github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-11-04 04:27:27 +00:00
Code Issues Projects Releases Wiki Activity
7,842 Commits 1 Branch 31 Tags
7475eb428bc0460e70b9bd8ddcfa6bfd1b29d76b
Commit Graph

7842 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rolf Neugebauer
7475eb428b Merge pull request #3728 from deitch/update-component-hash-yaml-only 
restrict update to just yaml files
 2021-11-05 23:22:25 +00:00
Avi Deitcher
920a83da32 restrict update to just yaml files 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
 2021-11-05 15:32:36 +02:00
Avi Deitcher
c07b11acb9 Merge pull request #3729 from deitch/extract-more-yaml 
extract more hard-coded yaml
 2021-11-05 09:21:44 -04:00
Avi Deitcher
e1dd1af1b9 extract more hard-coded yaml 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
 2021-11-05 13:07:06 +02:00
Avi Deitcher
01a1aac73c Merge pull request #3727 from deitch/embed-hashes 2021-11-05 04:46:45 -04:00
Avi Deitcher
f8471d443c Merge pull request #3723 from deitch/update-component-hash-pkg 2021-11-04 15:18:04 -04:00
Avi Deitcher
0660ace86f extract hard-coded default image builders into file 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
 2021-11-04 14:51:15 -04:00
Rolf Neugebauer
34b0a786e7 Merge pull request #3725 from djs55/fix-windows-pkg-build 
linuxkit: fix pkg build on Windows
 2021-10-31 10:54:45 +00:00
Avi Deitcher
a05f612aa4 update-component-sha --pkg option 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
 2021-10-31 05:38:32 -04:00
David Scott
f5f5dce318 linuxkit: fix pkg build on Windows 
Previously when we set `cmd.Stderr = os.Stderr`, the stderr from buildx
would be mixed with the image tar, corrupting it.

Work around this (Windows-specific) problem by adding an explicit
indirection via a io.Pipe()

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-29 12:01:35 +01:00
Rolf Neugebauer
f5a1541e00 Merge pull request #3719 from tonistiigi/cgroupv2 
init: add support for cgroupv2
 2021-10-27 09:26:11 +01:00
David Scott
10599f776a test: add a case for cgroupv2 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-26 20:07:38 +01:00
David Scott
9d16e2a2b9 test: the README.md says the numbers correspond to the first letter 
A few of these tests appear to be misnumbered, so renumber them.

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-26 20:04:51 +01:00
David Scott
e8f8a409e8 Update hashes for pkg/init 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-26 19:52:22 +01:00
Tonis Tiigi
5af7c526ec init: add support for cgroupv2 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
 2021-10-24 23:03:51 -07:00
Rolf Neugebauer
e71deb3862 Merge pull request #3718 from djs55/containup-test 
Update runc, containerd, add devices: and fix readonly
 2021-10-22 21:10:30 +01:00
David Scott
e4776e8778 Update hash for containerd 1.4.11 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-21 11:34:59 +01:00
David Scott
476d5a0f2e Update alpine for containerd 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-21 11:34:59 +01:00
David Scott
42670404f5 alpine: Update versions file 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-21 11:34:59 +01:00
David Scott
34d0aef7d4 Update containerd to 1.4.11 
We can remove the workaround for musl using faccessat(2) and breaking
runc, because the fix is in rc93:

https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-21 11:34:55 +01:00
David Scott
2ff94c0d72 test: kmsg requires /dev/console 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:05:44 +01:00
David Scott
bdb1c13473 test: logwrite requires /dev/console 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:05:44 +01:00
David Scott
5a12600412 test: init-containerd requires /dev/console 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:05:44 +01:00
David Scott
dcecbe57c6 test: containerd tests need losetup which needs block device access 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:05:26 +01:00
David Scott
1c02c9ea86 test: losetup needs block device access 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:03:29 +01:00
David Scott
d4c6ab742b Update hashes for pkg/... 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:02:44 +01:00
David Scott
7434e5f5aa pkg/kmsg: grant access to /dev/kmsg 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:02:44 +01:00
David Scott
6bc99c5ff2 pkg/metadata: grant access to all block devices 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:02:36 +01:00
David Scott
9209808ac3 pkg/losetup: grant access to all block devices 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:02:18 +01:00
David Scott
344d974ae1 pkg/extend: grant access to all block devices 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:02:11 +01:00
David Scott
71fa9f2cae pkg/dm-crypt: grant access to all devices 
The package needs block devices e.g. for /dev/sda

