Commit Graph

356 Commits

Author SHA1 Message Date
David Scott
46ea02f65b moby: device "all" will add to the cgroup whitelist
After the runc security advisory[1] the default cgroup device
whitelist was changed.

In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.

In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.

However it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:

```
- path: all
  type: b
```

Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.

[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:21 +01:00
David Scott
24db42dd68 moby: add a Devices array to the image yml
According to https://github.com/linuxkit/linuxkit/pull/3684#issuecomment-860128095

runc removed the console as a default device, so now it must be specified
explicitly in the OCI config.

See 60e21ec26e

The similar code in moby/moby is here: https://github.com/moby/moby/blob/master/oci/devices_linux.go

This patch allows packages to declare a `devices` array, which can contain `/dev/console` etc.

Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:05 +01:00
Rolf Neugebauer
4eb60514c9 yaml: Update use of alpine:3.11 to alpine:3.13
Several YAML files used alpine:3.11. Update them to 3.13.

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-08-10 00:13:52 +01:00
Rolf Neugebauer
c63162964f Merge pull request #3651 from deitch/kernel-tagging
tag kernel with builder version; simplify Makefile
2021-05-25 22:55:31 +01:00
Avi Deitcher
d053a0f279 tag kernel with builder version; simplify Makefile
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-05-25 15:51:01 +03:00
Avi Deitcher
4adc04a24d calculate manifest hash-tag using git ls-tree
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-05-21 01:31:14 +03:00
Dave Tucker
28f43e8121 docs: Document --skip-arches
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
2021-05-02 17:31:33 +01:00
Avi Deitcher
f6d04977df Update to proper go-compile hash
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-30 02:01:55 +03:00
Avi Deitcher
d091f90f81 pass linkmode=external only for Linux
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-29 16:52:44 +03:00
Avi Deitcher
8576579f60 Update use of tools to latest
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-27 19:52:35 +03:00
Avi Deitcher
95ce6386aa Update Alpine base to 3.13; go-compile rebuilt with mod=vendor option, go bumped to 1.16
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-27 17:38:22 +03:00
Rolf Neugebauer
182646c776 Merge pull request #3630 from deitch/doc-s390x-docker
docs to hold maintainer build platforms
2021-04-23 21:19:59 +01:00
Avi Deitcher
e4a58e0130 docs to hold maintainer build platforms
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-23 02:12:07 +03:00
Avi Deitcher
c8ef7d0eb0 cross build packages
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-21 13:03:26 +03:00
Rolf Neugebauer
c7e753eb16 build: Update go-compile package
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2021-04-02 18:45:38 +01:00
Dave Tucker
561ce6f4be Remove Notary and Content Trust
This commit removes Notary and Content Trust.
Notary v1 is due to be replaced with Notary v2 soon.
There is no clean migration path from one to the other.
For now, this removes all signing from LinuxKit.
We will look to add this back once a new Notary alternative
becomes available.

Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
2021-03-30 14:51:11 +01:00
Avi Deitcher
9633d23d37 write to cache
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-02-12 16:18:21 +02:00
Avi Deitcher
4e23d08a8c update docs
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-01-19 09:55:16 +02:00
Petr Fedchenkov
301e7ef13e update to linuxkit/containerd:1ae8f054e9fe792d1dbdb9a65f1b5e14491cb106
Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
2021-01-18 16:54:37 +03:00
Avi Deitcher
0b7502f130 pull and cache images locally without docker
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-12-30 18:27:02 +02:00
Avi Deitcher
34373e3b52 describe how to sign tags manually
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-11-12 14:40:36 +02:00
Avi Deitcher
203cbd9b9f multiple containerd options
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-21 11:11:48 +03:00
Avi Deitcher
865ed8a1ce add containerd cli opts
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-19 14:49:15 +03:00
Avi Deitcher
00b9bb56a0 Merge pull request #3532 from deitch/split-push-sign
options to split image steps and manifest steps
2020-06-10 11:13:01 +03:00
Avi Deitcher
ea18be414e options to split image steps and manifest steps
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-05-24 16:23:46 +03:00
Avi Deitcher
bcd36a4661 support merge yaml flags
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-05-18 17:41:36 +03:00
Karol Woźniak
d861987b79 scaleway: Fix bugs and add option for changing image size
* Fix using ams1 as zone
* Allow specifying image size (+ calculate default from ISO size)
* Fix mangling logs when asking for ssh passphrase
* Some minor code and docs cleanups

