Avi Deitcher
c07b11acb9
Merge pull request #3729 from deitch/extract-more-yaml
extract more hard-coded yaml
2021-11-05 09:21:44 -04:00
Avi Deitcher
e1dd1af1b9
extract more hard-coded yaml
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-11-05 13:07:06 +02:00
Frédéric Dalleau
56c08df66b
Refresh configs for kernel update
Signed-off-by: Frédéric Dalleau <frederic.dalleau@docker.com>
2021-11-05 10:28:24 +01:00
Frédéric Dalleau
3cf25af73e
kernel: update LTS kernels to 5.10.76/5.4.156
Signed-off-by: Frédéric Dalleau <frederic.dalleau@docker.com>
2021-11-05 10:28:24 +01:00
Frédéric Dalleau
e9e3a8ddce
Refresh configs for virtiofs
Signed-off-by: Frédéric Dalleau <frederic.dalleau@docker.com>
2021-11-05 10:28:12 +01:00
Frédéric Dalleau
ad4f9a77a0
Enable CONFIG_VIRTIO_FS=y
Signed-off-by: Frédéric Dalleau <frederic.dalleau@docker.com>
2021-11-05 10:16:18 +01:00
Avi Deitcher
01a1aac73c
Merge pull request #3727 from deitch/embed-hashes
2021-11-05 04:46:45 -04:00
Avi Deitcher
f8471d443c
Merge pull request #3723 from deitch/update-component-hash-pkg
2021-11-04 15:18:04 -04:00
Avi Deitcher
0660ace86f
extract hard-coded default image builders into file
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-11-04 14:51:15 -04:00
Rolf Neugebauer
34b0a786e7
Merge pull request #3725 from djs55/fix-windows-pkg-build
linuxkit: fix pkg build on Windows
2021-10-31 10:54:45 +00:00
Avi Deitcher
a05f612aa4
update-component-sha --pkg option
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-10-31 05:38:32 -04:00
David Scott
f5f5dce318
linuxkit: fix pkg build on Windows
Previously when we set `cmd.Stderr = os.Stderr`, the stderr from buildx
would be mixed with the image tar, corrupting it.
Work around this (Windows-specific) problem by adding an explicit
indirection via an io.Pipe().
Signed-off-by: David Scott <dave@recoil.org>
2021-10-29 12:01:35 +01:00
Gabriel Chabot
c37046f617
Add openssl to the kernel-build
Signed-off-by: Gabriel Chabot <gabriel.chabot@qarnot-computing.com>
2021-10-28 10:55:16 +02:00
Rolf Neugebauer
f5a1541e00
Merge pull request #3719 from tonistiigi/cgroupv2
init: add support for cgroupv2
2021-10-27 09:26:11 +01:00
David Scott
10599f776a
test: add a case for cgroupv2
Signed-off-by: David Scott <dave@recoil.org>
2021-10-26 20:07:38 +01:00
David Scott
9d16e2a2b9
test: the README.md says the numbers correspond to the first letter
A few of these tests appear to be misnumbered, so renumber them.
Signed-off-by: David Scott <dave@recoil.org>
2021-10-26 20:04:51 +01:00
David Scott
e8f8a409e8
Update hashes for pkg/init
Signed-off-by: David Scott <dave@recoil.org>
2021-10-26 19:52:22 +01:00
Tonis Tiigi
5af7c526ec
init: add support for cgroupv2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-10-24 23:03:51 -07:00
Rolf Neugebauer
e71deb3862
Merge pull request #3718 from djs55/containup-test
Update runc, containerd, add devices: and fix readonly
2021-10-22 21:10:30 +01:00
David Scott
e4776e8778
Update hash for containerd 1.4.11
Signed-off-by: David Scott <dave@recoil.org>
2021-10-21 11:34:59 +01:00
David Scott
476d5a0f2e
Update alpine for containerd
Signed-off-by: David Scott <dave@recoil.org>
2021-10-21 11:34:59 +01:00
David Scott
42670404f5
alpine: Update versions file
Signed-off-by: David Scott <dave@recoil.org>
2021-10-21 11:34:59 +01:00
David Scott
34d0aef7d4
Update containerd to 1.4.11
We can remove the workaround for musl using faccessat(2) and breaking
runc, because the fix is in rc93:
https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
Signed-off-by: David Scott <dave@recoil.org>
2021-10-21 11:34:55 +01:00
David Scott
2ff94c0d72
test: kmsg requires /dev/console
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:44 +01:00
David Scott
bdb1c13473
test: logwrite requires /dev/console
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:44 +01:00
David Scott
5a12600412
test: init-containerd requires /dev/console
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:44 +01:00
David Scott
dcecbe57c6
test: containerd tests need losetup which needs block device access
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:26 +01:00
David Scott
1c02c9ea86
test: losetup needs block device access
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:03:29 +01:00
David Scott
d4c6ab742b
Update hashes for pkg/...
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:44 +01:00
David Scott
7434e5f5aa
pkg/kmsg: grant access to /dev/kmsg
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:44 +01:00
David Scott
6bc99c5ff2
pkg/metadata: grant access to all block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:36 +01:00
David Scott
9209808ac3
pkg/losetup: grant access to all block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:18 +01:00
David Scott
344d974ae1
pkg/extend: grant access to all block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:11 +01:00
David Scott
71fa9f2cae
pkg/dm-crypt: grant access to all devices
The package needs block devices, e.g. for /dev/sda.
It also needs character devices for /dev/mapper/.
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:01:01 +01:00
David Scott
5895976b33
tools/mkimage: grant access to block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:00:55 +01:00
David Scott
380f36cc1a
runc: don't mount /dev with ro
After runc 1.0.0-rc92 mounting /dev with ro will fail to start the
container with an error trying to `mkdir /dev/...` (for example
`/dev/pts`). This can be observed following the runc example
Comparing our `config.json` with the working one generated by
`runc spec`, both have a readonly rootfs (good) but the `runc spec`
one does not set `ro` in the `/dev` mount options.
This patch fixes readonly onboot containers by removing the "ro"
option from `/dev`, to match the `runc spec` example.
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:00:04 +01:00
David Scott
0cfaa9ce65
runc: update to v1.0.2
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:00:04 +01:00
Rolf Neugebauer
0dd8086d39
Update YAMLs to latest runc/containerd/test-containerd
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
6efae97c20
Update alpine for containerd
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
0e00eddd6b
alpine: Fix push-manifest.sh
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
d2307ebae3
alpine: Update versions file
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
David Scott
5124698b47
alpine: update containerd to 1.4.6
As suggested on https://github.com/linuxkit/linuxkit/pull/3554#issuecomment-852910630
Signed-off-by: David Scott <dave@recoil.org>
2021-10-16 16:57:15 +01:00
David Scott
7d76051bb0
runc: update to v1.0.0-rc95
Signed-off-by: David Scott <dave@recoil.org>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
d71299a2c1
Merge pull request #3716 from djs55/containup-devices2
Add OCI devices to yaml (needed by getty with runc v1.0.0-rc95)
2021-10-16 10:35:35 +01:00
David Scott
c2d47b47ff
Update hashes for pkg/swap
Signed-off-by: David Scott <dave@recoil.org>
2021-10-15 08:19:03 +01:00
David Scott
c3642dd089
Update hashes for pkg/mount
Signed-off-by: David Scott <dave@recoil.org>
2021-10-15 08:19:03 +01:00
David Scott
97d054da5d
Update hashes for pkg/getty
Signed-off-by: David Scott <dave@recoil.org>
2021-10-15 08:18:58 +01:00
David Scott
21a7155824
Update hashes for pkg/format
Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:21 +01:00
David Scott
46ea02f65b
moby: device "all" will add to the cgroup whitelist
After the runc security advisory[1] the default cgroup device
whitelist was changed.
In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.
In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.
However, it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:
```
- path: all
type: b
```
Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.
[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq
Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:21 +01:00
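The two forms of `devices:` rule that the commit above describes, shown side by side in an added illustration (this is not a file from the LinuxKit repository): a broad class-wide grant for a package that must handle whatever disk is present, and a narrow per-device grant for a package whose needs are known. The `path` and `type` keys are the ones the commit shows; the `major` and `minor` key names, the image tags, and the device numbers chosen are assumptions made here for the example.

```yaml
# Added illustration, not a LinuxKit repository file.
# Image tags are placeholders; major/minor key names are assumed.
onboot:
  # Broad grant (the form the commit adds): every block device,
  # so the package can run against whatever disk the VM boots with.
  - name: format
    image: linuxkit/format:<image-hash-placeholder>
    devices:
      - path: all
        type: b

  # Narrow grant (the "paranoid user" form the commit mentions):
  # only the specific devices this package is expected to touch.
  - name: dm-crypt
    image: linuxkit/dm-crypt:<image-hash-placeholder>
    devices:
      - path: /dev/sda        # block device, major 8 minor 0 (assumed example disk)
        type: b
        major: 8
        minor: 0
      - path: /dev/mapper/control  # character device, misc major 10 minor 236
        type: c
        major: 10
        minor: 236
      - path: /dev/console    # character device, major 5 minor 1
        type: c
        major: 5
        minor: 1
```

The trade-off is the one the commit states: `path: all` restores the pre-advisory convenience for a single class of device, while a per-device list keeps the allow list as small as the package's actual needs, which is the safer default for any package whose device set is known at build time.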
David Scott
24db42dd68
moby: add a Devices array to the image yml
According to https://github.com/linuxkit/linuxkit/pull/3684#issuecomment-860128095
runc removed the console as a default device, so now it must be specified
explicitly in the OCI config.
See 60e21ec26e
The similar code in moby/moby is here: https://github.com/moby/moby/blob/master/oci/devices_linux.go
This patch allows packages to declare a `devices` array, which can contain `/dev/console` etc.
Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:05 +01:00