Add in sysctl container
- based on @riyazdf's earlier unmerged Go version (891c006d34/alpine/containers/cloud-config/main.go)
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
parent
83c052f74c
commit
bf41a668d7
@ -2,7 +2,7 @@ QEMU_IMAGE=mobylinux/qemu-user-static:da39a3ee5e6b4b0d3255bfef95601890afd80709@s
|
||||
QEMU_FILES=qemu-arm qemu-aarch64 qemu-ppc64le
|
||||
QEMU_BINARIES=$(addprefix usr/bin/,$(QEMU_FILES))
|
||||
|
||||
GO_COMPILE=mobylinux/go-compile:d2d25ac665b5148ad356d0eab3ff3762a68c633d@sha256:aab55d0c317460850e66a07dd94139cc11ea9e1c0bee88716a6a8c768740885f
|
||||
GO_COMPILE=mobylinux/go-compile:236629d9fc0779db9e7573ceb8b0e92f08f553be@sha256:16020c2d90cecb1f1d2d731187e947535c23f38b62319dd386ae642b4b32e1fb
|
||||
|
||||
BINFMT_BINARY=usr/bin/binfmt
|
||||
|
||||
|
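--- /dev/null
+++ b/base/sysctl/.gitignore
@@ -0,0 +1,4 @@
+dev
+proc
+sys
+usr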
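--- /dev/null
+++ b/base/sysctl/Dockerfile
@@ -0,0 +1,3 @@
+FROM scratch
+COPY . ./
+CMD ["/usr/bin/sysctl"]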
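--- /dev/null
+++ b/base/sysctl/Makefile
@@ -0,0 +1,44 @@
+GO_COMPILE=mobylinux/go-compile:236629d9fc0779db9e7573ceb8b0e92f08f553be@sha256:16020c2d90cecb1f1d2d731187e947535c23f38b62319dd386ae642b4b32e1fb
+
+SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+
+SYSCTL_BINARY=usr/bin/sysctl
+
+IMAGE=sysctl
+
+.PHONY: tag push clean container
+default: push
+
+$(SYSCTL_BINARY): main.go
+	mkdir -p $(dir $@)
+	tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(GO_COMPILE) -o $@ | tar xf -
+
+DIRS=dev proc sys
+$(DIRS):
+	mkdir -p $@
+
+DEPS=$(DIRS) $(SYSCTL_BINARY) etc/sysctl.d/00-moby.conf
+
+container: Dockerfile $(DEPS)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+
+hash: Dockerfile $(DEPS)
+	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
+
+push: hash container
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash container
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -rf hash $(DIRS) usr
+
+.DELETE_ON_ERROR: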
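--- /dev/null
+++ b/base/sysctl/etc/sysctl.d/00-moby.conf
@@ -0,0 +1,22 @@
+# general limits
+vm.max_map_count = 262144
+vm.overcommit_memory = 1
+net.core.somaxconn = 1024
+net.ipv4.neigh.default.gc_thresh1 = 30000
+net.ipv4.neigh.default.gc_thresh2 = 32000
+net.ipv4.neigh.default.gc_thresh3 = 32768
+fs.aio-max-nr = 1048576
+fs.inotify.max_user_watches = 524288
+fs.file-max = 524288
+# for rngd
+kernel.random.write_wakeup_threshold = 3072
+# security restrictions
+kernel.kptr_restrict = 2
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+kernel.perf_event_paranoid = 3
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1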
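--- /dev/null
+++ b/base/sysctl/main.go
@@ -0,0 +1,72 @@
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+var (
+	configDir string
+	sysctlDir string
+)
+
+func init() {
+	flag.StringVar(&configDir, "configDir", "/etc/sysctl.d", "directory with config files")
+	flag.StringVar(&sysctlDir, "sysctlDir", "/proc/sys", "mount point for sysctls")
+}
+
+func sysctl(line []byte) error {
+	// parse line into a string of expected form X.Y.Z=VALUE
+	sysctlLineKV := strings.Split(string(line[:]), "=")
+	if len(sysctlLineKV) != 2 {
+		if len(sysctlLineKV) >= 1 && len(sysctlLineKV[0]) >= 1 && strings.Trim(sysctlLineKV[0], " ")[:1] == "#" {
+			return nil
+		}
+		return fmt.Errorf("Cannot parse %s", string(line))
+	}
+	// trim any extra whitespace
+	sysctlSetting, sysctlValue := strings.Trim(sysctlLineKV[0], " "), strings.Trim(sysctlLineKV[1], " ")
+	sysctlFile := filepath.Join(sysctlDir, filepath.Join(strings.Split(sysctlSetting, ".")...))
+	file, err := os.OpenFile(sysctlFile, os.O_WRONLY, 0)
+	if err != nil {
+		return fmt.Errorf("Cannot open %s: %s", sysctlFile, err)
+	}
+	defer file.Close()
+	_, err = file.Write([]byte(sysctlValue))
+	if err != nil {
+		return fmt.Errorf("Cannot write to %s: %s", sysctlFile, err)
+	}
+	return nil
+}
+
+func main() {
+	flag.Parse()
+
+	files, err := ioutil.ReadDir(configDir)
+	if err != nil {
+		log.Fatalf("Cannot read directory %s: %s", configDir, err)
+	}
+
+	for _, file := range files {
+		contents, err := ioutil.ReadFile(filepath.Join(configDir, file.Name()))
+		if err != nil {
+			log.Fatalf("Cannot read file %s: %s", file.Name(), err)
+		}
+		lines := bytes.Split(contents, []byte("\n"))
+		for _, line := range lines {
+			if len(line) == 0 {
+				continue
+			}
+			err = sysctl(line)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
+	}
+}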
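Review bot: `sysctl` panics on a whitespace-only line: main skips only lines of length 0, so a line such as `"   "` reaches the comment check, where `strings.Trim(sysctlLineKV[0], " ")` yields `""` and the `[:1]` slice is out of range. The same parse rejects any value containing `=` (sysctl.conf(5) allows it), treats a comment like `# a = b` as a key and fails opening it, and `strings.Trim(..., " ")` leaves tabs and `\r` in the key or value. Skip blank and comment lines after `strings.TrimSpace` and split once with `strings.SplitN`, as below. Separately, `log.Fatal` on the first unknown key skips every later entry — in 00-moby.conf that is the whole `# security restrictions` block — so consider writing all lines, collecting failures, and exiting non-zero at the end.
```go
func sysctl(line []byte) error {
	// sysctl.conf(5): blank lines and lines starting with '#' or ';' are
	// ignored; everything after the first '=' is the value and may itself
	// contain '='.
	trimmed := strings.TrimSpace(string(line))
	if trimmed == "" || trimmed[0] == '#' || trimmed[0] == ';' {
		return nil
	}
	kv := strings.SplitN(trimmed, "=", 2)
	if len(kv) != 2 {
		return fmt.Errorf("Cannot parse %s", string(line))
	}
	sysctlSetting, sysctlValue := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
	// … unchanged: path construction, open and write …
}
```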
@ -37,6 +37,7 @@ type MobyImage struct {
|
||||
Command []string
|
||||
NetworkMode string `yaml:"network_mode"`
|
||||
Pid string
|
||||
Ipc string
|
||||
}
|
||||
|
||||
const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72"
|
||||
@ -77,6 +78,10 @@ func ConfigToRun(order int, path string, image *MobyImage) []string {
|
||||
// TODO only "host" supported
|
||||
args = append(args, "--pid="+image.Pid)
|
||||
}
|
||||
if image.Ipc != "" {
|
||||
// TODO only "host" supported
|
||||
args = append(args, "--ipc="+image.Pid)
|
||||
}
|
||||
for _, bind := range image.Binds {
|
||||
args = append(args, "-v", bind)
|
||||
}
|
||||
|
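Review bot: The new Ipc branch builds the flag from the wrong field: `args = append(args, "--ipc="+image.Pid)` should be `args = append(args, "--ipc="+image.Ipc)`. As written, `ipc: host` in moby.yaml only happens to work because the same container also sets `pid: host`; an image with `ipc` set and `pid` empty would emit a bare `--ipc=`. ConfigToRun begins before this hunk, so I cannot see whether these fields are validated anywhere else.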
@ -1,6 +1,13 @@
|
||||
kernel: "mobylinux/kernel:598481c08deafa37dccb33c88ad69fdecda57909"
|
||||
init: "mobylinux/init:2f1b5c1be1157cb17e5b1e6dee171dccdebb5277"
|
||||
system:
|
||||
- name: sysctl
|
||||
image: "mobylinux/sysctl:9bef9130afb8023ed1b2cecb4d961ba34a0f6628"
|
||||
network_mode: host
|
||||
pid: host
|
||||
ipc: host
|
||||
capabilities:
|
||||
- CAP_SYS_ADMIN
|
||||
- name: binfmt
|
||||
image: "mobylinux/binfmt:a94e0587b702edaa95cc6f303464959d0eb2311c@sha256:432732b90cbe0498f5ca148d75b90bb1eabd8fbfe8c872df8b23906c225091b1"
|
||||
binds:
|
||||
|
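Review bot: The sysctl entry is pinned by tag only (`image: "mobylinux/sysctl:9bef9130afb8023ed1b2cecb4d961ba34a0f6628"`) while the binfmt entry right below it carries an `@sha256:` digest; a tag on a public registry can be re-pushed, and this container runs with CAP_SYS_ADMIN in the host network, pid and ipc namespaces and writes to /proc/sys, so it is exactly the image that should be digest-pinned. The new Makefile derives the tag from a content hash, but that does not stop tag substitution on the registry side; append the digest as binfmt does (`image: "mobylinux/sysctl:<tag>@sha256:<digest>"`). The kernel and init lines above are also tag-only, so this may be deliberate staging of the pinning — if so, a comment saying so would help the next reader.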