Previously when we set `cmd.Stderr = os.Stderr`, the stderr from buildx
would be mixed with the image tar, corrupting it.
Work around this (Windows-specific) problem by adding an explicit
indirection via a io.Pipe()
Signed-off-by: David Scott <dave@recoil.org>
After runc 1.0.0-rc92 mounting /dev with ro will fail to start the
container with an error trying to `mkdir /dev/...` (for example
`/dev/pts`). This can be observed following the runc example
Comparing our `config.json` with the working one generated by
`runc spec`, both have a readonly rootfs (good) but the `runc spec`
one does not set `ro` in the `/dev` mount options.
This patch fixes readonly onboot containers by removing the "ro"
option from `/dev`, to match the `runc spec` example.
Signed-off-by: David Scott <dave@recoil.org>
After the runc security advisory[1] the default cgroup device
whitelist was changed.
In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.
In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.
However it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:
```
- path: all
type: b
```
Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.
[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq
Signed-off-by: David Scott <dave@recoil.org>
Prior to this commit we go build -o bin/foo, archive it, and
expand the archive, leaving the resulting artifact in bin.
This doesn't allow us to easily change the bin directory, or
move parts of the makefile around to make things more modular.
This commit changes the behaviour to:
go build -o foo, archive it, expand to `bin`
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
This adds a --skip-platforms flag that can be used with
lkt pkg build to ignore any arch specified in build.yml
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
This prevents override of the platform by the user.
lkt pkg build --platform=linux/amd64 pkg/bpftrace should
attempt to build that package for that arch even though
it is not in the build.yml
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
Go can be weird about tools having to run in a directory with
go.mod. This commit moves the linuxkit makefile to the same
directory as the code.
It also changes the semantics of the local-build target.
You can now use STATIC=0 for dynamic builds or PIE=1 to
use --buildmode=pie. The binaries we were producing in
local-static weren't actually static so I fixed that too
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
This commit removes Notary and Content Trust.
Notary v1 is due to be replaced with Notary v2 soon.
There is no clean migration path from one to the other.
For now, this removes all signing from LinuxKit.
We will look to add this back once a new Notary alternative
becomes available.
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
