From 977a2eb0ffb5140e067bd4e43ac7a1f9ac8f9f2e Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Fri, 26 May 2017 13:04:02 +0100
Subject: [PATCH 01/13] tools: Switch the Alpine base image to Alpine 3.6

Signed-off-by: Rolf Neugebauer
---
 tools/alpine/Dockerfile | 4 ++--
 tools/alpine/Makefile | 2 +-
 tools/alpine/versions | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/alpine/Dockerfile b/tools/alpine/Dockerfile
index 80d6a6fdb..e78b9a634 100644
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:edge AS mirror
+FROM alpine:3.6 AS mirror
 # update base image
 RUN apk update && apk upgrade -a
@@ -33,7 +33,7 @@ RUN go get -u github.com/golang/lint/golint
 RUN go get -u github.com/gordonklaus/ineffassign
 RUN go get -u github.com/LK4D4/vndr
-FROM alpine:edge
+FROM alpine:3.6
 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
 COPY --from=mirror /etc/apk/keys /etc/apk/keys/
diff --git a/tools/alpine/Makefile b/tools/alpine/Makefile
index d62bb98a2..66871dea6 100644
--- a/tools/alpine/Makefile
+++ b/tools/alpine/Makefile
@@ -2,7 +2,7 @@ ORG?=linuxkit
 IMAGE=alpine
-BASE=alpine:edge
+BASE=alpine:3.6
 default: push
diff --git a/tools/alpine/versions b/tools/alpine/versions
index 89ce73193..eea74d9a1 100644
--- a/tools/alpine/versions
+++ b/tools/alpine/versions
@@ -108,7 +108,7 @@ libseccomp-dev-2.3.2-r0
 libsmartcols-2.28.2-r2
 libssh2-1.8.0-r1
 libstdc++-6.3.0-r4
-libtasn1-4.10-r0
+libtasn1-4.10-r1
 libtirpc-1.0.1-r1
 libunistring-0.9.7-r0
 libusb-1.0.21-r0
From aecad407c5f09e8bd9c228c612b3819f6fd0672b Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Fri, 26 May 2017 11:28:40 +0100
Subject: [PATCH 02/13] tools: Add shellcheck to the Alpine base

We use the "official" Alpine based Docker image and extract the binary and libraries from it and add to the base. Compiling it from source would require a Haskell setup...
Signed-off-by: Rolf Neugebauer
---
 tools/alpine/Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/alpine/Dockerfile b/tools/alpine/Dockerfile
index e78b9a634..1f215c3de 100644
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@@ -33,6 +33,9 @@ RUN go get -u github.com/golang/lint/golint
 RUN go get -u github.com/gordonklaus/ineffassign
 RUN go get -u github.com/LK4D4/vndr
+FROM koalaman/shellcheck:v0.4.6@sha256:191b61e5f436fc51f22faaf2f4e0f77799f75977c7210377dd73a1a0f99ef8bd AS shellcheck
+
+
 FROM alpine:3.6
 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
@@ -40,4 +43,7 @@ COPY --from=mirror /etc/apk/keys /etc/apk/keys/
 COPY --from=mirror /mirror /mirror/
 COPY --from=mirror /go/bin /go/bin/
+COPY --from=shellcheck /usr/local/bin/shellcheck /usr/local/bin/shellcheck
+COPY --from=shellcheck /usr/local/lib/ /usr/local/lib/
+
 RUN apk update && apk upgrade -a
From ac5122ced74bd36f9398afe6239e7f2443a3c582 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Fri, 26 May 2017 11:41:49 +0100
Subject: [PATCH 03/13] tools: Add Dockerfile to the Alpine base image to calculate the hash

The Dockerfile is now an input to the contents of the base image and needs to be included in the hash calculation.

Also, make the Makefile, Dockerfile and pacakges file a dependency.

Signed-off-by: Rolf Neugebauer
---
 tools/alpine/Dockerfile | 3 +++
 tools/alpine/Makefile | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/tools/alpine/Dockerfile b/tools/alpine/Dockerfile
index 1f215c3de..c6ce018fa 100644
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@@ -3,6 +3,8 @@ FROM alpine:3.6 AS mirror
 # update base image
 RUN apk update && apk upgrade -a
+# Copy Dockerfile so we can include it in the hash
+COPY Dockerfile /Dockerfile
 COPY packages /tmp/
 # mirror packages
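Review bot: The new `COPY --from=shellcheck /usr/local/lib/ /usr/local/lib/` pulls the whole library directory of a third-party image into the base, and nothing in the Dockerfile records that these files are not apk-managed: the `apk update && apk upgrade -a` on the following line and the `versions` file never see them, so they only change when the digest on the `FROM koalaman/shellcheck` line is bumped by hand. Copying the directory wholesale also overwrites anything already under `/usr/local/lib/` in the alpine:3.6 stage, which is probably empty but is not visible here. I would restrict the copy to the libraries shellcheck actually links against, if that set is known, and add a comment above the FROM line: `# shellcheck is a Haskell binary taken from the upstream image; its runtime libs under /usr/local/lib are not apk-managed, so updates only arrive by bumping this digest`.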
@@ -42,6 +44,7 @@ COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
 COPY --from=mirror /etc/apk/keys /etc/apk/keys/
 COPY --from=mirror /mirror /mirror/
 COPY --from=mirror /go/bin /go/bin/
+COPY --from=mirror /Dockerfile /Dockerfile
 COPY --from=shellcheck /usr/local/bin/shellcheck /usr/local/bin/shellcheck
 COPY --from=shellcheck /usr/local/lib/ /usr/local/lib/
diff --git a/tools/alpine/Makefile b/tools/alpine/Makefile
index 66871dea6..6769afad4 100644
--- a/tools/alpine/Makefile
+++ b/tools/alpine/Makefile
@@ -6,10 +6,10 @@ BASE=alpine:3.6
 default: push
-hash:
+hash: Dockerfile Makefile packages
 	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	docker build --no-cache -t $(IMAGE):build .
-	docker run --rm $(IMAGE):build sh -c 'echo /lib/apk/db/installed $$(find /mirror -name '*.apk' -type f) $$(find /go/bin -type f) | xargs cat | sha1sum' | sed 's/ .*//' > $@
+	docker run --rm $(IMAGE):build sh -c 'echo Dockerfile /lib/apk/db/installed $$(find /mirror -name '*.apk' -type f) $$(find /go/bin -type f) | xargs cat | sha1sum' | sed 's/ .*//' > $@
 push: hash
 	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(shell cat hash) || \
From 7915cae6bd7e268a9f2e35219a09fb7d80fae96b Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Fri, 26 May 2017 13:57:26 +0100
Subject: [PATCH 04/13] pkg: Update the Alpine base for some of the packages

The remaining packages will be updated with subsequent commits to also include the config label.

Signed-off-by: Rolf Neugebauer
---
 pkg/binfmt/Dockerfile | 2 +-
 pkg/ca-certificates/Dockerfile | 2 +-
 pkg/containerd/Dockerfile | 2 +-
 pkg/dhcpcd/Dockerfile | 2 +-
 pkg/docker-ce/Dockerfile | 2 +-
 pkg/init/Dockerfile | 2 +-
 pkg/mkimage/Dockerfile | 2 +-
 pkg/rngd/Dockerfile | 4 ++--
 pkg/runc/Dockerfile | 2 +-
 pkg/sysctl/Dockerfile | 2 +-
 pkg/sysfs/Dockerfile | 2 +-
 test/pkg/virtsock/Dockerfile | 2 +-
 12 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/pkg/binfmt/Dockerfile b/pkg/binfmt/Dockerfile
index a7c2080cf..2bb368d34 100644
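Review bot: The added `echo Dockerfile /lib/apk/db/installed …` in the Makefile's `hash` recipe names the Dockerfile by a relative path while every other input is absolute; the file was copied to `/Dockerfile`, so this only works if the container's working directory is `/`, which nothing in the hunk establishes. Because `xargs cat | sha1sum` reports a missing file only on `cat`'s stderr and the pipeline's status is `sha1sum`'s, a wrong path would produce a hash that silently omits the Dockerfile instead of failing the target. Change the fragment to `echo /Dockerfile /lib/apk/db/installed` and consider prefixing the command inside `sh -c` with `test -f /Dockerfile &&` so a missing input fails the build.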
--- a/pkg/binfmt/Dockerfile
+++ b/pkg/binfmt/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:5f6db26ab7bf6a9c452a612e236cc7495408132b@sha256:d009afc85d0b005daf51c8f3026aa552ab997dc47cab43915e9dc761accae086 AS qemu
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS qemu
 RUN apk add \
 qemu-aarch64 \
 qemu-arm \
diff --git a/pkg/ca-certificates/Dockerfile b/pkg/ca-certificates/Dockerfile
index 7e7a0c26f..3bd8c7dc5 100644
--- a/pkg/ca-certificates/Dockerfile
+++ b/pkg/ca-certificates/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e as alpine
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 as alpine
 RUN apk add ca-certificates
diff --git a/pkg/containerd/Dockerfile b/pkg/containerd/Dockerfile
index ea5e16d24..0d9c51bfa 100644
--- a/pkg/containerd/Dockerfile
+++ b/pkg/containerd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e as alpine
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 as alpine
 RUN \
 apk add \
 btrfs-progs-dev \
diff --git a/pkg/dhcpcd/Dockerfile b/pkg/dhcpcd/Dockerfile
index 31d66e210..6bf8536af 100644
--- a/pkg/dhcpcd/Dockerfile
+++ b/pkg/dhcpcd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:5f6db26ab7bf6a9c452a612e236cc7495408132b@sha256:d009afc85d0b005daf51c8f3026aa552ab997dc47cab43915e9dc761accae086 AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
 alpine-baselayout \
diff --git a/pkg/docker-ce/Dockerfile b/pkg/docker-ce/Dockerfile
index 405e5e512..639156913 100644
--- a/pkg/docker-ce/Dockerfile
+++ b/pkg/docker-ce/Dockerfile
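Review bot: The new `FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS qemu` drops the `@sha256:…` digest that the replaced line carried, so the base is now selected by a mutable tag alone; the same change is made in every other hunk of this patch (ca-certificates, containerd, dhcpcd, docker-ce, init, mkimage, rngd, runc, sysctl, sysfs, test/pkg/virtsock) and in the FROM lines of the format, mount, openntpd, sshd and swap patches that follow. The tag appears to be the content hash the tools/alpine Makefile computes, but the registry's tag-to-manifest mapping can still be rewritten by anyone with push access, and as far as I know `docker build` verifies a base image only when DOCKER_CONTENT_TRUST is set in the build environment, which nothing here guarantees. Keep both the tag and the digest of the image that was actually pushed, e.g. `FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9@sha256:<digest-of-pushed-image> AS qemu` (placeholder digest), or state in the commit message where tag integrity is enforced instead.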
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
 # removed openssl as I do not think server needs it
diff --git a/pkg/init/Dockerfile b/pkg/init/Dockerfile
index a5d54d8a5..0d2dbcd0b 100644
--- a/pkg/init/Dockerfile
+++ b/pkg/init/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out alpine-baselayout busybox musl
diff --git a/pkg/mkimage/Dockerfile b/pkg/mkimage/Dockerfile
index 229fed31b..47f158175 100644
--- a/pkg/mkimage/Dockerfile
+++ b/pkg/mkimage/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
diff --git a/pkg/rngd/Dockerfile b/pkg/rngd/Dockerfile
index 36dba6490..44efcf3ad 100644
--- a/pkg/rngd/Dockerfile
+++ b/pkg/rngd/Dockerfile
@@ -1,11 +1,11 @@
-FROM linuxkit/alpine:5f6db26ab7bf6a9c452a612e236cc7495408132b@sha256:d009afc85d0b005daf51c8f3026aa552ab997dc47cab43915e9dc761accae086 AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
 tini
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
 RUN mkdir -p /out/dev /out/proc /out/sys
-FROM linuxkit/alpine:dae8bcbc6e2cec0a1cc1958dddbc5d6bd3ccf9a0@sha256:02c251d54c4083a596ead8cae92144306b385db0ff961c95a3a620a4c69961ed AS build
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS build
 RUN apk add \
 argp-standalone \
 automake \
diff --git a/pkg/runc/Dockerfile b/pkg/runc/Dockerfile
index e580a752c..b49ecfde2 100644
--- a/pkg/runc/Dockerfile
+++ b/pkg/runc/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e as alpine
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 as alpine
 RUN \
 apk add \
 bash \
diff --git a/pkg/sysctl/Dockerfile b/pkg/sysctl/Dockerfile
index 1bc417bb2..d2b4d7dfe 100644
--- a/pkg/sysctl/Dockerfile
+++ b/pkg/sysctl/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:5f6db26ab7bf6a9c452a612e236cc7495408132b@sha256:d009afc85d0b005daf51c8f3026aa552ab997dc47cab43915e9dc761accae086 AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin
diff --git a/pkg/sysfs/Dockerfile b/pkg/sysfs/Dockerfile
index 42946bc42..a76186f12 100644
--- a/pkg/sysfs/Dockerfile
+++ b/pkg/sysfs/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:5f6db26ab7bf6a9c452a612e236cc7495408132b@sha256:d009afc85d0b005daf51c8f3026aa552ab997dc47cab43915e9dc761accae086 AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin
diff --git a/test/pkg/virtsock/Dockerfile b/test/pkg/virtsock/Dockerfile
index cb7c07952..3def1594b 100644
--- a/test/pkg/virtsock/Dockerfile
+++ b/test/pkg/virtsock/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:dae8bcbc6e2cec0a1cc1958dddbc5d6bd3ccf9a0@sha256:02c251d54c4083a596ead8cae92144306b385db0ff961c95a3a620a4c69961ed AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
 tini
From 5484035af50a68273798642155787f30145476ad Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Thu, 25 May 2017 14:30:43 +0100
Subject: [PATCH 05/13] pkg: Add config label to the format package

Also update to latest Alpine base image.

Signed-off-by: Rolf Neugebauer
---
 pkg/format/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/format/Dockerfile b/pkg/format/Dockerfile
index 6c1dd4edf..74cf2004a 100644
--- a/pkg/format/Dockerfile
+++ b/pkg/format/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -19,3 +19,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY format.sh /
 CMD ["/bin/sh", "/format.sh"]
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"]}'
From 3aac2416ad5c5b076045521906f22c8c3e8b008a Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Thu, 25 May 2017 14:33:52 +0100
Subject: [PATCH 06/13] pkg: Add config label to the mount package

Also update to latest Alpine base image.

Signed-off-by: Rolf Neugebauer
---
 pkg/mount/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/mount/Dockerfile b/pkg/mount/Dockerfile
index e9189b4f3..767f42d63 100644
--- a/pkg/mount/Dockerfile
+++ b/pkg/mount/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -17,3 +17,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY mount.sh /
 CMD ["/bin/sh", "/mount.sh"]
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var:rshared,rbind"], "capabilities": ["CAP_SYS_ADMIN"], "rootfsPropagation": "shared"}'
From 330ccdf0e26bec7f3d1968945f57d83bb7f56584 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Thu, 25 May 2017 14:37:58 +0100
Subject: [PATCH 07/13] pkg: Add config label to the openntpd package

Also update to latest Alpine base image.

Signed-off-by: Rolf Neugebauer
---
 pkg/openntpd/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/openntpd/Dockerfile b/pkg/openntpd/Dockerfile
index 42dd54401..318cdf938 100644
--- a/pkg/openntpd/Dockerfile
+++ b/pkg/openntpd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -16,3 +16,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY etc/ /etc/
 CMD ["/usr/sbin/ntpd", "-d", "-s"]
+LABEL org.mobyproject.config='{"net": "host", "capabilities": ["CAP_SYS_TIME", "CAP_SYS_NICE", "CAP_SYS_CHROOT", "CAP_SETUID", "CAP_SETGID"]}'
From 27c573ed2c773b1387541a250f5da0721ff01491 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Thu, 25 May 2017 14:48:52 +0100
Subject: [PATCH 08/13] pkg: Add config label to the node_exporter package

Signed-off-by: Rolf Neugebauer
---
 pkg/node_exporter/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/node_exporter/Dockerfile b/pkg/node_exporter/Dockerfile
index c5e53a269..c680e3970 100644
--- a/pkg/node_exporter/Dockerfile
+++ b/pkg/node_exporter/Dockerfile
@@ -4,3 +4,4 @@ ENTRYPOINT ["/bin/node_exporter", "-collector.procfs", "/host/proc", \
 "-collector.sysfs", "/host/sys", \
 "-collector.filesystem.ignored-mount-points", \
 "^/(sys|proc|dev|host|etc)($|/)"]
+LABEL org.mobyproject.config='{"net": "host", "pid": "host", "binds": ["/proc:/host/proc", "/sys:/host/sys", "/:/rootfs"], "capabilities": ["all"]}'
From fbbfd7a1fe1fc77cf7b71eb65334920a62a2702e Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Thu, 25 May 2017 14:52:22 +0100
Subject: [PATCH 09/13] pkg: Add config label to the sshd package

Also update to latest Alpine base image.

Signed-off-by: Rolf Neugebauer
---
 pkg/sshd/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/sshd/Dockerfile b/pkg/sshd/Dockerfile
index c2f98322a..fd5457637 100644
--- a/pkg/sshd/Dockerfile
+++ b/pkg/sshd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -19,3 +19,4 @@ COPY etc/ /etc/
 COPY usr/ /usr/
 RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
+LABEL org.mobyproject.config='{"net": "host", "pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["all"]}'
From 157c07be15d31ea827ab7009210aa037f90595ab Mon Sep 17 00:00:00 2001
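Review bot: The node_exporter label grants `"capabilities": ["all"]`, the host `net` and `pid` namespaces and a read-write bind of the host root (`"/:/rootfs"`), and once these live in the image label every YAML that references the image inherits them without listing them, so the label is the place to narrow them. A metrics exporter only reads under its host mounts; if the bind syntax accepts mount options the way `"/var:/var:rshared,rbind"` in the mount label does, change the entry to `"/:/rootfs:ro"` and mark the `/proc` and `/sys` binds read-only likewise, and replace `"all"` with the capabilities the collectors actually need, which I cannot determine from this hunk. The sshd label in the next patch of this series carries the same `"capabilities": ["all"]` and `"pid": "host"` over from the YAML unchanged and deserves the same review.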
From: Rolf Neugebauer
Date: Thu, 25 May 2017 16:28:49 +0100
Subject: [PATCH 10/13] pkg: Add config label to the swap package

Note this also removes 'net:host' and 'pid:host' as this does not seem to be necessary.

Also update to latest Alpine base image.

Signed-off-by: Rolf Neugebauer
---
 pkg/swap/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/swap/Dockerfile b/pkg/swap/Dockerfile
index 955415aa1..9ee7d5fda 100644
--- a/pkg/swap/Dockerfile
+++ b/pkg/swap/Dockerfile
@@ -1,4 +1,5 @@
-FROM linuxkit/alpine:6336329f15b4166514782eaa555cf0ffd35c519c@sha256:f6c2ce92910b1d6e4e5557850a554f4a3ae9f66c1e89ad86a24d6c6e550f165e AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
+
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
 alpine-baselayout \
@@ -15,3 +16,4 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY /swap.sh .
 ENTRYPOINT ["swap.sh"]
+LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"]}'
From 9bdfcb5b126ac1d9c41391835aff639fb4951b5d Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Fri, 26 May 2017 15:37:31 +0100
Subject: [PATCH 11/13] Update YAML files with new packages, config, and trust data

- Update to packages using the Alpine 3.6 base image
- Remove config for packages which now supply it
- Update/add trust section
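Review bot: The swap label omits the `readonly: true` that examples/swap.yml set for this container until now (the YAML removal is in patch 11 of this series), while the commit message only mentions dropping `net:host` and `pid:host`; after this change the swap container's rootfs is writable unless read-only is the default, which nothing visible here establishes. If the label schema takes the same keys as the YAML, as `binds`, `capabilities` and `rootfsPropagation` in the other labels suggest, the line should read `LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "readonly": true}'`, and if the drop is intentional the commit message should say so.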
Signed-off-by: Rolf Neugebauer --- examples/docker.yml | 52 +++++++--------- examples/gcp.yml | 27 +++++---- examples/minimal.yml | 12 ++-- examples/node_exporter.yml | 24 ++++---- examples/packet.yml | 39 ++++++------ examples/redis-os.yml | 15 +++-- examples/sshd.yml | 38 ++++++------ examples/swap.yml | 49 ++++++--------- examples/vmware.yml | 20 ++++--- linuxkit.yml | 22 ++++--- .../clear-containers/clear-containers.yml | 13 +--- projects/etcd/etcd.yml | 59 ++++++++----------- projects/etcd/prom-us-central1-f.yml | 6 +- projects/ima-namespace/ima-namespace.yml | 35 ++++------- projects/kubernetes/image-cache/Dockerfile | 2 +- projects/kubernetes/kube-master.yml | 42 ++++--------- projects/kubernetes/kube-node.yml | 42 ++++--------- projects/kubernetes/mounts.rb | 2 +- projects/landlock/landlock.yml | 21 ++++--- projects/logging/examples/logging.yml | 26 +++++--- projects/miragesdk/examples/mirage-dhcp.yml | 7 +-- projects/okernel/examples/okernel_simple.yaml | 23 +++----- projects/swarmd/swarmd.yml | 34 +++-------- test/cases/000_build/000_outputs/test.yml | 12 ++-- .../000_qemu/000_run_kernel/test.yml | 10 +++- .../000_qemu/010_run_iso/test.yml | 10 +++- .../000_qemu/020_run_efi/test.yml | 9 ++- .../000_qemu/030_run_qcow/test.yml | 9 ++- .../000_qemu/100_container/test.yml | 9 ++- .../010_hyperkit/000_run_kernel/test.yml | 9 ++- .../000_config_4.4.x/test-kernel-config.yml | 12 +++- .../001_config_4.9.x/test-kernel-config.yml | 12 +++- .../002_config_4.10.x/test-kernel-config.yml | 12 +++- .../003_config_4.11.x/test-kernel-config.yml | 12 +++- test/cases/020_kernel/010_kmod_4.9.x/kmod.yml | 12 +++- .../000_docker-bench/test-docker-bench.yml | 44 +++++++------- .../040_packages/000_sysctl/test-sysctl.yml | 15 ++--- .../040_packages/001_mkimage/mkimage.yml | 13 ++-- test/cases/040_packages/001_mkimage/run.yml | 9 +-- test/hack/test-ltp.yml | 13 ++-- test/hack/test.yml | 14 +++-- 41 files changed, 408 insertions(+), 438 deletions(-) 
diff --git a/examples/docker.yml b/examples/docker.yml index 8c82e91e3..de4f28f87 100644 --- a/examples/docker.yml +++ b/examples/docker.yml 
@@ -2,49 +2,31 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: sysfs - image: linuxkit/sysfs:1cde5876d44117af61dfea629ad922defcd48808 + image: linuxkit/sysfs:47367d0ef851e8bf2a9e2f80a05392c17f5c2c88 - name: binfmt - image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d" + image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9" - name: format - image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mount - image: "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752" - binds: - - /dev:/dev - - /var:/var:rshared,rbind - capabilities: - - CAP_SYS_ADMIN - rootfsPropagation: shared + image: "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345" command: ["/mount.sh", "/var/lib/docker"] services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: ntpd image: "linuxkit/openntpd:ad834449a7eaf10dc022b3d8d2ed9faf7ec99d37" - 
capabilities: - - CAP_SYS_TIME - - CAP_SYS_NICE - - CAP_SYS_CHROOT - - CAP_SETUID - - CAP_SETGID - net: host - name: docker - image: "linuxkit/docker-ce:261f93927d85001c65e5ce0f421eb6062f09c0a5" + image: "linuxkit/docker-ce:668d62da6e3da081a8f8aca7db3e2a98adf5da59" capabilities: - all net: host @@ -60,5 +42,15 @@ files: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/sysfs - linuxkit/binfmt + - linuxkit/format + - linuxkit/mount - linuxkit/rngd + - linuxkit/dhcpcd + - linuxkit/openntpd diff --git a/examples/gcp.yml b/examples/gcp.yml index d238fadc8..b5386bb59 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -2,15 +2,15 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" 
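Review bot: The rebuilt `trust.image` list in examples/docker.yml leaves out `linuxkit/docker-ce`, although the file runs that image as the `docker` service with `capabilities: all` and `net: host` (context above), so the most privileged container in the example is the one whose image is not covered by content-trust verification. The same gap appears in examples/gcp.yml (`linuxkit/sshd`, `linuxkit/metadata`), examples/node_exporter.yml (`linuxkit/node_exporter`) and examples/swap.yml (`linuxkit/swap`). Add `  - linuxkit/docker-ce` here and the corresponding entries in the other files, or state in the commit message why those images are deliberately excluded.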
@@ -23,14 +23,9 @@ onboot: - CAP_SYS_ADMIN services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: sshd - image: "linuxkit/sshd:1613253e5def414e0dfd261acd0e191eadb5fedf" - capabilities: - - all - net: host - pid: host - binds: + image: "linuxkit/sshd:ddce15b9fbde068941e31294acdcd22befa4fc20" - /var/config/ssh/authorized_keys:/root/.ssh/authorized_keys - /tmp/etc/resolv.conf:/etc/resolv.conf - name: nginx @@ -45,4 +40,10 @@ services: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/dhcpcd - linuxkit/rngd diff --git a/examples/minimal.yml b/examples/minimal.yml index 6fa42fcb8..a281d6ded 100644 --- a/examples/minimal.yml +++ b/examples/minimal.yml @@ -2,13 +2,17 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/dhcpcd diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index 945149d92..8402f9e85 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml 
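Review bot: In the sshd entry of examples/gcp.yml the `binds:` key is removed together with the capabilities and namespace lines, but its two list items `/var/config/ssh/authorized_keys:/root/.ssh/authorized_keys` and `/tmp/etc/resolv.conf:/etc/resolv.conf` are kept as context, so they now follow `image:` with no key and the file is either no longer valid YAML or, depending on their indentation, turns them into bare service entries. These binds also differ from the label's `/root/.ssh:/root/.ssh`, so this file cannot rely on the label for them; keep the line `binds:` above the two items. Whether a YAML `binds` overrides or merges with the label's binds is not visible in this series and should be stated in the commit message.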
@@ -2,25 +2,21 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: node_exporter - image: "linuxkit/node_exporter:bdb20b41855d0e2b4edeec44ef569d030ea3cc47" - capabilities: - - all - net: host - pid: host - binds: - - /proc:/host/proc - - /sys:/host/sys - - /:/rootfs + image: "linuxkit/node_exporter:29a85e9c5de1a1bd470a963878194303f6a7bd8c" trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd - linuxkit/rngd + - linuxkit/dhcpcd diff --git a/examples/packet.yml b/examples/packet.yml index 279cb1d80..2f20888b2 100644 --- a/examples/packet.yml +++ b/examples/packet.yml 
@@ -2,31 +2,32 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS1 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: sshd - image: "linuxkit/sshd:1613253e5def414e0dfd261acd0e191eadb5fedf" - capabilities: - - all - net: host - pid: host - binds: - - /root/.ssh:/root/.ssh - - /etc/resolv.conf:/etc/resolv.conf -trust: - image: - - linuxkit/kernel - - linuxkit/rngd + image: "linuxkit/sshd:ddce15b9fbde068941e31294acdcd22befa4fc20" files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' +trust: + image: + - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/rngd + - linuxkit/dhcpcd + - linuxkit/openntpd + - linuxkit/sshd diff --git a/examples/redis-os.yml b/examples/redis-os.yml index 98cf178f2..eb85550e4 100644 --- a/examples/redis-os.yml +++ b/examples/redis-os.yml 
@@ -4,12 +4,12 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: redis @@ -21,3 +21,10 @@ services: - CAP_SETGID - CAP_DAC_OVERRIDE net: host +trust: + image: + - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/dhcpcd diff --git a/examples/sshd.yml b/examples/sshd.yml index 44a501884..db0ad313b 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml 
@@ -2,31 +2,31 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: sshd - image: "linuxkit/sshd:1613253e5def414e0dfd261acd0e191eadb5fedf" - capabilities: - - all - net: host - pid: host - binds: - - /root/.ssh:/root/.ssh - - /etc/resolv.conf:/etc/resolv.conf -trust: - image: - - linuxkit/kernel - - linuxkit/rngd + image: "linuxkit/sshd:ddce15b9fbde068941e31294acdcd22befa4fc20" files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' +trust: + image: + - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/rngd + - linuxkit/dhcpcd + - linuxkit/sshd diff --git a/examples/swap.yml b/examples/swap.yml index d1f974682..9673e640d 100644 --- a/examples/swap.yml +++ b/examples/swap.yml 
@@ -2,51 +2,29 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:42fe8cb1508b3afed39eb89821906e3cc7a70551 - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b - linuxkit/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" - - name: binfmt - image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: format - image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mount - image: "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752" - binds: - - /dev:/dev - - /var:/var:rshared,rbind - capabilities: - - CAP_SYS_ADMIN - rootfsPropagation: shared + image: "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345" command: ["/mount.sh", "/var/external"] - name: swap - image: "linuxkit/swap:c4c723a3d6678dc49770181bbb231ec99b271c75" - net: host - pid: host - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD - readonly: true - binds: - - /var:/var - - /dev:/dev + image: "linuxkit/swap:085f0088dd1ef2f994e707e438218ea4d41bad13" # to use unencrypted swap, use: # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"] command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"] 
services: - name: rngd - image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: nginx image: "nginx:alpine" capabilities: @@ -59,3 +37,12 @@ services: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/dhcpcd + - linuxkit/format + - linuxkit/mount + - linuxkit/rngd diff --git a/examples/vmware.yml b/examples/vmware.yml index a692fa368..be0d3db1f 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -2,18 +2,18 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: nginx image: "nginx:alpine" capabilities: @@ -26,4 +26,10 @@ services: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl - linuxkit/rngd + - linuxkit/dhcpcd diff --git a/linuxkit.yml b/linuxkit.yml index cd6b54619..1b63c584f 100644 
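Review bot: The new `trust.image` list covers every other linuxkit image in this file but omits `linuxkit/swap`, even though the swap service pins `linuxkit/swap:085f0088…` in the hunk above and is the one that handles the encrypted swap device. If that image is signed like the others, add `    - linuxkit/swap` to the list; if it is intentionally unsigned, a comment saying so would stop the omission from reading as an oversight. `nginx:alpine` is likewise outside the trust list, but that line is unchanged context here.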
--- a/linuxkit.yml +++ b/linuxkit.yml @@ -2,21 +2,21 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: binfmt - image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d" + image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: nginx image: "nginx:alpine" capabilities: @@ -32,5 +32,11 @@ files: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl - linuxkit/binfmt + - linuxkit/dhcpcd - linuxkit/rngd diff --git a/projects/clear-containers/clear-containers.yml b/projects/clear-containers/clear-containers.yml index 966051367..40cbb2f5c 100644 --- a/projects/clear-containers/clear-containers.yml +++ b/projects/clear-containers/clear-containers.yml 
@@ -2,23 +2,12 @@ kernel: image: "linuxkit/kernel-clear-containers:4.9.x" cmdline: "root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k panic=1 console=hvc0 console=hvc1 initcall_debug iommu=off quiet cryptomgr.notests page_poison=on" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 onboot: - name: sysctl image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true services: - name: rngd - image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" - capabilities: - - CAP_SYS_ADMIN - oomScoreAdj: -800 - readonly: true files: - path: etc/docker/daemon.json contents: '{"debug": true}' diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 0472c5e18..9b22cda81 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml 
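Review bot: On the new side the `rngd` service is left as a bare `- name: rngd` with no `image:` line, because the removal strips `image: "mobylinux/rngd:3dad6dd4…"` together with its capabilities without adding a replacement; the hunk counts (23 old, 12 new) confirm the image line is gone rather than collapsed. Either drop the whole service entry or point it at an image that carries its own runtime configuration, e.g. `    image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14"` as used elsewhere in this series. Note also that `mobylinux/sysctl:2cf2f9d5…` keeps the same hash while its `net: host`, `pid: host`, `ipc: host`, `CAP_SYS_ADMIN` and `readonly: true` are removed, so unless that image already carried those as labels, sysctl will run without them.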
@@ -2,31 +2,20 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: format - image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mount - image: "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752" - binds: - - /dev:/dev - - /var:/var:rshared,rbind - capabilities: - - CAP_SYS_ADMIN - rootfsPropagation: shared + image: "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345" command: ["/mount.sh", "/var/lib/etcd"] - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" 
@@ -39,26 +28,11 @@ onboot: - CAP_SYS_ADMIN services: - name: rngd - image: "linuxkit/rngd:f5e5be43e730ea819c3293d5c6dcbfa7f4c5c314" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: ntpd image: "linuxkit/openntpd:ad834449a7eaf10dc022b3d8d2ed9faf7ec99d37" - capabilities: - - CAP_SYS_TIME - - CAP_SYS_NICE - - CAP_SYS_CHROOT - - CAP_SETUID - - CAP_SETGID - net: host - name: node_exporter - image: "linuxkit/node_exporter:bdb20b41855d0e2b4edeec44ef569d030ea3cc47" - capabilities: - - all - net: host - pid: host - binds: - - /proc:/host/proc - - /sys:/host/sys - - /:/rootfs + image: "linuxkit/node_exporter:29a85e9c5de1a1bd470a963878194303f6a7bd8c" - name: etcd image: "moby/etcd" capabilities: @@ -72,3 +46,16 @@ services: binds: - /var/lib/etcd:/var/lib/etcd - /var/config/etcd:/etc/etcd +trust: + - images: + - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/format + - linuxkit/mount + - linuxkit/dhcpcd + - linuxkit/rngd + - linuxkit/openntpd diff --git a/projects/etcd/prom-us-central1-f.yml b/projects/etcd/prom-us-central1-f.yml index 12d4694ba..c89fcc349 100644 --- a/projects/etcd/prom-us-central1-f.yml +++ b/projects/etcd/prom-us-central1-f.yml 
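Review bot: `linuxkit/openntpd:ad834449…` is unchanged context on both sides of this hunk, yet its `CAP_SYS_TIME`/`CAP_SYS_NICE`/`CAP_SYS_CHROOT`/`CAP_SETUID`/`CAP_SETGID` and `net: host` are removed; unlike `rngd` and `node_exporter`, which get new hashes, nothing here shows the ntpd image was rebuilt to carry that configuration itself, so it may no longer be able to set the clock or bind the host network. Either bump the image to a build that embeds the labels or keep the explicit capability block for this service. The `node_exporter` change is more plausible since its hash moves, but it previously had `/:/rootfs` and `capabilities: - all`; a comment confirming the rebuilt image's label set was narrowed would be useful.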
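Review bot: The added trust block is shaped as a sequence (`trust:` / `  - images:`), whereas every other file in this series uses a mapping with the singular key (`trust:` / `  image:`), so this section will most likely not be recognised by the same parser and the listed images will go unverified. Change it to `trust:` / `  image:` / `    - linuxkit/kernel` and so on. The list also omits `linuxkit/metadata`, which the earlier hunk of this file keeps in `onboot`, and `linuxkit/node_exporter`; if those are unsigned, say so in a comment.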
@@ -2,15 +2,15 @@ kernel: image: "mobylinux/kernel:4.9.x" cmdline: "console=ttyS0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - mobylinux/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" diff --git a/projects/ima-namespace/ima-namespace.yml b/projects/ima-namespace/ima-namespace.yml index 23e4814be..4d2d87513 100644 --- a/projects/ima-namespace/ima-namespace.yml +++ b/projects/ima-namespace/ima-namespace.yml 
@@ -3,36 +3,21 @@ kernel: cmdline: "console=ttyS0 console=tty0 page_poison=1 ima_appraise=enforce_ns" init: - linuxkit/init:b3740303f3d1e5689a84c87b7dfb48fd2a40a192 - - linuxkit/runc:47b1c38d63468c0f3078f8b1b055d07965a1895d - - linuxkit/containerd:cf2614f5a96c569a0bd4bd54e054a65ba17d167f - - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d - linuxkit/ima-utils:fe119c7dac08884f4144cd106dc279ddd8b37517 onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: binfmt - image: "linuxkit/binfmt:131026c0cf6084467316395fed3b358f64bda00c" - binds: - - /proc/sys/fs/binfmt_misc:/binfmt_misc - readonly: true + image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9" - name: dhcpcd - image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8" - binds: - - /var:/var - - /tmp/etc:/etc - capabilities: - - CAP_NET_ADMIN - - CAP_NET_BIND_SERVICE - - CAP_NET_RAW - net: host + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: "linuxkit/rngd:61a07ced77a9747708223ca16a4aec621eacf518" - capabilities: - - CAP_SYS_ADMIN - oomScoreAdj: -800 - readonly: true + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: nginx image: "nginx:alpine" capabilities: @@ -48,5 +33,11 @@ files: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl - linuxkit/binfmt + - linuxkit/dhcpcd - linuxkit/rngd diff --git a/projects/kubernetes/image-cache/Dockerfile b/projects/kubernetes/image-cache/Dockerfile index a86fee6db..dfbc6eb30 100644 
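Review bot: `linuxkit/init:b3740303…` is left at its old hash while `runc`, `containerd` and `ca-certificates` are bumped to the same hashes used across the rest of this series, so this image now pairs a newer runc/containerd with an older init. That may be deliberate for the IMA-namespace kernel, but a comment on the init line (`# pinned: IMA-specific init, not yet rebuilt`) would stop it being "fixed" by the next sweep. The new `trust.image` list also omits `linuxkit/ima-utils`, which remains in `init:`, while every other init image is listed.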
--- a/projects/kubernetes/image-cache/Dockerfile +++ b/projects/kubernetes/image-cache/Dockerfile @@ -1,4 +1,4 @@ -FROM linuxkit/docker-ce:261f93927d85001c65e5ce0f421eb6062f09c0a5 +FROM linuxkit/docker-ce:668d62da6e3da081a8f8aca7db3e2a98adf5da59 ADD . /images ENTRYPOINT [ "/bin/sh", "-c" ] CMD [ "for image in /images/*.tar ; do docker image load -i $image && rm -f $image ; done" ] diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml index d3b008057..4f23db7b9 100644 --- a/projects/kubernetes/kube-master.yml +++ b/projects/kubernetes/kube-master.yml @@ -2,24 +2,19 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: sysfs - image: linuxkit/sysfs:1cde5876d44117af61dfea629ad922defcd48808 + image: linuxkit/sysfs:47367d0ef851e8bf2a9e2f80a05392c17f5c2c88 - name: binfmt - image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d" + image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9" - name: format - image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mounts image: "linuxkit/kubernetes:latest-mounts" capabilities: 
@@ -31,28 +26,15 @@ onboot: - /var:/var:rshared,rbind services: - name: rngd - image: "linuxkit/rngd:f5e5be43e730ea819c3293d5c6dcbfa7f4c5c314" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: ntpd image: "linuxkit/openntpd:ad834449a7eaf10dc022b3d8d2ed9faf7ec99d37" - capabilities: - - CAP_SYS_TIME - - CAP_SYS_NICE - - CAP_SYS_CHROOT - - CAP_SETUID - - CAP_SETGID - net: host - name: sshd - image: "linuxkit/sshd:1613253e5def414e0dfd261acd0e191eadb5fedf" - capabilities: - - all - net: host - pid: host - binds: - - /root/.ssh:/root/.ssh + image: "linuxkit/sshd:ddce15b9fbde068941e31294acdcd22befa4fc20" - name: docker - image: "linuxkit/docker-ce:261f93927d85001c65e5ce0f421eb6062f09c0a5" + image: "linuxkit/docker-ce:668d62da6e3da081a8f8aca7db3e2a98adf5da59" capabilities: - all net: host diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml index 442b9279d..c7a879805 100644 --- a/projects/kubernetes/kube-node.yml +++ b/projects/kubernetes/kube-node.yml 
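Review bot: The ntpd service keeps `linuxkit/openntpd:ad834449…` as unchanged context while its `CAP_SYS_TIME` and sibling capabilities and `net: host` are removed, so unless that exact image already carried them as labels the daemon will lose the ability to adjust the clock. Rebuild and re-pin the image, or keep the explicit capability block for ntpd. The sshd entry is in better shape because its hash changes, but it previously had `capabilities: - all` and the `/root/.ssh` bind; `docker` below still declares `capabilities: - all` explicitly and is unchanged here.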
@@ -2,24 +2,19 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: sysfs - image: linuxkit/sysfs:1cde5876d44117af61dfea629ad922defcd48808 + image: linuxkit/sysfs:47367d0ef851e8bf2a9e2f80a05392c17f5c2c88 - name: binfmt - image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d" + image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9" - name: format - image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mounts image: "linuxkit/kubernetes:latest-mounts" capabilities: 
@@ -31,28 +26,15 @@ onboot: - /var:/var:rshared,rbind services: - name: rngd - image: "linuxkit/rngd:f5e5be43e730ea819c3293d5c6dcbfa7f4c5c314" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: ntpd image: "linuxkit/openntpd:ad834449a7eaf10dc022b3d8d2ed9faf7ec99d37" - capabilities: - - CAP_SYS_TIME - - CAP_SYS_NICE - - CAP_SYS_CHROOT - - CAP_SETUID - - CAP_SETGID - net: host - name: sshd - image: "linuxkit/sshd:1613253e5def414e0dfd261acd0e191eadb5fedf" - capabilities: - - all - net: host - pid: host - binds: - - /root/.ssh:/root/.ssh + image: "linuxkit/sshd:ddce15b9fbde068941e31294acdcd22befa4fc20" - name: docker - image: "linuxkit/docker-ce:261f93927d85001c65e5ce0f421eb6062f09c0a5" + image: "linuxkit/docker-ce:668d62da6e3da081a8f8aca7db3e2a98adf5da59" capabilities: - all net: host diff --git a/projects/kubernetes/mounts.rb b/projects/kubernetes/mounts.rb index 21dd4835c..406d825f8 100644 --- a/projects/kubernetes/mounts.rb +++ b/projects/kubernetes/mounts.rb @@ -1,6 +1,6 @@ import 'common.rb' -from "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752" +from "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345" script = [ mount_bind_hostns_self("/etc/cni"), mount_make_hostns_rshared("/etc/cni"), diff --git a/projects/landlock/landlock.yml b/projects/landlock/landlock.yml index 2ec5dc650..32f6d35cb 100644 --- a/projects/landlock/landlock.yml +++ b/projects/landlock/landlock.yml 
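Review bot: Same concern as on the master config: `linuxkit/openntpd:ad834449…` is not re-pinned, yet its capability list and `net: host` are deleted, leaving no visible evidence that the image supplies them itself. Either bump it to a rebuilt image or leave the explicit block for this one service until it is. The `mounts.rb` change below is a plain hash bump.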
@@ -2,23 +2,22 @@ kernel: image: "mobylinux/kernel-landlock:4.9.x" cmdline: "console=ttyS0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - mobylinux/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" - net: host - pid: host - ipc: host - capabilities: - - CAP_SYS_ADMIN - readonly: true services: - name: rngd image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" - capabilities: - - CAP_SYS_ADMIN - oomScoreAdj: -800 - readonly: true +trust: + image: + - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/rngd diff --git a/projects/logging/examples/logging.yml b/projects/logging/examples/logging.yml index 801a6452e..848214c56 100644 --- a/projects/logging/examples/logging.yml +++ b/projects/logging/examples/logging.yml 
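Review bot: The new `trust.image` entries name `linuxkit/kernel`, `linuxkit/runc`, `linuxkit/containerd`, `linuxkit/ca-certificates`, `linuxkit/sysctl` and `linuxkit/rngd`, but the images this file actually pulls are `mobylinux/kernel-landlock`, `mobylinux/runc`, `mobylinux/containerd`, `mobylinux/ca-certificates`, `mobylinux/sysctl` and `mobylinux/rngd`, so the trust list covers nothing in use. Either move the images over to the linuxkit builds used elsewhere in this series or list the `mobylinux/…` names that are really pulled. Separately, `mobylinux/sysctl:2cf2f9d5…` and `mobylinux/rngd:3dad6dd4…` keep their hashes while their `CAP_SYS_ADMIN`, host namespaces and `readonly` settings are removed, with nothing here showing those images carry that configuration as labels.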
@@ -2,22 +2,22 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:062e57b1d1e017e44c6339fc2b4cd41f3f10b2a9 # with runc, logwrite, startmemlogd - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 # with runc, logwrite, startmemlogd + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d - linuxkit/memlogd:9b5834189f598f43c507f6938077113906f51012 onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: binfmt - image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d" + image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: nginx image: "nginx:alpine" capabilities: @@ -32,4 +32,12 @@ files: contents: '{"debug": true}' trust: image: - - mobylinux/kernel + - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/ca-certificates + - linuxkit/sysctl + - linuxkit/binfmt + - linuxkit/dhcpcd + - linuxkit/rngd diff --git a/projects/miragesdk/examples/mirage-dhcp.yml b/projects/miragesdk/examples/mirage-dhcp.yml index 0ed22cba1..0fbc45012 100644 --- a/projects/miragesdk/examples/mirage-dhcp.yml 
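Review bot: The rewritten `trust.image` list covers every init image except `linuxkit/memlogd`, which stays in `init:` as `linuxkit/memlogd:9b583418…` and is the component this example exists to exercise. Add `    - linuxkit/memlogd` unless the image is unsigned, in which case a comment on the init line should say so. The `mobylinux/kernel` to `linuxkit/kernel` correction does fix a real mismatch with the `kernel.image` line.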
+++ b/projects/miragesdk/examples/mirage-dhcp.yml @@ -8,15 +8,10 @@ init: - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935 onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" - - name: binfmt + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" services: - name: rngd image: mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9 - capabilities: - - CAP_SYS_ADMIN - oomScoreAdj: -800 - readonly: true - name: dhcp-client image: mobylinux/dhcp-client:a7a6b49b0ff51ffa2f44ac848cd649e29f946e0c net: host diff --git a/projects/okernel/examples/okernel_simple.yaml b/projects/okernel/examples/okernel_simple.yaml index eec90e476..ead2385f1 100644 --- a/projects/okernel/examples/okernel_simple.yaml +++ b/projects/okernel/examples/okernel_simple.yaml 
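Review bot: `mobylinux/rngd:3dad6dd4…` keeps its hash while `CAP_SYS_ADMIN`, `oomScoreAdj: -800` and `readonly: true` are removed, so unless that image already carries those as labels the service now runs without them; the rngd images elsewhere in this series were re-pinned to `linuxkit/rngd:b67c3151…` when their explicit settings were dropped, and the same would be cleaner here. Bumping `sysctl` to the linuxkit build while `init` stays on `mobylinux/ca-certificates` also leaves this file mixing the two namespaces; a comment or a follow-up bump would help.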
@@ -2,27 +2,20 @@ kernel: image: "linuxkit/okernel:latest" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" services: - name: rngd - image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" - name: sshd - image: "linuxkit/sshd:1613253e5def414e0dfd261acd0e191eadb5fedf" - capabilities: - - all - net: host - pid: host - binds: - - /root/.ssh:/root/.ssh - - /etc/resolv.conf:/etc/resolv.conf + image: "linuxkit/sshd:ddce15b9fbde068941e31294acdcd22befa4fc20" files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index 89e115529..49899f56b 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml 
@@ -2,31 +2,20 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 - - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4 + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b + - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d onboot: - name: sysctl - image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64" + image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1" - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: format - image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mount - image: "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752" - binds: - - /dev:/dev - - /var:/var:rshared,rbind - capabilities: - - CAP_SYS_ADMIN - rootfsPropagation: shared + image: "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345" command: ["/mount.sh", "/var/lib/swarmd"] - name: metadata image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" 
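Review bot: `linuxkit/runc:2649198589ef…` is left at its existing hash while `init` and `containerd` move to the hashes used in every other file of this series, so swarmd now runs a different runc build from the rest of the tree. If the pin is intentional (e.g. a swarmd-specific runc), say so on the line, `# pinned: swarmd-specific runc build`; otherwise bump it to `linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f`.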
@@ -39,16 +28,9 @@ onboot: - CAP_SYS_ADMIN services: - name: rngd - image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0" + image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14" - name: ntpd image: "linuxkit/openntpd:ad834449a7eaf10dc022b3d8d2ed9faf7ec99d37" - capabilities: - - CAP_SYS_TIME - - CAP_SYS_NICE - - CAP_SYS_CHROOT - - CAP_SETUID - - CAP_SETGID - net: host - name: swarmd image: "linuxkit/swarmd:a2f57f14f07fb6d7cded7832b2dabe878b28554e" command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"] diff --git a/test/cases/000_build/000_outputs/test.yml b/test/cases/000_build/000_outputs/test.yml index 6fa42fcb8..a281d6ded 100644 --- a/test/cases/000_build/000_outputs/test.yml +++ b/test/cases/000_build/000_outputs/test.yml @@ -2,13 +2,17 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: dhcpcd - image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e" + image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e" command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + - linuxkit/dhcpcd diff --git a/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml b/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml index 56a5ba4b6..e5aaeef61 100644 --- a/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml +++ b/test/cases/010_platforms/000_qemu/000_run_kernel/test.yml 
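Review bot: As in the etcd and kubernetes configs, `linuxkit/openntpd:ad834449…` is unchanged context here while its capability list and `net: host` are removed, with nothing in the diff showing that image carries the settings itself. Re-pin it to a rebuilt image or keep the explicit block for ntpd. This file also still has no `trust:` section after the change, unlike the other project configs touched in this series; if that is deliberate, a short comment would make it clear.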
@@ -2,9 +2,9 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:f71c3b30ac1ba4ef16c160c89610fa4976f9752f - - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: poweroff image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" @@ -12,3 +12,7 @@ onboot: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + diff --git a/test/cases/010_platforms/000_qemu/010_run_iso/test.yml b/test/cases/010_platforms/000_qemu/010_run_iso/test.yml index 56a5ba4b6..e5aaeef61 100644 --- a/test/cases/010_platforms/000_qemu/010_run_iso/test.yml +++ b/test/cases/010_platforms/000_qemu/010_run_iso/test.yml @@ -2,9 +2,9 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:f71c3b30ac1ba4ef16c160c89610fa4976f9752f - - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: poweroff image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" @@ -12,3 +12,7 @@ onboot: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd + diff --git a/test/cases/010_platforms/000_qemu/020_run_efi/test.yml b/test/cases/010_platforms/000_qemu/020_run_efi/test.yml index 56a5ba4b6..354a2f50d 100644 --- a/test/cases/010_platforms/000_qemu/020_run_efi/test.yml +++ b/test/cases/010_platforms/000_qemu/020_run_efi/test.yml 
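Review bot: Both the `000_run_kernel` and `010_run_iso` trust hunks end with an empty added line (`+` with nothing after `- linuxkit/containerd`), which is why their headers read `+12,7` while the otherwise identical `020_run_efi` hunk reads `+12,6`. Drop the trailing blank line so the three test configs stay byte-identical and the diff does not carry whitespace-only noise.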
@@ -2,9 +2,9 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:f71c3b30ac1ba4ef16c160c89610fa4976f9752f - - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: poweroff image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" @@ -12,3 +12,6 @@ onboot: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd diff --git a/test/cases/010_platforms/000_qemu/030_run_qcow/test.yml b/test/cases/010_platforms/000_qemu/030_run_qcow/test.yml index 56a5ba4b6..354a2f50d 100644 --- a/test/cases/010_platforms/000_qemu/030_run_qcow/test.yml +++ b/test/cases/010_platforms/000_qemu/030_run_qcow/test.yml @@ -2,9 +2,9 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:f71c3b30ac1ba4ef16c160c89610fa4976f9752f - - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: poweroff image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" @@ -12,3 +12,6 @@ onboot: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd diff --git a/test/cases/010_platforms/000_qemu/100_container/test.yml b/test/cases/010_platforms/000_qemu/100_container/test.yml index 3b0cd9b69..7c0fd1cb0 100644 --- a/test/cases/010_platforms/000_qemu/100_container/test.yml +++ b/test/cases/010_platforms/000_qemu/100_container/test.yml 
@@ -2,9 +2,9 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e - - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6 - - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61 + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: poweroff image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" @@ -12,3 +12,6 @@ onboot: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd diff --git a/test/cases/010_platforms/010_hyperkit/000_run_kernel/test.yml b/test/cases/010_platforms/010_hyperkit/000_run_kernel/test.yml index 56a5ba4b6..354a2f50d 100644 --- a/test/cases/010_platforms/010_hyperkit/000_run_kernel/test.yml +++ b/test/cases/010_platforms/010_hyperkit/000_run_kernel/test.yml @@ -2,9 +2,9 @@ kernel: image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - linuxkit/init:f71c3b30ac1ba4ef16c160c89610fa4976f9752f - - linuxkit/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9 - - linuxkit/containerd:60e2486a74c665ba4df57e561729aec20758daed + - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480 + - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f + - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b onboot: - name: poweroff image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8" @@ -12,3 +12,6 @@ onboot: trust: image: - linuxkit/kernel + - linuxkit/init + - linuxkit/runc + - linuxkit/containerd diff --git a/test/cases/020_kernel/000_config_4.4.x/test-kernel-config.yml b/test/cases/020_kernel/000_config_4.4.x/test-kernel-config.yml index 67985faac..561b46251 100644 --- a/test/cases/020_kernel/000_config_4.4.x/test-kernel-config.yml +++ b/test/cases/020_kernel/000_config_4.4.x/test-kernel-config.yml 
@@ -2,9 +2,9 @@ kernel:
 image: "linuxkit/kernel:4.4.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: check-kernel-config
 image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
@@ -12,3 +12,9 @@ onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 command: ["/bin/sh", "/poweroff.sh", "3"]
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/cases/020_kernel/001_config_4.9.x/test-kernel-config.yml b/test/cases/020_kernel/001_config_4.9.x/test-kernel-config.yml
index 8102961be..d5ce54d86 100644
--- a/test/cases/020_kernel/001_config_4.9.x/test-kernel-config.yml
+++ b/test/cases/020_kernel/001_config_4.9.x/test-kernel-config.yml
@@ -2,9 +2,9 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: check-kernel-config
 image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
@@ -12,3 +12,9 @@ onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 command: ["/bin/sh", "/poweroff.sh", "3"]
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/cases/020_kernel/002_config_4.10.x/test-kernel-config.yml b/test/cases/020_kernel/002_config_4.10.x/test-kernel-config.yml
index 6b8c96c52..b476bbe83 100644
--- a/test/cases/020_kernel/002_config_4.10.x/test-kernel-config.yml
+++ b/test/cases/020_kernel/002_config_4.10.x/test-kernel-config.yml
@@ -2,9 +2,9 @@ kernel:
 image: "linuxkit/kernel:4.10.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: check-kernel-config
 image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
@@ -12,3 +12,9 @@ onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 command: ["/bin/sh", "/poweroff.sh", "3"]
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/cases/020_kernel/003_config_4.11.x/test-kernel-config.yml b/test/cases/020_kernel/003_config_4.11.x/test-kernel-config.yml
index 1c3c6d7ee..85843f6eb 100644
--- a/test/cases/020_kernel/003_config_4.11.x/test-kernel-config.yml
+++ b/test/cases/020_kernel/003_config_4.11.x/test-kernel-config.yml
@@ -2,9 +2,9 @@ kernel:
 image: "linuxkit/kernel:4.11.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: check-kernel-config
 image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
@@ -12,3 +12,9 @@ onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 command: ["/bin/sh", "/poweroff.sh", "3"]
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/cases/020_kernel/010_kmod_4.9.x/kmod.yml b/test/cases/020_kernel/010_kmod_4.9.x/kmod.yml
index e4c896e68..1fc3fc0e0 100644
--- a/test/cases/020_kernel/010_kmod_4.9.x/kmod.yml
+++ b/test/cases/020_kernel/010_kmod_4.9.x/kmod.yml
@@ -2,9 +2,9 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: check
 image: "kmod-test"
@@ -16,3 +16,9 @@ onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 command: ["/bin/sh", "/poweroff.sh", "3"]
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
index 4a56fea7a..768cac35c 100644
--- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml
+++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
@@ -2,40 +2,29 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
- - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
+ - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d
 onboot:
 - name: sysctl
- image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64"
+ image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1"
 - name: sysfs
- image: "linuxkit/sysfs:1cde5876d44117af61dfea629ad922defcd48808"
+ image: "linuxkit/sysfs:47367d0ef851e8bf2a9e2f80a05392c17f5c2c88"
 - name: binfmt
- image: "linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d"
+ image: "linuxkit/binfmt:eb3977596d5fc9e847eee1d34cb3beb3f574cac9"
 - name: format
- image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551"
- binds:
- - /dev:/dev
- capabilities:
- - CAP_SYS_ADMIN
- - CAP_MKNOD
+ image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66"
 - name: mount
- image: "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752"
- binds:
- - /dev:/dev
- - /var:/var:rshared,rbind
- capabilities:
- - CAP_SYS_ADMIN
- rootfsPropagation: shared
+ image: "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345"
 command: ["/mount.sh", "/var/lib/docker"]
 services:
 - name: rngd
- image: "linuxkit/rngd:69f951ce2a3a9534dbbc7ba8119e1df4391f06c0"
+ image: "linuxkit/rngd:b67c3151a52b05db50e6207b40876900f2208d14"
 - name: dhcpcd
- image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e"
+ image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e"
 - name: docker
- image: "linuxkit/docker-ce:261f93927d85001c65e5ce0f421eb6062f09c0a5"
+ image: "linuxkit/docker-ce:668d62da6e3da081a8f8aca7db3e2a98adf5da59"
 capabilities:
 - all
 net: host
@@ -58,5 +47,14 @@ services:
 trust:
 image:
 - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
+ - linuxkit/ca-certificates
+ - linuxkit/sysctl
+ - linuxkit/sysfs
 - linuxkit/binfmt
+ - linuxkit/format
+ - linuxkit/mount
 - linuxkit/rngd
+ - linuxkit/dhcpcd
diff --git a/test/cases/040_packages/000_sysctl/test-sysctl.yml b/test/cases/040_packages/000_sysctl/test-sysctl.yml
index 6471deba2..a21bd0782 100644
--- a/test/cases/040_packages/000_sysctl/test-sysctl.yml
+++ b/test/cases/040_packages/000_sysctl/test-sysctl.yml
@@ -2,13 +2,12 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0 page_poison=1"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:1c71f95fa36040ea7e987deb98a7a2a363853f01
- - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: sysctl
- image: "linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64"
+ image: "linuxkit/sysctl:b16a483897dd5f71be7e0c04cd090b05f52682e1"
 - name: test
 image: "linuxkit/test-sysctl:c4df4c4d692904d6245dcdef1f4a79389bd3d894"
 - name: poweroff
@@ -16,5 +15,7 @@ onboot:
 trust:
 image:
 - linuxkit/kernel
- - linuxkit/binfmt
- - linuxkit/rngd
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
+ - linuxkit/sysctl
diff --git a/test/cases/040_packages/001_mkimage/mkimage.yml b/test/cases/040_packages/001_mkimage/mkimage.yml
index bfa8c90c4..8bcced824 100644
--- a/test/cases/040_packages/001_mkimage/mkimage.yml
+++ b/test/cases/040_packages/001_mkimage/mkimage.yml
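Review bot: With the `binds`, `capabilities` and `rootfsPropagation` entries removed from the `format` and `mount` containers, the privileges those two onboot steps run with are no longer visible in this test config; they now come from defaults carried in the image itself (the docs change later in this series points to the `org.mobyproject.config` label). Since this is the docker-bench security test, a one-line comment next to `- name: format` such as `# binds/capabilities come from the image's org.mobyproject.config label` would keep that visible to whoever audits the config. This hunk starts on the previous line.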
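Review bot: The extended `trust` list in the second hunk still leaves out `linuxkit/docker-ce`, even though the `docker` service in this file runs with `capabilities: - all` and `net: host` and is the most privileged image in the config. If that image is signed, add `- linuxkit/docker-ce` to the list; if it is not signed yet, a comment saying so would help, because the list now reads as if it covered every image the config pulls.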
@@ -2,12 +2,12 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: mkimage
- image: "linuxkit/mkimage:8bb18fe306afaca9ba50fe3148ec12570586c2a6"
+ image: "linuxkit/mkimage:a3fd615543b84733ac8ba6f7e1927727665ef404"
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 files:
@@ -20,5 +20,6 @@ files:
 trust:
 image:
 - linuxkit/kernel
- - linuxkit/binfmt
- - linuxkit/rngd
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/cases/040_packages/001_mkimage/run.yml b/test/cases/040_packages/001_mkimage/run.yml
index e0e14cb47..95f1253c8 100644
--- a/test/cases/040_packages/001_mkimage/run.yml
+++ b/test/cases/040_packages/001_mkimage/run.yml
@@ -2,15 +2,12 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:1c71f95fa36040ea7e987deb98a7a2a363853f01
- - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 trust:
 image:
 - linuxkit/kernel
- - linuxkit/binfmt
- - linuxkit/rngd
diff --git a/test/hack/test-ltp.yml b/test/hack/test-ltp.yml
index f0c793650..06523fdad 100644
--- a/test/hack/test-ltp.yml
+++ b/test/hack/test-ltp.yml
@@ -2,10 +2,9 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
- - linuxkit/runc:24dfe632ed3ff53a026ee3fac046fd544434e2d6
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
- - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
+ - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: ltp
 image: "linuxkit/test-ltp-20170116:81229df2d25065b06f0a3071faaace8d66c87e67"
@@ -20,3 +19,9 @@ onboot:
 files:
 - path: /etc/ltp/baseline
 contents: "100"
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
diff --git a/test/hack/test.yml b/test/hack/test.yml
index 44d057164..b2353c484 100644
--- a/test/hack/test.yml
+++ b/test/hack/test.yml
@@ -4,13 +4,12 @@ kernel:
 image: "linuxkit/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:deea956a9ab07bf262083e93a86930bdc610cc2f
+ - linuxkit/init:4fc8aa82ab34d62d510575c8fbe0c58b7ba9c480
 - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38
- - linuxkit/containerd:f1130450206d4f64f0ddc13d15bb68435aa1ff61
- - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
+ - linuxkit/containerd:b1766e4c4c09f63ac4925a6e4612852a93f7e73b
 onboot:
 - name: dhcpcd
- image: "linuxkit/dhcpcd:ae03169274d19fe8841314fa5a6fea3c61adbf4e"
+ image: "linuxkit/dhcpcd:7d2f17a0e5d1ef9a75a527821a9ab0d753b22e7e"
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 - name: check-kernel-config
 image: "linuxkit/test-kernel-config:ecff41279ccbc408079a3996a956432651c6eb9c"
@@ -18,3 +17,10 @@ onboot:
 - name: poweroff
 image: "linuxkit/poweroff:a8f1e4ad8d459f1fdaad9e4b007512cb3b504ae8"
 command: ["/bin/sh", "/poweroff.sh", "3"]
+trust:
+ image:
+ - linuxkit/kernel
+ - linuxkit/init
+ - linuxkit/runc
+ - linuxkit/containerd
+ - linuxkit/dhcpcd
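Review bot: In the test/hack/test.yml hunk the `linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38` line is kept as context while `init` and `containerd` are bumped to the hashes used in every other file of this series, and `linuxkit/runc` is added to the new `trust` list at the same time. Every other config here moves runc to `3a4e6cbf15470f62501b019b55e1caac5ee7689f`, so this looks like an oversight; if so the line should read `  - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f`. If the older runc is deliberate for this hack config, a short comment saying why would stop the next maintainer from "fixing" it.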
From 86a66359309bf7c0eb979e1f8e63f0f61dbb5884 Mon Sep 17 00:00:00 2001 From: Rolf Neugebauer Date: Fri, 26 May 2017 15:43:39 +0100 Subject: [PATCH 12/13] docs: Update documentation Signed-off-by: Rolf Neugebauer --- docs/external-disk.md | 17 ++++------------- docs/yaml.md | 3 +-- pkg/swap/README.md | 11 +---------- 3 files changed, 6 insertions(+), 25 deletions(-) diff --git a/docs/external-disk.md b/docs/external-disk.md index 5e2c72ae7..60acbbf80 100644 --- a/docs/external-disk.md +++ b/docs/external-disk.md @@ -39,20 +39,9 @@ To simplify the process, two `onboot` images are available for you to use: ```yml onboot: - name: format - image: "linuxkit/format:fdbfda789fe30a97ff194a06ac51ee0ff6b3ccf4" - binds: - - /dev:/dev - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD + image: "linuxkit/format:55afe08816c2a4d8dbae3ee51ef53e0bee422d66" - name: mount - image: "linuxkit/mount:ad138d252798d9d0d6779f7f4d35b7fbcbbeefb9" - binds: - - /dev:/dev - - /var:/var:rshared,rbind - capabilities: - - CAP_SYS_ADMIN - rootfsPropagation: shared + image: "linuxkit/mount:15e20f27abe69d276f796e4026531833ec5ff345" command: ["/mount.sh", "/var/external"] ``` 
@@ -62,10 +51,12 @@ Notice several key points: * The format container needs to have bind mounts for `/dev` * The format container needs `CAP_SYS_ADMIN` and `CAP_MKNOD` capabilities * The format container only needs to run **once**, not matter how many external disks or partitions are provided. It finds all block devices under `/dev` and processes them. + * The default container config should be sufficient 2. mount container * The mount container `command` is `mount.sh` followed by the desired mount point. Remember that nearly everything in a linuxkit image is read-only except under `/var`, so mount it there. * The mount container needs to have bind mounts for `/dev` and `/var` * The mount container needs `CAP_SYS_ADMIN` capabilities * The mount container needs `rootfsPropagation: shared` + * The default container config should be sufficient, though the `mount.sh` command needs to be specified With the above in place, if run with the current disk options, the image will make the external disk available as `/dev/vda1` and mount it at `/var/external`. diff --git a/docs/yaml.md b/docs/yaml.md index 8bce1081e..73374fd8d 100644 --- a/docs/yaml.md +++ b/docs/yaml.md 
@@ -50,8 +50,7 @@ The image name may include tag or digest, but the matching also succeeds if the ## Image specification For each image in the `system` and `daemon` sections you can specify the OCI options that are passed to -`runc`, so you can specify what capabilities are needed and so on. Generally there are few defaults. -For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md). +`runc`, so you can specify what capabilities are needed and so on. Most LinuxKit packages now define defaults in the `org.mobyproject.config` image label. For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md). - `name` a unique name for the program being executed, used as the `containerd` id. - `image` the Docker image to use for the root filesystem. The default command, path and environment are diff --git a/pkg/swap/README.md b/pkg/swap/README.md index 045c59d63..a2df721cc 100644 --- a/pkg/swap/README.md +++ b/pkg/swap/README.md @@ -8,16 +8,7 @@ Normally, unless you are running explicitly in a desktop version, LinuxKit image ``` onboot: - name: swap - image: "linuxkit/swap:c4c723a3d6678dc49770181bbb231ec99b271c75" - net: host - pid: host - capabilities: - - CAP_SYS_ADMIN - - CAP_MKNOD - readonly: true - binds: - - /dev:/dev - - /var:/var + image: "linuxkit/swap:085f0088dd1ef2f994e707e438218ea4d41bad13" command: ["swap.sh","--path","/var/external/swap","--size","2G"] ``` From 37c5e6bffbee73f3177372fdc27ecc1e2a56256a Mon Sep 17 00:00:00 2001 From: Rolf Neugebauer Date: Fri, 26 May 2017 15:51:53 +0100 Subject: [PATCH 13/13] pkg: Update open-vm-tools to new Alpine base Signed-off-by: Rolf Neugebauer --- pkg/open-vm-tools/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/open-vm-tools/Dockerfile b/pkg/open-vm-tools/Dockerfile index d40456251..95a2ea10f 100644 --- a/pkg/open-vm-tools/Dockerfile +++ b/pkg/open-vm-tools/Dockerfile 
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:dc7d4cdb5932f3e6ff62172c05627816c0d412fa@sha256:0239e6984a9932bfe1b44dc9be6f8e4c29dd7bdb431ba0b040b6d027b1091f08 AS mirror
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
 alpine-baselayout \
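Review bot: The new `FROM` line pulls `linuxkit/alpine` by tag only, whereas the line it replaces also pinned the base by `@sha256:` digest; a tag, even one that is derived from the build inputs as the earlier commits in this series suggest, can be re-pushed in the registry, so the build no longer verifies that it gets the exact image that was reviewed. Once the new base image is published, the digest should go back on the line, e.g. `FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9@sha256:<digest-of-pushed-image> AS mirror`, or a comment should say why the digest was intentionally dropped. The rest of the stage continues beyond this hunk.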