Now that LinuxKit works on a truly immutable filesystem, for an
ISO it makes sense to use the ISO filesystem rather than using
an initrd. Only major difference is you may need to specify the
device for the root filesystem in the kernel command line, but
we set a sane default of `/dev/sr0` if unspecified.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- append a architecture specific suffix (-amd64, -arm64) to the
image
- add a script which looks up the hashes from the 'versions' file
and creates a multi-arch manifest
- the manifest is pushed to hub and signed with notary
The new linuxkit/alpine multi-arch image is available with the
x86_64 hash without the '-amd64' suffix.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These were removed as unused in 8acecf1b62 but with the update to 1.7.2 they
are now pulled in (again?) by the default system.
Signed-off-by: Ian Campbell <ijc@docker.com>
PR #2314 turned /var into a tmpfs (possibly overmounted by a persistent disk)
and made /var/run into a symlink to /run. Adjust various containers and bind
mount settings to allow for this change. In particular ensuring that everything
can find the correct shared /var/run/docker.sock, which due to the symlink is
now actually at /run.
Signed-off-by: Ian Campbell <ijc@docker.com>
The manifest-tool will be used to build multi-arch hub
images and currently needs a patched version to print
out the size/length of the manifest pushed to hub to
enable signing with notary.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The document showed the incorrect sub-command options for LinuxKit run azure which needs to be updated and hence fixed it.
Signed-off-by: Ajeet Raina <ajeetraina@gmail.com>
Only supports the use cases we currently need, currently support
for using Intel hardware rng to initialise and add entropy.
Supports oneshot and service mode. Call as `rngd -1` for one shot
mode.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Previously we were cheating and remounting /var `rw` but this does not
work if the filesystem is really read only. Nount a tmpfs, which may
be overmounted later by a persistent filesystem.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Mounting a directory inside a read only container requires that to be
created in advance, but `runc` worked around that if the rootfs was not
originally read only.
You cannot even bind mount a file that does not exist into a
read only container.
The containerd test is given a disk, as running on an overlay does
not work; however it is also disabled as one of the parts of the test
is failing, needs investigation.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Previously we would sneakily remount as `rw` but of course you can't
really do that on a truly immutable filesystem.
See https://github.com/moby/tool/pull/129 for the `moby` side.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
We need to add 'ttyAMA0' console used on ARM64 platform into
securetty file to make it's possible to log into the system
as root. Also it will dismiss the below warning message before
login:
"getty: cmdline has console=ttyAMA0 but does not exist in
/etc/securetty; will not be able to log in as root on this tty ttyAMA0."
'ttyAMA1' is also added order to handle some system happens have that one
instead of 'ttyAMA0'
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
