This commit removes Notary and Content Trust.
Notary v1 is due to be replaced with Notary v2 soon.
There is no clean migration path from one to the other.
For now, this removes all signing from LinuxKit.
We will look to add this back once a new Notary alternative
becomes available.
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
Add support for s390 architecture for linuxkit/alpine and the
other docker images in tools and pkg.
Signed-off-by: Alice Frosi <alice@linux.vnet.ibm.com>
Before the alpine base image was multi-arch and signed,
DOCKER_CONTENT_TRUST=1 didn't work on AArch64 for 'docker build'.
Now that the alpine base image is already multi-arch and signed,
and we've also used 'push_manifest.sh' to push and sign linuxkit/image,
we can remove this workaround.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
- append an architecture-specific suffix (-amd64, -arm64) to the
image
- add a script which looks up the hashes from the 'versions' file
and creates a multi-arch manifest
- the manifest is pushed to hub and signed with notary
The new linuxkit/alpine multi-arch image is available with the
x86_64 hash without the '-amd64' suffix.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This should reduce instability due to different people's environment. This
undoes the reordering done by "alpine: Update to containerd v1.0.0-alpha2",
leaving just the hash update (as expected).
Signed-off-by: Ian Campbell <ijc@docker.com>
We should always pull and push linuxkit/alpine with content trust
irrespective of architecture, unless explicitly disabled.
Currently, we have to dance around various other issues on arm64,
which are now documented in the Makefile.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This was added in 17.06 and allows us to avoid using `$(BASE):build` which is
not safe against parallel builds etc.
Having done this, restructure the build to not always delete the built container
and to separate out the `hash` and `version` file rules so that they can be
included in both the `tag` and `push` targets.
Signed-off-by: Ian Campbell <ijc@docker.com>
Alpine is the base docker image for LinuxKit, but currently
it only supports the amd64 architecture. This patch tries to unify
the alpine tool docker image build process in order to support other
architectures, such as AArch64, by using '--build-arg' to override
the alpine base image specified by 'FROM' in the Dockerfile.
Also this patch splits the standalone packages into 2 parts:
one is common for all archs, another is arch-specific.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Otherwise the only record is if the pusher happens to remember to put it in the
commit message (tolerable) or the GitHub PR (not great).
Also add the same show-tag target as `pkg/package.mk` supports, although with a
very different implementation.
The actual hash is unchanged from the previous commit.
Signed-off-by: Ian Campbell <ijc@docker.com>
The Dockerfile is now an input to the contents of the base image and
needs to be included in the hash calculation.
Also, make the Makefile, Dockerfile and packages file a dependency.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The added packages are necessary to create a base Alpine
container image and for converting more packages.
Update the versions file to the latest versions.
Also make the HUB org/registry build time configurable.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This means that we limit to one place where we use network access
in building, and in future all other package builds can be deterministic.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>