Non AUFS kernels do not create `sbin/` and `/usr` directories as they
do not provide the AUFS directories. Just create empty directories to
avoid a warning.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Default config is restricted ptrace, processes can only ptrace
related processes, such as child processes, rather than any process
with the same uid.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This seems the best option, although none are great
- build with `make AUFS=1` to build with AUFS support, currently with 4.8 kernel
- default is to build without AUFS support, with 4.9 kernel
This recognises that AUFS supprot is temporary #620 and only there until
we can phase it out on desktop editions, and allow the other editions that
never shipped with AUFS to ship something very close to mainline.
However we do still apply the patches so that the non AUFS branch runs fine on
all platforms, so it can be tested elsewhere.
We may be able to move the kernel versions back in line when 4.9 aufs support is out.
Plan is to shift CI to build both sets of images, and get the Desktop editions to
pick up the aufs set automatically, once this is merged.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- The scanning process was not ignoring the kernel extraversion before,
so was only sometimes picking up issues.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Includes fix for CVE-2016-8655 Linux af_packet.c race condition.
This gives a container escape with default container capabilities.
This now has the slow network namespace patch backported, so this
is removed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Regenerated the kernel config from container, which bumped the kernel
version and included some other fixes. Also bumps the check-config
container to check for VSYSCALL_NATIVE
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Some of git's whitespace fixup option corrupts the patches by (at least)
stripping trailing spaces (which are present for empty lines in context) and
changing leading <space><tab> into just <tab>. `patch(1)` used by the build
here seems to tolerate this, but `git am` and/or `git apply` do not.
Fix this up by running git am and at each failure point (i.e. every patch)
applying the relevant patch using `patch(1)` (which works because `git am` was
unable to even partially apply the patches) before regenerating the whole lot
with `git format-patch`.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
128 CPUs seems plenty for now and it allows for the
debug kernels to boot on Hyper-V without modifications. It may
also have the added benefit of reducing some data structures
allocated per CPU (in particular for Debug kernels).
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This removes all the patches which have been upstreamed since 4.4.x
and only leaves patches for a minor fix to AF_VSOCK, the Hyper-V socket patch
and a new patch for fixing delays on creating netns with tunnel interfaces.
The latter has been accecpted into the upstream netdev branch and will
likely appear in 4.9.0 and we can cherry pick from there then.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Azure only uses the Hyper-V framebuffer, so we should not need this.
Simplify setup for graphics options we are not using.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
I think this may have got mangled in the kernel upgrade/downgrade.
diff file is still messy due to version changes.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
