From 1f6c1a59ca58965781835e943550d082af8aef24 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Fri, 3 Nov 2017 15:19:33 +0000
Subject: [PATCH 1/2] linuxkit pkg: Add `config` field to `build.yml`

This is a `moby.ImageConfig` struct which is marshalled into JSON and added as the `org.mobyproject.config` label on the built image.

Convert `pkg/sysctl` as PoC.

Signed-off-by: Ian Campbell
---
 docs/packages.md | 1 +
 pkg/sysctl/Dockerfile | 1 -
 pkg/sysctl/build.yml | 5 +++++
 src/cmd/linuxkit/pkglib/build.go | 10 ++++++++++
 src/cmd/linuxkit/pkglib/pkglib.go | 19 ++++++++++++-------
 src/cmd/linuxkit/vendor.conf | 2 +-
 .../github.com/moby/tool/src/moby/config.go | 10 ++++++++--
 7 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/docs/packages.md b/docs/packages.md
index 77c537f77..4a0a024b2 100644
--- a/docs/packages.md
+++ b/docs/packages.md
@@ -29,6 +29,7 @@ A package source consists of a directory containing at least two files:
 - `network` _(bool)_: Allow network access during the package build (default: no)
 - `disable-content-trust` _(bool)_: Disable Docker content trust for this package (default: no)
 - `disable-cache` _(bool)_: Disable build cache for this package (default: no)
+- `config`: _(struct `github.com/moby/tool/src/moby.ImageConfig`)_: Image configuration, marshalled to JSON and added as `org.mobyproject.config` label on image (default: no label)
 
 ## Building packages
 
diff --git a/pkg/sysctl/Dockerfile b/pkg/sysctl/Dockerfile
index 6a8e3ee76..e01f8c2c4 100644
--- a/pkg/sysctl/Dockerfile
+++ b/pkg/sysctl/Dockerfile
@@ -13,4 +13,3 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysctl /usr/bin/sysctl
 COPY etc/ /etc/
 CMD ["/usr/bin/sysctl"]
-LABEL org.mobyproject.config='{"pid": "host", "readonly": true, "capabilities": ["CAP_SYS_ADMIN"]}'
diff --git a/pkg/sysctl/build.yml b/pkg/sysctl/build.yml
index 21d62da47..471e3993d 100644
--- a/pkg/sysctl/build.yml
+++ b/pkg/sysctl/build.yml
@@ -1 +1,6 @@
 image: sysctl
+config:
+ pid: "host"
+ readonly: true
+ capabilities:
+ - CAP_SYS_ADMIN
diff --git a/src/cmd/linuxkit/pkglib/build.go b/src/cmd/linuxkit/pkglib/build.go
index 8049ee632..83ea540cc 100644
--- a/src/cmd/linuxkit/pkglib/build.go
+++ b/src/cmd/linuxkit/pkglib/build.go
@@ -1,6 +1,7 @@
 package pkglib
 
 import (
+ "encoding/json"
 "fmt"
 "os"
 "runtime"
@@ -122,6 +123,15 @@ func (p Pkg) Build(bos ...BuildOpt) error {
 args = append(args, "--network=none")
 }
 
+ if p.config != nil {
+ b, err := json.Marshal(*p.config)
+ if err != nil {
+ return err
+ }
+
+ args = append(args, "--label=org.mobyproject.config="+string(b))
+ }
+
 if err := d.build(p.Tag()+suffix, p.pkgPath, args...); err != nil {
 return err
 }
diff --git a/src/cmd/linuxkit/pkglib/pkglib.go b/src/cmd/linuxkit/pkglib/pkglib.go
index 9708710a2..f698c326a 100644
--- a/src/cmd/linuxkit/pkglib/pkglib.go
+++ b/src/cmd/linuxkit/pkglib/pkglib.go
@@ -8,17 +8,20 @@ import (
 "os"
 "path/filepath"
 "strings"
+
+ "github.com/moby/tool/src/moby"
 )
 
 // Containers fields settable in the build.yml
 type pkgInfo struct {
- Image string `yaml:"image"`
- Org string `yaml:"org"`
- Arches []string `yaml:"arches"`
- GitRepo string `yaml:"gitrepo"` // ??
- Network bool `yaml:"network"`
- DisableContentTrust bool `yaml:"disable-content-trust"`
- DisableCache bool `yaml:"disable-cache"`
+ Image string `yaml:"image"`
+ Org string `yaml:"org"`
+ Arches []string `yaml:"arches"`
+ GitRepo string `yaml:"gitrepo"` // ??
+ Network bool `yaml:"network"`
+ DisableContentTrust bool `yaml:"disable-content-trust"`
+ DisableCache bool `yaml:"disable-cache"`
+ Config *moby.ImageConfig `yaml:"config"`
 }
 
 // Pkg encapsulates information about a package's source
@@ -31,6 +34,7 @@ type Pkg struct {
 network bool
 trust bool
 cache bool
+ config *moby.ImageConfig
 
 // Internal state
 pkgPath string
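Review bot: The json.Marshal failure at `return err` in the new `if p.config != nil` block is returned bare, so a failing build reports only the encoder's message with no hint that it came from the `config` block of this package's build.yml; wrap it, e.g. `return fmt.Errorf("marshalling config for %s: %v", p.Tag(), err)` (fmt is already imported in this file). The block also deserves a why-comment, since the label it writes is, per the ImageConfig comment in the vendored config.go, the runtime configuration (capabilities, namespaces, readonly) moby accepts from that label: `// Embed the build.yml config as the org.mobyproject.config label, which moby reads as the image's runtime config.` Build's body starts and ends outside the hunk.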
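Review bot: The new `Config *moby.ImageConfig \`yaml:"config"\`` field on pkgInfo carries security-sensitive settings (capabilities, pid namespace, readonly), yet nothing in the hunk shows the build.yml decode rejecting unknown keys; a misspelled key such as `capabilites:` would presumably be dropped silently and the package would build with whatever the defaults are for that field rather than what its author wrote. If the parser is gopkg.in/yaml.v2, `yaml.UnmarshalStrict` at the decode site (outside this hunk) closes that gap. The field is also the only one in pkgInfo whose effect is not obvious from its name, so it deserves a comment: `// Config is marshalled to JSON and set as the org.mobyproject.config label on the built image.`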
@@ -185,6 +189,7 @@ func NewFromCLI(fs *flag.FlagSet, args ...string) (Pkg, error) {
 network: pi.Network,
 trust: !pi.DisableContentTrust,
 cache: !pi.DisableCache,
+ config: pi.Config,
 dirty: dirty,
 pkgPath: pkgPath,
 git: git,
diff --git a/src/cmd/linuxkit/vendor.conf b/src/cmd/linuxkit/vendor.conf
index 09a22b669..23eb34dd6 100644
--- a/src/cmd/linuxkit/vendor.conf
+++ b/src/cmd/linuxkit/vendor.conf
@@ -24,7 +24,7 @@ github.com/jmespath/go-jmespath bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d
 github.com/mitchellh/go-ps 4fdf99ab29366514c69ccccddab5dc58b8d84062
 github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86
 github.com/moby/hyperkit a12cd7250bcd8d689078e3e42ae4a7cf6a0cbaf3
-github.com/moby/tool 63a5dedd28a459900eba56dd191edaeb688cfdf4
+github.com/moby/tool 656bd87fd26b4cfc7da735939ce78cc7cb541181
 github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 github.com/opencontainers/image-spec v1.0.0
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go
index 9d4119cc4..d4f57c8aa 100644
--- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go
+++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/config.go
@@ -62,8 +62,14 @@ type File struct {
 
 // Image is the type of an image config
 type Image struct {
- Name string `yaml:"name" json:"name"`
- Image string `yaml:"image" json:"image"`
+ Name string `yaml:"name" json:"name"`
+ Image string `yaml:"image" json:"image"`
+ ImageConfig `yaml:",inline"`
+}
+
+// ImageConfig is the configuration part of Image, it is the subset
+// which is valid in a "org.mobyproject.config" label on an image.
+type ImageConfig struct {
 Capabilities *[]string `yaml:"capabilities" json:"capabilities,omitempty"`
 Ambient *[]string `yaml:"ambient" json:"ambient,omitempty"`
 Mounts *[]specs.Mount `yaml:"mounts" json:"mounts,omitempty"`
From fd9242d5ef56f38d760cf489628cb2a6af522348 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Tue, 28 Nov 2017 13:32:04 +0000
Subject: [PATCH 2/2] Bump yml

Signed-off-by: Ian Campbell
---
 blueprints/docker-for-mac/base.yml | 2 +-
 examples/aws.yml | 2 +-
 examples/azure.yml | 2 +-
 examples/cadvisor.yml | 2 +-
 examples/docker.yml | 2 +-
 examples/gcp.yml | 2 +-
 examples/getty.yml | 2 +-
 examples/openstack.yml | 2 +-
 examples/packet.yml | 2 +-
 examples/sshd.yml | 2 +-
 examples/swap.yml | 2 +-
 examples/tpm.yml | 2 +-
 examples/vmware.yml | 2 +-
 examples/vultr.yml | 2 +-
 examples/wireguard.yml | 2 +-
 linuxkit.yml | 2 +-
 projects/swarmd/swarmd.yml | 2 +-
 test/cases/030_security/000_docker-bench/test.yml | 2 +-
 test/cases/040_packages/003_containerd/test.yml | 2 +-
 test/cases/040_packages/019_sysctl/test.yml | 2 +-
 20 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/blueprints/docker-for-mac/base.yml b/blueprints/docker-for-mac/base.yml
index 012c435ad..090d62cf1 100644
--- a/blueprints/docker-for-mac/base.yml
+++ b/blueprints/docker-for-mac/base.yml
@@ -13,7 +13,7 @@ onboot:
 - name: metadata
 image: linuxkit/metadata:026aca5c08c22589a7e319f79449bef2c65f04c5
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: sysfs
 image: linuxkit/sysfs:5367b46211882278b84a9e8048855ca5df65beda
 - name: binfmt
diff --git a/examples/aws.yml b/examples/aws.yml
index 640f44021..c46e5b677 100644
--- a/examples/aws.yml
+++ b/examples/aws.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/azure.yml b/examples/azure.yml
index 2f8579ba8..2cd3cd4a2 100644
--- a/examples/azure.yml
+++ b/examples/azure.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 services:
 - name: rngd
 image: linuxkit/rngd:842e5e8ece7934f0cab9fd0027b595ff3471e5b9
diff --git a/examples/cadvisor.yml b/examples/cadvisor.yml
index ef85082b8..0b4260553 100644
--- a/examples/cadvisor.yml
+++ b/examples/cadvisor.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/docker.yml b/examples/docker.yml
index dd4d3e2e1..c1f09ba80 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: sysfs
 image: linuxkit/sysfs:5367b46211882278b84a9e8048855ca5df65beda
 - name: format
diff --git a/examples/gcp.yml b/examples/gcp.yml
index f7aa28b3c..192f20d7c 100644
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/getty.yml b/examples/getty.yml
index 72cf2eb1d..967e7d32e 100644
--- a/examples/getty.yml
+++ b/examples/getty.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/openstack.yml b/examples/openstack.yml
index 8baec9f2f..a6a9eb584 100644
--- a/examples/openstack.yml
+++ b/examples/openstack.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/packet.yml b/examples/packet.yml
index 02406766b..280f84530 100644
--- a/examples/packet.yml
+++ b/examples/packet.yml
@@ -11,7 +11,7 @@ onboot:
 image: linuxkit/rngd:842e5e8ece7934f0cab9fd0027b595ff3471e5b9
 command: ["/sbin/rngd", "-1"]
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/sshd.yml b/examples/sshd.yml
index c8e721044..22fc8fd1f 100644
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: rngd1
 image: linuxkit/rngd:842e5e8ece7934f0cab9fd0027b595ff3471e5b9
 command: ["/sbin/rngd", "-1"]
diff --git a/examples/swap.yml b/examples/swap.yml
index 3e51a2675..617923925 100644
--- a/examples/swap.yml
+++ b/examples/swap.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/tpm.yml b/examples/tpm.yml
index 124335af3..38312827c 100644
--- a/examples/tpm.yml
+++ b/examples/tpm.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/vmware.yml b/examples/vmware.yml
index 4799468d8..e9ad3421f 100644
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 services:
 - name: getty
 image: linuxkit/getty:6af22c32c98536a79230eef000e9abd06b037faa
diff --git a/examples/vultr.yml b/examples/vultr.yml
index 54001ca0d..66bab015e 100644
--- a/examples/vultr.yml
+++ b/examples/vultr.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/examples/wireguard.yml b/examples/wireguard.yml
index 6477f6c6c..adb9863fe 100644
--- a/examples/wireguard.yml
+++ b/examples/wireguard.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/linuxkit.yml b/linuxkit.yml
index db7ac5be6..62808061f 100644
--- a/linuxkit.yml
+++ b/linuxkit.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: dhcpcd
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml
index b171ff883..2c025cb1b 100644
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 binds:
 - /etc/sysctl.d/01-swarmd.conf:/etc/sysctl.d/01-swarmd.conf
 - name: dhcpcd
diff --git a/test/cases/030_security/000_docker-bench/test.yml b/test/cases/030_security/000_docker-bench/test.yml
index 092ea0105..425117a25 100644
--- a/test/cases/030_security/000_docker-bench/test.yml
+++ b/test/cases/030_security/000_docker-bench/test.yml
@@ -8,7 +8,7 @@ init:
 - linuxkit/ca-certificates:af4880e78edc28743f7c5e262678c67c6add4c26
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: sysfs
 image: linuxkit/sysfs:5367b46211882278b84a9e8048855ca5df65beda
 - name: format
diff --git a/test/cases/040_packages/003_containerd/test.yml b/test/cases/040_packages/003_containerd/test.yml
index bfe2c6420..bc695ad89 100644
--- a/test/cases/040_packages/003_containerd/test.yml
+++ b/test/cases/040_packages/003_containerd/test.yml
@@ -11,7 +11,7 @@ onboot:
 image: linuxkit/dhcpcd:48831507404049660b960e4055f544917d90378e
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: format
 image: linuxkit/format:6b46d0450082f397177da36be6b4d74d93eacd1e
 - name: mount
diff --git a/test/cases/040_packages/019_sysctl/test.yml b/test/cases/040_packages/019_sysctl/test.yml
index 5cfd1438a..fa4f21738 100644
--- a/test/cases/040_packages/019_sysctl/test.yml
+++ b/test/cases/040_packages/019_sysctl/test.yml
@@ -6,7 +6,7 @@ init:
 - linuxkit/runc:1b0741d07949c0acc444cd6a04ee7f833443579d
 onboot:
 - name: sysctl
- image: linuxkit/sysctl:a9ad57ed738a31ea9380cd73236866c312b35489
+ image: linuxkit/sysctl:efe693534bb623007f94a2e3ff4a9fd6ead75aa1
 - name: test
 image: alpine:3.6
 net: host