Default config is restricted ptrace, processes can only ptrace
related processes, such as child processes, rather than any process
with the same uid.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This builds both the standard and AUFS versions of Moby,
and does `make clean` carefully.
- `make ci` for branches (pushes artifacts)
- `make pr` for PRs
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This seems the best option, although none are great
- build with `make AUFS=1` to build with AUFS support, currently with 4.8 kernel
- default is to build without AUFS support, with 4.9 kernel
This recognises that AUFS supprot is temporary #620 and only there until
we can phase it out on desktop editions, and allow the other editions that
never shipped with AUFS to ship something very close to mainline.
However we do still apply the patches so that the non AUFS branch runs fine on
all platforms, so it can be tested elsewhere.
We may be able to move the kernel versions back in line when 4.9 aufs support is out.
Plan is to shift CI to build both sets of images, and get the Desktop editions to
pick up the aufs set automatically, once this is merged.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
See #875
This will only happen if there has been some sort of error
before, but lets not make it worse.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- this is a raw 1GB filesystem image with syslinux for booting
- built with libguestfs so does not need any privileges
- need not be built on GCE
- there is a target that runs the image in qemu for local tests
Does not yet have a script to upload the image to cloud storage or create image from it.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Sometimes Debian just wants to ask you questions on an install,
this is really not a useful behaviour when there is no one
attached to the process.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- make quiet
- force, so some adjustments are not checked see https://github.com/docker/pinata/issues/6198
- set resize_inode as we do resize partitions on cloud and they could have very few inodes otherwise
- inline all the default options and remove the config file, so script is more standalone
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- The scanning process was not ignoring the kernel extraversion before,
so was only sometimes picking up issues.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Includes fix for CVE-2016-8655 Linux af_packet.c race condition.
This gives a container escape with default container capabilities.
This now has the slow network namespace patch backported, so this
is removed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- run test suite under containerd
- in future this should be converted to Go not shell see #860
- test suite is now in its own initrd, can be run on any platform not just qemu
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Regenerated the kernel config from container, which bumped the kernel
version and included some other fixes. Also bumps the check-config
container to check for VSYSCALL_NATIVE
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This is a minimal standalone statically linked shell for use
for now in converting images to containers.
Plan to phase it out and replace with actual programs later.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
