Commit Graph

5537 Commits

Author SHA1 Message Date
Ian Campbell
3590c786bd Bump yml to pickup containerd v1.0.0
Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-05 16:39:05 +00:00
Dave Protasowski
2d6f4c5484 Allow vpnkit executable path to be specified
Signed-off-by: Steve Hiehn <shiehn@pivotal.io>
Signed-off-by: Dave Protasowski <dprotaso@gmail.com>
2017-12-05 10:06:58 -05:00
Steve Hiehn
ec45349638 Register vpnkit publish port clean up function as a logrus.ExitHandler
Signed-off-by: Dave Protasowski <dprotaso@gmail.com>
2017-12-05 10:05:23 -05:00
Dave Protasowski
c9b4f8306a Ensure VPNKit process is properly killed when errors occur
The log.Fatal* calls will leak the vpnkit process since
defer functions are not invoked when os.Exit(int) is invoked

We register an ExitHandler with logrus - that'll be invoked when
log.Fatal* is called

Signed-off-by: Steve Hiehn <shiehn@pivotal.io>
Signed-off-by: Dave Protasowski <dprotaso@gmail.com>
2017-12-05 09:48:09 -05:00
Rolf Neugebauer
c7d9418500
Merge pull request #2795 from rn/patch
kernel: Add NVDIMM size patch to 4.14.x
2017-12-05 13:42:10 +00:00
Rolf Neugebauer
5eee692887 kernel: Add NVDIMM size patch to 4.14.x
This change hasn't made it upstream but seems to be required
for LCOW to work.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-12-05 10:32:33 +00:00
Ian Campbell
2561827100 Bump packages to new alpine w/ containerd v1.0.0
Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-05 09:55:32 +00:00
Ian Campbell
206bb92bbe alpine: Bump to containerd v1.0.0
https://github.com/containerd/containerd/releases/tag/v1.0.0

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-05 09:54:47 +00:00
David Manouchehri
e9bc7353e6
As requested by @justincormack (https://github.com/linuxkit/linuxkit/pull/2784#issuecomment-349064467).
Signed-off-by: David Manouchehri <david.manouchehri@riseup.net>
2017-12-04 13:55:17 -05:00
Justin Cormack
dcff2008cd
Merge pull request #2789 from estesp/subreaper_ctrd-1.0rc0
remove subreaper config item
2017-12-04 18:49:33 +00:00
David Manouchehri
bc43735543
As requested by @ijc (https://github.com/linuxkit/linuxkit/pull/2784#pullrequestreview-80464126).
Signed-off-by: David Manouchehri <david.manouchehri@riseup.net>
2017-12-04 13:36:31 -05:00
Ian Campbell
edb6b4f7e1
Merge pull request #2792 from ijc/linuxkit-pkg-depend-images
Add dependent images to build.yml
2017-12-04 17:05:39 +00:00
Phil Estes
42014e361f
remove subreaper config item
containerd v1.0.0-rc.0 changed the subreaper config entry to the
negative given subreaper "on" is the default. However, linuxkit
does not need to change the default subreaper setting so removing
the now invalid config line.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2017-12-04 09:23:22 -05:00
Ian Campbell
ce639e8080 linuxkit: implement docker image dependencies for pkg build.
This allows the `linuxkit/kubernetes` "image-cache" packages to use a standard
`linuxkit pkg build` based flow rather than requiring surrounding scaffolding.

Fixes #2766. Compared with the original (actually, the second) proposal made in
issue #2766, the field is `docker-images` rather than `images` to allow for
future inclusion of e.g. `containerd-images`.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-04 14:14:45 +00:00
Ian Campbell
98d46945d1 linuxkit: Use docker image «foo» consistently
In preference to the `docker «foo»` shortcut/aliases.

Better to be more specific.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-04 12:12:41 +00:00
Ian Campbell
8eed6a4b38 linuxkit: Rename Pkg.pkgPath to Pkg.path
Previous name a bit stuttery.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-04 12:12:41 +00:00
Justin Cormack
090abf3254
Merge pull request #2790 from justincormack/vbox
Add VirtualBox support to linuxkit run
2017-12-02 11:01:51 +00:00
Justin Cormack
3251f67015 Add VirtualBox support to linuxkit run
You can use `linuxkit run vbox ...` to run using Oracle VirtualBox.
ISO or raw should be supported, and you can specify EFI.

