On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.
See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
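As an added example (not part of the LinuxKit commit above), the following POSIX shell script audits the mitigation the commit message recommends: it classifies the live value of kernel.unprivileged_bpf_disabled and parses a sysctl.conf-style file to confirm the setting is also persisted. The file paths are parameters so the functions can be pointed at constructed files; the sample config content is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the unprivileged-eBPF mitigation on a host.
# Paths are taken as arguments (assumption) so the checks can run against
# constructed files as well as the real /proc and /etc/sysctl.d entries.

# Classify the running kernel's setting.
# $1: path to the sysctl's /proc file (defaults to the real one).
bpf_mitigation_status() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$f" ]; then
        # Kernel without the BPF syscall, or sysctl not exposed: cannot tell.
        echo "unknown"
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo "unmitigated" ;;   # unprivileged users may load eBPF programs
        1) echo "mitigated" ;;     # only privileged (CAP_SYS_ADMIN) loads allowed
        2) echo "mitigated" ;;     # newer kernels: disabled and locked until reboot
        *) echo "unknown" ;;
    esac
}

# Effective value of a key in a sysctl.conf-style file: comments and blank
# lines are ignored, '=' may be padded with spaces, last assignment wins.
# Echoes nothing when the key is absent or the file is unreadable.
# $1: sysctl key, $2: config file path.
sysctl_conf_value() {
    key="$1"; conf="$2"
    [ -r "$conf" ] || return 0
    sed -n 's/[[:space:]]*#.*$//; /^[[:space:]]*$/d; s/^[[:space:]]*//; p' "$conf" \
      | awk -F= -v k="$key" '
          { gsub(/[[:space:]]/, "", $1)
            if ($1 == k) { gsub(/[[:space:]]/, "", $2); v = $2 } }
          END { if (v != "") print v }'
}

# Report on the host this script runs on (harmless when /proc is absent).
echo "running kernel: $(bpf_mitigation_status)"
persisted=$(sysctl_conf_value kernel.unprivileged_bpf_disabled /etc/sysctl.conf)
echo "persisted in /etc/sysctl.conf: ${persisted:-not set}"
```

Run it as root on a 4.9.x or 4.14.x host to see whether the runtime value and the persisted configuration agree; a result of "mitigated" at runtime with "not set" persisted means the protection will not survive a reboot.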
This was added to alpine since our package was created. Now that we have upgraded, we
can just use the binary.
The package contains an auditd.conf but we have a tweaked local copy which writes
to stdio (which goes to /var/log/auditd.*.log already). The package doesn't
have an audit.rules so keep that here too.
Signed-off-by: Ian Campbell <ijc@docker.com>
656bd87fd2...d9d2a91780d9d2a91 Merge pull request #193 from ijc/bugfix-191
307f13b Defer dockerRm until we are finished with the contents
ebd7228 Merge pull request #191 from ijc/reduce-memory-via-tempfiles
3045a80 Stream `docker export` directly to consumer
9f44acf Generate intermediate image into a temp file
9558740 Add cpu and mem profiling options
Reduces the memory usage substantially.
While here make some notes about the need to update src/cmd/linuxkit/build.go
where people might see them.
Signed-off-by: Ian Campbell <ijc@docker.com>
- Enable console for arm64 for all tests
- linuxkit.packages.binfmt is x86_64 only for now
- linuxkit.packages.format_mount.by_name seems to hang with no output.
needs investigating...
- linuxkit.packages.getty-containerd is x86_64 specific
- linuxkit.packages.mkimage is x86_64 specific
- linuxkit.packages.wireguard: Use the non-alpine variant as it is
available as a multiarch for arm64. Use a specific version/tag (1.13.7)
as currently 'latest' seems to have issues.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable kernel config tests on arm64 as some are x86_64
specific: https://github.com/linuxkit/linuxkit/issues/2807
- Add arm64 console to tests
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable tests which use unsupported formats
- Enable serial arm64 console for kernel+initrd test
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Currently there is a Content Trust issue with 4.0-alpine
as well as 4-alpine on arm64. 4.0.5-alpine works, so use
it for the example.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
It is not needed and the 'nginx:alpine' variant is not
yet multi-arch so it won't work on arm64.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- docker: Disabled because we don't have arm64 dind images
- tpm: The tss package is not compiled for arm64
- wireguard: This uses nginx:alpine which is not yet multi-arch
- docker_for_mac: Is x86 specific
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 'linuxkit build' command line option was renamed from
'-output' to '-format' a while back. Rename the test group
to reflect the change.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
*-bios and various cloud output image types are not
supported on arm64. Use the automatic 'amd64' label
to disable them for arm64.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Some tests explicitly use alpine:3.6 and alpine:3.5 to run
some shell scripts. Switch them to alpine:3.7 like the
rest of the packages and tools.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Commit 340d45d70850 ("locking/refcounts, x86/asm: Enable
CONFIG_ARCH_HAS_REFCOUNT") re-enabled the ARCH_HAS_REFCOUNT
again as default. Pick it up in our kernel config.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
* curve25519: explicitly depend on AS_AVX
* curve25519: modularize dispatch
It's now much cleaner to see which implementation we're calling, and it will
be simpler to add more implementations in the future.
* compat: support RAP in assembly
This should fix PaX/Grsecurity support.
* device: do not clear keys during sleep on Android
While we want to clear keys when going to sleep on ordinary Linux, this
doesn't make sense in the Android world, where phones often sleep but are
woken up every few milliseconds by the radios to process packets.
* compat: fix 3.10 backport
Important compat fixes for non-x86.
* device: clear last handshake timer on ifdown
When bringing up an interface, we don't want the rate limiting to handshakes
to apply.
* netlink: rename symbol to avoid clashes
Allows coexistence with horrible Android drivers.
* kernel-tree: jury rig is the more common spelling
* tools: no need to put this on the stack
* blake2s-x86_64: fix spacing
Small fixes.
* contrib: keygen-html for generating keys in the browser
This was covered here:
https://lists.zx2c4.com/pipermail/wireguard/2017-December/002127.html
* tools: remove undocumented unused syntax
Not only did nobody know about this or use it, but the implementation actually
exposed compiler bugs in Qualcomm's "Snapdragon Clang".
* poly1305: update x86-64 kernel to AVX512F only
From Samuel Neves, this pulls in Andy Polyakov's changes to only require F and
not VL for the Poly implementation.
* chacha20-arm: fix with clang -fno-integrated-as.
This pulls in David Benjamin's clang fix.
* global: add SPDX tags to all files
From Greg KH, we now have SPDX annotations on all files, matching upstream
kernel's new approach to file licenses.
* chacha20poly1305: cleaner generic code
This entirely removes the last remains of Martin Willi's ChaCha
implementation, and now the generic C implementation is extremely small and
clearly written, while delivering a small performance boost too.
* poly1305: fix avx512f alignment bug
Unlucky people may have had their linkers misalign a constant. This fixes that
potential.
* chacha20: avx512vl implementation
From Samuel Neves, this imports Andy Polyakov's AVX512VL implementation of
ChaCha which should have a ~50% performance improvement over AVX2, though it
is still much slower than our AVX512F implementation.
* chacha20poly1305: wire up avx512vl for skylake-x
Some Skylake machines do not have two FMA units (though others do), so we
prefer the AVX512VL implementation over the should-be-faster AVX512F
implementation on those machines. What's needed now is to read the PIROM in
order to determine at runtime whether the particular Skylake-X machine
actually has the second FMA unit or not, but until that happens, we just fall
back to the VL implementation for all Skylake-X.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>