Commit Graph

7824 Commits

Author SHA1 Message Date
David Scott
42670404f5 alpine: Update versions file
Signed-off-by: David Scott <dave@recoil.org>
2021-10-21 11:34:59 +01:00
David Scott
34d0aef7d4 Update containerd to 1.4.11
We can remove the workaround for musl using faccessat(2) and breaking
runc, because the fix is in rc93:

https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2

Signed-off-by: David Scott <dave@recoil.org>
2021-10-21 11:34:55 +01:00
David Scott
2ff94c0d72 test: kmsg requires /dev/console
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:44 +01:00
David Scott
bdb1c13473 test: logwrite requires /dev/console
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:44 +01:00
David Scott
5a12600412 test: init-containerd requires /dev/console
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:44 +01:00
David Scott
dcecbe57c6 test: containerd tests need losetup which needs block device access
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:05:26 +01:00
David Scott
1c02c9ea86 test: losetup needs block device access
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:03:29 +01:00
David Scott
d4c6ab742b Update hashes for pkg/...
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:44 +01:00
David Scott
7434e5f5aa pkg/kmsg: grant access to /dev/kmsg
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:44 +01:00
David Scott
6bc99c5ff2 pkg/metadata: grant access to all block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:36 +01:00
David Scott
9209808ac3 pkg/losetup: grant access to all block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:18 +01:00
David Scott
344d974ae1 pkg/extend: grant access to all block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:02:11 +01:00
David Scott
71fa9f2cae pkg/dm-crypt: grant access to all devices
The package needs block devices e.g. for /dev/sda

It also needs character devices for /dev/mapper/

Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:01:01 +01:00
David Scott
5895976b33 tools/mkimage: grant access to block devices
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:00:55 +01:00
David Scott
380f36cc1a runc: don't mount /dev with ro
After runc 1.0.0-rc92 mounting /dev with ro will fail to start the
container with an error trying to `mkdir /dev/...` (for example
`/dev/pts`). This can be observed following the runc example

Comparing our `config.json` with the working one generated by
`runc spec`, both have a readonly rootfs (good) but the `runc spec`
one does not set `ro` in the `/dev` mount options.

This patch fixes readonly onboot containers by removing the "ro"
option from `/dev`, to match the `runc spec` example.

Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:00:04 +01:00
David Scott
0cfaa9ce65 runc: update to v1.0.2
Signed-off-by: David Scott <dave@recoil.org>
2021-10-18 21:00:04 +01:00
Rolf Neugebauer
0dd8086d39 Update YAMLs to latest runc/containerd/test-containerd
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
6efae97c20 Update alpine for containerd
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
0e00eddd6b alpine: Fix push-manifest.sh
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
d2307ebae3 alpine: Update versions file
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-10-16 16:57:15 +01:00
David Scott
5124698b47 alpine: update containerd to 1.4.6
As suggested on https://github.com/linuxkit/linuxkit/pull/3554#issuecomment-852910630

Signed-off-by: David Scott <dave@recoil.org>
2021-10-16 16:57:15 +01:00
David Scott
7d76051bb0 runc: update to v1.0.0-rc95
Signed-off-by: David Scott <dave@recoil.org>
2021-10-16 16:57:15 +01:00
Rolf Neugebauer
d71299a2c1 Merge pull request #3716 from djs55/containup-devices2
Add OCI devices to yaml (needed by getty with runc v1.0.0-rc95)
2021-10-16 10:35:35 +01:00
David Scott
c2d47b47ff Update hashes for pkg/swap
Signed-off-by: David Scott <dave@recoil.org>
2021-10-15 08:19:03 +01:00
David Scott
c3642dd089 Update hashes for pkg/mount
Signed-off-by: David Scott <dave@recoil.org>
2021-10-15 08:19:03 +01:00
David Scott
97d054da5d Update hashes for pkg/getty
Signed-off-by: David Scott <dave@recoil.org>
2021-10-15 08:18:58 +01:00
David Scott
21a7155824 Update hashes for pkg/format
Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:21 +01:00
David Scott
46ea02f65b moby: device "all" will add to the cgroup whitelist
After the runc security advisory[1] the default cgroup device
whitelist was changed.