Some more options may be useful in future.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-12-01 21:48:21 +00:00
Rolf Neugebauer
00aaf428d9
Merge pull request #2788 from rn/kern
Update kernel to 4.14.3/4.9.66/4.4.103 and remove 4.13.x
2017-12-01 17:36:14 +00:00
Ian Campbell
f0059f03f4
Merge pull request #2787 from ijc/linuxkit-pkg-more-labels
Include tool version info in package/image labels
2017-12-01 15:30:31 +00:00
Rolf Neugebauer
2c2012cdee Update YAML files to latest kernels
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-12-01 15:28:10 +00:00
Rolf Neugebauer
3ed38c59f4 kernel: Update to 4.14.3/4.9.66/4.4.103
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-12-01 15:28:09 +00:00
Rolf Neugebauer
e7960ee0df kernel: Remove the 4.13.x kernel
4.13 has been EOLed with 4.13.16 being the last one.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-12-01 15:28:09 +00:00
Ian Campbell
b0fbb5e4fd
Merge pull request #2786 from ijc/containerd-v1.0.0-rc.0
Bump to containerd-v1.0.0-rc.0
2017-12-01 15:08:37 +00:00
Ian Campbell
d03e6d65e2 linuxkit pkg: include linuxkit tool's version info in labels
Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-01 13:59:45 +00:00
Ian Campbell
13adecbc3e linuxkit: move version info to subpackage
Will avoid circular includes when I reference from pkglib too.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-01 13:55:43 +00:00
Ian Campbell
0dd863716d Bump yml
Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-01 13:40:16 +00:00
Ian Campbell
28e22e40bb Bump packages to new alpine w/ containerd v1.0.0-rc.0
Minor updates due to renamings in containerd.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-01 13:36:16 +00:00
Ian Campbell
e5caf00020 alpine: bump to containerd v1.0.0-rc.0
https://github.com/containerd/containerd/releases/tag/v1.0.0-rc.0

Minor build tweaks needed.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-12-01 13:21:08 +00:00
Rolf Neugebauer
d4451e4652
Merge pull request #2778 from zx2c4/wireguard-bump
wireguard: update to 0.0.20171122 to 0.0.20171127
2017-12-01 11:07:49 +00:00
Rolf Neugebauer
9a83407986
Merge pull request #2782 from ijc/hyperkit-net-fix
hyperkit: split network option into 3
2017-12-01 11:06:19 +00:00
David Manouchehri
80b54ed341
Reuse existing local Git repository (https://github.com/linuxkit/linuxkit/pull/2784#pullrequestreview-80121346).
Signed-off-by: David Manouchehri <david.manouchehri@riseup.net>
2017-11-30 14:12:41 -05:00
David Manouchehri
b262675c91
Switch to ${HOME} (https://github.com/linuxkit/linuxkit/pull/2784#pullrequestreview-80242701).
Signed-off-by: David Manouchehri <david.manouchehri@riseup.net>
2017-11-30 13:23:04 -05:00
David Manouchehri
899d62352e
Improve vagrant up time by skipping (possibly) unneeded updates.
Signed-off-by: David Manouchehri <david.manouchehri@riseup.net>
2017-11-29 21:58:18 -05:00
David Manouchehri
bb73dab8d3
Added initial Vagrant support.
Signed-off-by: David Manouchehri <david.manouchehri@riseup.net>
2017-11-29 21:46:20 -05:00
Justin Cormack
390e8d3cb2
Merge pull request #2780 from justincormack/ena
Add support for newer AWS networking types
2017-11-29 16:15:49 +00:00
Ian Campbell
0d9de644b8 hyperkit: split network option into 3
vpnkit mode has one or two arguments (eth socket and port control socket).

If splitting into only 2 then
    vpnkit,vpnkit-state/eth.sock,vpnkit-state/port.sock
becomes
    2: vpnkit
    1: vpnkit-state/eth.sock,vpnkit-state/port.sock
rather than
    0: vpnkit
    1: vpnkit-state/eth.sock
    2: vpnkit-state/port.sock
as desired.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-11-29 15:12:30 +00:00
Justin Cormack
6e9b1bb09a Add support for newer AWS networking types
- ENA networking is what the very new (and bare metal) machines have
- sriov "simple" mode is Intel VF passthrough

I reflect the underlying APIs, which is bool for ENA and a string
for sriov even though there is currently only one valid sriov option...

