Commit Graph

881 Commits

Author SHA1 Message Date
Rolf Neugebauer
684ad6778d cmd: Use qemu multi-arch image for qemu runner
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-08-03 17:36:22 +01:00
Nick Jones
f65a4e803d Update OpenStack run and push support
This commit updates the support for pushing images into OpenStack by
inheriting environment variables for endpoint and authentication
information, when available.

It also attempts to make the `openstack run` support more consistent
with other providers (specifically GCP and AWS), i.e. just take the name
of the image as the argument and launch an instance using that.

Finally, it also updates the relevant documentation for OpenStack
support.

Signed-off-by: Nick Jones <nick@dischord.org>
2017-08-02 22:45:38 +01:00
Justin Cormack
550bf41d0b Merge pull request #2337 from zacheryph/qemu-pidfile
save qemu pid in state directory
2017-08-02 15:53:17 +01:00
Nick Jones
a6f3f99d72 Initial support for launching instances on OpenStack
This commit provides rudimentary support for launching instances on an
OpenStack platform.

Signed-off-by: Nick Jones <nick@dischord.org>
2017-08-02 14:40:38 +01:00
Justin Cormack
2d930bc8e5 Use new style ISO BIOS mkimage from Linuxkit which unpacks filesystem
Rather than using an initrd, unpack full filesystem for ISO BIOS.

Stream docker output direct to file rather than via a buffer, to save
memory.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-08-02 14:24:24 +01:00
Zachery Hostens
aa48795203 save qemu pid in state directory
Signed-off-by: Zachery Hostens <zacheryph@gmail.com>
2017-08-01 11:23:43 -05:00
Justin Cormack
48e42540d2 Fix hardlinks in tar output
When we converted these to cpio we were not noticing that they
were invalid as they had incorrect paths as we converted the
path to a symlink anyway. Only the busybox images have hard links
in, the Alpine ones are symlinks anyway, which is why it was
less visible too.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-08-01 17:04:57 +01:00
Justin Cormack
3dec6855e0 Fix read only output when defined in a label
Also do some code cleanup.

Related to #131 we need to read the OCI config to find if the container
is read only, not rely on the yaml, as it may just be set in the label.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-28 14:34:18 +01:00
Justin Cormack
7010eae061 Update mkimage used for building to latest hashes
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-28 13:35:59 +01:00
Justin Cormack
e388c0ff14 Rework setup of container for read only/read write
To work with truly immutable filesystems, rather than ones
we sneakily remount `rw`, we are going to use overlay for
writeable containers. To leave the final mount as `rootfs`,
in the writeable case we make a new `lower` path for the read
only filesystem, and leave `rootfs` as a mount point for an
overlay, with the writable layer and workdir mounted as a tmpfs
on `tmp`.

See https://github.com/linuxkit/linuxkit/issues/2288

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-27 14:52:13 +01:00
Dave Tucker
3dd45d41aa linuxkit: Better GCP disk handling
This commit allows the GCP backend to use the familiar `-disk` behaviour
that the local hypervisors use. The `file` attribute is used as the disk
name in GCP. The size is converted to GB and is always > 1GB.
This has the benefit of allowing multiple disks to be used with GCP
instances.

Signed-off-by: Dave Tucker <dt@docker.com>
2017-07-26 20:53:50 +01:00
Rolf Neugebauer
896c3574ab cmd: Change logic for using EFI FW when qemu is run in a container
By default we want qemu to use the EFI firmware image in the qemu
container. However the logic in the code would always bind mount
the FW image into the container.

This commit changes the logic to only bind mount the FW image if
it was specified on the commandline.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-26 18:14:28 +01:00
Rolf Neugebauer
4b25e00c7d cmd: Update qemu container image hash
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-26 18:14:28 +01:00
Ian Campbell
096aec0a19 qemu: Add -networking option, with various new alternatives
This follows the model in the hyperkit runner, although the options are
different.

The options are:

- `user`: the existing user mode networking (the default).
- `tap,«device»`: replaces the previous `-tap-device «device»` option.
- `bridge,«name»`: tap device on (preexisting) named bridge.
- `none`: No networking at all.

If not running as root then `bridge` mode requires host configuration
http://wiki.qemu.org/Features/HelperNetworking. TL;DR: you need to `chmod u+s`
the `qemu-bridge-helper` and to whitelist specific bridges in
`/etc/qemu/bridge.conf`.

Pass an explicit virtio nic and configure a random MAC since QEMU seems to use
the same one by default.

In the hyperkit runner the various `networking*` constants become
`hyperkitNetworking*` to avoid namespace clashes (e.g. for `None`). The QEMU
equivalents are `qemuNetworking*`.

Both hyperkit and qemu now support an explicit `-networking default` or
`-networking ''` to make scripting easier.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-25 16:17:22 +01:00
Ian Campbell
cb86cdb027 qemu: Generate a random uuid and pass via -uuid
This is the same behaviour as the LinuxKit backend.

