforms/000_qemu/010_run_iso/test.yml +++ b/test/cases/010_platforms/000_qemu/010_run_iso/test.yml @@ -7,12 +7,8 @@ init: - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed onboot: - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" command: ["/bin/sh", "/poweroff.sh", "10"] - capabilities: - - CAP_SYS_BOOT - readonly: true trust: image: - linuxkit/kernel diff --git a/test/cases/010_platforms/000_qemu/020_run_efi/test.yml b/test/cases/010_platforms/000_qemu/020_run_efi/test.yml index 8153330ba..8add0fcbb 100644 --- a/test/cases/010_platforms/000_qemu/020_run_efi/test.yml +++ b/test/cases/010_platforms/000_qemu/020_run_efi/test.yml @@ -7,12 +7,8 @@ init: - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed onboot: - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" command: ["/bin/sh", "/poweroff.sh", "10"] - capabilities: - - CAP_SYS_BOOT - readonly: true trust: image: - linuxkit/kernel diff --git a/test/cases/020_kernel/000_config/test-kernel-config.yml b/test/cases/020_kernel/000_config/test-kernel-config.yml index 6c5509423..d1c105a3c 100644 --- a/test/cases/020_kernel/000_config/test-kernel-config.yml 
+++ b/test/cases/020_kernel/000_config/test-kernel-config.yml @@ -22,11 +22,7 @@ onboot: image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c" readonly: true - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" command: ["/bin/sh", "/poweroff.sh", "3"] - capabilities: - - CAP_SYS_BOOT - readonly: true outputs: - format: kernel+initrd diff --git a/test/cases/020_kernel/010_kmod/kmod.yml b/test/cases/020_kernel/010_kmod/kmod.yml index 72d17485c..5765ddfa2 100644 --- a/test/cases/020_kernel/010_kmod/kmod.yml +++ b/test/cases/020_kernel/010_kmod/kmod.yml @@ -14,11 +14,7 @@ onboot: capabilities: - all - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" command: ["/bin/sh", "/poweroff.sh", "3"] - capabilities: - - CAP_SYS_BOOT - readonly: true outputs: - format: kernel+initrd diff --git a/test/cases/040_packages/000_sysctl/test-sysctl.yml b/test/cases/040_packages/000_sysctl/test-sysctl.yml index ab50f8cc7..f6bceee6e 100644 --- a/test/cases/040_packages/000_sysctl/test-sysctl.yml +++ b/test/cases/040_packages/000_sysctl/test-sysctl.yml @@ -12,13 +12,7 @@ onboot: - name: test image: "linuxkit/test-sysctl:c4df4c4d692904d6245dcdef1f4a79389bd3d894" - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - net: host - pid: host - command: ["/bin/sh", "/poweroff.sh", "3"] - capabilities: - - CAP_SYS_BOOT - readonly: true + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" trust: image: - linuxkit/kernel diff --git a/test/hack/test-ltp.yml b/test/hack/test-ltp.yml index 5f94970da..c7367a31a 100644 --- a/test/hack/test-ltp.yml +++ b/test/hack/test-ltp.yml 
@@ -16,11 +16,7 @@ onboot: capabilities: - all - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host - capabilities: - - CAP_SYS_BOOT - readonly: true + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" files: - path: /etc/ltp/baseline contents: "100" diff --git a/test/hack/test.yml b/test/hack/test.yml index 60b9b185b..2171ff947 100644 --- a/test/hack/test.yml +++ b/test/hack/test.yml @@ -24,11 +24,7 @@ onboot: image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c" readonly: true - name: poweroff - image: "linuxkit/poweroff:961412b8ef5c5285de0d40ec076701d955eaa084" - pid: host + image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" command: ["/bin/sh", "/poweroff.sh", "3"] - capabilities: - - CAP_SYS_BOOT - readonly: true outputs: - format: gcp-img diff --git a/test/pkg/poweroff/Dockerfile b/test/pkg/poweroff/Dockerfile index 1eb8acc4a..81bd752f7 100644 --- a/test/pkg/poweroff/Dockerfile +++ b/test/pkg/poweroff/Dockerfile @@ -1,3 +1,4 @@ FROM alpine:3.5 ADD . ./ ENTRYPOINT ["/bin/sh", "/poweroff.sh"] +LABEL org.mobyproject.config='{"net": "host","pid": "host", "ipc": "host", "readonly": true, "capabilities": ["CAP_SYS_BOOT"]}'
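Review bot: The new label grants `"net": "host"` and `"ipc": "host"` in addition to `"pid": "host"` and `CAP_SYS_BOOT`, but most of the YAML stanzas this commit removes (000_run_kernel, 010_run_iso, 020_run_efi, test-kernel-config.yml, kmod.yml, test-ltp.yml, test/hack/test.yml) gave poweroff only `pid: host`, `CAP_SYS_BOOT` and `readonly: true`, so those configs now run the container with two extra shared host namespaces. Unless poweroff.sh needs the host network or IPC namespace, drop `"net": "host"` and `"ipc": "host"` from the label so the default matches the previously reviewed least-privilege setting; the test-sysctl label in patch 7 similarly adds `"ipc": "host"` over the `net: host`/`pid: host` its YAML had. The label is the right place for `"readonly": true` and the capability, which every consumer did set.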