```
$ fdd init &
$ fdd share /tmp/foo # serve a fresh socketpair on that path
$ fdd test /tmp/foo # read the socketpair and test that it works
```
Instead of `fdd test` (which is only useful for testing), users are expected to
connect to the unix domain socket and call `recvmsg(2)`. They will get one side
of the socketpair. Two different processes can do this and they will be able to
talk to each other.
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
Warn the user in the MOTD
Add "(ns: getty)" or "(ns: sshd)" to the PS1
Use `agetty` and `-a root` to ensure we get a login shell when insecure
Signed-off-by: Dave Tucker <dt@docker.com>
Two things to note here: we unfortunately can't just exec audit, because
something needs to load the rules in beforehand.
Second, it also dies if it can't re-nice itself, so we have to give it
CAP_SYS_NICE as well as the audit caps.
I didn't add this to the default linuxkit.yml because the linuxkit/audit
repo doesn't exist yet, but we should probably (?) do that. Additionally,
we should provide the kernel parameter audit=1, otherwise according to
auditd's man pages, we can't audit some early tasks.
Closes#52
Signed-off-by: Tycho Andersen <tycho@docker.com>
We'll use abuild in the next commit for building auditd from source.
Also add these audit deps:
* swig
* python3
* libcap-ng-dev
Signed-off-by: Tycho Andersen <tycho@docker.com>
Avi has been contributing to many areas of LinuxKit, including support
for containerised `getty`, encrypted swap and other areas.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This starts the trim-after-delete daemon which calls
`fstrim /var/lib/docker` after image deletes are observed.
Signed-off-by: David Scott <dave.scott@docker.com>
- Use the new style kernel tags with the full kernel version
- Update packages with new alpine base and new/simplified Makefiles.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
People typically update hashes in YAML files with
'git grep ... | sed ...' this will change the README.md files
in the ./pkg directory and thus change the git tree hash.
Remove the use of explicit hashes from those files to avoid
the obvious chicken and egg problem.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This adds a helper which monitors the Docker event stream and, when it
receives an image delete event, queues a call to `fstrim /var/lib/docker`
to trigger a space reclamation. Previously we would rely on a cron job
running every 15 minutes.
Signed-off-by: David Scott <dave.scott@docker.com>
There seems to be a change in docker 17.06-rc5 on how remote
URLs and tar archives work with ADD. Use curl instead.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In a subsequent commit, all YAML files will be updated with
new package hashes since all packages needed rebuild due to
build system changes in commit adae27b8d1 ("Simplify
Makefiles for Packages"). So, we might as well bring all
packages up to the latest alpine base package.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
A subsequent commit will update all packages, so we might as well
update all packages to the latest base.
The new hash is: linuxkit/alpine:c608d404c1cb36cce0c7d9303e30b52c9d81ccf0
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Combine 'sign' and 'push' targets like it is done for
package builds.
- Append '-dirty' to the tag if the repository is dirty.
- Don't push to hub if the repository is dirty.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Only build if the hash has changed. Previosuly
we'd unconditionally build and not push of the tag existed.
- Add '.m' to the hash if the repository is dirty.
This allows developers to build locally without committing
but makes it clear that the hash is from a modified repository.
- Don't push to hub if the repository is dirty
- If the current commit has a tag, also push this to hub.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This is based on examples/getty.yml modified to drop console=tty0 from the
command line since we will be capturing/logging only the serial so want
everything to go there.
Also updates the getty example to pickup the latest containerd and
ca-certificates as used in the top level linuxkit.yml.
Fix a typo in the containerd test too.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
The default is set by probing for /dev/kvm. Use of KVM can be forcibly disabled
with `-enable-kvm=false`. Note that passing `-enable-kvm=true` when `/dev/kvm` is
not present still boots but complains:
Could not access KVM kernel module: No such file or directory
failed to initialize KVM: No such file or directory
Back to tcg accelerator.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
In particular this contains 1be7107fbe18eed3e319 ("mm: larger stack
guard gap, between vmas") which is a fix for CVE-2017-1000364.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
