* Update linuxkit/alpine
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* tools/alpine: Update to latest
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* tools: Update to the latest linuxkit/alpine
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* Update use of tools to latest
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* tests: Update packages to the latest linuxkit/alpine
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* Update use of test packages to latest
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* pkgs: Update packages to the latest linuxkit/alpine
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* Update package tags
Signed-off-by: Avi Deitcher <avi@deitcher.net>
---------
Signed-off-by: Avi Deitcher <avi@deitcher.net>
This allows SBOM tools to look at /lib/apk/db/installed to determine
which package versions are included in the container. This should
probably be applied across all of the linuxkit containers.
Signed-off-by: eriknordmark <erik@zededa.com>
With linux kernel 5.15+ change of proc/sys/net/ipv4/ip_forward require
CAP_NET_ADMIN (https://github.com/torvalds/linux/commit/8292d7f6). We do
not use ip_forward now, but we should be ready for future changes of
conf files.
Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
We already had this increased above the defaults, but even larger values
seem to be recommended.
See https://blog.openai.com/scaling-kubernetes-to-2500-nodes/
"It’s common to tune this setting in HPC clusters, and is particularly
relevant in Kubernetes clusters since every pod has its own IP address
which consumes space in the ARP cache."
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- Previously, KV lines which were commented would attempt to be set. Now any commented KV lines will also be ignored.
- Comments can start with a hash or semicolon
- Splitting KV on both period and forward slash
- Some kernels may not have certain features enabled (such as IPv6) in the default etc/sysctl.d/*.conf, and thus pkg/sysctl would only set the KV until the first failure, and then silently skip the rest of the KVs. Now any failure is logged as a WARN, and those lines can now be commented per the above change, as they will be identified.
Signed-off-by: Isaac Rodman <isaac@eyz.us>
On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.
See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This is a `moby.ImageConfig` struct which is marshalled into JSON and added as
the `org.mobyproject.config` label on the built image.
Convert `pkg/sysctl` as PoC.
Signed-off-by: Ian Campbell <ijc@docker.com>
By running:
./scripts/update-component-sha.sh --image linuxkit/alpine ad35b6ddbc70faa07e59a9d7dee7707c08122e8d
Signed-off-by: Ian Campbell <ijc@docker.com>
This was done with the following "script":
git rm pkg/{auditd,binfmt,init}/Makefile
sed -e 's/IMAGE=/image: /g' -i pkg/*/Makefile
sed -e 's/NETWORK=1/network: true/g' -i pkg/*/Makefile
sed -e 's/ARCHES=x86_64/arches:\n - amd64/g' -i pkg/*/Makefile
sed -e '/DEPS:\?=/d' -i pkg/*/Makefile
sed -e '/ARCHES=SKIP/d' -i pkg/node_exporter/Makefile
sed -e 's/include \.\.\/package.mk//g' -i pkg/*/Makefile
sed -e '/^$/d' -i pkg/*/Makefile
git mv pkg/node_exporter/Makefile pkg/node_exporter/build.yml-skip
for i in pkg/*/Makefile ; do git mv $i ${i%Makefile}build.yml ; done
and manual update of pkg/Makefile.
Signed-off-by: Ian Campbell <ijc@docker.com>
This requires that users have `CAP_SYSLOG` in order to access `dmesg`.
This means that containers by default have no access to `dmesg` (which
can leak information about the host or other containers) unless they
have this capability added.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit moves the include statement to the bottom of the file to
ensure that all variables are set before conditionals are evaluated.
I also changed the ifndef NETWORK to ifdef NETWORK as the former was
incorrect. We want `NET_OPTS="--network=none"` in cases where NETWORK is
not defined.
Fixes: #2134
Signed-off-by: Dave Tucker <dt@docker.com>
In a subsequent commit, all YAML files will be updated with
new package hashes since all packages needed rebuild due to
build system changes in commit adae27b8d1 ("Simplify
Makefiles for Packages"). So, we might as well bring all
packages up to the latest alpine base package.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These now inherit from a top-level package.mk
Options like use of the network can be enabled on a per package basis
This removes a lot of duplicate code and make the maintenace of these
Makefiles much easier
Signed-off-by: Dave Tucker <dt@docker.com>