It also needs character devices for /dev/mapper/

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:01:01 +01:00
David Scott
5895976b33 tools/mkimage: grant access to block devices 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:00:55 +01:00
David Scott
380f36cc1a runc: don't mount /dev with ro 
After runc 1.0.0-rc92 mounting /dev with ro will fail to start the
container with an error trying to `mkdir /dev/...` (for example
`/dev/pts`). This can be observed following the runc example

Comparing our `config.json` with the working one generated by
`runc spec`, both have a readonly rootfs (good) but the `runc spec`
one does not set `ro` in the `/dev` mount options.

This patch fixes readonly onboot containers by removing the "ro"
option from `/dev`, to match the `runc spec` example.

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:00:04 +01:00
David Scott
0cfaa9ce65 runc: update to v1.0.2 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-18 21:00:04 +01:00
Rolf Neugebauer
0dd8086d39 Update YAMLs to latest runc/containerd/test-containerd 
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
 2021-10-16 16:57:15 +01:00
Rolf Neugebauer
6efae97c20 Update alpine for containerd 
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
 2021-10-16 16:57:15 +01:00
Rolf Neugebauer
0e00eddd6b alpine: Fix push-manifest.sh 
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
 2021-10-16 16:57:15 +01:00
Rolf Neugebauer
d2307ebae3 alpine: Update versions file 
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
 2021-10-16 16:57:15 +01:00
David Scott
5124698b47 alpine: update containerd to 1.4.6 
As suggested on https://github.com/linuxkit/linuxkit/pull/3554#issuecomment-852910630

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-16 16:57:15 +01:00
David Scott
7d76051bb0 runc: update to v1.0.0-rc95 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-16 16:57:15 +01:00
Rolf Neugebauer
d71299a2c1 Merge pull request #3716 from djs55/containup-devices2 
Add OCI devices to yaml (needed by getty with runc v1.0.0-rc95)
 2021-10-16 10:35:35 +01:00
David Scott
c2d47b47ff Update hashes for pkg/swap 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-15 08:19:03 +01:00
David Scott
c3642dd089 Update hashes for pkg/mount 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-15 08:19:03 +01:00
David Scott
97d054da5d Update hashes for pkg/getty 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-15 08:18:58 +01:00
David Scott
21a7155824 Update hashes for pkg/format 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-14 16:14:21 +01:00
David Scott
46ea02f65b moby: device "all" will add to the cgroup whitelist 
After the runc security advisory[1] the default cgroup device
whitelist was changed.

In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.

In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.

However it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:

```
- path: all
  type: b
```

Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.

[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-14 16:14:21 +01:00
David Scott
24db42dd68 moby: add a Devices array to the image yml 
According to https://github.com/linuxkit/linuxkit/pull/3684#issuecomment-860128095

runc removed the console as a default device, so now it must be specified
explicitly in the OCI config.

See 60e21ec26e

The similar code in moby/moby is here: https://github.com/moby/moby/blob/master/oci/devices_linux.go

This patch allows packages to declare a `devices` array, which can contain `/dev/console` etc.

Signed-off-by: David Scott <dave@recoil.org>
 2021-10-14 16:14:05 +01:00
Rolf Neugebauer
d0145160a8 Merge pull request #3717 from djs55/run-qemu-m1 
Fix `linuxkit run qemu` on macOS on Apple Silicon
 2021-10-13 21:16:48 +01:00
David Scott
c779e894da Fix linuxkit run qemu on macOS on Apple Silicon 
Signed-off-by: David Scott <dave@recoil.org>
 2021-10-13 14:38:20 +01:00
Rolf Neugebauer
46d4edc967 Merge pull request #3711 from djpbessems/patch-1 
Include `lvm2`
 2021-08-14 13:30:35 +01:00