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-29 14:46:48 +00:00
Rolf Neugebauer
e4fcf70cdd
Merge pull request #2775 from arm64b/master-Makefile-fixing
Makefile: Fix binaries generation issue when 'docker run' failed
2017-11-29 12:00:36 +00:00
Justin Cormack
964eb5f9d7
Merge pull request #2779 from justincormack/bind-resolv-nginx
Bind mount /etc/resolv.conf into nginx container
2017-11-29 11:33:05 +00:00
Dennis Chen
a4cc18622c Makefile: Fix binaries generation issue when 'docker build' failed
Currently we will always create a temp tar file even if the 'docker run'
failed for some reason, e.g., the docker daemon isn't running. As a result,
we'll get the 2nd error even after we've fixed the 'docker run' failure.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2017-11-29 01:46:34 +00:00
Justin Cormack
3bc4766f39 Bind mount /etc/resolv.conf into nginx container
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-28 17:18:17 +00:00
Justin Cormack
c6fad9f76b
Merge pull request #2777 from ijc/linuxkit-pkg-label-in-build.yml
linuxkit pkg: Add `config` field to `build.yml`
2017-11-28 14:59:38 +00:00
Ian Campbell
fd9242d5ef Bump yml
Signed-off-by: Ian Campbell <ijc@docker.com>
2017-11-28 13:32:04 +00:00
Ian Campbell
1f6c1a59ca linuxkit pkg: Add config field to build.yml
This is a `moby.ImageConfig` struct which is marshalled into JSON and added as
the `org.mobyproject.config` label on the built image.

Convert `pkg/sysctl` as PoC.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-11-28 12:01:39 +00:00
Jason A. Donenfeld
62b5917526 wireguard: update to 0.0.20171122 to 0.0.20171127
This is a double bump.

Changes 0.0.20171122:

  * chacha20poly1305: fast primitives from Andy Polyakov

  Samuel Neves and I have spent considerable time and headaches porting,
  reworking, and partially rewriting Andy's optimized implementations of
  ChaCha20 and Poly1305. We now support the following:

  On x86_64:
    - Poly1305: integer unit
    - ChaCha20: SSSE3
    - HChaCha20: SSSE3
    - Poly1305: AVX
    - ChaCha20: AVX2
    - Poly1305: AVX2
    - ChaCha20: AVX512
    - Poly1305: AVX512

  On ARM:
    - Poly1305: integer unit
    - ChaCha20: NEON
    - Poly1305: NEON

  On ARM64:
    - Poly1305: integer unit
    - ChaCha20: NEON
    - Poly1305: NEON

  On MIPS64:
    - Poly1305: integer unit

  All others:
    - ChaCha20: generic C
    - Poly1305: generic C

  This is a pretty substantial amount of new handrolled assembly. It will
  perhaps MURDER KITTENS, so please tread lightly with this snapshot and adjust
  expectations accordingly. I'm looking forward to quickly fixing any issues
  folks find while testing.

  Performance-wise, this should see increases all around. The biggest speedups
  will be on ARM and ARM64, but x86_64 and MIPS64 should also see modest speed
  improvements too, especially on Skylake systems supporting AVX512.

  * chacha20poly1305: add more test vectors, some of which are weird

  Test vectors are pretty important, so we added more to catch odd edge cases
  using the following butcher's code:

    from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
    import os

    def encode_blob(blob):
        a = ""
        for i in blob:
            a += "\\x" + hex(i)[2:]
        return a

    enc = [ ]
    dec = [ ]

    def make_vector(plen, adlen):
        key = os.urandom(32)
        nonce = os.urandom(8)
        p = os.urandom(plen)
        ad = os.urandom(adlen)
        c = ChaCha20Poly1305(key).encrypt(nonce=bytes(4) + nonce, data=p, associated_data=ad)

        out = "{\n"
        out += "\t.key\t= \"" + encode_blob(key) + "\",\n"
        out += "\t.nonce\t= \"" + encode_blob(nonce) + "\",\n"
        out += "\t.assoc\t= \"" + encode_blob(ad) + "\",\n"
        out += "\t.alen\t= " + str(len(ad)) + ",\n"
        out += "\t.input\t= \"" + encode_blob(p) + "\",\n"
        out += "\t.ilen\t= " + str(len(p)) + ",\n"
        out += "\t.result\t= \"" + encode_blob(c) + "\"\n"
        out += "}"
        enc.append(out)

