- use one shot dhcp
- add a one shot rngd as needs entropy
- add metadata
- remove ssh key from host as we have in metadata
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Use the packet metadata to set up bonding, also get ssh keys and hostname.
This does not yet do anything with disk metadata.
Userdata is not used if it has been used for ipxe, but is otherwise available.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This is a recommended security measure to protect the low portion
of virtual memory. On x86_64 the recommended value is 65536 while
for arm it shouldn't be higher than 32768.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The resulting kernel boots fine on qemu and on Cavium Thunder,
though the latter still has some issues.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The local changes were merged, so switching back to the original
repository. A minor change in API was needed.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This contans the upstream (non busybox) version of `ip` and also the
Wireguard tools as these aere not yet integrated into `ip`. It is designed
to be used for network configuration.
For example a Wireguard interface can be setup with something like:
```
- name: wg
image: linuxkit/ip
net: new
binds:
- /etc/wireguard:/etc/wireguard
command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"]
runtime:
interfaces:
- name: wg0
add: wireguard
createInRoot: true
bindNS:
net: /run/netns/wg
```
This binds the net namespace so other containers can use it later.
Note that `ip` supports batch scripts with `ip -b file` which is quite convenient for
this use case.
Alas `wg-quick` requires `bash` so this is currently a bit bloated, maybe @zx2c4
might be persuaded to rewrite it without bashisms...
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This adds support for a runtime configuration file that can do:
- `mkdir` to make a directory at runtime, eg in `/var` or `/tmp`, to avoid workarounds
- `interface` that can create network interfaces in a container or move them
- `bindNS` that can bind mount namespaces of an `onboot` container to a file so a service can be started in that namespace.
It merges the `service` and `onboot` tools (in `init`) to avoid duplication. This also saves some size for
eg LCOW which did not use the `onboot` code in `runc`.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Currently we depend on the qemu to detect the firmware file format
automatically, which is dangerous. This patch specify the 'raw'
format explicitly to remove the kind of restrictions.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
This add a -device option which enables the re-use of an existing
device. The device state is update to use a potentially new base-url
ro PXE boot from. This maybe faster than provisioning a new server.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
