The type of the guest and host ports should be uint16 not int. Also
make them public member of the PublishPort structure.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This code will soon be shared by other backends.
While at it, also rename the type to PublishPort (from publishPorts)
as it is just one Port and the function from splitPublish() to
NewPublishPort() as this seems more go like.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On Linux the default is /dev/random which may block if there
is not enough entropy (and it determines lack of entropy
conservatively). /dev/urandom never blocks but is fed from
the same entropy source as /dev/random so this change should
not affect platforms which have hardware RNGs but helps to
prevent stalls on platforms, in particular some arm64 platforms,
where the hardware RNG is either not present or not enabled.
If you really care about proper entropy inside a VM do not use
'linuxkit run', it's mostly for testing and shouldn't be used
for production anyway.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This fixes issue #2635 related to no network being passed during an
image upload as no network is required. However a hostname is still
required due to vCenter handing the upload to a vSphere server and it’s
DataStore.
Signed-off-by: Dan Finneran <daniel.finneran@gmail.com>
Pulling the arch suffixed version does not provide any assurance that a
previous build was actually completed.
Signed-off-by: Ian Campbell <ijc@docker.com>
There is more to do on these, but clean up some unused variables,
missing args, stray `\n` etc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Detect if this is the case by checking if the given path is not in git and
conditionalising anything which would touch git.
Images built from outside git will, in the absence of options to force
otherwise, get tagged "latest".
Fixes: #2613
Signed-off-by: Ian Campbell <ijc@docker.com>
Currently all forward it to os.Stderr, but in my next patch I will want to
direct to /dev/null for one command.
Signed-off-by: Ian Campbell <ijc@docker.com>
Ensure that all git commands are run as if from the package directory using the
`-C` option. Otherwise the various attempts to use git fail if `linuxkit pkg`
is invoked from outside the git repo.
Signed-off-by: Ian Campbell <ijc@docker.com>
Looks like a6b89f1137 ("Update linuxkit/mkimage-*") updated to a
non-existing tag.
linuxkit pkg show-tag tools/mkimage-iso-bios
linuxkit/mkimage-iso-bios:165b051322578cb0c2a4f16253b20f7d2797a502
and docker pull of that image works.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Could be e.g.:
```
pkg:
content-trust-passphrase-command: "lpass show <key> --password"
```
or
```
pkg:
content-trust-passphrase-command: "gpg -d ~/.notary/passphrase.gpg"
```
Signed-off-by: Ian Campbell <ijc@docker.com>
These versions were created by https://github.com/linuxkit/linuxkit/pull/2607
which enables content trust, so drop the sha256 from all of them and ensure
DOCKER_CONTENT_TRUST is unconditionally set when running, since these
references are hardcoded we know they must be signed.
Signed-off-by: Ian Campbell <ijc@docker.com>
AFAICT none of the callers (which all involve one of `linuxkit/mkimage-*`) have
any reason to hit the network.
Signed-off-by: Ian Campbell <ijc@docker.com>
With the old package.mk arrangements we would only append -dirty and -$arch to
the hash if the user didn't specify a HASH= directly. So the following would
work
make ORG=ijc HASH=dev tag
and produce an image `ijc/«image»:dev`.
However the new equivalent:
linuxkit pkg build -org=ijc --hash-=dev
instead produces an image `ijc/«image»:dev-dirty-$arch`. Which is undesirable.
This commit refactors the code in two main ways:
Firstly directly append `-dirty` to the hash as we extract it from git (rather
than on use in the `Tag()` method), and only do this if the user has not
specified an explicit tag. Note that we still track dirtiness in the `Pkg`
object and so will not allow a push (or release) from a dirty tree (the
makefile version would have tried this with unpredictable results), nor will we
apply the `org.opencontainers.image.revision` label to a dirty build.
Secondly if we are not pushing the image+manifest then we retag the -$arch
suffixed image without the the -$arch. This differs from the Makefile version
which would simply have built without the -$arch in the first place, I think
this is an improvement. If we are pushing the manifest-tool remains responsible
for creating the non -$arch image.
Signed-off-by: Ian Campbell <ijc@docker.com>