        out = "{\n"
        out += "\t.key\t= \"" + encode_blob(key) + "\",\n"
        out += "\t.nonce\t= \"" + encode_blob(nonce) + "\",\n"
        out += "\t.assoc\t= \"" + encode_blob(ad) + "\",\n"
        out += "\t.alen\t= " + str(len(ad)) + ",\n"
        out += "\t.input\t= \"" + encode_blob(c) + "\",\n"
        out += "\t.ilen\t= " + str(len(c)) + ",\n"
        out += "\t.result\t= \"" + encode_blob(p) + "\"\n"
        out += "}"
        dec.append(out)

    make_vector(0, 0)
    make_vector(0, 8)
    make_vector(1, 8)
    make_vector(1, 0)
    make_vector(129, 7)
    make_vector(256, 0)
    make_vector(512, 0)
    make_vector(513, 9)
    make_vector(1024, 16)
    make_vector(1933, 7)
    make_vector(2011, 63)

    print("======== encryption vectors ========")
    print(", ".join(enc))

    print("\n\n\n======== decryption vectors ========")
    print(", ".join(dec))

  * wg-quick: document localhost exception and v6 rule

  Probably a "kill switch" wants this too:
     -m addrtype ! --dst-type LOCAL
  so that basic local services can continue to work.

  * selftest: allowedips: randomized test mutex update
  * allowedips: do not write out of bounds
  * device: uninitialize socket first in destruction
  * tools: tighten up strtoul parsing

  Small fixups.

  * qemu: update kernel
  * qemu: use unprefixed strip when not cross-compiling

  Fedora/Redhat doesn't ship with a prefixed strip, and we don't need
  to use it anyway when we're not cross compiling, so don't.

  * compat: 3.16.50 got proper rt6_get_cookie
  * compat: stable finally backported fix
  * compat: new kernels have netlink fixes
  * compat: fix compilation with PaX

  Usual set of compatibility updates.

  * curve25519-neon: compile in thumb mode

  In thumb mode, it's not possible to use sp as an operand of and, so
  we have to muck around with r3 as a scratch register.

  * socket: only free socket after successful creation of new

  When an interface is down, the socket port can change freely. A socket
  will be allocated when the interface comes up, and if a socket can't be
  allocated, the interface doesn't come up.

  However, a socket port can change while the interface is up. In this
  case, if a new socket with a new port cannot be allocated, it's
  important to keep the interface in a consistent state. The choices are
  either to bring down the interface or to preserve the old socket. This
  patch implements the latter.

  * global: switch from timeval to timespec

  This gets us nanoseconds instead of microseconds, which is better, and
  we can do this pretty much without freaking out existing userspace,
  which doesn't actually make use of the nano/microseconds field. The below
  test program shows that this won't break existing sizes:

    zx2c4@thinkpad ~ $ cat a.c
    void main()
    {
        puts(sizeof(struct timeval) == sizeof(struct timespec) ?
          "success" : "failure");
    }
    zx2c4@thinkpad ~ $ gcc a.c -m64 && ./a.out
    success
    zx2c4@thinkpad ~ $ gcc a.c -m32 && ./a.out
    success

Changes 0.0.20171127:

  * compat: support timespec64 on old kernels
  * compat: support AVX512BW+VL by lying
  * compat: fix typo and ranges
  * compat: support 4.15's netlink and barrier changes
  * poly1305-avx512: requires AVX512F+VL+BW

  Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.

  * blake2s: AVX512F+VL implementation
  * blake2s: tweak avx512 code
  * blake2s: hmac space optimization

  Another terrific submission from Samuel Neves: we now have an implementation
  of Blake2s using AVX512, which is extremely fast.

  * allowedips: optimize
  * allowedips: simplify
  * chacha20: directly assign constant and initial state

  Small performance tweaks.

  * tools: fix removing preshared keys
  * qemu: use netfilter.org https site
  * qemu: take shared lock for untarring

  Small bug fixes.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-27 20:55:31 +01:00
Rolf Neugebauer
3cd02db567
Merge pull request #2774 from rn/kern-up
Update kernels
2017-11-27 11:42:38 +00:00
Rolf Neugebauer
bec7456d9b Update YAML files with latest kernels
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-24 15:13:09 +00:00
Rolf Neugebauer
43b2caf69e kernel: Update to 4.4.102/4.9.65/4.13.16/4.14.2
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-24 13:55:21 +00:00
Rolf Neugebauer
c6721e5343 kernel: Update to 4.4.101
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-24 13:55:21 +00:00