This populates /sys/class/dmi/id/product_uuid, which newer versions of weave-net
appear to require.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-25 16:17:22 +01:00
Justin Cormack
6403215635 In the init section use a symlink for /etc/resolv.conf
Unfortunately there are a lot of issues with resolv.conf as we
cannot actually write it into the image from any docker image, as docker will
always have something bind mounted in.

In addition, normally we expect the filesystem to be read only for images
that moby generates, so the actual etc/resolv.conf is likely not to be writeable.

Previously we were adding in a default resolv.conf into every image pointing at
Google's name servers but that is really a bad idea.

Instead, normal images now get an empty default, while images in the `init`
section will get a symlink, currently hard coded to `/run/resolvconf/resolv.conf`
but you can override this with the `files` section to be static or a different
link.

In future, if we have an easy way to build and extract images with user control
of this, we can drop this.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-25 14:40:40 +01:00
Justin Cormack
2c4d567781 Merge pull request #125 from justincormack/tmpdir
Add a tmp directory for each container to be used as a mount point
2017-07-24 17:19:32 +01:00
Nick Jones
7c65860a5c Refactor OpenStack push support to use Gophercloud
This commit refactors the OpenStack push support to make use of the
Gophercloud library in order to handle authentication and talking to the
right image service as defined in the service catalogue.

Signed-off-by: Nick Jones <nick@dischord.org>
2017-07-24 13:47:18 +01:00
Rolf Neugebauer
3219daa674 Merge pull request #2264 from tych0/support-tap-qemu
support tap devices in qemu backend
2017-07-21 10:56:24 +01:00
Tycho Andersen
d237c92273 support tap devices in qemu backend
The motivation for this is networking out (in particular, testing NFS
support) from the VM.

We could be a lot more user friendly (a la libvirt) by creating the tap
device for users and allowing them to specify a bridge instead, but then
we'd need root to create this tap device. For now, let's make people do
their own tap devices, and just use them. A tap device can be created for a
bridge as follows:

    # ip tuntap add linuxkit0 mode tap user `whoami`
    # ip link set linuxkit0 up
    # ip link set linuxkit0 master $bridge_name

and then used by:

    $ ./bin/linuxkit run qemu -tap-device linuxkit0 linuxkit

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-07-20 12:40:07 -06:00
thebsdbox
41f2d2c256 OpenStack Push support
Signed-off-by: Dan Finneran <daniel.finneran@gmail.com>
2017-07-20 16:24:48 +01:00
Ian Campbell
e8d5005b0e Synchronise vendoring with containerd v1.0.0-alpha1
Some of these are arbitrary and just syncing for the sake of it, however the
image- and runtime-spec are relevant. Interesting changes:

- runtime spec:
  - LinuxRLimit is now POSIXRLimit.
  - Specs.Config is now a pointer.
  - LinuxResources.DisableOOMKiller moved to
    LinuxResources.LinuxMemory.DisableOOMKiller
- image spec:
  - Platform.Features is removed (unused here).

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-20 12:03:22 +01:00
Justin Cormack
4720490c92 Add a tmp directory for each container to be used as a mount point
This is to clean up how we do writeable containers in LinuxKit.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-19 11:29:03 +01:00
Justin Cormack
6eb74b2f2b Add support for onshutdown
This is a list of images to run on a clean shutdown. Note that you must not rely on these
being run at all, as machines may be powered off or shut down without having time to run
these scripts. If you add anything here you should test both in the case where they are
run and when they are not. Most systems are likely to be "crash only" and not have any setup here,
but you can attempt to deregister cleanly from a network service here, rather than relying
on timeouts, for example.

Fix https://github.com/linuxkit/linuxkit/issues/1988

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-18 13:55:52 +01:00
Justin Cormack
55f7df577a Add json config for top level config
Otherwise JSON output as metadata cannot actually be used as it
has capitalised field names.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-18 13:16:58 +01:00
Justin Cormack
12439d947d Do not modify data structure while building
This will give odd effects if we output the yaml structure into the image.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-17 15:42:26 +01:00
Justin Cormack
040c500648 Add more omitempty to json spec
The metadata config was rather verbose.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-17 15:31:31 +01:00
Justin Cormack
389dd8c0fa Add a "metadata" file contents flag
Currently this supports "yaml" as the only option, which will output
the yaml config (as JSON) into the file specified in the image.

