Split base/ into base/ and tools/

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Riyaz Faizullabhoy
2017-01-26 11:54:26 -08:00
parent a6416a1214
commit d66bc2d501
36 changed files with 12 additions and 1 deletions

1
tools/.gitignore vendored Normal file

@@ -0,0 +1 @@
hash

10
tools/Makefile Normal file

@@ -0,0 +1,10 @@
DIRS = $(shell find . -type d -depth 1)
.PHONY: clean dirs $(DIRS)
push: $(DIRS)
$(DIRS):
$(MAKE) -C $@
clean:
rm -f hash
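Review bot: `DIRS = $(shell find . -type d -depth 1)` uses recursive assignment, so find is re-run every time DIRS is expanded, and `-depth 1` is the BSD find spelling — GNU find treats `-depth` as an argument-less option and would choke on the `1`. `DIRS := $(shell find . -mindepth 1 -maxdepth 1 -type d)` evaluates once and works with both finds. `.PHONY` also lists a `dirs` target that does not exist while `push`, the real phony entry point, is missing: `.PHONY: clean push $(DIRS)`.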


@@ -0,0 +1,15 @@
FROM alpine:3.5
RUN \
apk update && apk upgrade && \
apk add \
curl \
gcc \
git \
libc-dev \
linux-headers \
util-linux-dev \
&& true
COPY compile.sh /usr/bin/
ENTRYPOINT ["/usr/bin/compile.sh"]
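Review bot: `apk add \` here runs without `--no-cache`, unlike the check-config and mkimage-iso-bios Dockerfiles in this commit, so the package index fetched by `apk update` stays in the image layer. `apk add --no-cache \` (the separate `apk update` then becomes unnecessary) keeps the image smaller and consistent with its siblings. The tag hash in the accompanying Makefile is taken from /lib/apk/db/installed, so the change does not affect how the image is identified.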

29
tools/c-compile/Makefile Normal file

@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=c-compile
default: push
hash: Dockerfile compile.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /lib/apk/db/installed /usr/bin/compile.sh | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:
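Review bot: `docker push mobylinux/$(IMAGE):$(shell cat hash)` runs without `DOCKER_CONTENT_TRUST=1`, although the base-image pull a few lines earlier sets it, so the image is published unsigned even though the build side enforces trust; if the mobylinux namespace has signing keys, `DOCKER_CONTENT_TRUST=1 docker push mobylinux/$(IMAGE):$(shell cat hash)` would sign the content-hash tag, and the same applies to the `docker pull mobylinux/...` that decides whether a push is needed. A tag derived from the build content is still a mutable registry tag, so consumers pinning by it get drift detection, not immutability — recording the pushed digest would close that gap. `default` and `clean` are not declared phony: `.PHONY: default tag push clean`. The same layout is repeated in the check-config, check-kernel-config, go-compile, mkimage-gce, mkimage-iso-bios, pad4, riddler, tar2initrd and tartar2initrd Makefiles in this commit.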

56
tools/c-compile/compile.sh Executable file

@@ -0,0 +1,56 @@
#!/bin/sh
# This is designed to compile a single package to a single binary
# so it makes some assumptions about things to simplify config
# to output a single binary (in a tarball) just use -o file
# use --docker to output a tarball for input to docker build -
set -e
usage() {
echo "Usage: -o file"
exit 1
}
[ $# = 0 ] && usage
while [ $# -gt 0 ]
do
flag="$1"
case "$flag" in
-o)
[ $# -eq 1 ] && usage
out="$2"
mkdir -p "$(dirname $2)"
shift
;;
-l*)
LIBS="$LIBS $1"
shift
;;
*)
echo "Unknown option $1"
exit 1
esac
shift
done
[ -z "$out" ] && usage
package=$(basename "$out")
dir="/src/$package"
mkdir -p $dir
# untar input
tar xf - -C $dir
(
cd $dir
CFILES=$(find . -name '*.c')
cc -static -O2 -Wall -Werror -o ../../$out $CFILES $LIBS
)
tar cf - $out
exit 0
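Review bot: The header comment `# use --docker to output a tarball for input to docker build -` describes an option the case statement does not implement — `--docker` falls into `*)` and exits 1 — so either drop that comment line or add the option. `mkdir -p "$(dirname $2)"`, `mkdir -p $dir` and `tar xf - -C $dir` leave `$2` and `$dir` unquoted; `mkdir -p "$(dirname "$2")"` and `"$dir"` keep output paths with spaces intact. The trailing `exit 0` is redundant under `set -e` but harmless.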


@@ -0,0 +1,4 @@
FROM alpine:3.5
RUN apk update && apk upgrade && apk add --no-cache bash
ADD https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh /usr/bin/check-config.sh
ENTRYPOINT ["/bin/bash", "/usr/bin/check-config.sh"]
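Review bot: `ADD https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh ...` fetches the script from a moving branch at build time with no integrity check, so the image content depends on whatever master holds when the build runs and an upstream change is silently baked in. Pin the URL to a commit (`.../docker/docker/<commit-sha>/contrib/check-config.sh`, placeholder) and verify it, e.g. `RUN echo "<expected-sha256>  /usr/bin/check-config.sh" | sha256sum -c -`, the way the riddler Dockerfile in this commit pins its source with `git checkout`. The Makefile folds the fetched script into the tag hash afterwards, which detects drift but does not prevent it.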


@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=check-config
default: push
hash:
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - Dockerfile | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/bin/check-config.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:
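Review bot: `hash:` has no prerequisites, unlike the sibling Makefiles (`hash: Dockerfile ...`), so once a `hash` file is left behind — e.g. after a failed `docker push`, since `rm -f hash` only runs on success — `make push` treats it as up to date, skips the build and tries to tag an `$(IMAGE):build` that may no longer exist. `hash: Dockerfile` restores the dependency. `.DELETE_ON_ERROR:` only removes `hash` when the hash recipe itself fails, so it does not cover this case.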


@@ -0,0 +1,3 @@
FROM alpine:3.5
ADD check-kernel-config.sh /usr/bin/check-kernel-config.sh
ENTRYPOINT ["/bin/sh", "/usr/bin/check-kernel-config.sh"]
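Review bot: `ADD check-kernel-config.sh /usr/bin/check-kernel-config.sh` copies a local file, where `COPY check-kernel-config.sh /usr/bin/check-kernel-config.sh` is the conventional form — ADD's URL-fetch and auto-extract behaviour is not wanted for a plain script. This also matches the `COPY` used by the other Dockerfiles in this commit.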


@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=check-kernel-config
default: push
hash: Dockerfile check-kernel-config.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/bin/check-kernel-config.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:


@@ -0,0 +1,53 @@
#!/bin/sh
set -e
echo "starting kernel config sanity test with /proc/config.gz"
# decompress /proc/config.gz from the Moby host
zcat /proc/config.gz > unzipped_config
kernelVersion="$(uname -r)"
kernelMajor="${kernelVersion%%.*}"
kernelMinor="${kernelVersion#$kernelMajor.}"
kernelMinor="${kernelMinor%%.*}"
# Most tests against https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
# Positive cases
cat unzipped_config | grep CONFIG_BUG=y
cat unzipped_config | grep CONFIG_DEBUG_KERNEL=y
cat unzipped_config | grep CONFIG_DEBUG_RODATA=y
cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y
cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y
cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y
cat unzipped_config | grep CONFIG_SYN_COOKIES=y
cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y
cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y
cat unzipped_config | grep CONFIG_DEBUG_LIST=y
cat unzipped_config | grep CONFIG_SECCOMP=y
cat unzipped_config | grep CONFIG_SECCOMP_FILTER=y
cat unzipped_config | grep CONFIG_SECURITY=y
cat unzipped_config | grep CONFIG_SECURITY_YAMA=y
cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y
cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y
# Conditional on kernel version
if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
cat unzipped_config | grep CONFIG_UBSAN=y
fi
if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 7 ]; then
cat unzipped_config | grep CONFIG_SLAB_FREELIST_RANDOM=y
fi
if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 8 ]; then
cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
fi
# Negative cases
cat unzipped_config | grep 'CONFIG_ACPI_CUSTOM_METHOD is not set'
cat unzipped_config | grep 'CONFIG_COMPAT_BRK is not set'
cat unzipped_config | grep 'CONFIG_DEVKMEM is not set'
cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set'
cat unzipped_config | grep 'CONFIG_KEXEC is not set'
cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
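Review bot: The version gates `[ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]` (and the 4.7 and 4.8 ones below it) compare major and minor independently, so a 5.0 through 5.4 kernel fails the minor test and the CONFIG_IO_STRICT_DEVMEM, CONFIG_UBSAN, CONFIG_SLAB_FREELIST_RANDOM and CONFIG_HARDENED_USERCOPY checks are silently skipped on exactly the kernels that should have them. A small helper doing a proper (major, minor) comparison, defined after `kernelMinor` is computed, fixes all three gates; `-a` inside `[` is also obsolescent in POSIX and is avoided by the rewrite. The three `if` blocks are the only lines that change.

```sh
# true when the running kernel is at least major $1, minor $2
kernel_at_least() {
	[ "$kernelMajor" -gt "$1" ] || { [ "$kernelMajor" -eq "$1" ] && [ "$kernelMinor" -ge "$2" ]; }
}
# … unchanged: positive cases …
if kernel_at_least 4 5; then
	cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
	cat unzipped_config | grep CONFIG_UBSAN=y
fi
if kernel_at_least 4 7; then
	cat unzipped_config | grep CONFIG_SLAB_FREELIST_RANDOM=y
fi
if kernel_at_least 4 8; then
	cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
fi
# … unchanged: negative cases …
```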


@@ -0,0 +1,8 @@
FROM golang:1.7-alpine3.5
RUN apk update && apk add --no-cache build-base git
RUN go get -u github.com/golang/lint/golint
COPY compile.sh /usr/bin/
ENTRYPOINT ["/usr/bin/compile.sh"]
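Review bot: `RUN go get -u github.com/golang/lint/golint` fetches and builds whatever the golint repository's default branch holds at build time, with no pin and no checksum, so the linter that runs inside every Go build in this tree is an unpinned remote dependency. Pin it the way the riddler Dockerfile in this commit does: clone into `/go/src/github.com/golang/lint`, `git checkout <commit-sha>` (placeholder), then `go build -o /go/bin/golint ./golint`. The Makefile folds `/go/bin/golint` into the image hash, which makes a change visible but cannot prevent one.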

29
tools/go-compile/Makefile Normal file

@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=golang:1.7-alpine3.5
IMAGE=go-compile
default: push
hash: Dockerfile compile.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/local/go/bin/go /lib/apk/db/installed /go/bin/golint /usr/bin/compile.sh | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

61
tools/go-compile/compile.sh Executable file

@@ -0,0 +1,61 @@
#!/bin/sh
# This is designed to compile a single package to a single binary
# so it makes some assumptions about things to simplify config
# to output a single binary (in a tarball) just use -o file
# use --docker to output a tarball for input to docker build -
set -e
usage() {
echo "Usage: -o file"
exit 1
}
[ $# = 0 ] && usage
while [ $# -gt 1 ]
do
flag="$1"
case "$flag" in
-o)
out="$2"
mkdir -p "$(dirname $2)"
shift
;;
*)
echo "Unknown option $1"
exit 1
esac
shift
done
[ $# -gt 0 ] && usage
[ -z "$out" ] && usage
package=$(basename "$out")
dir="$GOPATH/src/$package"
mkdir -p $dir
# untar input
tar xf - -C $dir
cd $dir
# lint before building
>&2 echo "gofmt..."
test -z $(gofmt -s -l .| grep -v .pb. | grep -v */vendor/ | tee /dev/stderr)
>&2 echo "govet..."
test -z $(go tool vet -printf=false . 2>&1 | grep -v */vendor/ | tee /dev/stderr)
>&2 echo "golint..."
test -z $(find . -type f -name "*.go" -not -path "*/vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)
>&2 echo "go build..."
go build -o $out -buildmode pie --ldflags '-extldflags "-static"' "$package"
tar cf - $out
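Review bot: `grep -v */vendor/` on the gofmt and vet lines passes an unquoted glob: if a `<pkg>/vendor/` directory exists the shell expands it to that path, and if nothing matches grep receives the literal `*/vendor/`, where a leading `*` in a BRE is literal and so filters nothing — vendor results then fail the check. `grep -v '/vendor/'` says what is meant in both cases. The command substitutions are also unquoted (`test -z $(...)`), so with more than one reported file `test` fails on a syntax error rather than a clean non-zero result; `test -z "$(gofmt -s -l . | grep -v '/vendor/' | tee /dev/stderr)"` covers both. As in c-compile/compile.sh, the header comment mentions a `--docker` option that the case statement does not implement.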


@@ -0,0 +1,5 @@
FROM mobylinux/guestfs:8719f0f33b3cf9d59a62be64a42220978ac96486@sha256:c7229f01c1a54270d2bc3597c30121628c18db211ed32fb7202823b6eaa4f853
COPY . .
CMD [ "/make-gce" ]


@@ -0,0 +1,27 @@
.PHONY: tag push
IMAGE=mkimage-gce
default: push
hash: Dockerfile make-gce
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm $(IMAGE):build sh -c "(cat $^; apt list --installed 2>/dev/null) | sha1sum" | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

54
tools/mkimage-gce/make-gce Executable file

@@ -0,0 +1,54 @@
#!/bin/sh
set -e
mkdir -p /tmp/image
cd /tmp/image
# input is a tarball of vmlinuz64 and initrd.img on stdin
# output is a compressed tarball of a raw disk image on stdout
mkdir -p files
cd files
# extract. As guestfs base is currently Debian, no compression support
# only if stdin is a tty, if so need files volume mounted...
[ -t 0 ] || tar xf -
INITRD="$(find . -name '*.img')"
KERNEL="$(find . -name vmlinuz64 -or -name bzImage)"
[ "$KERNEL" = "./vmlinuz64" ] || mv "$KERNEL" vmlinuz64
[ "$INITRD" = "./initrd.img" ] || mv "$INITRD" initrd.img
# clean up subdirectories
find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf
# should be externally provided as GCE specific
GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate"
CFG="DEFAULT linux
LABEL linux
KERNEL /vmlinuz64
INITRD /initrd.img
APPEND $GCE_CONFIG $*
"
printf "$CFG" > syslinux.cfg
cd ..
tar cf files.tar -C files .
virt-make-fs --size=1G --type=ext4 --partition files.tar disk.raw
guestfish -a disk.raw -m /dev/sda1 <<EOF
upload /usr/lib/SYSLINUX/mbr.bin /mbr.bin
copy-file-to-device /mbr.bin /dev/sda size:440
rm /mbr.bin
extlinux /
part-set-bootable /dev/sda 1 true
EOF
tar cf - disk.raw | gzip -9
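Review bot: `printf "$CFG" > syslinux.cfg` passes the generated config — which includes the caller's `$*` kernel arguments — as the printf format string, so a `%` in an argument is interpreted as a conversion and backslash sequences are decoded; `printf '%s' "$CFG" > syslinux.cfg` writes it verbatim. The same construct is in make-iso (`printf "$CFG" > isolinux/isolinux.cfg`). The comment `# only if stdin is a tty, if so need files volume mounted...` reads inverted relative to `[ -t 0 ] || tar xf -`, which extracts only when stdin is not a tty; `# extract from stdin unless it is a tty (then the files must be volume-mounted)` states what the code does.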


@@ -0,0 +1,13 @@
FROM alpine:3.5
RUN \
apk update && apk upgrade && \
apk add --no-cache \
libarchive-tools \
cdrkit \
syslinux \
&& true
COPY . .
CMD [ "/make-iso" ]


@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=mkimage-iso-bios
default: push
hash: Dockerfile make-iso
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint /bin/sh $(IMAGE):build -c 'cat $^ /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

45
tools/mkimage-iso-bios/make-iso Executable file

@@ -0,0 +1,45 @@
#!/bin/sh
set -e
mkdir -p /tmp/iso
cd /tmp/iso
# input is a tarball of vmlinuz64 and initrd.img on stdin
# output is an iso on stdout
# extract. BSD tar auto recognises compression, unlike GNU tar
# only if stdin is a tty, if so need files volume mounted...
[ -t 0 ] || bsdtar xzf -
INITRD="$(find . -name '*.img')"
KERNEL="$(find . -name vmlinuz64 -or -name bzImage)"
[ "$KERNEL" = "vmlinuz64" ] || mv "$KERNEL" vmlinuz64
[ "$INITRD" = "initrd.img" ] || mv "$INITRD" initrd.img
# clean up subdirectories
find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf
mkdir -p isolinux
cp /usr/share/syslinux/isolinux.bin ./isolinux/
cp /usr/share/syslinux/ldlinux.c32 ./isolinux/
CFG="DEFAULT linux
LABEL linux
KERNEL /vmlinuz64
INITRD /initrd.img
APPEND earlyprintk=serial console=ttyS0 console=tty1 $*
"
printf "$CFG" > isolinux/isolinux.cfg
genisoimage -o ../mobylinux-bios.iso -l -J -R \
-c isolinux/boot.cat \
-b isolinux/isolinux.bin \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-V MobyLinux .
isohybrid ../mobylinux-bios.iso
cat ../mobylinux-bios.iso
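Review bot: `[ "$KERNEL" = "vmlinuz64" ] || mv "$KERNEL" vmlinuz64` compares against a bare name, but `find . -name vmlinuz64` prints `./vmlinuz64`, so the guard never matches and `mv ./vmlinuz64 vmlinuz64` is always executed — a self-move that some mv implementations reject as the same file, which under `set -e` would abort the build. make-gce in this commit compares against `"./vmlinuz64"`, the form find emits; `[ "$KERNEL" = "./vmlinuz64" ]` and `[ "$INITRD" = "./initrd.img" ]` align the two scripts. If find returns more than one candidate, `$KERNEL` holds several lines and mv fails as well; neither script handles that case.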

6
tools/pad4/Dockerfile Normal file

@@ -0,0 +1,6 @@
FROM alpine:3.5
COPY . /
ENTRYPOINT ["/bin/sh", "-c"]
CMD ["/pad4.sh"]

29
tools/pad4/Makefile Normal file

@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=pad4
default: push
hash: Dockerfile pad4.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat Dockerfile pad4.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

28
tools/pad4/pad4.sh Executable file

@@ -0,0 +1,28 @@
#!/bin/sh
set -e
cd /tmp
cat > initrd.img
SIZE=$(stat -c "%s" initrd.img)
SIZE4=$(( $SIZE / 4 \* 4 ))
DIFF=$(( $SIZE - $SIZE4 ))
[ $DIFF -ne 0 ] && DIFF=$(( 4 - $DIFF ))
dd if=/dev/zero bs=1 count=$DIFF of=zeropad 2>/dev/null
cat zeropad >> initrd.img
SIZE=$(stat -c "%s" initrd.img)
SIZE4=$(( $SIZE / 4 \* 4 ))
DIFF=$(( $SIZE - $SIZE4 ))
if [ $DIFF -ne 0 ]
then
echo "Bad alignment" >2
exit 1
fi
cat initrd.img
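Review bot: `echo "Bad alignment" >2` redirects to a file literally named `2` in /tmp instead of standard error, so the diagnostic never reaches the caller and a stray file is left behind; it should read `echo "Bad alignment" >&2`. The same line appears in tar2initrd.sh and tartar2initrd.sh in this commit. The `\*` in `$(( $SIZE / 4 \* 4 ))` is not an escape that arithmetic expansion needs — `$(( SIZE / 4 * 4 ))` is the portable spelling — but confirm against the image's /bin/sh before changing it, since the script presumably runs as is today.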

1
tools/perf/.gitignore vendored Normal file

@@ -0,0 +1 @@
/bin

35
tools/perf/Dockerfile Normal file

@@ -0,0 +1,35 @@
FROM alpine:3.4
RUN \
apk update && apk upgrade && \
apk add \
argp-standalone \
automake \
bc \
binutils-dev \
bison \
build-base \
curl \
flex \
libelf-dev \
linux-headers \
sed \
tar \
util-linux-dev \
xz \
&& true
ARG KERNEL_VERSION=4.9.3
# get kernel source and extract it under /linux
ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ && mv /linux-${KERNEL_VERSION} /linux
RUN mkdir -p /build/perf && \
make -C /linux/tools/perf O=/build/perf LDFLAGS=-static
WORKDIR /build/perf
CMD ["tar", "cf", "-", "perf"]
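Review bot: `RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}` downloads the kernel tarball with no integrity check, so the statically linked `perf` this image produces is built from whatever the download returns. kernel.org publishes sha256sums and PGP signatures per release; pinning the expected digest next to the version (`ARG KERNEL_SHA256=<expected-sha256>`, placeholder) and checking it before extraction with `RUN echo "${KERNEL_SHA256}  linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c -` ties the artefact to a known source. This Dockerfile is also on `alpine:3.4` while the rest of tools/ uses 3.5; if that is deliberate, a comment saying why would help the next reader.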

12
tools/perf/Makefile Normal file

@@ -0,0 +1,12 @@
BASE=alpine:3.4
DEPS=Dockerfile
bin/perf: $(DEPS)
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
mkdir -p $(dir $@)
BUILD=$$( docker build -q . ) && \
docker run --rm --net=none $$BUILD | tar xf - -C bin
clean:
rm -rf bin
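Review bot: `clean:` is not declared phony, so a file or directory named `clean` in tools/perf would make `make clean` report it up to date; `.PHONY: clean` fixes that. `docker run ... | tar xf - -C bin` writes `bin/perf` directly, so a failed or interrupted extraction can leave a truncated `bin/perf` newer than `Dockerfile` that Make then considers up to date; adding `.DELETE_ON_ERROR:` as the sibling Makefiles do covers the failing-recipe case.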

1
tools/perf/README.md Normal file

@@ -0,0 +1 @@
Builds a statically linked version of the Linux kernel `perf` utility. You may want to/need to adjust the kernel version in the `Dockerfile` to match your kernel.

24
tools/riddler/Dockerfile Normal file

@@ -0,0 +1,24 @@
FROM golang:1.7-alpine
RUN \
apk update && apk upgrade && \
apk add \
docker \
gcc \
git \
jq \
linux-headers \
musl-dev \
tar \
&& true
COPY Dockerfile /
COPY riddler.sh /usr/bin/
RUN git clone https://github.com/jessfraz/riddler.git /go/src/github.com/jessfraz/riddler
WORKDIR /go/src/github.com/jessfraz/riddler
RUN git checkout 23befa0b232877b5b502b828e24161d801bd67f6
RUN go build -o /usr/bin/riddler .
ENTRYPOINT ["/usr/bin/riddler.sh"]

29
tools/riddler/Makefile Normal file

@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=golang:1.7-alpine
IMAGE=riddler
default: push
hash: Dockerfile riddler.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

54
tools/riddler/riddler.sh Executable file

@@ -0,0 +1,54 @@
#!/bin/sh
set -e
# arguments are image name, prefix, then arguments passed to Docker
# eg ./riddler.sh alpine:3.4 / --read-only alpine:3.4 ls
# This script will output a tarball under prefix/ with rootfs and config.json
IMAGE="$1"; shift
PREFIX="$1"; shift
cd /tmp
mkdir -p /tmp/$PREFIX
cd /tmp/$PREFIX
# riddler always adds the apparmor options if this is not present
EXTRA_OPTIONS="--security-opt apparmor=unconfined"
ARGS="$@"
CONTAINER=$(docker create $EXTRA_OPTIONS $ARGS)
riddler $CONTAINER > /dev/null
docker rm $CONTAINER > /dev/null
# unfixed known issues
# noNewPrivileges is always set by riddler, but that is fine for our use cases
# These fixes should be removed when riddler is fixed
# process.rlimits, just a constant at present, not useful
# memory swappiness is too big by default
# remove user namespaces
# --read-only sets /dev ro
# /sysfs ro unless privileged - cannot detect so will do if grant all caps
#
mv config.json config.json.orig
cat config.json.orig | \
jq 'del(.process.rlimits)' | \
jq 'del (.linux.resources.memory.swappiness)' | \
jq 'del(.linux.uidMappings) | del(.linux.gidMappings) | .linux.namespaces = (.linux.namespaces|map(select(.type!="user")))' | \
jq 'if .root.readonly==true then .mounts = (.mounts|map(if .destination=="/dev" then .options |= .+ ["ro"] else . end)) else . end' | \
jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end' \
> config.json
rm config.json.orig
# extract rootfs
EXCLUDE="--exclude .dockerenv --exclude Dockerfile \
--exclude dev/console --exclude dev/pts --exclude dev/shm \
--exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf"
mkdir -p rootfs
CONTAINER="$(docker create $IMAGE /dev/null)"
docker export "$CONTAINER" | tar -xf - -C rootfs $EXCLUDE
docker rm "$CONTAINER" > /dev/null
cd /tmp
tar cf - .
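Review bot: `ARGS="$@"` followed by `docker create $EXTRA_OPTIONS $ARGS` flattens the caller's arguments into one string and re-splits it on whitespace, so any docker option or command argument containing spaces is broken apart before reaching docker; passing them through directly — `CONTAINER=$(docker create $EXTRA_OPTIONS "$@")` — preserves them (`$EXTRA_OPTIONS` is deliberately left unquoted so its two words split). `mkdir -p /tmp/$PREFIX` and `cd /tmp/$PREFIX` should quote `$PREFIX` for the same reason. The `length != 38` test appears to use the full Linux capability count as an "all caps granted" check; a comment recording which docker/kernel release that number was taken from would keep it maintainable when the count grows.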


@@ -0,0 +1,6 @@
FROM alpine:3.5
COPY . /
ENTRYPOINT ["/bin/sh", "-c"]
CMD ["/tar2initrd.sh"]

29
tools/tar2initrd/Makefile Normal file

@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=tar2initrd
default: push
hash: Dockerfile tar2initrd.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat Dockerfile tar2initrd.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:

34
tools/tar2initrd/tar2initrd.sh Executable file

@@ -0,0 +1,34 @@
#!/bin/sh
set -e
mkdir -p /tmp/input
cd /tmp/input
tar xf -
find . | cpio -H newc -o | gzip -9 > ../initrd.img
cd /tmp
SIZE=$(stat -c "%s" initrd.img)
SIZE4=$(( $SIZE / 4 \* 4 ))
DIFF=$(( $SIZE - $SIZE4 ))
[ $DIFF -ne 0 ] && DIFF=$(( 4 - $DIFF ))
dd if=/dev/zero bs=1 count=$DIFF of=zeropad 2>/dev/null
cat zeropad >> initrd.img
SIZE=$(stat -c "%s" initrd.img)
SIZE4=$(( $SIZE / 4 \* 4 ))
DIFF=$(( $SIZE - $SIZE4 ))
if [ $DIFF -ne 0 ]
then
echo "Bad alignment" >2
exit 1
fi
cat initrd.img


@@ -0,0 +1,12 @@
FROM alpine:3.5
RUN \
apk update && apk upgrade -a && \
apk add --no-cache \
libarchive-tools \
&& true
COPY . /
ENTRYPOINT ["/bin/sh", "-c"]
CMD ["/tartar2initrd.sh"]


@@ -0,0 +1,29 @@
.PHONY: tag push
BASE=alpine:3.5
IMAGE=tartar2initrd
default: push
hash: Dockerfile tartar2initrd.sh
DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > $@
push: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
docker push mobylinux/$(IMAGE):$(shell cat hash))
docker rmi $(IMAGE):build
rm -f hash
tag: hash
docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
docker rmi $(IMAGE):build
rm -f hash
clean:
rm -f hash
.DELETE_ON_ERROR:


@@ -0,0 +1,40 @@
#!/bin/sh
set -e
mkdir -p /tmp/input0 /tmp/input
cd /tmp/input0
# outer tarball
bsdtar xf -
cd /tmp/input
# inner tarballs
find /tmp/input0 \( -name '*.tar' -or -name '*.tgz' -or -name '*.tar.gz' \) -exec bsdtar xf '{}' \;
find . | cpio -H newc -o | gzip -9 > ../initrd.img
cd /tmp
SIZE=$(stat -c "%s" initrd.img)
SIZE4=$(( $SIZE / 4 \* 4 ))
DIFF=$(( $SIZE - $SIZE4 ))
[ $DIFF -ne 0 ] && DIFF=$(( 4 - $DIFF ))
dd if=/dev/zero bs=1 count=$DIFF of=zeropad 2>/dev/null
cat zeropad >> initrd.img
SIZE=$(stat -c "%s" initrd.img)
SIZE4=$(( $SIZE / 4 \* 4 ))
DIFF=$(( $SIZE - $SIZE4 ))
if [ $DIFF -ne 0 ]
then
echo "Bad alignment" >2
exit 1
fi
cat initrd.img