Signed-off-by: Karol Woźniak <wozniakk@gmail.com>
2020-05-01 01:15:24 +02:00
Federico Pellegatta
5fc196c289 Add partition table type selector (defaulted to DOS/MBR) to format package
Signed-off-by: Federico Pellegatta <12744504+federico-pellegatta@users.noreply.github.com>
2020-04-23 10:16:36 +02:00
Rolf Neugebauer
25d5ba8ef8 Update linuxkit/go-compile to the latest
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
5d2f1ccbd0 Update use of tools to latest
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Aymen EL AMRI
a7a42e986d add SG to linuxkit run command
Signed-off-by: Aymen EL AMRI <aymen@eralabs.io>
2020-02-17 13:41:09 +01:00
Nick Jones
10b2436eec [OpenStack] Support os-client-config usage for authentication
Update Gophercloud dependencies and also bring in the 'utils'
package.  This provides support for configuring access to OpenStack
clouds as detailed in the [official
documentation](https://docs.openstack.org/os-client-config/latest/user/configuration.html).

By relying on this package we can simplify the code required to
interact with OpenStack's APIs.  Support is also provided upstream for
self-signed and insecure SSL configurations.

Tested with a public cloud running OpenStack 'Rocky', the latest release.

Signed-off-by: Nick Jones <nick@dischord.org>
2019-10-08 12:46:43 +01:00
Simon Fridlund
fc88e2104e Add Hetzner provider in the metadata package
Signed-off-by: Simon Fridlund <simon@fridlund.email>
2019-10-07 17:31:57 +02:00
Avi Deitcher
fad3354448 Add docker-standard ftp_proxy/FTP_PROXY env var, and socks-standard all_proxy/ALL_PROXY
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2019-09-03 11:00:26 +03:00
Patrik Cyvoct
6a4d127fd3 Update Scaleway Provider with new Go SDK
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2019-06-17 19:12:47 +02:00
schrotthaufen
0120b7dc74 kernel: Include lan78xx kernel module for use with rpi3b+
Signed-off-by: schrotthaufen <schrotthaufen@invalid.invalid>
2019-05-16 20:32:43 +02:00
Rolf Neugebauer
da3f1e9c6c Update use of tools to latest
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2019-04-16 23:16:18 +01:00
sethp
993b392bdd Update example link
The directory the link previously went to has changed.

Signed-off-by: Seth Pellegrino <seth@codecopse.net>
2019-03-20 21:58:12 -07:00
Rolf Neugebauer
5910713bae Update use of tools to latest
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2019-03-02 19:18:46 +00:00
Rolf Neugebauer
eeb2d546d1 Merge pull request #3249 from chriswue/master
Adding support to mount an encrypted filesystem
2019-01-18 01:28:50 +01:00
Christian Wuerdig
a9bc7372de Adding dm-crypt as core pkg
Signed-off-by: Christian Wuerdig <christian.wuerdig@gmail.com>
2019-01-18 11:56:18 +13:00
Christian Wuerdig
8cd16c4904 Adding losetup utility package to core pkg
Signed-off-by: Christian Wuerdig <christian.wuerdig@gmail.com>
2019-01-14 06:24:00 +13:00
Rolf Neugebauer
e7b85b6589 docs: Add details about reproducible builds
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2018-12-29 15:38:02 +00:00
Krister Johansen
a6ac644703 Add some documentation.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
2018-08-13 17:18:55 -07:00
Rolf Neugebauer
0cb45e0dff doc: Update release doc with DinD uses which should get updated
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2018-08-12 10:50:20 +01:00
Brice Figureau
02e5f70589 Allow specifying more than one networking adapter for vbox
Note: this patch introduces an incompatibility in the
`linuxkit run vbox` arguments.

It wasn't impossible to specify more than one network adapter
to the `linuxkit run vbox` command.

This patch allows passing more than one `-networking` argument to specify
different network adapters.

For instance:
~~~sh
linuxkit run vbox -networking type=nat -networking type=hostonly,adapter=vboxnet0
~~~
will set up the VM with 2 NICs.

It is also possible to get rid of the `type` argument.

Signed-off-by: Brice Figureau <brice@daysofwonder.com>
2018-08-02 10:34:26 +02:00
Rolf Neugebauer
8f841600a4 doc: Add updating AUTHORS to release steps
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2018-07-26 21:01:59 +01:00
Rolf Neugebauer
169e97fe52 Update use of tools to latest
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2018-07-26 19:49:18 +01:00
Rolf Neugebauer
29dd9f2004 doc: Add 'sources' documentation
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2018-07-26 16:23:35 +01:00
Rolf Neugebauer
5dcb3d48cb docs: Update documentation regarding private repos
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2018-07-20 14:35:45 +01:00