Fix #107

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-17 15:31:24 +01:00
Riyaz Faizullabhoy
c3b2c7d575 trust: do not call x509.SystemCertPool as nil will use this as default
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-07-14 14:39:39 -07:00
Justin Cormack
cc33e67492 Allow uid, gid fields to be numeric or names
Previously I was forcing them to be strings, which is horrible. Now you
can either specify a numeric uid or the name of a service to use the
allocated id for that service.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-14 16:57:12 +01:00
Justin Cormack
830be373da Allow specifying the kernel and tarball names, or omitting tarball
fix #113

Use `tar: none` or `tar: ""` to omit the tarball.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-14 14:09:42 +01:00
Justin Cormack
7bc763a628 Move Contributing to top level
- accidentally committed to wrong directory

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-14 11:50:51 +01:00
Dennis Chen
3b1dfb69c7 ARM64: specify external firmware binary for containerized qemu
Current implementation uses a fixed firmware (bios) binary
installed by the build process of the qemu container image,
which will prevent us from providing an external firmware binary
outside the container. This patch removes this limitation, thus we
can assign a firmware binary image file with the "-fw" option.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2017-07-14 09:10:42 +00:00
Justin Cormack
944793312a Merge pull request #2197 from ijc/qemu-envvar-overrides
qemu: allow kvm and containerized options to be overridden by the env…
2017-07-13 16:25:51 +01:00
Ian Campbell
cc8bd94960 qemu: allow kvm and containerized options to be overridden by the environment
This is useful in the case where Moby is shelling out to LinuxKit for certain
image types (currently raw and qcow2). Currently to experiment with different
options (e.g. when comparing performance to CI) you have to edit either the
moby or linuxkit tool to change the options used.

The environment variables take precedence over any explicit command line options
given.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-13 15:23:14 +01:00
Ian Campbell
f20828bf7e Update LinuxKit components used for build
This updates to the current set of images as of
https://github.com/linuxkit/linuxkit/pull/2159

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-13 14:43:34 +01:00
Dave Tucker
94f2d2cd9a linuxkit: Fix qemu run behaviour when file does not exist
This commit fixes an issue reported on Slack where `linuxkit run` will
assume that a file that is neither a kernel nor an iso must be a disk image
without first checking that it exists. This would result in `qemu-img`
attempting to create a disk with 0 size due to the default behaviour of
creating disk images that do not exist.

Signed-off-by: Dave Tucker <dt@docker.com>
2017-07-13 11:46:22 +01:00
Justin Cormack
b4804b69e8 Add Contributing doc
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-12 12:04:33 +01:00
Justin Cormack
107c014a9d Re-run vendoring
Latest `vndr` has changed its algorithm a bit. It also pointed out that we were missing
some things.

Move the `vendor` directory up to the `linuxkit` command, else it gets confused by packages
that have Go code in.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-11 13:12:00 +01:00
Justin Cormack
51b4e20154 Merge pull request #103 from ijc/master
Build for Darwin and Windows
2017-07-11 11:07:36 +01:00
Stefan Bourlon
846e814a7f Backend vCenter: Remove network param for push cmd
The network parameter is not used in the command
"linuxkit push vcenter ..."

Signed-off-by: Stefan Bourlon <stefan.bourlon@ca.com>
2017-07-10 14:03:55 -07:00
Justin Cormack
3ee4fdc43a Error if there are duplicate service names
Continue to allow onboot to have duplicates as we do not run simultaneously
so that is ok (and we number them anyway), but services are run together
so we will get a runtime error if duplicated as this is the containerd/runc
id.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-10 14:50:04 +01:00
Ian Campbell
3c5fad4539 Remove dependency on docker/docker/cli
We were pulling in this whole stack of packages just for `trust.ReleasesRole`.
Just define it locally.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-10 14:38:21 +01:00
Justin Cormack
ec7e73b304 Merge pull request #100 from justincormack/userns
Add partial user namespace support
2017-07-10 14:30:30 +01:00
Stefan Bourlon
ffef020a09 Backend vCenter: add the datacenter parameter
Signed-off-by: Stefan Bourlon <stefan.bourlon@ca.com>
2017-07-07 14:32:14 -07:00
Stefan Bourlon
ea5114dc93 Backend vCenter: Upload ISO only with linuxkit push
Signed-off-by: Stefan Bourlon <stefan.bourlon@ca.com>
2017-07-07 14:26:58 -07:00
Dennis Chen
3a9c88c0c5 ARM64: Remove the hardcode of virtual machine type
Current implementation hardcodes the virtual machine as
"q35" for x86; this patch removes this hardcoding and configures
the machine type according to the arch the VM is running on.
Also, in order to make sure qemu can run on the arm64 platform,
we need to specify the vcpu type in the command line.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2017-07-07 21:54:15 +08:00
Ian Campbell
c3edfec759 revendor runc + runtime-spec to match containerd 8e1a04ff9ee3
Note that various fields have changed or moved around in the JSON as a result:

* `Platform` has been removed.
* `Process` is now a pointer.
* `OOMScoreAdj` has moved into `Process`, from `Linux.Resources` (resolving a
  TODO here).

Also updates golang.org/x/sys which is less critical.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-06 15:34:01 +01:00
Justin Cormack
a73c3d3667 Add partial user namespace support
This adds the OCI parts needed into the yaml, but there are still
permissions issues in practice so it is marked as experimental.

It may just need further documentation to resolve the issues.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-03 14:45:58 +01:00
Rolf Neugebauer
4a9c00a5e0 src: Update qemu image to latest
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-01 19:24:15 +01:00