In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.

In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.

However it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:

```
- path: all
  type: b
```

Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.

[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:21 +01:00
David Scott
24db42dd68 moby: add a Devices array to the image yml
According to https://github.com/linuxkit/linuxkit/pull/3684#issuecomment-860128095

runc removed the console as a default device, so now it must be specified
explicitly in the OCI config.

See 60e21ec26e

The similar code in moby/moby is here: https://github.com/moby/moby/blob/master/oci/devices_linux.go

This patch allows packages to declare a `devices` array, which can contain `/dev/console` etc.

Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:05 +01:00
Rolf Neugebauer
d0145160a8 Merge pull request #3717 from djs55/run-qemu-m1
Fix `linuxkit run qemu` on macOS on Apple Silicon
2021-10-13 21:16:48 +01:00
David Scott
c779e894da Fix linuxkit run qemu on macOS on Apple Silicon
Signed-off-by: David Scott <dave@recoil.org>
2021-10-13 14:38:20 +01:00
Rolf Neugebauer
46d4edc967 Merge pull request #3711 from djpbessems/patch-1
Include `lvm2`
2021-08-14 13:30:35 +01:00
Rolf Neugebauer
2eb87b7ffb Merge pull request #3713 from rn/notrust
Update YAML files
2021-08-10 23:39:44 +01:00
Rolf Neugebauer
4eb60514c9 yaml: Update use of alpine:3.11 to alpine:3.13
Several YAML files used alpine:3.11. Update them to 3.13

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-08-10 00:13:52 +01:00
Rolf Neugebauer
ce73340d6c examples: Prefix examples for platforms with platform-
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-08-10 00:11:48 +01:00
Rolf Neugebauer
f52c7f17c8 yaml: Remove trust section from examples and tests
With 561ce6f4be ("Remove Notary and Content Trust") we
removed support for content trust. No need to have it
in the YAMLs either.

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-08-10 00:07:13 +01:00
Danny Bessems
098f5c86c0 Include lvm2
Signed-off-by: djpbessems <danny@bessems.eu>
2021-08-06 15:14:38 +02:00
Rolf Neugebauer
4e600a3790 Merge pull request #3704 from rn/kern-up
Update kernels to 5.10.47/5.4.129, remove 5.11.x and add 5.12.x
2021-07-06 23:22:57 +01:00
Rolf Neugebauer
47198556c2 Update YAMLs to latest kernel config test
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 13:54:55 +01:00
Rolf Neugebauer
88352cd358 pkg: Drop oprofile fs check from kernel config check
oprofile kernel support was dropped with 5.12.x with:
f8408264c77a ("drivers: Remove CONFIG_OPROFILE support")

However the commit stated that the userspace oprofile tools
had stopped using the kernel interface for a long time. So
drop the check.

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 13:47:12 +01:00
Rolf Neugebauer
4389918aef Update YAMLs to latest kernels
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
f4afb12454 tests: Add tests for 5.12.x kernel
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
f20e08bcb8 kernel: Enable CONFIG_SQUASHFS_ZSTD
requested/suggested by @olljanat

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
01b46ba789 kernel: Add support for 5.12.x kernel
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
a54b9509ae tests: Remove 5.11 tests
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
1e97e29be3 kernel: Remove 5.11.x as it is no longer maintained
Leave it for -rt kernels

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
43d3ff0630 kernel: Update LTS kernels to 5.10.47/5.4.129
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
25c796e854 kernel: Fix Dockerfile.kconfig
KERNEL_VERSIONS apparently needs to be specified as an
argument after the FROM

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
a4c518f696 kernel: Remove support for s390x
WIP #3676

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-07-04 11:16:45 +01:00
Rolf Neugebauer
36d8026b17 Merge pull request #3700 from TiejunChina/master-dev
enable 5.11.x-rt
2021-07-03 10:13:15 +01:00